"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "ChangeLog" between
tor-0.4.6.4-rc.tar.gz and tor-0.4.6.5.tar.gz

About: Tor is an anonymous Internet communication system - a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.

ChangeLog  (tor-0.4.6.4-rc):ChangeLog  (tor-0.4.6.5)
Changes in version 0.4.6.5 - 2021-06-14
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
series includes numerous features and bugfixes, including a significant
improvement to our circuit timeout algorithm that should improve
observed client performance, and a way for relays to report when they are
overloaded.
This release also includes security fixes for several security issues,
including a denial-of-service attack against onion service clients,
and another denial-of-service attack against relays. Everybody should
upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
Below are the changes since 0.4.6.4-rc. For a complete list of changes
since 0.4.5.8, see the ReleaseNotes file.
o Major bugfixes (security):
- Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
half-closed streams. Previously, clients failed to validate which
hop sent these cells: this would allow a relay on a circuit to end
a stream that wasn't actually built with it. Fixes bug 40389;
bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
003 and CVE-2021-34548.
o Major bugfixes (security, defense-in-depth):
- Detect more failure conditions from the OpenSSL RNG code.
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.
Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation. Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
o Major bugfixes (security, denial of service):
- Resist a hashtable-based CPU denial-of-service attack against
relays. Previously we used a naive unkeyed hash function to look
up circuits in a circuitmux object. An attacker could exploit this
to construct circuits with chosen circuit IDs, to create
collisions and make the hash table inefficient. Now we use a
SipHash construction here instead. Fixes bug 40391; bugfix on
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- Fix an out-of-bounds memory access in v3 onion service descriptor
parsing. An attacker could exploit this bug by crafting an onion
service descriptor that would crash any client that tried to visit
it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
Glazunov from Google's Project Zero.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/06/10.
o Minor features (logging, diagnostic):
- Log decompression failures at a higher severity level, since they
can help provide missing context for other warning messages. We
rate-limit these messages, to avoid flooding the logs if they
begin to occur frequently. Closes ticket 40175.
Changes in version 0.4.6.4-rc - 2021-05-28 Changes in version 0.4.6.4-rc - 2021-05-28
Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope, Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope,
the final release candidate in its series: unless major new issues are the final release candidate in its series: unless major new issues are
found, the next release will be stable. found, the next release will be stable.
o Minor features (compatibility): o Minor features (compatibility):
- Remove an assertion function related to TLS renegotiation. It was - Remove an assertion function related to TLS renegotiation. It was
used nowhere outside the unit tests, and it was breaking used nowhere outside the unit tests, and it was breaking
compilation with recent alpha releases of OpenSSL 3.0.0. Closes compilation with recent alpha releases of OpenSSL 3.0.0. Closes
ticket 40399. ticket 40399.
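Review bot: In the 40389 entry the tracker id is split across the line wrap as "TROVE-2021-" / "003", so a search of the ChangeLog for TROVE-2021-003 will miss it; keep the identifier on one line, as the 004, 005 and 006 entries do. The same entry says "RELAY_END or RELAY_RESOLVED cell" where "cells" is meant, and it is the only one of the four security entries without a "Reported by" credit, which is worth confirming as intentional. In the opening paragraph, "security fixes for several security issues" is redundant, and the Jann Horn credit reads "at Google's Project Zero" under 40390 but "from Google's Project Zero" under 40391; pick one form.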
skipping to change at line 36 skipping to change at line 94
o Minor bugfixes (metrics port): o Minor bugfixes (metrics port):
- Fix a bug that made tor try to re-bind() on an already open - Fix a bug that made tor try to re-bind() on an already open
MetricsPort every 60 seconds. Fixes bug 40370; bugfix MetricsPort every 60 seconds. Fixes bug 40370; bugfix
on 0.4.5.1-alpha. on 0.4.5.1-alpha.
o Removed features: o Removed features:
- Remove unneeded code for parsing private keys in directory - Remove unneeded code for parsing private keys in directory
documents. This code was only used for client authentication in v2 documents. This code was only used for client authentication in v2
onion services, which are now unsupported. Closes ticket 40374. onion services, which are now unsupported. Closes ticket 40374.
Changes in version 0.4.5.8 - 2021-05-10
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
from the 0.4.6.x series.
o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-
rc):
- Add a workaround to enable the Linux sandbox to work correctly
with Glibc 2.33. This version of Glibc has started using the
fstatat() system call, which previously our sandbox did not allow.
Closes ticket 40382; see the ticket for a discussion of trade-offs.
o Minor features (compilation, backport from 0.4.6.3-rc):
- Make the autoconf script build correctly with autoconf versions
2.70 and later. Closes part of ticket 40335.
o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
- Regenerate the list of fallback directories to contain a new set
of 200 relays. Closes ticket 40265.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/05/07.
o Minor features (onion services):
- Add warning message when connecting to now deprecated v2 onion
services. As announced, Tor 0.4.5.x is the last series that will
support v2 onions. Closes ticket 40373.
o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
- Fix a regression that made it impossible start Tor using a bridge
line with a transport name and no fingerprint. Fixes bug 40360;
bugfix on 0.4.5.4-rc.
o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
- Allow a custom "ar" for cross-compilation. Our previous build
script had used the $AR environment variable in most places, but
it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
- Fix a non-fatal BUG() message due to a too-early free of a string,
when listing a client connection from the DoS defenses subsystem.
Fixes bug 40345; bugfix on 0.4.3.4-rc.
o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
- Fix an indentation problem that led to a warning from GCC 11.1.1.
Fixes bug 40380; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
- Fix a "BUG" warning that would appear when a controller chooses
the first hop for a circuit, and that circuit completes. Fixes bug
40285; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc
):
- Fix a bug where an expired cached descriptor could get overwritten
with a new one without freeing it, leading to a memory leak. Fixes
bug 40356; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
- Fix pattern-matching errors when patterns expand to invalid paths
on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
Daniel Pinto.
Changes in version 0.4.6.3-rc - 2021-05-10 Changes in version 0.4.6.3-rc - 2021-05-10
Tor 0.4.6.3-rc is the first release candidate in its series. It fixes Tor 0.4.6.3-rc is the first release candidate in its series. It fixes
a few small bugs from previous versions, and adds a better error a few small bugs from previous versions, and adds a better error
message when trying to use (no longer supported) v2 onion services. message when trying to use (no longer supported) v2 onion services.
Though we anticipate that we'll be doing a bit more clean-up between Though we anticipate that we'll be doing a bit more clean-up between
now and the stable release, we expect that our remaining changes will now and the stable release, we expect that our remaining changes will
be fairly simple. There will likely be at least one more release be fairly simple. There will likely be at least one more release
candidate before 0.4.6.x is stable. candidate before 0.4.6.x is stable.
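Review bot: The seccomp sandbox entry (ticket 40382) says Glibc 2.33 uses fstatat(), "which previously our sandbox did not allow", but sends the reader to the ticket for the trade-offs; since the workaround changes what the sandbox accepts in a stable backport, the entry itself should state in one line what is now permitted. Two category headers are also broken mid-token by the wrap ("backport from 0.4.6.3-" / "rc):" and "backport from 0.4.6.3-rc" / "):"), and there are two typos: "several bugs in earlier version" should read "versions", and "made it impossible start Tor" is missing "to".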
 End of changes. 2 change blocks. 
0 lines changed or deleted 121 lines changed or added
