forked from torproject/tor
-
Notifications
You must be signed in to change notification settings - Fork 2
/
ReleaseNotes
14505 lines (13224 loc) · 775 KB
/
ReleaseNotes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
This document summarizes new features and bugfixes in each stable release
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
Changes in version 0.2.8.13 - 2017-03-03
Tor 0.2.8.13 backports a security fix from later Tor
releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to this
this release, if for some reason they cannot upgrade to a later
release series, and if they build Tor with the --enable-expensive-hardening
option.
Note that support for Tor 0.2.8.x is ending next year: we will not issue
any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
Changes in version 0.2.7.7 - 2017-03-03
Tor 0.2.7.7 backports a number of security fixes from later Tor
releases. Anybody running Tor 0.2.7.6 or earlier should upgrade to
this release, if for some reason they cannot upgrade to a later
release series.
Note that support for Tor 0.2.7.x is ending this year: we will not issue
any fixes for the Tor 0.2.7.x series after 1 August 2017. If you need
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
o Directory authority changes (backport from 0.2.8.5-rc):
- Urras is no longer a directory authority. Closes ticket 19271.
o Directory authority changes (backport from 0.2.9.2-alpha):
- The "Tonga" bridge authority has been retired; the new bridge
authority is "Bifroest". Closes tickets 19728 and 19690.
o Directory authority key updates (backport from 0.2.8.1-alpha):
- Update the V3 identity key for the dannenberg directory authority:
it was changed on 18 November 2015. Closes task 17906. Patch
by "teor".
o Major bugfixes (parsing, security, backport from 0.2.9.8):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
- Stop a crash that could occur when a client running with DNSPort
received a query with multiple address types, and the first
address type was not supported. Found and fixed by Scott Dial.
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
- Avoid a difficult-to-trigger heap corruption attack when extending
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
Reported by Guido Vranken.
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
- If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
Baishakhi Ray.
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
- Make memwipe() do nothing when passed a NULL pointer or buffer of
zero size. Check size argument to memwipe() for underflow. Fixes
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
patch by "teor".
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
- Make Tor survive errors involving connections without a
corresponding event object. Previously we'd fail with an
assertion; now we produce a log message. Related to bug 16248.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
Changes in version 0.2.6.11 - 2017-03-03
Tor 0.2.6.11 backports a number of security fixes from later Tor
releases. Anybody running Tor 0.2.6.10 or earlier should upgrade to
this release, if for some reason they cannot upgrade to a later
release series.
Note that support for Tor 0.2.6.x is ending this year: we will not issue
any fixes for the Tor 0.2.6.x series after 1 August 2017. If you need
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
o Directory authority changes (backport from 0.2.8.5-rc):
- Urras is no longer a directory authority. Closes ticket 19271.
o Directory authority changes (backport from 0.2.9.2-alpha):
- The "Tonga" bridge authority has been retired; the new bridge
authority is "Bifroest". Closes tickets 19728 and 19690.
o Directory authority key updates (backport from 0.2.8.1-alpha):
- Update the V3 identity key for the dannenberg directory authority:
it was changed on 18 November 2015. Closes task 17906. Patch
by "teor".
o Major features (security fixes, backport from 0.2.9.4-alpha):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Major bugfixes (parsing, security, backport from 0.2.9.8):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
- Stop a crash that could occur when a client running with DNSPort
received a query with multiple address types, and the first
address type was not supported. Found and fixed by Scott Dial.
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
- Avoid a difficult-to-trigger heap corruption attack when extending
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
Reported by Guido Vranken.
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
o Major bugfixes (guard selection, backport from 0.2.7.6):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
- If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
Baishakhi Ray.
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
- Make memwipe() do nothing when passed a NULL pointer or buffer of
zero size. Check size argument to memwipe() for underflow. Fixes
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
patch by "teor".
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
- Make Tor survive errors involving connections without a
corresponding event object. Previously we'd fail with an
assertion; now we produce a log message. Related to bug 16248.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.2.7.6):
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
Changes in version 0.2.5.13 - 2017-03-03
Tor 0.2.5.13 backports a number of security fixes from later Tor
releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to
this release, if for some reason they cannot upgrade to a later
release series.
Note that support for Tor 0.2.5.x is ending next year: we will not issue
any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
o Directory authority changes (backport from 0.2.8.5-rc):
- Urras is no longer a directory authority. Closes ticket 19271.
o Directory authority changes (backport from 0.2.9.2-alpha):
- The "Tonga" bridge authority has been retired; the new bridge
authority is "Bifroest". Closes tickets 19728 and 19690.
o Directory authority key updates (backport from 0.2.8.1-alpha):
- Update the V3 identity key for the dannenberg directory authority:
it was changed on 18 November 2015. Closes task 17906. Patch
by "teor".
o Major features (security fixes, backport from 0.2.9.4-alpha):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Major bugfixes (parsing, security, backport from 0.2.9.8):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
- Stop a crash that could occur when a client running with DNSPort
received a query with multiple address types, and the first
address type was not supported. Found and fixed by Scott Dial.
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
- Avoid a difficult-to-trigger heap corruption attack when extending
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
Reported by Guido Vranken.
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
o Major bugfixes (guard selection, backport from 0.2.7.6):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
- If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
Baishakhi Ray.
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
- Make memwipe() do nothing when passed a NULL pointer or buffer of
zero size. Check size argument to memwipe() for underflow. Fixes
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
patch by "teor".
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
- Make Tor survive errors involving connections without a
corresponding event object. Previously we'd fail with an
assertion; now we produce a log message. Related to bug 16248.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.2.7.6):
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
- Check for failures from crypto_early_init, and refuse to continue.
A previous typo meant that we could keep going with an
uninitialized crypto library, and would have OpenSSL initialize
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
a client authorized hidden service. Fixes bug 15823; bugfix
on 0.2.1.6-alpha.
Changes in version 0.2.4.28 - 2017-03-03
Tor 0.2.4.28 backports a number of security fixes from later Tor
releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to
this release, if for some reason they cannot upgrade to a later
release series.
Note that support for Tor 0.2.4.x is ending soon: we will not issue
any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need
a Tor release series with long-term support, we recommend Tor 0.2.9.x.
o Directory authority changes (backport from 0.2.8.5-rc):
- Urras is no longer a directory authority. Closes ticket 19271.
o Directory authority changes (backport from 0.2.9.2-alpha):
- The "Tonga" bridge authority has been retired; the new bridge
authority is "Bifroest". Closes tickets 19728 and 19690.
o Directory authority key updates (backport from 0.2.8.1-alpha):
- Update the V3 identity key for the dannenberg directory authority:
it was changed on 18 November 2015. Closes task 17906. Patch
by "teor".
o Major features (security fixes, backport from 0.2.9.4-alpha):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Major bugfixes (parsing, security, backport from 0.2.9.8):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
- Fix an error that could cause us to read 4 bytes before the
beginning of an openssl string. This bug could be used to cause
Tor to crash on systems with unusual malloc implementations, or
systems with unusual hardening installed. Fixes bug 17404; bugfix
on 0.2.3.6-alpha.
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
- Avoid a difficult-to-trigger heap corruption attack when extending
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
Reported by Guido Vranken.
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
o Major bugfixes (guard selection, backport from 0.2.7.6):
- Actually look at the Guard flag when selecting a new directory
guard. When we implemented the directory guard design, we
accidentally started treating all relays as if they have the Guard
flag during guard selection, leading to weaker anonymity and worse
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
by Mohsen Imani.
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
- If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
Baishakhi Ray.
o Major bugfixes (parsing, backported from 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
- Make memwipe() do nothing when passed a NULL pointer or buffer of
zero size. Check size argument to memwipe() for underflow. Fixes
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
patch by "teor".
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
- Make Tor survive errors involving connections without a
corresponding event object. Previously we'd fail with an
assertion; now we produce a log message. Related to bug 16248.
o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
- Make it harder for attackers to overload hidden services with
introductions, by blocking multiple introduction requests on the
same circuit. Resolves ticket 15515.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.2.7.6):
- Fix a compilation warning with Clang 3.6: Do not check the
presence of an address which can never be NULL. Fixes bug 17781.
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
a client authorized hidden service. Fixes bug 15823; bugfix
on 0.2.1.6-alpha.
Changes in version 0.2.9.10 - 2017-03-01
Tor 0.2.9.10 backports a security fix from later Tor release. It also
includes fixes for some major issues affecting directory authorities,
LibreSSL compatibility, and IPv6 correctness.
The Tor 0.2.9.x release series is now marked as a long-term-support
series. We intend to backport security fixes to 0.2.9.x until at
least January of 2020.
o Major bugfixes (directory authority, 0.3.0.3-alpha):
- During voting, when marking a relay as a probable sybil, do not
clear its BadExit flag: sybils can still be bad in other ways
too. (We still clear the other flags.) Fixes bug 21108; bugfix
on 0.2.0.13-alpha.
o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
- Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
any IPv6 addresses. Instead, only reject a port over IPv6 if the
exit policy rejects that port on more than an IPv6 /16 of
addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
which rejected a relay's own IPv6 address by default. Fixes bug
21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
o Major bugfixes (parsing, also in 0.3.0.4-rc):
- Fix an integer underflow bug when comparing malformed Tor
versions. This bug could crash Tor when built with
--enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
0.2.9.8, which were built with -ftrapv by default. In other cases
it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
on 0.0.8pre1. Found by OSS-Fuzz.
o Minor features (directory authorities, also in 0.3.0.4-rc):
- Directory authorities now reject descriptors that claim to be
malformed versions of Tor. Helps prevent exploitation of
bug 21278.
- Reject version numbers with components that exceed INT32_MAX.
Otherwise 32-bit and 64-bit platforms would behave inconsistently.
Fixes bug 21450; bugfix on 0.0.8pre1.
o Minor features (geoip):
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
Country database.
o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
- Autoconf now checks to determine if OpenSSL structures are opaque,
instead of explicitly checking for OpenSSL version numbers. Part
of ticket 21359.
- Support building with recent LibreSSL code that uses opaque
structures. Closes ticket 21359.
o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
- Repair a couple of (unreachable or harmless) cases of the risky
comparison-by-subtraction pattern that caused bug 21278.
o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
- The tor-resolve command line tool now rejects hostnames over 255
characters in length. Previously, it would silently truncate them,
which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
Patch by "junglefowl".
Changes in version 0.2.9.9 - 2017-01-23
Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
cause relays and clients to crash, even if they were not built with
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
versions, and also affects 0.3.0.1-alpha: all relays running an affected
version should upgrade.
This release also resolves a client-side onion service reachability
bug, and resolves a pair of small portability issues.
o Major bugfixes (security):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes -- and having
it on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Major bugfixes (client, onion service):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (portability):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
Changes in version 0.2.8.12 - 2016-12-19
Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018
below) where Tor clients could crash when attempting to visit a
hostile hidden service. Clients are recommended to upgrade as packages
become available for their systems.
It also includes an updated list of fallback directories, backported
from 0.2.9.
Now that the Tor 0.2.9 series is stable, only major bugfixes will be
backported to 0.2.8 in the future.
o Major bugfixes (parsing, security, backported from 0.2.9.8):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Minor features (fallback directory list, backported from 0.2.9.8):
- Replace the 81 remaining fallbacks of the 100 originally
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
fallbacks (123 new, 54 existing, 27 removed) generated in December
2016. Resolves ticket 20170.
o Minor features (geoip, backported from 0.2.9.7-rc):
- Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
Country database.
Changes in version 0.2.9.8 - 2016-12-19
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
The Tor 0.2.9 series makes mandatory a number of security features
that were formerly optional. It includes support for a new shared-
randomness protocol that will form the basis for next generation
hidden services, includes a single-hop hidden service mode for
optimizing .onion services that don't actually want to be hidden,
tries harder not to overload the directory authorities with excessive
downloads, and supports a better protocol versioning scheme for
improved compatibility with other implementations of the Tor protocol.
And of course, there are numerous other bugfixes and improvements.
This release also includes a fix for a medium-severity issue (bug
21018 below) where Tor clients could crash when attempting to visit a
hostile hidden service. Clients are recommended to upgrade as packages
become available for their systems.
Below are listed the changes since Tor 0.2.8.11. For a list of
changes since 0.2.9.7-rc, see the ChangeLog file.
o New system requirements:
- When building with OpenSSL, Tor now requires version 1.0.1 or
later. OpenSSL 1.0.0 and earlier are no longer supported by the
OpenSSL team, and should not be used. Closes ticket 20303.
- Tor now requires Libevent version 2.0.10-stable or later. Older
versions of Libevent have less efficient backends for several
platforms, and lack the DNS code that we use for our server-side
DNS support. This implements ticket 19554.
- Tor now requires zlib version 1.2 or later, for security,
efficiency, and (eventually) gzip support. (Back when we started,
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
released in 2003. We recommend the latest version.)
o Deprecated features:
- A number of DNS-cache-related sub-options for client ports are now
deprecated for security reasons, and may be removed in a future
version of Tor. (We believe that client-side DNS caching is a bad
idea for anonymity, and you should not turn it on.) The options
are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
UseIPv4Cache, and UseIPv6Cache.
- A number of options are deprecated for security reasons, and may
be removed in a future version of Tor. The options are:
AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
AllowSingleHopExits, ClientDNSRejectInternalAddresses,
CloseHSClientCircuitsImmediatelyOnTimeout,
CloseHSServiceRendCircuitsImmediatelyOnTimeout,
ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
UseNTorHandshake, and WarnUnsafeSocks.
- The *ListenAddress options are now deprecated as unnecessary: the
corresponding *Port options should be used instead. These options
may someday be removed. The affected options are:
ControlListenAddress, DNSListenAddress, DirListenAddress,
NATDListenAddress, ORListenAddress, SocksListenAddress,
and TransListenAddress.
o Major bugfixes (parsing, security, new since 0.2.9.7-rc):
- Fix a bug in parsing that could cause clients to read a single
byte past the end of an allocated region. This bug could be used
to cause hardened clients (built with --enable-expensive-hardening)
to crash if they tried to visit a hostile hidden service. Non-
hardened clients are only affected depending on the details of
their platform's memory allocator. Fixes bug 21018; bugfix on
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
2016-12-002 and as CVE-2016-1254.
o Major features (build, hardening):
- Tor now builds with -ftrapv by default on compilers that support
it. This option detects signed integer overflow (which C forbids),
and turns it into a hard-failure. We do not apply this option to
code that needs to run in constant time to avoid side-channels;
instead, we use -fwrapv in that code. Closes ticket 17983.
- When --enable-expensive-hardening is selected, stop applying the
clang/gcc sanitizers to code that needs to run in constant time.
Although we are aware of no introduced side-channels, we are not
able to prove that there are none. Related to ticket 17983.
o Major features (circuit building, security):
- Authorities, relays, and clients now require ntor keys in all
descriptors, for all hops (except for rare hidden service protocol
cases), for all circuits, and for all other roles. Part of
ticket 19163.
- Authorities, relays, and clients only use ntor, except for
rare cases in the hidden service protocol. Part of ticket 19163.
o Major features (compilation):
- Our big list of extra GCC warnings is now enabled by default when
building with GCC (or with anything like Clang that claims to be
GCC-compatible). To make all warnings into fatal compilation
errors, pass --enable-fatal-warnings to configure. Closes
ticket 19044.
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
turn on C and POSIX extensions. (Previously, we attempted to do
this on an ad hoc basis.) Closes ticket 19139.
o Major features (directory authorities, hidden services):
- Directory authorities can now perform the shared randomness
protocol specified by proposal 250. Using this protocol, directory
authorities generate a global fresh random value every day. In the
future, this value will be used by hidden services to select
HSDirs. This release implements the directory authority feature;
the hidden service side will be implemented in the future as part
of proposal 224. Resolves ticket 16943; implements proposal 250.
o Major features (downloading, random exponential backoff):
- When we fail to download an object from a directory service, wait
for an (exponentially increasing) randomized amount of time before
retrying, rather than a fixed interval as we did before. This
prevents a group of Tor instances from becoming too synchronized,
or a single Tor instance from becoming too predictable, in its
download schedule. Closes ticket 15942.
o Major features (resource management):
- Tor can now notice it is about to run out of sockets, and
preemptively close connections of lower priority. (This feature is
off by default for now, since the current prioritizing method is
yet not mature enough. You can enable it by setting
"DisableOOSCheck 0", but watch out: it might close some sockets
you would rather have it keep.) Closes ticket 18640.
o Major features (single-hop "hidden" services):
- Add experimental HiddenServiceSingleHopMode and
HiddenServiceNonAnonymousMode options. When both are set to 1,
every hidden service on that Tor instance becomes a non-anonymous
Single Onion Service. Single Onions make one-hop (direct)
connections to their introduction and rendezvous points. One-hop
circuits make Single Onion servers easily locatable, but clients
remain location-anonymous. This is compatible with the existing
hidden service implementation, and works on the current Tor
network without any changes to older relays or clients. Implements
proposal 260, completes ticket 17178. Patch by teor and asn.
o Major features (subprotocol versions):
- Tor directory authorities now vote on a set of recommended
"subprotocol versions", and on a set of required subprotocol
versions. Clients and relays that lack support for a _required_
subprotocol version will not start; those that lack support for a
_recommended_ subprotocol version will warn the user to upgrade.
This change allows compatible implementations of the Tor protocol(s)
to exist without pretending to be 100% bug-compatible with
particular releases of Tor itself. Closes ticket 19958; implements
part of proposal 264.
o Major bugfixes (circuit building):
- Hidden service client-to-intro-point and service-to-rendezvous-
point circuits use the TAP key supplied by the protocol, to avoid
epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
o Major bugfixes (download scheduling):
- Avoid resetting download status for consensuses hourly, since we
already have another, smarter retry mechanism. Fixes bug 8625;
bugfix on 0.2.0.9-alpha.
- If a consensus expires while we are waiting for certificates to
download, stop waiting for certificates.
- If we stop waiting for certificates less than a minute after we
started downloading them, do not consider the certificate download
failure a separate failure. Fixes bug 20533; bugfix
on 0.2.0.9-alpha.
- When using exponential backoff in test networks, use a lower
exponent, so the delays do not vary as much. This helps test
networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.
o Major bugfixes (exit policies):
- Avoid disclosing exit outbound bind addresses, configured port
bind addresses, and local interface addresses in relay descriptors
by default under ExitPolicyRejectPrivate. Instead, only reject
these (otherwise unlisted) addresses if
ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
0.2.7.2-alpha. Patch by teor.
o Major bugfixes (hidden services):
- Allow Tor clients with appropriate controllers to work with
FetchHidServDescriptors set to 0. Previously, this option also
disabled descriptor cache lookup, thus breaking hidden services
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
- Clients now require hidden services to include the TAP keys for
their intro points in the hidden service descriptor. This prevents
an inadvertent upgrade to ntor, which a malicious hidden service
could use to distinguish clients by consensus version. Fixes bug
20012; bugfix on 0.2.4.8-alpha. Patch by teor.
o Major bugfixes (relay, resolver, logging):
- For relays that don't know their own address, avoid attempting a
local hostname resolve for each descriptor we download. This
will cut down on the number of "Success: chose address 'x.x.x.x'"
log lines, and also avoid confusing clock jumps if the resolver
is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
o Minor features (port flags):
- Add new flags to the *Port options to give finer control over which
requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
and the synthetic flag OnionTrafficOnly, which is equivalent to
NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
18693; patch by "teor".
o Minor features (build, hardening):
- Detect and work around a libclang_rt problem that would prevent
clang from finding __mulodi4() on some 32-bit platforms, and thus
keep -ftrapv from linking on those systems. Closes ticket 19079.
- When building on a system without runtime support for the runtime
hardening options, try to log a useful warning at configuration
time, rather than an incomprehensible warning at link time. If
expensive hardening was requested, this warning becomes an error.
Closes ticket 18895.
o Minor features (client, directory):
- Since authorities now omit all routers that lack the Running and
Valid flags, we assume that any relay listed in the consensus must
have those flags. Closes ticket 20001; implements part of
proposal 272.
o Minor features (code safety):
- In our integer-parsing functions, ensure that the maximum value we
allow is no smaller than the minimum value. Closes ticket 19063;
patch from "U+039b".
o Minor features (compilation, portability):
- Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
ticket 20241.
o Minor features (config):
- Warn users when descriptor and port addresses are inconsistent.
Mitigates bug 13953; patch by teor.
o Minor features (controller):
- Allow controllers to configure basic client authorization on
hidden services when they create them with the ADD_ONION controller
command. Implements ticket 15588. Patch by "special".
- Fire a STATUS_SERVER controller event whenever the hibernation
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
- Implement new GETINFO queries for all downloads that use
download_status_t to schedule retries. This allows controllers to
examine the schedule for pending downloads. Closes ticket 19323.
o Minor features (development tools, etags):
- Teach the "make tags" Makefile target how to correctly find
"MOCK_IMPL" function definitions. Patch from nherring; closes
ticket 16869.
o Minor features (directory authority):
- After voting, if the authorities decide that a relay is not
"Valid", they no longer include it in the consensus at all. Closes
ticket 20002; implements part of proposal 272.
- Directory authorities now only give the Guard flag to a relay if
they are also giving it the Stable flag. This change allows us to
simplify path selection for clients. It should have minimal effect
in practice, since >99% of Guards already have the Stable flag.
Implements ticket 18624.
- Directory authorities now write their v3-status-votes file out to
disk earlier in the consensus process, so we have a record of the
votes even if we abort the consensus process. Resolves
ticket 19036.
o Minor features (fallback directory list, new since 0.2.9.7-rc):
- Replace the 81 remaining fallbacks of the 100 originally
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
fallbacks (123 new, 54 existing, 27 removed) generated in December
2016. Resolves ticket 20170.
o Minor features (hidden service):
- Stop being so strict about the payload length of "rendezvous1"
cells. We used to be locked in to the "TAP" handshake length, and
now we can handle better handshakes like "ntor". Resolves
ticket 18998.
o Minor features (infrastructure, time):
- Tor now includes an improved timer backend, so that we can
efficiently support tens or hundreds of thousands of concurrent
timers, as will be needed for some of our planned anti-traffic-
analysis work. This code is based on William Ahern's "timeout.c"
project, which implements a "tickless hierarchical timing wheel".
Closes ticket 18365.
- Tor now uses the operating system's monotonic timers (where
available) for internal fine-grained timing. Previously we would
look at the system clock, and then attempt to compensate for the
clock running backwards. Closes ticket 18908.
o Minor features (logging):
- Add a set of macros to check nonfatal assertions, for internal
use. Migrating more of our checks to these should help us avoid
needless crash bugs. Closes ticket 18613.
- Provide a more useful warning message when configured with an
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
- When dumping unparseable router descriptors, optionally store them
in separate files, named by digest, up to a configurable size
limit. You can change the size limit by setting the
MaxUnparseableDescSizeToLog option, and disable this feature by
setting that option to 0. Closes ticket 18322.
o Minor features (performance):
- Change the "optimistic data" extension from "off by default" to
"on by default". The default was ordinarily overridden by a
consensus option, but when clients were bootstrapping for the
first time, they would not have a consensus to get the option
from. Changing this default saves a round-trip during startup.
Closes ticket 18815.
o Minor features (relay, usability):
- When the directory authorities refuse a bad relay's descriptor,
encourage the relay operator to contact us. Many relay operators
won't notice this line in their logs, but it's a win if even a few
learn why we don't like what their relay was doing. Resolves
ticket 18760.
o Minor features (security, TLS):
- Servers no longer support clients that lack AES ciphersuites.
(3DES is no longer considered an acceptable cipher.) We believe
that no such Tor clients currently exist, since Tor has required
OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
o Minor features (testing):
- Disable memory protections on OpenBSD when performing our unit
tests for memwipe(). The test deliberately invokes undefined
behavior, and the OpenBSD protections interfere with this. Patch
from "rubiate". Closes ticket 20066.
- Move the test-network.sh script to chutney, and modify tor's test-
network.sh to call the (newer) chutney version when available.
Resolves ticket 19116. Patch by teor.
- Use the lcov convention for marking lines as unreachable, so that
we don't count them when we're generating test coverage data.
Update our coverage tools to understand this convention. Closes
ticket 16792.
- Our link-handshake unit tests now check that when invalid
handshakes fail, they fail with the error messages we expected.
- Our unit testing code that captures log messages no longer
prevents them from being written out if the user asked for them
(by passing --debug or --info or --notice or --warn to the "test"
binary). This change prevents us from missing unexpected log
messages simply because we were looking for others. Related to
ticket 19999.
- The unit tests now log all warning messages with the "BUG" flag.
Previously, they only logged errors by default. This change will
help us make our testing code more correct, and make sure that we
only hit this code when we mean to. In the meantime, however,
there will be more warnings in the unit test logs than before.
This is preparatory work for ticket 19999.
- The unit tests now treat any failure of a "tor_assert_nonfatal()"
assertion as a test failure.
- We've done significant work to make the unit tests run faster.
o Minor features (testing, ipv6):
- Add the hs-ipv6 chutney target to make test-network-all's IPv6
tests. Remove bridges+hs, as it's somewhat redundant. This
requires a recent chutney version that supports IPv6 clients,
relays, and authorities. Closes ticket 20069; patch by teor.
- Add the single-onion and single-onion-ipv6 chutney targets to
"make test-network-all". This requires a recent chutney version
with the single onion network flavors (git c72a652 or later).
Closes ticket 20072; patch by teor.
o Minor features (Tor2web):
- Make Tor2web clients respect ReachableAddresses. This feature was
inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
0.2.8.7. Implements feature 20034. Patch by teor.
o Minor features (unix domain sockets):
- When configuring a unix domain socket for a SocksPort,
ControlPort, or Hidden service, you can now wrap the address in
quotes, using C-style escapes inside the quotes. This allows unix
domain socket paths to contain spaces. Resolves ticket 18753.
o Minor features (user interface):
- Tor now supports the ability to declare options deprecated, so
that we can recommend that people stop using them. Previously, this
was done in an ad-hoc way. There is a new --list-deprecated-options
command-line option to list all of the deprecated options. Closes
ticket 19820.
o Minor features (virtual addresses):
- Increase the maximum number of bits for the IPv6 virtual network
prefix from 16 to 104. In this way, the condition for address
allocation is less restrictive. Closes ticket 20151; feature
on 0.2.4.7-alpha.
o Minor bug fixes (circuits):
- Use the CircuitBuildTimeout option whenever
LearnCircuitBuildTimeout is disabled. Previously, we would respect
the option when a user disabled it, but not when it was disabled
because some other option was set. Fixes bug 20073; bugfix on
0.2.4.12-alpha. Patch by teor.
o Minor bugfixes (build):
- The current Git revision when building from a local repository is
now detected correctly when using git worktrees. Fixes bug 20492;
bugfix on 0.2.3.9-alpha.
o Minor bugfixes (relay address discovery):
- Stop reordering IP addresses returned by the OS. This makes it
more likely that Tor will guess the same relay IP address every
time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
Reported by René Mayrhofer, patch by "cypherpunks".
o Minor bugfixes (memory allocation):
- Change how we allocate memory for large chunks on buffers, to
avoid a (currently impossible) integer overflow, and to waste less
space when allocating unusually large chunks. Fixes bug 20081;
bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.