Tor 0.2.3.17-beta enables compiler and linker hardening by default, gets our TLS handshake back on track for being able to blend in with Firefox, fixes a big bug in 0.2.3.16-alpha that broke Tor's interaction with Vidalia, and otherwise continues to get us closer to a release candidate. https://www.torproject.org/download/download (Packages coming eventually.) Changes in version 0.2.3.17-beta - 2012-06-15 o Major features: - Enable gcc and ld hardening by default. Resolves ticket 5210. - Update TLS cipher list to match Firefox 8 and later. Resolves ticket 4744. - Implement the client side of proposal 198: remove support for clients falsely claiming to support standard ciphersuites that they can actually provide. As of modern OpenSSL versions, it's not necessary to fake any standard ciphersuite, and doing so prevents us from using better ciphersuites in the future, since servers can't know whether an advertised ciphersuite is really supported or not. Some hosts -- notably, ones with very old versions of OpenSSL or where OpenSSL has been built with ECC disabled -- will stand out because of this change; TBB users should not be affected. o Major bugfixes: - Change the default value for DynamicDHGroups (introduced in 0.2.3.9-alpha) to 0. This feature can make Tor relays less identifiable by their use of the mod_ssl DH group, but at the cost of some usability (#4721) and bridge tracing (#6087) regressions. Resolves ticket 5598. - Send a CRLF at the end of each STATUS_* control protocol event. This bug tickled a bug in Vidalia which would make it freeze. Fixes bug 6094; bugfix on 0.2.3.16-alpha. o Minor bugfixes: - Disable writing on marked-for-close connections when they are blocked on bandwidth, to prevent busy-looping in Libevent. Fixes bug 5263; bugfix on 0.0.2pre13, where we first added a special case for flushing marked connections. - Detect SSL handshake even when the initial attempt to write the server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha. - Change the AllowDotExit rules so they should actually work. We now enforce AllowDotExit only immediately after receiving an address via SOCKS or DNSPort: other sources are free to provide .exit addresses after the resolution occurs. Fixes bug 3940; bugfix on 0.2.2.1-alpha. - Fix a (harmless) integer overflow in cell statistics reported by some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha. - Make sure circuitbuild.c checks LearnCircuitBuildTimeout in all the right places and never depends on the consensus parameters or computes adaptive timeouts when it is disabled. Fixes bug 5049; bugfix on 0.2.2.14-alpha. - When building Tor on Windows with -DUNICODE (not default), ensure that error messages, filenames, and DNS server names are always NUL-terminated when we convert them to a single-byte encoding. Fixes bug 5909; bugfix on 0.2.2.16-alpha. - Make Tor build correctly again with -DUNICODE -D_UNICODE defined. Fixes bug 6097; bugfix on 0.2.2.16-alpha. - Fix an edge case where TestingTorNetwork is set but the authorities and relays all have an uptime of zero, where the private Tor network could briefly lack support for hidden services. Fixes bug 3886; bugfix on 0.2.2.18-alpha. - Correct the manpage's descriptions for the default values of DirReqStatistics and ExtraInfoStatistics. Fixes bug 2865; bugfix on 0.2.3.1-alpha. - Fix the documentation for the --hush and --quiet command line options, which changed their behavior back in 0.2.3.3-alpha. - Fix compilation warning with clang 3.1. Fixes bug 6141; bugfix on 0.2.3.11-alpha. o Minor features: - Rate-limit the "Weighted bandwidth is 0.000000" message, and add more information to it, so that we can track it down in case it returns again. Mitigates bug 5235. - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in options_validate(); warn if LearnCircuitBuildTimeout is disabled and CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452. - Warn the user when HTTPProxy, but no other proxy type, is configured. This can cause surprising behavior: it doesn't send all of Tor's traffic over the HTTPProxy -- it sends unencrypted directory traffic only. Resolves ticket 4663. - Issue a notice if a guard completes less than 40% of your circuits. Threshold is configurable by torrc option PathBiasNoticeRate and consensus parameter pb_noticepct. There is additional, off-by- default code to disable guards which fail too many circuits. Addresses ticket 5458. - Update to the June 6 2012 Maxmind GeoLite Country database. o Code simplifications and refactoring: - Remove validate_pluggable_transports_config(): its warning message is now handled by connection_or_connect().
Description: Digital signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk