[tor-talk] Tor 0.3.0.2-alpha is out!
Roger Dingledine
arma at mit.edu
Tue Jan 24 01:12:34 UTC 2017
(Also, Tor 0.2.9.9 is out. If you didn't know, you should subscribe to
the tor-announce list and/or read the Tor blog!)
Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could
cause relays and clients to crash, even if they were not built with
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
versions, and also affects 0.3.0.1-alpha: all relays running an affected
version should upgrade.
Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS
time-to-live values, makes directory authorities enforce the 1-to-1
mapping of relay RSA identity keys to ED25519 identity keys, fixes a
client-side onion service reachability bug, does better at selecting
the set of fallback directories, and more.
You can download the source code from https://dist.torproject.org/ but
most users should wait for the upcoming 7.0a Tor Browser alpha release,
or for their upcoming system package updates.
Changes in version 0.3.0.2-alpha - 2017-01-23
o Major bugfixes (security, also in 0.2.9.9):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes--and having it
on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Major features (security):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
Feamster. Now relays only return one of two possible DNS TTL
values, and clients are willing to believe DNS TTL values up to 3
hours long. Closes ticket 19769.
o Major features (directory authority, security):
- The default for AuthDirPinKeys is now 1: directory authorities
will reject relays where the RSA identity key matches a previously
seen value, but the Ed25519 key has changed. Closes ticket 18319.
o Major bugfixes (client, guard, crash):
- In circuit_get_global_origin_list(), return the actual list of
origin circuits. The previous version of this code returned the
list of all the circuits, and could have caused strange bugs,
including possible crashes. Fixes bug 21118; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (client, onion service, also in 0.2.9.9):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Major bugfixes (DNS):
- Fix a bug that prevented exit nodes from caching DNS records for
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
o Minor features (controller):
- Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
shared-random values to the controller. Closes ticket 19925.
o Minor features (entry guards):
- Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
break regression tests.
- Require UseEntryGuards when UseBridges is set, in order to make
sure bridges aren't bypassed. Resolves ticket 20502.
o Minor features (fallback directories):
- Select 200 fallback directories for each release. Closes
ticket 20881.
- Allow 3 fallback relays per operator, which is safe now that we
are choosing 200 fallback relays. Closes ticket 20912.
- Exclude relays affected by bug 20499 from the fallback list.
Exclude relays from the fallback list if they are running versions
known to be affected by bug 20499, or if in our tests they deliver
a stale consensus (i.e. one that expired more than 24 hours ago).
Closes ticket 20539.
- Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
ticket 18828.
- Require fallback directories to have the same address and port for
7 days (now that we have enough relays with this stability).
Relays whose OnionOO stability timer is reset on restart by bug
18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
this issue. Closes ticket 20880; maintains short-term fix
in 0.2.8.2-alpha.
- Require fallbacks to have flags for 90% of the time (weighted
decaying average), rather than 95%. This allows at least 73% of
clients to bootstrap in the first 5 seconds without contacting an
authority. Part of ticket 18828.
- Annotate updateFallbackDirs.py with the bandwidth and consensus
weight for each candidate fallback. Closes ticket 20878.
- Make it easier to change the output sort order of fallbacks.
Closes ticket 20822.
- Display the relay fingerprint when downloading consensuses from
fallbacks. Closes ticket 20908.
o Minor features (geoip, also in 0.2.9.9):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor features (next-gen onion service directories):
- Remove the "EnableOnionServicesV3" consensus parameter that we
introduced in 0.3.0.1-alpha: relays are now always willing to act
as v3 onion service directories. Resolves ticket 19899.
o Minor features (linting):
- Enhance the changes file linter to warn on Tor versions that are
prefixed with "tor-". Closes ticket 21096.
o Minor features (logging):
- In several places, describe unset ed25519 keys as "<unset>",
rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
o Minor bugfix (control protocol):
- The reply to a "GETINFO config/names" request via the control
protocol now spells the type "Dependent" correctly. This is a
breaking change in the control protocol. (The field seems to be
ignored by the most common known controllers.) Fixes bug 18146;
bugfix on 0.1.1.4-alpha.
o Minor bugfixes (bug resilience):
- Fix an unreachable size_t overflow in base64_decode(). Fixes bug
19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
Hans Jerry Illikainen.
o Minor bugfixes (build):
- Replace obsolete Autoconf macros with their modern equivalent and
prevent similar issues in the future. Fixes bug 20990; bugfix
on 0.1.0.1-rc.
o Minor bugfixes (client, guards):
- Fix bug where Tor would think that there are circuits waiting for
better guards even though those circuits have been freed. Fixes
bug 21142; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (config):
- Don't assert on startup when trying to get the options list and
LearnCircuitBuildTimeout is set to 0: we are currently parsing the
options so of course they aren't ready yet. Fixes bug 21062;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (controller):
- Make the GETINFO interface for inquiring about entry guards
support the new guards backend. Fixes bug 20823; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (dead code):
- Remove a redundant check for PidFile changes at runtime in
options_transition_allowed(): this check is already performed
regardless of whether the sandbox is active. Fixes bug 21123;
bugfix on 0.2.5.4-alpha.
o Minor bugfixes (documentation):
- Update the tor manual page to document every option that can not
be changed while tor is running. Fixes bug 21122.
o Minor bugfixes (fallback directories):
- Stop failing when a relay has no uptime data in
updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
- Avoid checking fallback candidates' DirPorts if they are down in
OnionOO. When a relay operator has multiple relays, this
prioritizes relays that are up over relays that are down. Fixes
bug 20926; bugfix on 0.2.8.3-alpha.
- Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
Fixes bug 20877; bugfix on 0.2.8.3-alpha.
o Minor bugfixes (guards, bootstrapping):
- When connecting to a directory guard during bootstrap, do not mark
the guard as successful until we receive a good-looking directory
response from it. Fixes bug 20974; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (onion services):
- Fix the config reload pruning of old vs new services so it
actually works when both ephemeral and non-ephemeral services are
configured. Fixes bug 21054; bugfix on 0.3.0.1-alpha.
- Allow the number of introduction points to be as low as 0, rather
than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (IPv6):
- Make IPv6-using clients try harder to find an IPv6 directory
server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
- When IPv6 addresses have not been downloaded yet (microdesc
consensus documents don't list relay IPv6 addresses), use hard-
coded addresses for authorities, fallbacks, and configured
bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
o Minor bugfixes (memory leaks):
- Fix a memory leak when configuring hidden services. Fixes bug
20987; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (portability, also in 0.2.9.9):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (relay):
- Honor DataDirectoryGroupReadable when tor is a relay. Previously,
initializing the keys would reset the DataDirectory to 0700
instead of 0750 even if DataDirectoryGroupReadable was set to 1.
Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
o Minor bugfixes (testing):
- Remove undefined behavior from the backtrace generator by removing
its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
o Minor bugfixes (unit tests):
- Allow the unit tests to pass even when DNS lookups of bogus
addresses do not fail as expected. Fixes bug 20862 and 20863;
bugfix on unit tests introduced in 0.2.8.1-alpha
through 0.2.9.4-alpha.
o Code simplification and refactoring:
- Refactor code to manipulate global_origin_circuit_list into
separate functions. Closes ticket 20921.
o Documentation (formatting):
- Clean up formatting of tor.1 man page and HTML doc, where <pre>
blocks were incorrectly appearing. Closes ticket 20885.
o Documentation (man page):
- Clarify many options in tor.1 and add some min/max values for
HiddenService options. Closes ticket 21058.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20170123/ff856f60/attachment.sig>
More information about the tor-talk
mailing list