Tor 0.2.1.22 fixes a critical privacy problem in bridge directory
authorities -- it would tell you its whole history of bridge descriptors
if you make the right directory request. This stable update also
rotates two of the seven v3 directory authority keys and locations.
o Directory authority changes:
- Rotate keys (both v3 identity and relay identity) for moria1
and gabelmoo.
o Major bugfixes:
- Stop bridge directory authorities from answering dbg-stability.txt
directory queries, which would let people fetch a list of all
bridge identities they track. Bugfix on 0.2.1.6-alpha. o Major bugfixes (performance):
- We were selecting our guards uniformly at random, and then weighting
which of our guards we'd use uniformly at random. This imbalance
meant that Tor clients were severely limited on throughput (and
probably latency too) by the first hop in their circuit. Now we
select guards weighted by currently advertised bandwidth. We also
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
o Minor features:
- Avoid a mad rush at the beginning of each month when each client
rotates half of its guards. Instead we spread the rotation out
throughout the month, but we still avoid leaving a precise timestamp
in the state file about when we first picked the guard. Improves
over the behavior introduced in 0.1.2.17.
Changes in version 0.2.2.7-alpha - 2010-01-19
o Major features (performance):
- We were selecting our guards uniformly at random, and then weighting
which of our guards we'd use uniformly at random. This imbalance
meant that Tor clients were severely limited on throughput (and
probably latency too) by the first hop in their circuit. Now we
select guards weighted by currently advertised bandwidth. We also
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
- When choosing which cells to relay first, relays can now favor
circuits that have been quiet recently, to provide lower latency
for low-volume circuits. By default, relays enable or disable this
feature based on a setting in the consensus. You can override
this default by using the new "CircuitPriorityHalflife" config
option. Design and code by Ian Goldberg, Can Tang, and Chris
Alexander.
- Add separate per-conn write limiting to go with the per-conn read
limiting. We added a global write limit in Tor 0.1.2.5-alpha,
but never per-conn write limits.
- New consensus params "bwconnrate" and "bwconnburst" to let us
rate-limit client connections as they enter the network. It's
controlled in the consensus so we can turn it on and off for
experiments. It's starting out off. Based on proposal 163.
o Major features (relay selection options):
- Switch to a StrictNodes config option, rather than the previous
"StrictEntryNodes" / "StrictExitNodes" separation that was missing a
"StrictExcludeNodes" option.
- If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
change during a config reload, mark and discard all our origin
circuits. This fix should address edge cases where we change the
config options and but then choose a circuit that we created before
the change.
- If EntryNodes or ExitNodes are set, be more willing to use an
unsuitable (e.g. slow or unstable) circuit. The user asked for it,
they get it.
- Make EntryNodes config option much more aggressive even when
StrictNodes is not set. Before it would prepend your requested
entrynodes to your list of guard nodes, but feel free to use others
after that. Now it chooses only from your EntryNodes if any of
those are available, and only falls back to others if a) they're
all down and b) StrictNodes is not set.
- Now we refresh your entry guards from EntryNodes at each consensus
fetch -- rather than just at startup and then they slowly rot as
the network changes.
o Minor features:
- Log a notice when we get a new control connection. Now it's easier
for security-conscious users to recognize when a local application
is knocking on their controller door. Suggested by bug 1196.
- New config option "CircuitStreamTimeout" to override our internal
timeout schedule for how many seconds until we detach a stream from
a circuit and try a new circuit. If your network is particularly
slow, you might want to set this to a number like 60.
- New controller command "getinfo config-text". It returns the
contents that Tor would write if you send it a SAVECONF command,
so the controller can write the file to disk itself.
- New options for SafeLogging to allow scrubbing only log messages
generated while acting as a relay.
- Ship the bridges spec file in the tarball too.
- Avoid a mad rush at the beginning of each month when each client
rotates half of its guards. Instead we spread the rotation out
throughout the month, but we still avoid leaving a precise timestamp
in the state file about when we first picked the guard. Improves
over the behavior introduced in 0.1.2.17.
o Minor bugfixes (compiling):
- Fix compilation on OS X 10.3, which has a stub mlockall() but
hides it. Bugfix on 0.2.2.6-alpha.
- Fix compilation on Solaris by removing support for the
DisableAllSwap config option. Solaris doesn't have an rlimit for
mlockall, so we cannot use it safely. Fixes bug 1198; bugfix on
0.2.2.6-alpha.
o Minor bugfixes (crashes):
- Do not segfault when writing buffer stats when we haven't observed
a single circuit to report about. Found by Fabian Lanze. Bugfix on
0.2.2.1-alpha.
- If we're in the pathological case where there's no exit bandwidth
but there is non-exit bandwidth, or no guard bandwidth but there
is non-guard bandwidth, don't crash during path selection. Bugfix
on 0.2.0.3-alpha.
- Fix an impossible-to-actually-trigger buffer overflow in relay
descriptor generation. Bugfix on 0.1.0.15.
o Minor bugfixes (privacy):
- Fix an instance where a Tor directory mirror might accidentally
log the IP address of a misbehaving Tor client. Bugfix on
0.1.0.1-rc.
