Tor 0.2.3.17-beta enables compiler and linker hardening by default, gets our TLS handshake back on track for being able to blend in with Firefox, fixes a big bug in 0.2.3.16-alpha that broke Tor's interaction with Vidalia, and otherwise continues to get us closer to a release candidate.

https://www.torproject.org/download/download
(Packages coming eventually.)

Changes in version 0.2.3.17-beta - 2012-06-15
  o Major features:
    - Enable gcc and ld hardening by default. Resolves ticket 5210.
    - Update TLS cipher list to match Firefox 8 and later. Resolves
      ticket 4744.
    - Implement the client side of proposal 198: remove support for
      clients falsely claiming to support standard ciphersuites that
      they can't actually provide. As of modern OpenSSL versions, it's
      not necessary to fake any standard ciphersuite, and doing so
      prevents us from using better ciphersuites in the future, since
      servers can't know whether an advertised ciphersuite is really
      supported or not. Some hosts -- notably, ones with very old
      versions of OpenSSL or where OpenSSL has been built with ECC
      disabled -- will stand out because of this change; TBB users
      should not be affected.

  o Major bugfixes:
    - Change the default value for DynamicDHGroups (introduced in
      0.2.3.9-alpha) to 0. This feature can make Tor relays less
      identifiable by their use of the mod_ssl DH group, but at the
      cost of some usability (#4721) and bridge tracing (#6087)
      regressions. Resolves ticket 5598.
    - Send a CRLF at the end of each STATUS_* control protocol event.
      This bug tickled a bug in Vidalia which would make it freeze.
      Fixes bug 6094; bugfix on 0.2.3.16-alpha.

  o Minor bugfixes:
    - Disable writing on marked-for-close connections when they are
      blocked on bandwidth, to prevent busy-looping in Libevent. Fixes
      bug 5263; bugfix on 0.0.2pre13, where we first added a special
      case for flushing marked connections.
    - Detect SSL handshake even when the initial attempt to write the
      server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha.
    - Change the AllowDotExit rules so they should actually work. We
      now enforce AllowDotExit only immediately after receiving an
      address via SOCKS or DNSPort: other sources are free to provide
      .exit addresses after the resolution occurs. Fixes bug 3940;
      bugfix on 0.2.2.1-alpha.
    - Fix a (harmless) integer overflow in cell statistics reported by
      some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha.
    - Make sure circuitbuild.c checks LearnCircuitBuildTimeout in all
      the right places and never depends on the consensus parameters
      or computes adaptive timeouts when it is disabled. Fixes bug
      5049; bugfix on 0.2.2.14-alpha.
    - When building Tor on Windows with -DUNICODE (not default), ensure
      that error messages, filenames, and DNS server names are always
      NUL-terminated when we convert them to a single-byte encoding.
      Fixes bug 5909; bugfix on 0.2.2.16-alpha.
    - Make Tor build correctly again with -DUNICODE -D_UNICODE defined.
      Fixes bug 6097; bugfix on 0.2.2.16-alpha.
    - Fix an edge case where TestingTorNetwork is set but the
      authorities and relays all have an uptime of zero, where the
      private Tor network could briefly lack support for hidden
      services. Fixes bug 3886; bugfix on 0.2.2.18-alpha.
    - Correct the manpage's descriptions for the default values of
      DirReqStatistics and ExtraInfoStatistics. Fixes bug 2865; bugfix
      on 0.2.3.1-alpha.
    - Fix the documentation for the --hush and --quiet command line
      options, which changed their behavior back in 0.2.3.3-alpha.
    - Fix compilation warning with clang 3.1. Fixes bug 6141; bugfix on
      0.2.3.11-alpha.

  o Minor features:
    - Rate-limit the "Weighted bandwidth is 0.000000" message, and add
      more information to it, so that we can track it down in case it
      returns again. Mitigates bug 5235.
    - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
      options_validate(); warn if LearnCircuitBuildTimeout is disabled
      and CircuitBuildTimeout is set unreasonably low. Resolves ticket
      5452.
    - Warn the user when HTTPProxy, but no other proxy type, is
      configured. This can cause surprising behavior: it doesn't send
      all of Tor's traffic over the HTTPProxy -- it sends unencrypted
      directory traffic only. Resolves ticket 4663.
    - Issue a notice if a guard completes less than 40% of your
      circuits. Threshold is configurable by torrc option
      PathBiasNoticeRate and consensus parameter pb_noticepct. There is
      additional, off-by-default code to disable guards which fail too
      many circuits. Addresses ticket 5458.
    - Update to the June 6 2012 Maxmind GeoLite Country database.

  o Code simplifications and refactoring:
    - Remove validate_pluggable_transports_config(): its warning
      message is now handled by connection_or_connect().
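The first item above turns on gcc and ld hardening by default but names no flags, so a packager or auditor will want a way to confirm what the built binary actually carries. The following is an added example, not Tor's own code or build script: it reads an ELF64 image's header and program headers and reports the three properties that hardening flags leave visible there, PIE (ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (a PT_GNU_RELRO segment). The header-only sample image built by build_minimal_elf is constructed for the test and is not a runnable program; stack canaries and FORTIFY_SOURCE leave no header trace and are not checked here.

```python
"""Report PIE / NX-stack / RELRO for an ELF64 little-endian image."""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3

EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"          # ELF64 program header (56 bytes)


def inspect_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'nx_stack': bool, 'relro': bool}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # No PT_GNU_STACK header means the loader falls back to an executable
    # stack on x86, so "absent" is reported as not hardened.
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def missing_hardening(result: dict) -> list:
    """Names of the checked properties that the image lacks."""
    return [name for name in ("pie", "nx_stack", "relro") if not result[name]]


def build_minimal_elf(pie: bool, nx_stack: bool, relro: bool) -> bytes:
    """Construct a header-only ELF64 image (sample input, not a program)
    carrying exactly the markers inspect_elf reads."""
    stack_flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/tor [more binaries...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flags = inspect_elf(fh.read())
        print(path, flags, "missing:", missing_hardening(flags) or "none")
    if not sys.argv[1:]:
        print("constructed sample:", inspect_elf(build_minimal_elf(True, True, True)))
```

Run it against the installed tor binary after a build; an empty "missing" list is what the new default should produce. Canary and FORTIFY checks need the dynamic symbol table (presence of __stack_chk_fail and the __*_chk variants), which is a separate inspection.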
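The STATUS_* bugfix (bug 6094) is easier to appreciate with a reader on the controller side in hand. The following is an added example written for this note, not Vidalia's or Tor's code: a line-oriented reader for control-port replies following the wire format (3-digit status, one-character delimiter, text, CRLF; '+' opens a data block closed by a lone '.'; asynchronous events use status 650). The event bytes in missing_crlf_demo are constructed. It shows what such a reader sees when an event arrives without its terminator: nothing is delivered until more bytes come, and the next reply is glued onto the event's tail, so the controller never sees the "250 OK" it is waiting for.

```python
"""Line-oriented reader for Tor control-port replies."""
import re

LINE_RE = re.compile(rb"^(\d{3})([ +-])(.*)$")


class ControlReader:
    def __init__(self):
        self._buf = b""
        self._in_data = False

    def feed(self, data: bytes) -> list:
        """Append bytes and return every complete line as
        (status, delimiter, text); lines inside a '+' data block are
        returned as (None, "data", text). Bytes that are not yet followed
        by CRLF stay buffered in self.pending."""
        self._buf += data
        lines = []
        while b"\r\n" in self._buf:
            raw, self._buf = self._buf.split(b"\r\n", 1)
            if self._in_data:
                if raw == b".":          # end of data block
                    self._in_data = False
                else:
                    lines.append((None, "data", raw.decode("utf-8", "replace")))
                continue
            m = LINE_RE.match(raw)
            if not m:
                raise ValueError(f"malformed control line: {raw!r}")
            status = int(m.group(1))
            delim = m.group(2).decode()
            text = m.group(3).decode("utf-8", "replace")
            if delim == "+":
                self._in_data = True
            lines.append((status, delim, text))
        return lines

    @property
    def pending(self) -> bytes:
        """Bytes received so far that do not yet form a complete line."""
        return self._buf


def is_async_event(line) -> bool:
    """650 is the status code the control protocol uses for events."""
    return line[0] == 650


def missing_crlf_demo() -> list:
    """Reproduce the failure mode: an event written without CRLF is
    glued to the following reply, so the reader returns a single 650
    line and the '250 OK' is lost."""
    reader = ControlReader()
    event = b'650 STATUS_CLIENT NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
    assert reader.feed(event) == []      # no terminator yet: nothing delivered
    return reader.feed(b"250 OK\r\n")    # one 650 line with '250 OK' on its tail
```

A controller that blocks until it sees a final-line reply for its last command therefore stalls on the version with the missing CRLF, which is the shape of the freeze the changelog describes.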
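The path-bias notice in the Minor features list is a per-guard success-rate check; the following is an added example of that check as standalone code, not Tor's implementation. It uses the 40% figure from the changelog as the default PathBiasNoticeRate, converts the consensus parameter pb_noticepct from a percentage to a fraction (that conversion, the minimum number of circuits before a guard is judged, and the GUARD_* identifiers in the sample outcomes are this example's own assumptions and constructed data).

```python
"""Flag guards whose circuit completion rate falls below a threshold."""
from collections import defaultdict


def guard_stats(outcomes) -> dict:
    """outcomes: iterable of (guard_id, completed: bool).
    Returns {guard_id: (completed, total)}."""
    stats = defaultdict(lambda: [0, 0])
    for guard, completed in outcomes:
        stats[guard][1] += 1
        if completed:
            stats[guard][0] += 1
    return {guard: tuple(counts) for guard, counts in stats.items()}


def notice_rate_from_consensus(pb_noticepct: int) -> float:
    """pb_noticepct is expressed as a percentage (assumed here)."""
    return pb_noticepct / 100.0


def path_bias_notices(outcomes, notice_rate=0.40, min_circuits=20) -> list:
    """Guards with fewer than notice_rate of their circuits completed,
    once at least min_circuits have been attempted (min_circuits is an
    assumed value, not one from the changelog). Returns
    (guard, completed, total, rate) tuples sorted by guard id."""
    notices = []
    for guard, (done, total) in sorted(guard_stats(outcomes).items()):
        if total < min_circuits:
            continue  # too few samples to judge this guard yet
        rate = done / total
        if rate < notice_rate:
            notices.append((guard, done, total, rate))
    return notices


def format_notices(outcomes, **kwargs) -> list:
    """Human-readable notice lines for each flagged guard."""
    return [f"Notice: guard {g} completed {d}/{t} circuits ({r:.0%})"
            for g, d, t, r in path_bias_notices(outcomes, **kwargs)]


# Constructed sample: hypothetical guard identifiers and outcomes.
SAMPLE_OUTCOMES = (
    [("GUARD_A", True)] * 8 + [("GUARD_A", False)] * 12   # 40%: at threshold, no notice
    + [("GUARD_B", True)] * 6 + [("GUARD_B", False)] * 14  # 30%: notice
    + [("GUARD_C", True)] * 1 + [("GUARD_C", False)] * 4   # 5 circuits: too few to judge
)

if __name__ == "__main__":
    for line in format_notices(SAMPLE_OUTCOMES):
        print(line)
```

The minimum-sample guard matters in practice: without it a fresh guard that fails its first two circuits would be flagged immediately, which is noise rather than evidence of path bias.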
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk