Tor Changelog

New in version 0.2.4.15 RC

July 9th, 2013
  • Update Tor to 0.2.4.15-rc
  • Update NoScript to 2.6.6.7

New in version 0.2.4.12 Alpha (April 30th, 2013)

  • Update Tor to 0.2.4.12-alpha
  • Update Torbutton to 1.5.2
  • Update libpng to 1.5.15
  • Update NoScript to 2.6.6
  • Update PDF.js to 0.8.1
  • Firefox patch changes:
  • Apply font limits to @font-face local() fonts and disable fallback
  • rendering for @font-face. (closes: #8455)
  • Use Optimistic Data SOCKS handshake (improves page load performance).
  • closes: #3875)
  • Honor the Windows theme for inverse text colors (without leaking those
  • colors to content). (closes: #7920)
  • Increase pipeline randomization and try harder to batch pipelined
  • requests together. (closes: #8470)
  • Fix an image cache isolation domain key misusage. May fix several image
  • cache related crash bugs with New Identity, exit, and certain websites.
  • closes: #8628)
  • Torbutton changes:
  • Allow session restore if the user allows disk actvity (closes: #8457)
  • Remove the Display Settings panel and associated locales (closes: #8301)
  • Fix "Transparent Torification" option. (closes: #6566)
  • Fix a hang on New Identity. (closes: #8642)
  • Build changes:
  • Fetch our source deps from an https mirror (closes: #8286)
  • Create watch scripts for syncing mirror sources and monitoring mirror
  • integrity (closes: #8338)

New in version 0.2.4.11 Alpha (April 7th, 2013)

  • Update Firefox to 17.0.5esr
  • Update NoScript to 2.6.59

New in version 0.2.4.9 Alpha (February 9th, 2013)

  • Update Firefox to 17.0.2esr
  • Update Tor to 0.2.4.9-alpha
  • Update Torbutton to 1.5.0pre-alpha
  • Update NoScript to 2.6.4.3
  • Update HTTPS-Everywhere to 4.0development.5
  • Add Mozilla's PDF.js extension to give people the ability to read PDFs in
  • TBB
  • Prevent TBB from trying to access the X session manager
  • Firefox patch changes:
  • Isolate image cache to url bar domain
  • Enable DOM storage and isolate it to url bar domain
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere
  • Misc preference changes:
  • Disable DOM performance timers (dom.enable_performance)
  • Disable HTTP connection retry timeout (network.http.connection-retry-timeout)
  • Disable full path information for plugins (plugin.expose_full_path)
  • Disable NoScript's block of remote WebFonts (noscript.forbidFonts)

New in version 0.2.4.7 Alpha (January 7th, 2013)

  • Update Firefox to 10.0.12esr
  • Update Tor to 0.2.4.7-alpha
  • Update Libevent to 2.0.21-stable
  • Update HTTPS Everywhere to 4.0development.4
  • Update NoScript to 2.6.4.2

New in version 0.2.3.25 (December 4th, 2012)

  • Update Firefox 10.0.11esr
  • Update Vidalia to 0.2.21
  • Update NoScript to 2.6.2

New in version 0.2.2.39 (September 13th, 2012)

  • Update NoScript to 2.5.4

New in version 0.2.2.38 (August 31st, 2012)

  • Update Firefox to 10.0.7esr
  • Update Libevent to 2.0.20-stable
  • Update NoScript to 2.5.2
  • Update HTTPS Everywhere to 2.2.1

New in version 0.2.2.36 (June 5th, 2012)