- Don't list Windows capabilities in relay descriptors. We never made
use of them, and maybe it's a bad idea to publish them. Bugfix
on 0.1.1.8-alpha.
o Minor bugfixes (other):
- Resolve an edge case in path weighting that could make us misweight
our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
- Fix statistics on client numbers by country as seen by bridges that
were broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour
intervals instead of variable 12-to-48-hour intervals.
- After we free an internal connection structure, overwrite it
with a different memory value than we use for overwriting a freed
internal circuit structure. Should help with debugging. Suggested
by bug 1055.
- Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
too.
o Removed features:
- Remove the HSAuthorityRecordStats option that version 0 hidden
service authorities could have used to track statistics of overall
hidden service usage. o Major bugfixes (performance):
- We were selecting our guards uniformly at random, and then weighting
which of our guards we'd use uniformly at random. This imbalance
meant that Tor clients were severely limited on throughput (and
probably latency too) by the first hop in their circuit. Now we
select guards weighted by currently advertised bandwidth. We also
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
o Major bugfixes:
- Make Tor work again on the latest OS X: when deciding whether to
use strange flags to turn TLS renegotiation on, detect the OpenSSL
version at run-time, not compile time. We need to do this because
Apple doesn't update its dev-tools headers when it updates its
libraries in a security patch.
- Fix a potential buffer overflow in lookup_last_hid_serv_request()
that could happen on 32-bit platforms with 64-bit time_t. Also fix
a memory leak when requesting a hidden service descriptor we've
requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
by aakova.
o Directory authority changes:
- Change IP address for dannenberg (v3 directory authority), and
remove moria2 (obsolete v1, v2 directory authority and v0 hidden
service directory authority) from the list.
o Minor bugfixes:
- Refactor resolve_my_address() to not use gethostbyname() anymore.
Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
o Minor features:
- Avoid a mad rush at the beginning of each month when each client
rotates half of its guards. Instead we spread the rotation out
throughout the month, but we still avoid leaving a precise timestamp
in the state file about when we first picked the guard. Improves
over the behavior introduced in 0.1.2.17.Changes in version 0.2.1.26 - 2010-05-02
o Major bugfixes:
- Teach relays to defend themselves from connection overload. Relays
now close idle circuits early if it looks like they were intended
for directory fetches. Relays are also more aggressive about closing
TLS connections that have no circuits on them. Such circuits are
unlikely to be re-used, and tens of thousands of them were piling
up at the fast relays, causing the relays to run out of sockets
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
their directory fetches over TLS).
- Fix SSL renegotiation behavior on OpenSSL versions like on Centos
that claim to be earlier than 0.9.8m, but which have in reality
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
behavior. Possible fix for some cases of bug 1346.
- Directory mirrors were fetching relay descriptors only from v2
directory authorities, rather than v3 authorities like they should.
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
o Minor bugfixes:
- Finally get rid of the deprecated and now harmful notion of "clique
mode", where directory authorities maintain TLS connections to
every other relay.
o Testsuite fixes:
- In the util/threads test, no longer free the test_mutex before all
worker threads have finished. Bugfix on 0.2.1.6-alpha.
- The master thread could starve the worker threads quite badly on
certain systems, causing them to run only partially in the allowed
window. This resulted in test failures. Now the master thread sleeps
occasionally for a few microseconds while the two worker-threads
compete for the mutex. Bugfix on 0.2.0.1-alpha.Changes in version 0.2.1.26
Major bugfixes:
* Teach relays to defend themselves from connection overload. Relays
now close idle circuits early if it looks like they were intended
for directory fetches. Relays are also more aggressive about closing
TLS connections that have no circuits on them. Such circuits are
unlikely to be re-used, and tens of thousands of them were piling
up at the fast relays, causing the relays to run out of sockets
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
their directory fetches over TLS).
* Fix SSL renegotiation behavior on OpenSSL versions like on Centos
that claim to be earlier than 0.9.8m, but which have in reality
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
behavior. Possible fix for some cases of bug 1346.
* Directory mirrors were fetching relay descriptors only from v2
directory authorities, rather than v3 authorities like they should.
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
Minor bugfixes:
* Finally get rid of the deprecated and now harmful notion of "clique
mode", where directory authorities maintain TLS connections to
every other relay.
Testsuite fixes:
* In the util/threads test, no longer free the test_mutex before all
worker threads have finished. Bugfix on 0.2.1.6-alpha.
* The master thread could starve the worker threads quite badly on
certain systems, causing them to run only partially in the allowed
window. This resulted in test failures. Now the master thread sleeps
occasionally for a few microseconds while the two worker-threads
compete for the mutex. Bugfix on 0.2.0.1-alpha.
