[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Tor and are out

These are the next two development snapshots for the 0.2.0.x series. We've
had them ready for a week or so, but I delayed the official announce
since we didn't have all the packages ready.

Tor fixes a critical security vulnerability for most users,
specifically those running Vidalia, TorK, etc. Everybody should upgrade
to either or

Tor introduces new experimental blocking-resistance
features and a preliminary version of the v3 directory voting design,
and includes many other smaller features and bugfixes.


Changes in version - 2007-08-01
  o Major security fixes:
    - Close immediately after missing authentication on control port;
      do not allow multiple authentication attempts.

  o Major bugfixes (compilation):
    - Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already
      defined there.

  o Minor features (performance):
    - Be even more aggressive about releasing RAM from small
      empty buffers. Thanks to our free-list code, this shouldn't be too
    - Disable sentinel-based debugging for buffer code: we squashed all
      the bugs that this was supposed to detect a long time ago, and
      now its only effect is to change our buffer sizes from nice
      powers of two (which platform mallocs tend to like) to values
      siightly over powers of two (which make some platform mallocs sad).
    - Log malloc statistics from mallinfo() on platforms where it

Changes in version - 2007-07-29
  o Major features:
    - The first pieces of our "bridge" design for blocking-resistance
      are implemented. People can run bridge directory authorities;
      people can run bridges; and people can configure their Tor clients
      with a set of bridges to use as the first hop into the Tor network.
      See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for
    - Create listener connections before we setuid to the configured
      User and Group. Now non-Windows users can choose port values
      under 1024, start Tor as root, and have Tor bind those ports
      before it changes to another UID. (Windows users could already
      pick these ports.)
    - Added a new ConstrainedSockets config option to set SO_SNDBUF and
      SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
      on "vserver" accounts. (Patch from coderman.)
    - Be even more aggressive about separating local traffic from relayed
      traffic when RelayBandwidthRate is set. (Refines proposal 111.)

  o Major features (experimental):
    - First cut of code for "v3 dir voting": directory authorities will
      vote on a common network status document rather than each publishing
      their own opinion. This code needs more testing and more corner-case
      handling before it's ready for use.

  o Security fixes:
    - Directory authorities now call routers Fast if their bandwidth is
      at least 100KB/s, and consider their bandwidth adequate to be a
      Guard if it is at least 250KB/s, no matter the medians. This fix
      complements proposal 107. [Bugfix on 0.1.2.x]
    - Directory authorities now never mark more than 3 servers per IP as
      Valid and Running. (Implements proposal 109, by Kevin Bauer and
      Damon McCoy.)
    - Minor change to organizationName and commonName generation
      procedures in TLS certificates during Tor handshakes, to invalidate
      some earlier censorware approaches. This is not a long-term
      solution, but applying it will give us a bit of time to look into
      the epidemiology of countermeasures as they spread.

  o Major bugfixes (directory):
    - Rewrite directory tokenization code to never run off the end of
      a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]

  o Minor features (controller):
    - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
      match requests to applications. (Patch from Robert Hogan.)
    - Report address and port correctly on connections to DNSPort. (Patch
      from Robert Hogan.)
    - Add a RESOLVE command to launch hostname lookups. (Original patch
      from Robert Hogan.)
    - Add GETINFO status/enough-dir-info to let controllers tell whether
      Tor has downloaded sufficient directory information. (Patch
      from Tup.)
    - You can now use the ControlSocket option to tell Tor to listen for
      controller connections on Unix domain sockets on systems that
      support them. (Patch from Peter Palfrader.)
    - STREAM NEW events are generated for DNSPort requests and for
      tunneled directory connections. (Patch from Robert Hogan.)
    - New "GETINFO address-mappings/*" command to get address mappings
      with expiry information. "addr-mappings/*" is now deprecated.
      (Patch from Tup.)

  o Minor features (misc):
    - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
      from croup.)
    - The tor-gencert tool for v3 directory authorities now creates all
      files as readable to the file creator only, and write-protects
      the authority identity key.
    - When dumping memory usage, list bytes used in buffer memory
    - When running with dmalloc, dump more stats on hup and on exit.
    - Directory authorities now fail quickly and (relatively) harmlessly
      if they generate a network status document that is somehow

  o Traffic load balancing improvements:
    - If exit bandwidth ever exceeds one third of total bandwidth, then
      use the correct formula to weight exit nodes when choosing paths.
      (Based on patch from Mike Perry.)
    - Choose perfectly fairly among routers when choosing by bandwidth and
      weighting by fraction of bandwidth provided by exits. Previously, we
      would choose with only approximate fairness, and correct ourselves
      if we ran off the end of the list. [Bugfix on 0.1.2.x]

  o Performance improvements:
    - Be more aggressive with freeing buffer RAM or putting it on the
      memory free lists.
    - Use Critical Sections rather than Mutexes for synchronizing threads
      on win32; Mutexes are heavier-weight, and designed for synchronizing
      between processes.

  o Deprecated and removed features:
    - RedirectExits is now deprecated.
    - Stop allowing address masks that do not correspond to bit prefixes.
      We have warned about these for a really long time; now it's time
      to reject them. (Patch from croup.)

  o Minor bugfixes (directory):
    - Fix another crash bug related to extra-info caching. (Bug found by
      Peter Palfrader.) [Bugfix on]
    - Directories no longer return a "304 not modified" when they don't
      have the networkstatus the client asked for. Also fix a memory
      leak when returning 304 not modified. [Bugfixes on]
    - We had accidentally labelled 0.1.2.x directory servers as not
      suitable for begin_dir requests, and had labelled no directory
      servers as suitable for uploading extra-info documents. [Bugfix

  o Minor bugfixes (dns):
    - Fix a crash when DNSPort is set more than once. (Patch from Robert
      Hogan.) [Bugfix on]
    - Add DNSPort connections to the global connection list, so that we
      can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
    - Fix a dangling reference that could lead to a crash when DNSPort is
      changed or closed (Patch from Robert Hogan.) [Bugfix on]

  o Minor bugfixes (controller):
    - Provide DNS expiry times in GMT, not in local time. For backward
      compatibility, ADDRMAP events only provide GMT expiry in an extended
      field. "GETINFO address-mappings" always does the right thing.
    - Use CRLF line endings properly in NS events.
    - Terminate multi-line control events properly. (Original patch
      from tup.) [Bugfix on 0.1.2.x-alpha]
    - Do not include spaces in SOURCE_ADDR fields in STREAM
      events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]

Attachment: signature.asc
Description: Digital signature