  • Directory authority changes:
  • Change IP address for maatuska (v3 directory authority).
  • Change IP address for ides (v3 directory authority), and rename it to turtles.
  • Security fixes:
  • When building or running with any version of OpenSSL earlier than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL versions have a bug (CVE-2011-4576) in which their block cipher padding includes uninitialized data, potentially leaking sensitive information to any peer with whom they make a SSLv3 connection. Tor does not use SSL v3 by default, but a hostile client or server could force an SSLv3 connection in order to gain information that they shouldn't have been able to get. The best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building or running with a non-upgraded OpenSSL, we disable SSLv3 entirely to make sure that the bug can't happen.
  • Never use a bridge or a controller-supplied node as an exit, even if its exit policy allows it. Found by wanoskarnet. Fixes bug 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) and 0.2.0.3-alpha (for bridge-purpose descriptors).
  • Only build circuits if we have a sufficient threshold of the total descriptors that are marked in the consensus with the "Exit" flag. This mitigates an attack proposed by wanoskarnet, in which all of a client's bridges collude to restrict the exit nodes that the client knows about. Fixes bug 5343.
  • Provide controllers with a safer way to implement the cookie authentication mechanism. With the old method, if another locally running program could convince a controller that it was the Tor process, then that program could trick the contoller into telling it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" authentication method uses a challenge-response approach to prevent this attack. Fixes bug 5185; implements proposal 193.
  • Major bugfixes:
  • Avoid logging uninitialized data when unable to decode a hidden service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
  • Avoid a client-side assertion failure when receiving an INTRODUCE2 cell on a general purpose circuit. Fixes bug 5644; bugfix on 0.2.1.6-alpha.
  • Fix builds when the path to sed, openssl, or sha1sum contains spaces, which is pretty common on Windows. Fixes bug 5065; bugfix on 0.2.2.1-alpha.
  • Correct our replacements for the timeradd() and timersub() functions on platforms that lack them (for example, Windows). The timersub() function is used when expiring circuits, while timeradd() is currently unused. Bug report and patch by Vektor. Fixes bug 4778; bugfix on 0.2.2.24-alpha.
  • Fix the SOCKET_OK test that we use to tell when socket creation fails so that it works on Win64. Fixes part of bug 4533; bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
  • Minor bugfixes:
  • Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
  • Fixes bug 5346; bugfix on 0.0.8pre3.
  • Make our number-parsing functions always treat too-large values as an error, even when those values exceed the width of the underlying type. Previously, if the caller provided these functions with minima or maxima set to the extreme values of the underlying integer type, these functions would return those values on overflow rather than treating overflow as an error.
  • Fixes part of bug 5786; bugfix on 0.0.9.
  • Older Linux kernels erroneously respond to strange nmap behavior by having accept() return successfully with a zero-length socket. When this happens, just close the connection. Previously, we would try harder to learn the remote address: but there was no such remote address to learn, and our method for trying to learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
  • Correct parsing of certain date types in parse_http_time().
  • Without this patch, If-Modified-Since would behave incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from Esteban Manchado Velázques.
  • Change the BridgePassword feature (part of the "bridge community" design, which is not yet implemented) to use a time-independent comparison. The old behavior might have allowed an adversary to use timing to guess the BridgePassword value. Fixes bug 5543; bugfix on 0.2.0.14-alpha.
  • Detect and reject certain misformed escape sequences in configuration values. Previously, these values would cause us to crash if received in a torrc file or over an authenticated control port. Bug found by Esteban Manchado Velázquez, and independently by Robert Connolly from Matta Consulting who further noted that it allows a post-authentication heap overflow. Patch
  • by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668); bugfix on 0.2.0.16-alpha.
  • Fix a compile warning when using the --enable-openbsd-malloc configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
  • During configure, detect when we're building with clang version 3.0 or lower and disable the -Wnormalized=id and -Woverride-init CFLAGS. clang doesn't support them yet.
  • When sending an HTTP/1.1 proxy request, include a Host header. Fixes bug 5593; bugfix on 0.2.2.1-alpha.
  • Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
  • If we hit the error case where routerlist_insert() replaces an existing (old) server descriptor, make sure to remove that server descriptor from the old_routers list. Fix related to bug 1776. Bugfix on 0.2.2.18-alpha.
  • Minor bugfixes (documentation and log messages):
  • Fix a typo in a log message in rend_service_rendezvous_has_opened(). Fixes bug 4856; bugfix on Tor 0.0.6.
  • Update "ClientOnly" man page entry to explain that there isn't really any point to messing with it. Resolves ticket 5005.
  • Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
  • directory authority option (introduced in Tor 0.2.2.34).
  • Downgrade the "We're missing a certificate" message from notice to info: people kept mistaking it for a real problem, whereas it is seldom the problem even when we are failing to bootstrap. Fixes bug 5067; bugfix on 0.2.0.10-alpha.
  • Correctly spell "connect" in a log message on failure to create a controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
  • Clarify the behavior of MaxCircuitDirtiness with hidden service circuits. Fixes issue 5259.
  • Minor features:
  • Directory authorities now reject versions of Tor older than 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha inclusive. These versions accounted for only a small fraction of the Tor network, and have numerous known security issues. Resolves issue 4788.
  • Update to the May 1 2012 Maxmind GeoLite Country database.
  • Feature removal:
  • When sending or relaying a RELAY_EARLY cell, we used to convert it to a RELAY cell if the connection was using the v1 link protocol. This was a workaround for older versions of Tor, which didn't handle RELAY_EARLY cells properly. Now that all supported versions can handle RELAY_EARLY cells, and now that we're enforcing the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule, remove this workaround. Addresses bug 4786.

New in version 0.2.3.12 Alpha (February 15th, 2012)