1.3.8: Released 2010-07-22
update Firefox to 3.5.11
1.3.9: Released 2010-07-22
update Pidgin to 2.7.22010-11-19 AdvTor v0.1.0.13
- when the exit is changed from system tray menu or from the exit node selection dialog, a notification message will show the selection in debug window
- all file operations now use absolute paths because on some systems GetOpenFileName changes the directory even with OFN_NOCHANGEDIR flag set
- addresses of websites can also be banned by IP
- favorite routers are now added to the "Select IP" system tray menu and if there are less than 30 IPs added, other routers are added that are not in banlist
- new configuration option: FavoriteExitNodesPriority which is a percent and it is used when selecting a random exit node to decide if an exit node from favorites will be selected when StrictExitNodes is disabled (default is 100)
- new option for favorite exit nodes on "Router restrictions" page: "Priority" which allows changing FavoriteExitNodesPriority
- added: context menus for circuit tree from "Network information" page that allow closing connections, destroying circuits, banning websites by hostname or IP, banning nodes, adding nodes to favorites, etc.
- updated language strings: 1248, 2672, 2673, 2674, 2675, 2676, 2677, 2678, 2679, 2680, 2681, 2682, 2683, 2684, 2685, 2686 1 Changes in version 0.2.1.27 - 2010-11-23
2 Yet another OpenSSL security patch broke its compatibility with Tor:
3 Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
4 also took this opportunity to fix several crash bugs, integrate a new
5 directory authority, and update the bundled GeoIP database.
6
7 o Major bugfixes:
8 - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
9 No longer set the tlsext_host_name extension on server SSL objects;
10 but continue to set it on client SSL objects. Our goal in setting
11 it was to imitate a browser, not a vhosting server. Fixes bug 2204;
12 bugfix on 0.2.1.1-alpha.
13 - Do not log messages to the controller while shrinking buffer
14 freelists. Doing so would sometimes make the controller connection
15 try to allocate a buffer chunk, which would mess up the internals
16 of the freelist and cause an assertion failure. Fixes bug 1125;
17 fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
18 - Learn our external IP address when we're a relay or bridge, even if
19 we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
20 where we introduced bridge relays that don't need to publish to
21 be useful. Fixes bug 2050.
22 - Do even more to reject (and not just ignore) annotations on
23 router descriptors received anywhere but from the cache. Previously
24 we would ignore such annotations at first, but cache them to disk
25 anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
26 - When you're using bridges and your network goes away and your
27 bridges get marked as down, recover when you attempt a new socks
28 connection (if the network is back), rather than waiting up to an
29 hour to try fetching new descriptors for your bridges. Bugfix on
30 0.2.0.3-alpha; fixes bug 1981.
31
32 o Major features:
33 - Move to the November 2010 Maxmind GeoLite country db (rather
34 than the June 2009 ip-to-country GeoIP db) for our statistics that
35 count how many users relays are seeing from each country. Now we'll
36 have more accurate data, especially for many African countries.
37
38 o New directory authorities:
39 - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
40 authority.
41
42 o Minor bugfixes:
43 - Fix an assertion failure that could occur in directory caches or
44 bridge users when using a very short voting interval on a testing
45 network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
46 0.2.0.8-alpha.
47 - Enforce multiplicity rules when parsing annotations. Bugfix on
48 0.2.0.8-alpha. Found by piebeer.
49 - Allow handshaking OR connections to take a full KeepalivePeriod
50 seconds to handshake. Previously, we would close them after
51 IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
52 were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
53 for analysis help.
54 - When building with --enable-gcc-warnings on OpenBSD, disable
55 warnings in system headers. This makes --enable-gcc-warnings
56 pass on OpenBSD 4.8.
57
58 o Minor features:
59 - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
60 and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
61 stream ending reason for this case: END_STREAM_REASON_NOROUTE.
62 Servers can start sending this code when enough clients recognize
63 it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
64 - Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
65 Patch from mingw-san.
66
67 o Removed files:
68 - Remove the old debian/ directory from the main Tor distribution.
69 The official Tor-for-debian git repository lives at the URL
70 https://git.torproject.org/debian/tor.git
71 - Stop shipping the old doc/website/ directory in the tarball. We
72 changed the website format in late 2010, and what we shipped in
73 0.2.1.26 really wasn't that useful anyway.Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
change is a slight tweak to Tor's TLS handshake that makes relays
and bridges that run this new version reachable from Iran again.
We don't expect this tweak will win the arms race long-term, but it
buys us time until we roll out a better solution.
https://www.torproject.org/download/download
Changes in version 0.2.1.30 - 2011-02-23
o Major bugfixes:
- Stop sending a CLOCK_SKEW controller status event whenever
we fetch directory information from a relay that has a wrong clock.
Instead, only inform the controller when it's a trusted authority
that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
the rest of bug 1074.
- Fix a bounds-checking error that could allow an attacker to
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
Found by "piebeer".
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
Tor would ignore their RelayBandwidthBurst setting,
potentially using more bandwidth than expected. Bugfix on
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
- Ignore and warn if the user mistakenly sets "PublishServerDescriptor
hidserv" in her torrc. The 'hidserv' argument never controlled
publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
o Minor features:
- Adjust our TLS Diffie-Hellman parameters to match those used by
Apache's mod_ssl.
- Update to the February 1 2011 Maxmind GeoLite Country database.
o Minor bugfixes:
- Check for and reject overly long directory certificates and
directory tokens before they have a chance to hit any assertions.
Bugfix on 0.2.1.28. Found by "doorss".
- Bring the logic that gathers routerinfos and assesses the
acceptability of circuits into line. This prevents a Tor OP from
getting locked in a cycle of choosing its local OR as an exit for a
path (due to a .exit request) and then rejecting the circuit because
its OR is not listed yet. It also prevents Tor clients from using an
OR running in the same instance as an exit (due to a .exit request)
if the OR does not meet the same requirements expected of an OR
running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
o Packaging changes:
- Stop shipping the Tor specs files and development proposal documents
in the tarball. They are now in a separate git repository at
git://git.torproject.org/torspec.git
- Do not include Git version tags as though they are SVN tags when
generating a tarball from inside a repository that has switched
between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
2011-08-08 Advanced Onion Router 0.3.0.1e
- corrected: a negative status was assigned to an unsigned variable in proxy_handle_client_data()
2011-08-05 Advanced Onion Router 0.3.0.1d
- corrected: invalid pointer access if headers with different line terminators were received from a client in one request
- corrected: when a web redirect was sent as a response for a request on a connection that was already associated with a different host the client was expected to close the connection causing some clients to wait indefinitely for the remote connection to be closed
- the directory Tor-info was renamed to "Help" and the file tor-manual.html was removed; all text files related to the OR protocol were moved to Help\Tor
- added a help file with explanations for all GUI settings and commands ("Help\AdvOR.html", "Help\Img")
- geoip_c.h was updated with GeoIPCountryWhois.csv released on August 4th
2011-07-30 Advanced Onion Router 0.3.0.1c
- HTTP servers that don't send any information about the length of the message they return for statuses that allow/require an entity to be returned are assumed to close the connection after sending the response (thanks to DeepAnger for reporting this problem)
2011-07-30 Advanced Onion Router 0.3.0.1b
- corrected: when processing server data, a wrong buffer size could had been returned to _connection_write_to_buf_impl()
- corrected: the capitalization for rewritten uTorrent HTTP headers did not match uTorrent's capitalization
2011-07-28 Advanced Onion Router 0.3.0.1a
- corrected the resize_info structure for the main dialog to make more room for child dialogs
- uTorrent is now autodetected and its headers are re-generated as uTorrent headers (thanks to DeepAnger for reporting problems with some private trackers)
- added uTorrent version pairs that are used to generate identity-dependent major browser versions when uTorrent is detected
- added: new browser type on the "HTTP headers" page: "Mask a BitTorrent client as uTorrent" which can be used with BitTorrent clients that are not supported yet
- updated language strings: 29302011-11-21 Advanced Onion Router 0.3.0.2a
- a value of 0 for circuit build timeout / expiration time will cause the circuit to never expire
- when downloading the network-status consensus, a failure to download from a directory server will cause a new download attempt from another directory server immediately if bootstrap_status is less than 80
2011-11-20 Advanced Onion Router 0.3.0.2
- all files were updated with changes from tor-0.2.2.34 relative to tor-0.2.1.30; all changes were corrected to remove goto's and some bugs were fixed; all file I/O operations were modified to support UNICODE paths; latest versions of Tor consider excluded nodes a banlist if "StrictNodes" is set - however, AdvOR already considered excluded nodes a "strict" banlist since 0.1.0.x, so "StrictNodes" is used only for favorites
- [tor-0.2.2.34] new configuration options: AllowDotExit, CellStatistics, LearnCircuitBuildTimeout, CircuitStreamTimeout, CircuitPriorityHalflife, ClientRejectInternalAddresses, ConsensusParams, ControlPortFileGroupReadable, ControlPortWriteToFile, ControlSocketsGroupWritable, DirReqStatistics, DisableAllSwap, EntryStatistics, ExitPortStatistics, ExtraInfoStatistics, FetchDirInfoExtraEarly, FetchV2Networkstatus, GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays, Socks4Proxy, Socks5Proxy, Socks5ProxyUsername, Socks5ProxyPassword, PerConnBWBurst, PerConnBWRate, RefuseUnknownExits, V3BandwidthsFile, __OwningControllerProcess, VoteOnHidServDirectoriesV2, _UsingTestNetworkDefaults, MinUptimeHidServDirectoryV2, AccountingSecondsToReachSoftLimit, AccountingSoftLimitHitAt, AccountingBytesAtSoftLimit
- [tor-0.2.2.34] new state settings: BWHistoryReadMaxima, BWHistoryWriteMaxima, BWHistoryDirReadEnds, BWHistoryDirReadInterval, BWHistoryDirReadValues, BWHistoryDirReadMaxima, BWHistoryDirWriteEnds, BWHistoryDirWriteInterval, BWHistoryDirWriteValues, BWHistoryDirWriteMaxima, TotalBuildTimes, CircuitBuildAbandonedCount, CircuitBuildTimeBin, BuildtimeHistogram
- [tor-0.2.2.34] configuration options that were removed: DirRecordUsageByCountry, DirRecordUsageGranularity, DirRecordUsageRetainIPs, DirRecordUsageSaveInterval, HSAuthorityRecordStats, RunTesting
- [tor-0.2.2.34] the limits for HttpProxyAuthenticator and HttpsProxyAuthenticator were changed from 48 characters to 512 characters
- updated libraries: libevent-2.0.16-stable, openssl-1.0.0e
- geoip_c.h was updated with GeoIPCountryWhois.csv released on November 1st
The wrong version of Firefox got into the OS X 64-bit and Windows bundles. These have now been updated properly and are online with version number 2.2.35-7.1.
o Draw the bandwidth graph curves based on the local maximum, not
the global maximum. Fixes bug 2188.
o Make the default data directory in windows be located in the Local
AppData instead of the Roaming one. Fixes bug 2319.
o Displays a warning to notify users that the passphrase will be
stored as plaintext. Fixes bug 3064.
o Add a way to use the autoconfiguration for ControlPort and SocksPort.
Tor can now autoconfigure Control and Socks Ports when the default ones
are in use. This makes it easier to run several different instances of
TBB at the same time. Resolves bug 3077.
o Make the AutoPort setting default to false, so that it doesn't
break backwards compatibility for people that aren't using Vidalia
inside Tor Browser Bundle.
o Check tor version and that settings are sanitized before trying to
use the port autoconfiguration feature. Fixes bug 3843.
o Provide the necessary fields (Control password, ControlPort) to let
TorButton NEWNYM. Vidalia provides these in env vars when it launches
the Firefox instance. Resolves bug 2659.
o Add an option in the Tor menu to exit the application. Fixes bug
3146.
o Display the message "Connected to the Tor network!" centered in
the main window. Fixes bug 3147.
o Explicitly notifies the user that her clock is wrong and tor will
probably malfuntion because of it. Fixes bug 3156.
o Make the main window visible when opening a tab through the system
tray menu. Fixes bug 3165.
o Fixes wrong spelling in the method showBandwidthTab inside
MainWindow. Resolves ticket 3166.
o Fix wrong behavior when trying to connect to an already running
tor instance. Fixes bug 3168.
o Prevent restarting Tor when it hasn't been started yet. Fixes bug
3171.
o Make Vidalia hide its main window when the tray icon is
doubleclicked. Resolves ticket 3194.
o Display time statistics for bridges in UTC time, rather than local
time. Fixes bug 3342.
o Uses TAKEOWNERSHIP and __OwningControllerProcess to avoid leaving
tor running in background if Vidalia exits unexpectedly. Fixes bug
3463.
o Change the parameter for ordering the entries in the Basic Log
list from currentTime to currentDateTime to avoid missplacing
entries from different days.
o Check tor version and that settings are sanitized before trying to
use the port autoconfiguration feature. Fixes bug 3843.
o Try Cookie authentication if available in tor based on
ProtocolInfo. If that fails, fall back to HashedPassword if
supported. Fixes bug 3898.
o Remember the previously used random socks/control ports so Firefox
keeps working after restarting tor. Fixes bug 4031.
o Attempt to remove port.conf file before using it to avoid a race
condition between tor and Vidalia. Fixes bug 4048.
o Do not allow users to check the "My ISP blocks..." checkbox
without entering any bridges. Also updates the
documentation. Fixes bug 4290.
o Check that the authentication-cookie file length is exactly 32
bytes long. Fixes bug 4304.
o Explicitly disable ControlPort auto. Fixes bug 4379.
o Adds a checkbox to remember the answer of a VMessageBox::question
easily. It is used to remember how the user wants to terminate tor
when running a relay. Fixes bug 4577.
o Explicitly disable SocksPort auto by setting it to its default
(9050). Fixes bug 4598.
o Make the non exit relay option backward compatible with Vidalia <
0.2.14 so that it doesn't confuse users. Fixes bug 4642.
o Sets the preferred size for the GUI layout so it doesn't squeeze
widges when the size isn't big enough. Fixes bug 4656.
o Removes the option to have only HTTPProxy since it does not work
any more as it used to do with older tor versions. Users should
use HTTP/HTTPSProxy instead. Fixes bug 4724.
o Add a hidden configuration option called SkipVersionCheck so
systems like Tails can force Vidalia to skip checking tor's
version. Resolves ticket 4736.
o When Tor has cached enough information it bootstraps faster than
what takes Vidalia connect to it, so Vidalia does not see the
event to update the progress bar. Now Vidalia explicitly asks for
bootstrap-phase when it connects to Tor, and updates the progress
to what is actually happening instead of hanging in
"Authenticating to Tor". Fixes bug 4827.
o Sets __ReloadTorrcOnSIGHUP to 0 if SAVECONF failed, which means
the user can't write the torrc file. Fixes bug 4833.
o Improve search in the router list from the Network Map with a
search field. Resolves ticket 3144.
o Add a plugin framework based on QtScript. This gives the abbility
to create extensions for Vidalia with all Qt's functionality and
interfaces to interact with tor and with Vidalia itself. Resolves
ticket 3215
o Add a way to detach a tab from Vidalia's main window. This will
provide more flexibility with plugins that might be intended to be
displayed apart from Vidalia.
o Vidalia only validates IPv4 bridge lines. IPv6 bridges are now
available, and there will be pluggable transport bridge lines. So
the validation is now delegated to Tor through SETCONF.
o Improve dist-osx* targets to be able to distribute qtscript
extensions properly, and also handle deploying Qt with the
macdeployqt tool instead of a macro.2012-06-08 Advanced Onion Router 0.3.0.9
- [tor-0.2.2.35] Change IP address for maatuska (v3 directory authority).
- [tor-0.2.2.35] Change IP address for ides (v3 directory authority), and rename it to turtles.
- [tor-0.2.2.35] When building or running with any version of OpenSSL earlier than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL versions have a bug (CVE-2011-4576) in which their block cipher padding includes uninitialized data, potentially leaking sensitive information to any peer with whom they make a SSLv3 connection. Tor does not use SSL v3 by default, but a hostile client or server could force an SSLv3 connection in order to gain information that they shouldn't have been able to get. The best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building or running with a non-upgraded OpenSSL, we disable SSLv3 entirely to make sure that the bug can't happen.
- [tor-0.2.2.35] Never use a bridge or a controller-supplied node as an exit, even if its exit policy allows it. Found by wanoskarnet. Fixes bug 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) and 0.2.0.3-alpha (for bridge-purpose descriptors).
- [tor-0.2.2.35] Only build circuits if we have a sufficient threshold of the total descriptors that are marked in the consensus with the "Exit" flag. This mitigates an attack proposed by wanoskarnet, in which all of a client's bridges collude to restrict the exit nodes that the client knows about. Fixes bug 5343.
- [tor-0.2.2.35] Provide controllers with a safer way to implement the cookie authentication mechanism. With the old method, if another locally running program could convince a controller that it was the Tor process, then that program could trick the contoller into telling it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" authentication method uses a challenge-response approach to prevent this attack. Fixes bug 5185; implements proposal 193.
- [tor-0.2.2.35] Avoid logging uninitialized data when unable to decode a hidden service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
- [tor-0.2.2.35] Avoid a client-side assertion failure when receiving an INTRODUCE2 cell on a general purpose circuit. Fixes bug 5644; bugfix on 0.2.1.6-alpha.
- [tor-0.2.2.35] Fix the SOCKET_OK test that we use to tell when socket creation fails so that it works on Win64. Fixes part of bug 4533; bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
- [tor-0.2.2.35] Reject out-of-range times like 23:59:61 in parse_rfc1123_time(). Fixes bug 5346; bugfix on 0.0.8pre3.
- [tor-0.2.2.35] Make our number-parsing functions always treat too-large values as an error, even when those values exceed the width of the underlying type. Previously, if the caller provided these functions with minima or maxima set to the extreme values of the underlying integer type, these functions would return those values on overflow rather than treating overflow as an error. Fixes part of bug 5786; bugfix on 0.0.9.
- [tor-0.2.2.35] Correct parsing of certain date types in parse_http_time(). Without this patch, If-Modified-Since would behave incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from Esteban Manchado Velazques.
- [tor-0.2.2.35] Change the BridgePassword feature (part of the "bridge community" design, which is not yet implemented) to use a time-independent comparison. The old behavior might have allowed an adversary to use timing to guess the BridgePassword value. Fixes bug 5543; bugfix on 0.2.0.14-alpha.
- [tor-0.2.2.35] Detect and reject certain misformed escape sequences in configuration values. Previously, these values would cause us to crash if received in a torrc file or over an authenticated control port. Bug found by Esteban Manchado Velazquez, and independently by Robert Connolly from Matta Consulting who further noted that it allows a post-authentication heap overflow. Patch by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668); bugfix on 0.2.0.16-alpha.
- [tor-0.2.2.35] When sending an HTTP/1.1 proxy request, include a Host header. Fixes bug 5593; bugfix on 0.2.2.1-alpha.
- [tor-0.2.2.35] Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
- [tor-0.2.2.35] If we hit the error case where routerlist_insert() replaces an existing (old) server descriptor, make sure to remove that server descriptor from the old_routers list. Fix related to bug 1776. Bugfix on 0.2.2.18-alpha.
- [tor-0.2.2.35] Directory authorities now reject versions of Tor older than 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha inclusive. These versions accounted for only a small fraction of the Tor network, and have numerous known security issues. Resolves issue 4788.
- [tor-0.2.2.35] Feature removal: When sending or relaying a RELAY_EARLY cell, we used to convert it to a RELAY cell if the connection was using the v1 link protocol. This was a workaround for older versions of Tor, which didn't handle RELAY_EARLY cells properly. Now that all supported versions can handle RELAY_EARLY cells, and now that we're enforcing the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule, remove this workaround. Addresses bug 4786.
- geoip_c.h was updated with GeoIPCountryWhois.csv released on June 6th
- updated language strings: 3085, 3086, 3205, 3206, 3207, 3208 6 Changes in version 0.2.2.37 - 2012-06-06
7 Tor 0.2.2.37 introduces a workaround for a critical renegotiation
8 bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
9 currently).
