[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor is out

Tor introduces a workaround for a critical renegotiation
bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
currently). It also fixes a variety of smaller bugs and other cleanups
that get us closer to a release candidate.

The workaround for the OpenSSL bug will be part of the upcoming
release too.


(Packages coming eventually.)

Changes in version - 2012-06-05
  o Major bugfixes (general):
    - Work around a bug in OpenSSL that broke renegotiation with TLS
      1.1 and TLS 1.2. Without this workaround, all attempts to speak
      the v2 Tor connection protocol when both sides were using OpenSSL
      1.0.1 would fail. Resolves ticket 6033.
    - When waiting for a client to renegotiate, don't allow it to add
      any bytes to the input buffer. This fixes a potential DoS issue.
      Fixes bugs 5934 and 6007; bugfix on
    - Pass correct OR address to managed proxies (like obfsproxy),
      even when ORListenAddress is used. Fixes bug 4865; bugfix on
    - The advertised platform of a router now includes only its operating
      system's name (e.g., "Linux", "Darwin", "Windows 7"), and not its
      service pack level (for Windows) or its CPU architecture (for Unix).
      We also no longer include the "git-XYZ" tag in the version. Resolves
      part of bug 2988.

  o Major bugfixes (clients):
    - If we are unable to find any exit that supports our predicted ports,
      stop calling them predicted, so that we don't loop and build
      hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6,
      which introduced predicted ports.
    - Fix an edge case where if we fetch or publish a hidden service
      descriptor, we might build a 4-hop circuit and then use that circuit
      for exiting afterwards -- even if the new last hop doesn't obey our
      ExitNodes config option. Fixes bug 5283; bugfix on
    - Check at each new consensus whether our entry guards were picked
      long enough ago that we should rotate them. Previously, we only
      did this check at startup, which could lead to us holding a guard
      indefinitely. Fixes bug 5380; bugfix on
    - When fetching a bridge descriptor from a bridge authority,
      always do so anonymously, whether we have been able to open
      circuits or not. Partial fix for bug 1938; bugfix on 2.0.7-alpha.
      This behavior makes it *safer* to use UpdateBridgesFromAuthority,
      but we'll need to wait for bug 6010 before it's actually usable.

  o Major bugfixes (directory authorities):
    - When computing weight parameters, behave more robustly in the
      presence of a bad bwweightscale value. Previously, the authorities
      would crash if they agreed on a sufficiently broken weight_scale
      value: now, they use a reasonable default and carry on. Partial
      fix for 5786; bugfix on
    - Check more thoroughly to prevent a rogue authority from
      double-voting on any consensus directory parameter. Previously,
      authorities would crash in this case if the total number of
      votes for any parameter exceeded the number of active voters,
      but would let it pass otherwise. Partial fix for bug 5786; bugfix

  o Minor features:
    - Rate-limit log messages when asked to connect anonymously to
      a private address. When these hit, they tended to hit fast and
      often. Also, don't bother trying to connect to addresses that we
      are sure will resolve to getting in a directory
      reply makes us think we have been lied to, even when the address the
      client tried to connect to was "localhost." Resolves ticket 2822.
    - Allow packagers to insert an extra string in server descriptor
      platform lines by setting the preprocessor variable TOR_BUILD_TAG.
      Resolves the rest of ticket 2988.
    - Raise the threshold of server descriptors needed (75%) and exit
      server descriptors needed (50%) before we will declare ourselves
      bootstrapped. This will make clients start building circuits a
      little later, but makes the initially constructed circuits less
      skewed and less in conflict with further directory fetches. Fixes
      ticket 3196.
    - Close any connection that sends unrecognized junk before the
      handshake. Solves an issue noted in bug 4369.
    - Improve log messages about managed transports. Resolves ticket 5070.
    - Tag a bridge's descriptor as "never to be sent unencrypted".
      This shouldn't matter, since bridges don't open non-anonymous
      connections to the bridge authority and don't allow unencrypted
      directory connections from clients, but we might as well make
      sure. Closes bug 5139.
    - Expose our view of whether we have gone dormant to the controller,
      via a new "GETINFO dormant" value. Torbutton and other controllers
      can use this to avoid doing periodic requests through Tor while
      it's dormant (bug 4718). Fixes bug 5954.
    - Tell GCC and Clang to check for any errors in format strings passed
      to the tor_v*(print|scan)f functions.
    - Update to the May 1 2012 Maxmind GeoLite Country database.

  o Minor bugfixes (already included in
    - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
      Fixes bug 5346; bugfix on 0.0.8pre3.
    - Correct parsing of certain date types in parse_http_time().
      Without this patch, If-Modified-Since would behave
      incorrectly. Fixes bug 5346; bugfix on Patch from
      Esteban Manchado Velázques.
    - Make our number-parsing functions always treat too-large values
      as an error, even when those values exceed the width of the
      underlying type. Previously, if the caller provided these
      functions with minima or maxima set to the extreme values of the
      underlying integer type, these functions would return those
      values on overflow rather than treating overflow as an error.
      Fixes part of bug 5786; bugfix on 0.0.9.
    - If we hit the error case where routerlist_insert() replaces an
      existing (old) server descriptor, make sure to remove that
      server descriptor from the old_routers list. Fix related to bug
      1776. Bugfix on
    - Clarify the behavior of MaxCircuitDirtiness with hidden service
      circuits. Fixes issue 5259.

  o Minor bugfixes (coding cleanup, on 0.2.2.x and earlier):
    - Prevent a null-pointer dereference when receiving a data cell
      for a nonexistent stream when the circuit in question has an
      empty deliver window. We don't believe this is triggerable,
      since we don't currently allow deliver windows to become empty,
      but the logic is tricky enough that it's better to make the code
      robust. Fixes bug 5541; bugfix on 0.0.2pre14.
    - Fix a memory leak when trying to launch a DNS request when the
      network is disabled or the nameservers are unconfigurable. Fixes
      bug 5916; bugfix on Tor (for the unconfigurable
      nameserver case) and on (for the DisableNetwork case).
    - Don't hold a windows file handle open for every file mapping;
      the file mapping handle is sufficient. Fixes bug 5951; bugfix on
    - Avoid O(n^2) performance characteristics when parsing a large
      extrainfo cache. Fixes bug 5828; bugfix on
    - Format more doubles with %f, not %lf. Patch from grarpamp to make
      Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on
    - Make our replacement implementation of strtok_r() compatible with
      the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091;
      bugfix on
    - Fix a NULL-pointer dereference on a badly formed
      SETCIRCUITPURPOSE command. Found by mikeyc. Fixes bug 5796;
      bugfix on
    - Fix a build warning with Clang 3.1 related to our use of vasprint.
      Fixes bug 5969. Bugfix on
    - Defensively refactor rend_mid_rendezvous() so that protocol
      violations and length checks happen in the beginning. Fixes
      bug 5645.
    - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so
      that IPv6 stuff will compile on MSVC, and compilation issues
      will be easier to track down. Fixes bug 5861.

  o Minor bugfixes (correctness, on 0.2.2.x and earlier):
    - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as
      resource exhaustion, so that clients can adjust their load to
      try other exits. Fixes bug 4710; bugfix on, which
    - Don't check for whether the address we're using for outbound
      connections has changed until after the outbound connection has
      completed. On Windows, getsockname() doesn't succeed until the
      connection is finished. Fixes bug 5374; bugfix on
    - If the configuration tries to set MyFamily on a bridge, refuse to
      do so, and warn about the security implications. Fixes bug 4657;
      bugfix on
    - If the client fails to set a reasonable set of ciphersuites
      during its v2 handshake renegotiation, allow the renegotiation to
      continue nevertheless (i.e. send all the required certificates).
      Fixes bug 4591; bugfix on
    - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP
      option is set to 0 (which Vidalia version 0.2.16 now does when
      a SAVECONF attempt fails), perform other actions that SIGHUP
      usually causes (like reopening the logs). Fixes bug 5095; bugfix
    - If we fail to write a microdescriptor to the disk cache, do not
      continue replacing the old microdescriptor file. Fixes bug 2954;
      bugfix on
    - Exit nodes don't need to fetch certificates for authorities that
      they don't recognize; only directory authorities, bridges,
      and caches need to do that. Fixes part of bug 2297; bugfix on
    - Correctly handle checking the permissions on the parent
      directory of a control socket in the root directory. Bug found
      by Esteban Manchado Vel�¡zquez. Fixes bug 5089; bugfix on Tor
    - When told to add a bridge with the same digest as a preexisting
      bridge but a different addr:port, change the addr:port as
      requested. Previously we would not notice the change. Fixes half
      of bug 5603; fix on
    - End AUTHCHALLENGE error messages (in the control protocol) with
      a CRLF. Fixes bug 5760; bugfix on and

  o Minor bugfixes (on 0.2.3.x):
    - Turn an assertion (that the number of handshakes received as a
      server is not < 1) into a warning. Fixes bug 4873; bugfix on
    - Format IPv4 addresses correctly in ADDRMAP events. (Previously,
      we had reversed them when the answer was cached.) Fixes bug
      5723; bugfix on
    - Work correctly on Linux systems with accept4 support advertised in
      their headers, but without accept4 support in the kernel. Fix
      by murb. Fixes bug 5762; bugfix on
    - When told to add a bridge with the same addr:port as a preexisting
      bridge but a different transport, change the transport as
      requested. Previously we would not notice the change. Fixes half
      of bug 5603; fix on
    - Avoid a "double-reply" warning when replying to a SOCKS request
      with a parse error. Patch from Fabian Keil. Fixes bug 4108;
      bugfix on
    - Fix a bug where a bridge authority crashes if it has seen no
      directory requests when it's time to write statistics to disk.
      Fixes bug 5891; bugfix on Also fixes bug 5508 in
      a better way.
    - Don't try to open non-control listeners when DisableNetwork is set.
      Previously, we'd open all listeners, then immediately close them.
      Fixes bug 5604; bugfix on
    - Don't abort the managed proxy protocol if the managed proxy
      sends us an unrecognized line; ignore it instead. Fixes bug
      5910; bugfix on
    - Fix a compile warning in crypto.c when compiling with clang 3.1.
      Fixes bug 5969, bugfix on
    - Fix a compilation issue on GNU Hurd, which doesn't have PATH_MAX.
      Fixes bug 5355; bugfix on
    - Remove bogus definition of "_WIN32" from src/win32/orconfig.h, to
      unbreak the MSVC build. Fixes bug 5858; bugfix on
    - Resolve numerous small warnings and build issues with MSVC. Resolves
      bug 5859.

  o Documentation fixes:
    - Improve the manual's documentation for the NT Service command-line
      options. Addresses ticket 3964.
    - Clarify SessionGroup documentation slightly; resolves ticket 5437.
    - Document the changes to the ORPort and DirPort options, and the
      fact that {OR/Dir}ListenAddress is now unnecessary (and
      therefore deprecated). Resolves ticket 5597.

  o Removed files:
    - Remove the torrc.bridge file: we don't use it for anything, and
      it had become badly desynchronized from torrc.sample. Resolves
      bug 5622.

Attachment: signature.asc
Description: Digital signature

tor-talk mailing list