  • Major bugfixes:
  • Fix builds when the path to sed, openssl, or sha1sum contains spaces, which is pretty common on Windows. Fixes bug 5065; bugfix on 0.2.2.1-alpha.
  • Set the SO_REUSEADDR socket option before we call bind() on outgoing connections. This change should allow busy exit relays to stop running out of available sockets as quickly. Fixes bug 4950; bugfix on 0.2.2.26-beta.
  • Allow 0.2.3.x clients to use 0.2.2.x bridges. Previously the client would ask the bridge for microdescriptors, which are only supported in 0.2.3.x, and then fail to bootstrap when it didn't get the answers it wanted. Fixes bug 4013; bugfix on 0.2.3.2-alpha.
  • Avoid an assert when managed proxies like obfsproxy are configured, and we receive HUP signals or configuration values too rapidly. This situation happens most commonly when Vidalia tries to attach to Tor or tries to configure the Tor it's attached to. Fixes bug 5084; bugfix on 0.2.3.6-alpha.
  • Properly set up obfsproxy's environment when in managed mode. The Tor Browser Bundle needs LD_LIBRARY_PATH to be passed to obfsproxy, and when you run your Tor as a daemon, there's no HOME. Fixes bugs 5076 and 5082; bugfix on 0.2.3.6-alpha.
  • Minor features:
  • Use the dead_strip option when building Tor on OS X. This reduces binary size by almost 19% when linking openssl and libevent statically, which we do for Tor Browser Bundle.
  • Fix broken URLs in the sample torrc file, and tell readers about the OutboundBindAddress, ExitPolicyRejectPrivate, and PublishServerDescriptor options. Addresses bug 4652.
  • Update to the February 7 2012 Maxmind GeoLite Country database.
  • Minor bugfixes:
  • Downgrade the "We're missing a certificate" message from notice to info: people kept mistaking it for a real problem, whereas it is seldom the problem even when we are failing to bootstrap. Fixes bug 5067; bugfix on 0.2.0.10-alpha.
  • Don't put "TOR_PT_EXTENDED_SERVER_PORT=127.0.0.1:4200" in a managed pluggable transport server proxy's environment. Previously, we would put it there, even though Tor doesn't implement an 'extended server port' yet, and even though Tor almost certainly isn't listening at that address. For now, we set it to an empty string to avoid crashing older obfsproxies. Bugfix on 0.2.3.6-alpha.
  • Log the heartbeat message every HeartbeatPeriod seconds, not every HeartbeatPeriod + 1 seconds. Fixes bug 4942; bugfix on 0.2.3.1-alpha. Bug reported by Scott Bennett.
  • Calculate absolute paths correctly on Windows. Fixes bug 4973; bugfix on 0.2.3.11-alpha.
  • Update "ClientOnly" man page entry to explain that there isn't really any point to messing with it. Resolves ticket 5005.
  • Use the correct CVE number for CVE-2011-4576 in our comments and log messages. Found by "fermenthor". Resolves bug 5066; bugfix on 0.2.3.11-alpha.
  • Code simplifications and refactoring:
  • Use the _WIN32 macro throughout our code to detect Windows. (Previously we had used the obsolete 'WIN32' and the idiosyncratic 'MS_WINDOWS'.)

New in version 0.2.3.10 Alpha (December 17th, 2011)

  • Major bugfixes:
  • Fix a heap overflow bug that could occur when trying to pull data into the first chunk of a buffer, when that chunk had already had some data drained from it. Fixes CVE-2011-2778; bugfix on 0.2.0.16-alpha. Reported by "Vektor".
  • Minor bugfixes:
  • If we can't attach streams to a rendezvous circuit when we finish connecting to a hidden service, clear the rendezvous circuit's stream-isolation state and try to attach streams again. Previously, we cleared rendezvous circuits' isolation state either too early (if they were freshly built) or not at all (if they had been built earlier and were cannibalized). Bugfix on 0.2.3.3-alpha; fixes bug 4655.
  • Fix compilation of the libnatpmp helper on non-Windows. Bugfix on 0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
  • Fix an assertion failure when a relay with accounting enabled starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.
  • Minor features:
  • Update to the December 6 2011 Maxmind GeoLite Country database.

New in version 0.2.2.35 (December 17th, 2011)

  • Major bugfixes:
  • Fix a heap overflow bug that could occur when trying to pull data into the first chunk of a buffer, when that chunk had already had some data drained from it. Fixes CVE-2011-2778; bugfix on 0.2.0.16-alpha. Reported by "Vektor".
  • Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so that it doesn't attempt to allocate a socketpair. This could cause some problems on Windows systems with overzealous firewalls. Fix for bug 4457; workaround for Libevent versions 2.0.1-alpha through 2.0.15-stable.
  • If we mark an OR connection for close based on a cell we process, don't process any further cells on it. We already avoid further reads on marked-for-close connections, but now we also discard the cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, which was the first version where we might mark a connection for close based on processing a cell on it.
  • Correctly sanity-check that we don't underflow on a memory allocation (and then assert) for hidden service introduction point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; bugfix on 0.2.1.5-alpha.
  • Fix a memory leak when we check whether a hidden service descriptor has any usable introduction points left. Fixes bug 4424. Bugfix on 0.2.2.25-alpha.
  • Don't crash when we're running as a relay and don't have a GeoIP file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix we've had in the 0.2.3.x branch already.
  • When running as a client, do not print a misleading (and plain wrong) log message that we're collecting "directory request" statistics: clients don't collect statistics. Also don't create a useless (because empty) stats file in the stats/ directory. Fixes bug 4353; bugfix on 0.2.2.34.
  • Minor bugfixes:
  • Detect failure to initialize Libevent. This fix provides better detection for future instances of bug 4457.
  • Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers function. This was eating up hideously large amounts of time on some busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
  • Resolve an integer overflow bug in smartlist_ensure_capacity(). Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by Mansour Moufid.
  • Don't warn about unused log_mutex in log.c when building with --disable-threads using a recent GCC. Fixes bug 4437; bugfix on 0.1.0.6-rc which introduced --disable-threads.
  • When configuring, starting, or stopping an NT service, stop immediately after the service configuration attempt has succeeded or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
  • When sending a NETINFO cell, include the original address received for the other side, not its canonical address. Found by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
  • Fix a typo in a hibernation-related log message. Fixes bug 4331; bugfix on 0.2.2.23-alpha; found by "tmpname0901".
  • Fix a memory leak in launch_direct_bridge_descriptor_fetch() that occurred when a client tried to fetch a descriptor for a bridge in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
  • Backport fixes for a pair of compilation warnings on Windows. Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
  • If we had ever tried to call tor_addr_to_str on an address of unknown type, we would have done a strdup on an uninitialized buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. Reported by "troll_un".
  • Correctly detect and handle transient lookup failures from tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. Reported by "troll_un".
  • Fix null-pointer access that could occur if TLS allocation failed. Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
  • Use tor_socket_t type for listener argument to accept(). Fixes bug 4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
  • Minor features:
  • Add two new config options for directory authorities: AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold that is always sufficient to satisfy the bandwidth requirement for the Guard flag. Now it will be easier for researchers to simulate Tor networks with different values. Resolves ticket 4484.
  • When Tor ignores a hidden service specified in its configuration, include the hidden service's directory in the warning message. Previously, we would only tell the user that some hidden service was ignored. Bugfix on 0.0.6; fixes bug 4426.
  • Update to the December 6 2011 Maxmind GeoLite Country database.
  • Packaging changes:
  • Make it easier to automate expert package builds on Windows, by removing an absolute path from makensis.exe command.