10
11 o Major bugfixes:
12 - Work around a bug in OpenSSL that broke renegotiation with TLS
13 1.1 and TLS 1.2. Without this workaround, all attempts to speak
14 the v2 Tor connection protocol when both sides were using OpenSSL
15 1.0.1 would fail. Resolves ticket 6033.
16 - When waiting for a client to renegotiate, don't allow it to add
17 any bytes to the input buffer. This fixes a potential DoS issue.
18 Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
19 - Fix an edge case where if we fetch or publish a hidden service
20 descriptor, we might build a 4-hop circuit and then use that circuit
21 for exiting afterwards -- even if the new last hop doesn't obey our
22 ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
23
24 o Minor bugfixes:
25 - Fix a build warning with Clang 3.1 related to our use of vasprintf.
26 Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
27
28 o Minor features:
29 - Tell GCC and Clang to check for any errors in format strings passed
30 to the tor_v*(print|scan)f functions.Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; fixes a remotely triggerable crash bug; and fixes a timing attack that could in theory leak path information.
o Security fixes:
- Avoid read-from-freed-memory and double-free bugs that could occur when a DNS request fails while launching it. Fixes bug 6480; bugfix on 0.2.0.1-alpha.
- Avoid an uninitialized memory read when reading a vote or consensus document that has an unrecognized flavor name. This read could lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
- Try to leak less information about what relays a client is choosing to a side-channel attacker. Previously, a Tor client would stop iterating through the list of available relays as soon as it had chosen one, thus finishing a little earlier when it picked a router earlier in the list. If an attacker can recover this timing information (nontrivial but not proven to be impossible), they could learn some coarse-grained information about which relays a client was picking (middle nodes in particular are likelier to be affected than exits). The timing attack might be mitigated by other factors (see bug 6537 for some discussion), but it's best not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
Update Firefox to 17.0.3esr
Downgrade OpenSSL to 1.0.0k
Update libpng to 1.5.14
Update NoScript to 2.6.5.7
Firefox patch changes:
Exempt remote @font-face fonts from font limits (and prefer them).
(closes: #8270)
Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
they should not count towards our CSS font count limits. Moreover,
if a CSS font-family rule lists any remote fonts, those fonts are
preferred over the local fonts, so we do not reduce the font count
for that rule.
This vastly improves rendering and typography for many websites.
Disable WebRTC in Firefox build options. (closes: #8178)
WebRTC isn't slated to be enabled until Firefox 18, but the code
was getting compiled in already and is capable of creating UDP Sockets
and bypassing Tor. We disable it from build as a safety measure.
Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
This causes our browser pref changes to appear as defaults. It also
means that future updates of TBB should preserve user pref settings.
Fix a use-after-free that caused crashing on MacOS (closes: #8234)
Eliminate several redundant, useless, and deprecated Firefox pref settings
Report Firefox 17.0 as the Tor Browser user agent
Use Firefox's click-to-play barrier for plugins instead of NoScript
Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
This fixes a SOCKS race condition with our SOCKS autoport configuration
and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
settings per URL now, which resulted in a proxy error for
check.torproject.org if we lost the race.
Torbutton was updated to 1.5.0. The following issues were fixed:
Remove old toggle observers and related code (closes: #5279)
Simplify Security Preference UI and associated pref updates (closes: #3100)
Eliminate redundancy in our Flash/plugin disabling code (closes: #7470)
Leave most preferences under Tor Browser's control (closes: #3944)
Disable toggle-on-startup and crash detection logic (closes: #7974)
Disable/remove toggle-mode code and related observers (closes: #5379)
Add menu hint to Torbutton icon (closes: #6431)
Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
Perform version check every time there's a new tab. (closes: #6096)
Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
misc: Allow WebGL and DOM storage.
misc: Disable independent Torbutton updates
misc: Change the recommended SOCKSPort to 9150 (to match TBB)
The following Firefox patch changes are also included in this release:
Isolate image cache to url bar domain (closes: #5742 and #6539)
Enable DOM storage and isolate it to url bar domain (closes: #6564)
Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
Misc preference changes:
Disable DOM performance timers (dom.enable_performance) (closes: #6204)
Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)Update Firefox to 17.0.4esr
Update NoScript to 2.6.5.8
Update HTTPS Everywhere to 3.1.4
Fix non-English language bundles to have the correct branding (closes: #8302)
Firefox patch changes:
Remove "This plugin is disabled" barrier
This improves the user experience for HTML5 Youtube videos:
They "silently" attempt to load flash first, which was not so silent
with this barrier in place. (closes: #8312)
Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
Fix a New Identity hang and/or crash condition (closes: #6386)
Fix crash with Drag + Drop on Windows (closes: #8324)
Torbutton changes:
Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
Fix XML/E4X errors with Cookie Protections (closes: #6202)
Don't clear cookies at shutdown if user wants disk history (closes: #8423)
Leave IndexedDB and Offline Storage disabled. (closes: #8382)
Clear DOM localStorage on New Identity. (closes: #8422)
Don't strip "third party" HTTP auth from favicons (closes: #8335)
Localize the "Spoof english" button strings (closes: #5183)
Ask user for confirmation before enabling plugins (closes: #8313)
Emit private browsing session clearing event on "New Identity"Changes in version 0.2.4.20 - 2013-12-22
Tor 0.2.4.20 fixes potentially poor random number generation for users
who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their
torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors,
and 4) have no state file in their DataDirectory (as would happen on
first start). Users who generated relay or hidden service identity
keys in such a situation should discard them and generate new ones.