New in version 0.2.3.9 Alpha (December 16th, 2011)

  • Major features:
  • Clients can now connect to private bridges over IPv6. Bridges still need at least one IPv4 address in order to connect to other relays. Note that we don't yet handle the case where the user has two bridge lines for the same bridge (one IPv4, one IPv6). Implements parts of proposal 186.
  • New "DisableNetwork" config option to prevent Tor from launching any connections or accepting any connections except on a control port. Bundles and controllers can set this option before letting Tor talk to the rest of the network, for example to prevent any connections to a non-bridge address. Packages like Orbot can also use this option to instruct Tor to save power when the network is off.
  • Clients and bridges can now be configured to use a separate "transport" proxy. This approach makes the censorship arms race easier by allowing bridges to use protocol obfuscation plugins. It implements the "managed proxy" part of proposal 180 (ticket 3472).
  • When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode implementation. It makes AES_CTR about 7% faster than our old one (which was about 10% faster than the one OpenSSL used to provide). Resolves ticket 4526.
  • Add a "tor2web mode" for clients that want to connect to hidden services non-anonymously (and possibly more quickly). As a safety measure to try to keep users from turning this on without knowing what they are doing, tor2web mode must be explicitly enabled at compile time, and a copy of Tor compiled to run in tor2web mode cannot be used as a normal Tor client. Implements feature 2553.
  • Add experimental support for running on Windows with IOCP and no kernel-space socket buffers. This feature is controlled by a new "UserspaceIOCPBuffers" config option (off by default), which has no effect unless Tor has been built with support for bufferevents, is running on Windows, and has enabled IOCP. This may, in the long run, help solve or mitigate bug 98.
  • Use a more secure consensus parameter voting algorithm. Now at least three directory authorities or a majority of them must vote on a given parameter before it will be included in the consensus. Implements proposal 178.
  • Major bugfixes:
  • Hidden services now ignore the timestamps on INTRODUCE2 cells. They used to check that the timestamp was within 30 minutes of their system clock, so they could cap the size of their replay-detection cache, but that approach unnecessarily refused service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when the v3 intro-point protocol (the first one which sent a timestamp field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
  • Only use the EVP interface when AES acceleration is enabled, to avoid a 5-7% performance regression. Resolves issue 4525; bugfix on 0.2.3.8-alpha.
  • Privacy/anonymity features (bridge detection):
  • Make bridge SSL certificates a bit more stealthy by using random serial numbers, in the same fashion as OpenSSL when generating self-signed certificates. Implements ticket 4584.
  • Introduce a new config option "DynamicDHGroups", enabled by default, which provides each bridge with a unique prime DH modulus to be used during SSL handshakes. This option attempts to help against censors who might use the Apache DH modulus as a static identifier for bridges. Addresses ticket 4548.
  • Minor features (new/different config options):
  • New configuration option "DisableDebuggerAttachment" (on by default) to prevent basic debugging attachment attempts by other processes. Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
  • Allow MapAddress directives to specify matches against super-domains, as in "MapAddress *.torproject.org *.torproject.org.torserver.exit". Implements issue 933.
  • Slightly change behavior of "list" options (that is, config options that can appear more than once) when they appear both in torrc and on the command line. Previously, the command-line options would be appended to the ones from torrc. Now, the command-line options override the torrc options entirely. This new behavior allows the user to override list options (like exit policies and ports to listen on) from the command line, rather than simply appending to the list.
  • You can get the old (appending) command-line behavior for "list" options by prefixing the option name with a "+".
  • You can remove all the values for a "list" option from the command line without adding any new ones by prefixing the option name with a "/".
  • Add experimental support for a "defaults" torrc file to be parsed before the regular torrc. Torrc options override the defaults file's options in the same way that the command line overrides the torrc.
  • The SAVECONF controller command saves only those options which differ between the current configuration and the defaults file. HUP reloads both files. (Note: This is an experimental feature; its behavior will probably be refined in future 0.2.3.x-alpha versions to better meet packagers' needs.)
  • Minor features:
  • Try to make the introductory warning message that Tor prints on startup more useful for actually finding help and information. Resolves ticket 2474.
  • Running "make version" now displays the version of Tor that we're about to build. Idea from katmagic; resolves issue 4400.
  • Expire old or over-used hidden service introduction points. Required by fix for bug 3460.
  • Move the replay-detection cache for the RSA-encrypted parts of INTRODUCE2 cells to the introduction point data structures. Previously, we would use one replay-detection cache per hidden service. Required by fix for bug 3460.
  • Reduce the lifetime of elements of hidden services' Diffie-Hellman public key replay-detection cache from 60 minutes to 5 minutes. This replay-detection cache is now used only to detect multiple INTRODUCE2 cells specifying the same rendezvous point, so we can avoid launching multiple simultaneous attempts to connect to it.
  • Minor bugfixes (on Tor 0.2.2.x and earlier):
  • Resolve an integer overflow bug in smartlist_ensure_capacity(). Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by Mansour Moufid.
  • Fix a minor formatting issue in one of tor-gencert's error messages. Fixes bug 4574.
  • Prevent a false positive from the check-spaces script, by disabling the "whitespace between function name and (" check for functions named 'op()'.
  • Fix a log message suggesting that people contact a non-existent email address. Fixes bug 3448.
  • Fix null-pointer access that could occur if TLS allocation failed. Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
  • Report a real bootstrap problem to the controller on router identity mismatch. Previously we just said "foo", which probably made a lot of sense at the time. Fixes bug 4169; bugfix on 0.2.1.1-alpha.
  • If we had ever tried to call tor_addr_to_str() on an address of unknown type, we would have done a strdup() on an uninitialized buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. Reported by "troll_un".
  • Correctly detect and handle transient lookup failures from tor_addr_lookup(). Fixes bug 4530; bugfix on 0.2.1.5-alpha. Reported by "troll_un".
  • Use tor_socket_t type for listener argument to accept(). Fixes bug 4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
  • Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes bug 4532; found by "troll_un".
  • Minor bugfixes (on Tor 0.2.3.x):
  • Fix a compile warning in tor_inet_pton(). Bugfix on 0.2.3.8-alpha; fixes bug 4554.
  • Don't send two ESTABLISH_RENDEZVOUS cells when opening a new circuit for use as a hidden service client's rendezvous point. Fixes bugs 4641 and 4171; bugfix on 0.2.3.3-alpha. Diagnosed with help from wanoskarnet.
  • Restore behavior of overriding SocksPort, ORPort, and similar options from the command line. Bugfix on 0.2.3.3-alpha.
  • Build fixes:
  • Properly handle the case where the build-tree is not the same as the source tree when generating src/common/common_sha1.i, src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953; bugfix on 0.2.0.1-alpha.
  • Code simplifications, cleanups, and refactorings:
  • Remove the pure attribute from all functions that used it previously. In many cases we assigned it incorrectly, because the functions might assert or call impure functions, and we don't have evidence that keeping the pure attribute is worthwhile. Implements changes suggested in ticket 4421.
  • Remove some dead code spotted by coverity. Fixes cid 432. Bugfix on 0.2.3.1-alpha, closes bug 4637.

New in version 0.2.2.34-1 (October 31st, 2011)