This release also fixes a logic error that caused Tor clients to build
many more preemptive circuits than they actually need.
o Major bugfixes:
- Do not allow OpenSSL engines to replace the PRNG, even when
HardwareAccel is set. The only default builtin PRNG engine uses
the Intel RDRAND instruction to replace the entire PRNG, and
ignores all attempts to seed it with more entropy. That's
cryptographically stupid: the right response to a new alleged
entropy source is never to discard all previously used entropy
sources. Fixes bug 10402; works around behavior introduced in
OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
and "rl1987".
- Fix assertion failure when AutomapHostsOnResolve yields an IPv6
address. Fixes bug 10465; bugfix on 0.2.4.7-alpha.
- Avoid launching spurious extra circuits when a stream is pending.
This fixes a bug where any circuit that _wasn't_ unusable for new
streams would be treated as if it were, causing extra circuits to
be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha.
o Minor bugfixes:
- Avoid a crash bug when starting with a corrupted microdescriptor
cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha.
- If we fail to dump a previously cached microdescriptor to disk, avoid
freeing duplicate data later on. Fixes bug 10423; bugfix on
0.2.4.13-alpha. Spotted by "bobnomnom".Update Firefox to 24.4.0esr
Include Pluggable Transports by default:
Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.6 are now included
Update Tor Launcher to 0.2.5.1:
Bug 10418: Provide UI configuration for Pluggable Transports
Bug 10604: Allow Tor status & error messages to be translated
Bug 10894: Make bridge UI clear that helpdesk is a last resort for
bridges
Bug 10610: Clarify wizard UI text describing obstacles/blocking
Bug 11074: Support Tails use case (XULRunner and optional
customizations)
Update Torbutton to 1.6.7.0:
Bug 9901: Fix browser freeze due to content type sniffing
Bug 10611: Add Swedish (sv) to extra locales to update
Update NoScript to 2.6.8.17
Update Tor to 0.2.4.21
Backport Pending Tor Patches:
Bug 5018: Don't launch Pluggable Transport helpers if not in use
Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
Bug 11069: Detect and report Pluggable Transport bootstrap failures
Bug 11156: Prevent spurious warning about missing pluggable transports
Bug 10237: Disable the media cache to prevent disk leaks for videos
Bug 10703: Force the default charset to avoid locale fingerprinting
Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)Here is the complete changelog since TBB 3.5.4:
All Platforms
Update Firefox to 24.5.0esr
Include Pluggable Transports by default:
Obfsproxy3 0.2.4, Flashproxy 1.6, and FTE 0.2.13 are now included
Bug 11586: Include license files for component software in Docs directory.
Bug 9010: Add Turkish language support.
Bug 9387 testing: Disable JS JIT, type inference, asmjs, and ion.
Update NoScript to 2.6.8.20
Update Tor Launcher to 0.2.5.4
Bug 9665: Localize Tor's unreachable bridges bootstrap error
Bug 10418: Provide UI configuration for Pluggable Transports
Bug 10604: Allow Tor status & error messages to be translated
Bug 10894: Make bridge UI clear that helpdesk is a last resort for bridges
Bug 10610: Clarify wizard UI text describing obstacles/blocking
Bug 11074: Support Tails use case (XULRunner and optional customizations)
Bug 11482: Hide bridge settings prompt if no default bridges.
Bug 11484: Show help button even if no default bridges.
Update Torbutton to 1.6.9.0:
Bug 11242: Fix improper "update needed" message after in-place upgrade.
Bug 10398: Ease translation of about:tor page elements
Bug 9901: Fix browser freeze due to content type sniffing
Bug 10611: Add Swedish (sv) to extra locales to update
Bug 7439: Improve download warning dialog text.
Bug 11384: Completely remove hidden toggle menu item.
Backport Pending Tor Patches:
Bug 9665: Report a bootstrap error if all bridges are unreachable
Bug 11200: Prevent spurious error message prior to enabling network.
Bug 5018: Don't launch Pluggable Transport helpers if not in use
Bug 9229: Eliminate 60 second stall during bootstrap with some PTs
Bug 11069: Detect and report Pluggable Transport bootstrap failures
Bug 11156: Prevent spurious warning about missing pluggable transports
Mac:
Bug 4261: Use DMG instead of ZIP for Mac packages
Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and Windows
Linux:
Bug 11190: Switch linux PT build process to python2
Bug 10383: Enable NIST P224 and P256 accel support for 64bit builds.
Windows:
Bug 9308: Prevent install path from leaking in some JS exceptions on Mac and WindowsWe are adding our new platform that supports translations, and have added spanish to get the ball rolling. We also updated the logo to look better on newer devices
Warning:
Tor Browser will stop supporting version 2 onion services later this year. Please see the previously published deprecation timeline. Migrate your services and update your bookmarks to version 3 onion services as soon as possible.