  • Privacy/anonymity fixes (clients):
  • Clients and bridges no longer send TLS certificate chains on outgoing OR
  • connections. Previously, each client or bridge would use the same cert chain
  • for all outgoing OR connections until its IP address changes, which allowed any
  • relay that the client or bridge contacted to determine which entry guards it is
  • using. Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
  • If a relay receives a CREATE_FAST cell on a TLS connection, it no longer
  • considers that connection as suitable for satisfying a circuit EXTEND request.
  • Now relays can protect clients from the CVE-2011-2768 issue even if the clients
  • haven't upgraded yet.
  • Directory authorities no longer assign the Guard flag to relays that
  • haven't upgraded to the above "refuse EXTEND requests to client connections"
  • fix. Now directory authorities can protect clients from the CVE-2011-2768 issue
  • even if neither the clients nor the relays have upgraded yet. There's a new
  • "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option to let us
  • transition smoothly, else tomorrow there would be no guard relays.
  • Privacy/anonymity fixes (bridge enumeration):
  • Bridge relays now do their directory fetches inside Tor TLS connections,
  • like all the other clients do, rather than connecting directly to the DirPort
  • like public relays do. Removes another avenue for enumerating bridges. Fixes
  • bug 4115; bugfix on 0.2.0.35.
  • Bridges relays now build circuits for themselves in a more similar way to
  • how clients build them. Removes another avenue for enumerating bridges. Fixes
  • bug 4124; bugfix on 0.2.0.3-alpha, when bridges were introduced.
  • Bridges now refuse CREATE or CREATE_FAST cells on OR connections that they
  • initiated. Relays could distinguish incoming bridge connections from client
  • connections, creating another avenue for enumerating bridges. Fixes
  • CVE-2011-2769. Bugfix on 0.2.0.3-alpha. Found by "frosty_un".
  • Major bugfixes:
  • Fix a crash bug when changing node restrictions while a DNS lookup is
  • in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix by "Tey'".
  • Don't launch a useless circuit after failing to use one of a hidden
  • service's introduction points. Previously, we would launch a new introduction
  • circuit, but not set the hidden service which that circuit was intended to
  • connect to, so it would never actually be used. A different piece of code would
  • then create a new introduction circuit correctly. Bug reported by katmagic and
  • found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
  • Minor bugfixes:
  • Change an integer overflow check in the OpenBSD_Malloc code so that GCC is
  • less likely to eliminate it as impossible. Patch from Mansour Moufid. Fixes bug
  • 4059.
  • When a hidden service turns an extra service-side introduction circuit into
  • a general-purpose circuit, free the rend_data and intro_key fields first, so we
  • won't leak memory if the circuit is cannibalized for use as another
  • service-side introduction circuit. Bugfix on 0.2.1.7-alpha; fixes bug
  • 4251.
  • Bridges now skip DNS self-tests, to act a little more stealthily. Fixes
  • bug 4201; bugfix on 0.2.0.3-alpha, which first introduced bridges. Patch by
  • "warms0x".
  • Fix internal bug-checking logic that was supposed to catch failures in
  • digest generation so that it will fail more robustly if we ask for a
  • nonexistent algorithm. Found by Coverity Scan. Bugfix on 0.2.2.1-alpha; fixes
  • Coverity CID 479.
  • Report any failure in init_keys() calls launched because our IP address has
  • changed. Spotted by Coverity Scan. Bugfix on 0.1.1.4-alpha; fixes CID 484.
  • Minor bugfixes (log messages and documentation):
  • Remove a confusing dollar sign from the example fingerprint in the man
  • page, and also make the example fingerprint a valid one. Fixes bug 4309; bugfix
  • on 0.2.1.3-alpha.
  • The next version of Windows will be called Windows 8, and it has a major
  • version of 6, minor version of 2. Correctly identify that version instead of
  • calling it "Very recent version". Resolves ticket 4153; reported by
  • funkstar.
  • Downgrade log messages about circuit timeout calibration from "notice" to
  • "info": they don't require or suggest any human intervention. Patch from Tom
  • Lowenthal. Fixes bug 4063; bugfix on 0.2.2.14-alpha.
  • Minor features:
  • Turn on directory request statistics by default and include them in
  • extra-info descriptors. Don't break if we have no GeoIP database. Backported
  • from 0.2.3.1-alpha; implements ticket 3951.
  • Update to the October 4 2011 Maxmind GeoLite Country database.

New in version 0.2.2.33-2 (October 1st, 2011)

  • Begin building Vidalia with DEP/ASLR
  • Update Firefox to 7.0.1
  • Update OpenSSL to 1.0.0e
  • Update Tor to 0.2.2.33
  • Update NoScript to 2.1.2.8
  • Downgrade HTTPS Everywhere to 1.0.3, because we don't want stable TBBs to use development versions of extensions

New in version 0.2.2.33 (September 21st, 2011)

  • Major bugfixes:
  • Avoid an assertion failure when reloading a configuration with TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug 3923; bugfix on 0.2.2.25-alpha.
  • Minor features (security):
  • Check for replays of the public-key encrypted portion of an INTRODUCE1 cell, in addition to the current check for replays of the g^x value. This prevents a possible class of active attacks by an attacker who controls both an introduction point and a rendezvous point, and who uses the malleability of AES-CTR to alter the encrypted g^x portion of the INTRODUCE1 cell. We think that these attacks are infeasible (requiring the attacker to send on the order of zettabytes of altered cells in a short interval), but we'd rather block them off in case there are any classes of this attack that we missed. Reported by Willem Pinckaers.
  • Minor features:
  • Adjust the expiration time on our SSL session certificates to better match SSL certs seen in the wild. Resolves ticket 4014.
  • Change the default required uptime for a relay to be accepted as a HSDir (hidden service directory) from 24 hours to 25 hours. Improves on 0.2.0.10-alpha; resolves ticket 2649.
  • Add a VoteOnHidServDirectoriesV2 config option to allow directory authorities to abstain from voting on assignment of the HSDir consensus flag. Related to bug 2649.
  • Update to the September 6 2011 Maxmind GeoLite Country database.
  • Minor bugfixes (documentation and log messages):
  • Correct the man page to explain that HashedControlPassword and CookieAuthentication can both be set, in which case either method is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha, when we decided to allow these config options to both be set. Issue raised by bug 3898.
  • Demote the 'replay detected' log message emitted when a hidden service receives the same Diffie-Hellman public key in two different INTRODUCE2 cells to info level. A normal Tor client can cause that log message during its normal operation. Bugfix on 0.2.1.6-alpha; fixes part of bug 2442.
  • Demote the 'INTRODUCE2 cell is too {old,new}' log message to info level. There is nothing that a hidden service's operator can do to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part of bug 2442.
  • Clarify a log message specifying the characters permitted in HiddenServiceAuthorizeClient client names. Previously, the log message said that "[A-Za-z0-9+-_]" were permitted; that could have given the impression that every ASCII character between "+" and "_" was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
  • Build fixes:
  • Provide a substitute implementation of lround() for MSVC, which apparently lacks it. Patch from Gisle Vanem.
  • Clean up some code issues that prevented Tor from building on older BSDs. Fixes bug 3894; reported by "grarpamp".
  • Search for a platform-specific version of "ar" when cross-compiling. Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.

New in version 0.2.2.21 Alpha (January 18th, 2011)

  • Major bugfixes (security), alsincluded in 0.2.1.29:
  • Fix a heap overflow bug where an adversary could cause heap corruption. This bug probably allows remote code execution attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on 0.1.2.10-rc.
  • Prevent a denial-of-service attack by disallowing any zlib-compressed data whose compression factor is implausibly high. Fixes part of bug 2324; reported by "doorss".
  • Zerout a few more keys in memory before freeing them. Fixes bug 2384 and part of bug 2385. These key instances found by "cypherpunks", based on Andrew Case's report about being able tfind sensitive data in Tor's memory space if you have enough permissions. Bugfix on 0.0.2pre9.
  • Major bugfixes (crashes), alsincluded in 0.2.1.29:
  • Prevent calls tLibevent from inside Libevent log handlers. This had potential tcause a nasty set of crashes, especially if running Libevent with debug logging enabled, and running Tor with a controller watching for low-severity log messages. Bugfix on 0.1.0.2-rc. Fixes bug 2190.
  • Add a check for SIZE_T_MAX ttor_realloc() ttry tavoid underflow errors there too. Fixes the other part of bug 2324.
  • Fix a bug where we would assert if we ever had a cached-descriptors.new file (or another file read directly intmemory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix on 0.2.1.25. Found by doorss.
  • Fix some potential asserts and parsing issues with grossly malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27. Found by doorss.
  • Minor bugfixes (other), alsincluded in 0.2.1.29:
  • Fix a bug with handling misformed replies treverse DNS lookup requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related ta bug reported by doorss.
  • Fix compilation on mingw when a pthreads compatibility library has been installed. (We don't want tuse it, swe shouldn't be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
  • Fix a bug where we would declare that we had run out of virtual addresses when the address space was only half-exhausted. Bugfix on 0.1.2.1-alpha.
  • Correctly handle the case where AutomapHostsOnResolve is set but nvirtual addresses are available. Fixes bug 2328; bugfix on 0.1.2.1-alpha. Bug found by doorss.
  • Correctly handle wrapping around twhen we run out of virtual address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
  • The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c because we built it with a too-old version of automake. Thus that release broke ./configure --enable-openbsd-malloc, which is popular among really fast exit relays on Linux.
  • Minor features, alsincluded in 0.2.1.29:
  • Update tthe January 1 2011 Maxmind GeoLite Country database.
  • Introduce output size checks on all of our decryption functions.
  • Build changes, alsincluded in 0.2.1.29:
  • Tor does not build packages correctly with Automake 1.6 and earlier; added a check tMakefile.am tmake sure that we're building with Automake 1.7 or later.
  • Major bugfixes, new in 0.2.2.21-alpha:
  • Prevent crash/heap corruption when the cbtnummodes consensus parameter is set t0 or large values. Fixes bug 2317; bugfix on 0.2.2.14-alpha.
  • Major features, new in 0.2.2.21-alpha:
  • Introduce minimum/maximum values that clients will believe from the consensus. Now we'll have a better chance tavoid crashes or worse when a consensus param has a weird value.
  • Minor features, new in 0.2.2.21-alpha:
  • Make sure tdisable DirPort if running as a bridge. DirPorts aren't used on bridges, and it makes bridge scanning somewhat easier.
  • If writing the state file tdisk fails, wait up tan hour before retrying again, rather than trying again each second. Fixes bug 2346; bugfix on Tor 0.1.1.3-alpha.
  • Make Libevent log messages get delivered tcontrollers later, and not from inside the Libevent log handler. This prevents unsafe reentrant Libevent calls while still letting the log messages get through.
  • Detect platforms that brokenly use a signed size_t, and refuse tbuild there. Found and analyzed by doorss and rransom.
  • Fix a bunch of compile warnings revealed by mingw with gcc 4.5. Resolves bug 2314.
  • Minor bugfixes, new in 0.2.2.21-alpha:
  • Handle SOCKS messages longer than 128 bytes long correctly, rather than waiting forever for them tfinish. Fixes bug 2330; bugfix on 0.2.0.16-alpha. Found by doorss.
  • Add assertions tcheck for overflow in arguments tbase32_encode() and base32_decode(); fix a signed-unsigned comparison there too. These bugs are not actually reachable in Tor, but it's good tprevent future errors too. Found by doorss.
  • Correctly detect failures tcreate DNS requests when using Libevent versions before v2. (Before Libevent 2, we used our own evdns implementation. Its return values for Libevent's evdns_resolve_*() functions are not consistent with those from Libevent.) Fixes bug 2363; bugfix on 0.2.2.6-alpha. Found by "lodger".
  • Documentation, new in 0.2.2.21-alpha:
  • Document the default socks host and port (127.0.0.1:9050) for tor-resolve.

New in version 0.2.1.29 Stable (January 18th, 2011)

  • Major bugfixes (security):
  • Fix a heap overflow bug where an adversary could cause heap corruption. This bug probably allows remote code execution attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on 0.1.2.10-rc.
  • Prevent a denial-of-service attack by disallowing any zlib-compressed data whose compression factor is implausibly high. Fixes part of bug 2324; reported by "doorss".
  • Zerout a few more keys in memory before freeing them. Fixes bug 2384 and part of bug 2385. These key instances found by "cypherpunks", based on Andrew Case's report about being able tfind sensitive data in Tor's memory space if you have enough permissions. Bugfix on 0.0.2pre9.
  • Major bugfixes (crashes):
  • Prevent calls tLibevent from inside Libevent log handlers. This had potential tcause a nasty set of crashes, especially if running Libevent with debug logging enabled, and running Tor with a controller watching for low-severity log messages. Bugfix on 0.1.0.2-rc. Fixes bug 2190.
  • Add a check for SIZE_T_MAX ttor_realloc() ttry tavoid underflow errors there too. Fixes the other part of bug 2324.
  • Fix a bug where we would assert if we ever had a cached-descriptors.new file (or another file read directly intmemory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix on 0.2.1.25. Found by doorss.
  • Fix some potential asserts and parsing issues with grossly malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27. Found by doorss.
  • Minor bugfixes (other):
  • Fix a bug with handling misformed replies treverse DNS lookup requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related ta bug reported by doorss.
  • Fix compilation on mingw when a pthreads compatibility library has been installed. (We don't want tuse it, swe shouldn't be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
  • Fix a bug where we would declare that we had run out of virtual addresses when the address space was only half-exhausted. Bugfix on 0.1.2.1-alpha.
  • Correctly handle the case where AutomapHostsOnResolve is set but nvirtual addresses are available. Fixes bug 2328; bugfix on 0.1.2.1-alpha. Bug found by doorss.
  • Correctly handle wrapping around twhen we run out of virtual address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
  • The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c because we built it with a too-old version of automake. Thus that release broke ./configure --enable-openbsd-malloc, which is popular among really fast exit relays on Linux.
  • Minor features:
  • Update tthe January 1 2011 Maxmind GeoLite Country database.
  • Introduce output size checks on all of our decryption functions.
  • Build changes:
  • Tor does not build packages correctly with Automake 1.6 and earlier; added a check tMakefile.am tmake sure that we're building with Automake 1.7 or later.

New in version 0.2.2.20 Alpha (December 21st, 2010)

  • Major bugfixes:
  • Fix a remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out. Everyone should upgrade. Bugfix on the 0.1.1 series and later.
  • Fix a bug that could break accounting on 64-bit systems with large time_t values, making them hibernate for impossibly long intervals. Fixes bug 2146. Bugfix on 0.0.9pre6.
  • Fix a logic error in directory_fetches_from_authorities() that would cause all _non_-exits refusing single-hop-like circuits to fetch from authorities, when we wanted to have _exits_ fetch from authorities. Fixes more of 2097. Bugfix on 0.2.2.16-alpha.
  • Fix a stream fairness bug that would cause newer streams on a given circuit to get preference when reading bytes from the origin or destination. Fixes bug 2210. This bug was introduced before the first Tor release, in svn revision r152.
  • Directory authority changes:
  • Change IP address and ports for gabelmoo (v3 directory authority).
  • Minor bugfixes:
  • Avoid crashes when AccountingMax is set on clients. Fixes bug 2235. Bugfix on 0.2.2.18-alpha.
  • Fix an off-by-one error in calculating some controller command argument lengths. Fortunately, this mistake is harmless since the controller code does redundant NUL termination too. Bugfix on 0.1.1.1-alpha.
  • Do not dereference NULL if a bridge fails to build its extra-info descriptor. Bugfix on 0.2.2.19-alpha.
  • Minor features:
  • Update to the December 1 2010 Maxmind GeoLite Country database.
  • Directory authorities now reject relays running any versions of Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have known bugs that keep RELAY_EARLY cells from working on rendezvous circuits. Followup to fix for bug 2081.
  • Directory authorities now reject relays running any version of Tor older than 0.2.0.26-rc. That version is the earliest that fetches current directory information correctly. Fixes bug 2156.
  • Report only the top 10 ports in exit-port stats in order not to exceed the maximum extra-info descriptor length of 50 KB. Implements task 2196.

New in version 0.2.1.28 (December 21st, 2010)

  • Major bugfixes:
  • Fix a remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out. Everyone should upgrade. Bugfix on the 0.1.1 series and later.
  • Directory authority changes:
  • Change IP address and ports for gabelmoo (v3 directory authority).
  • Minor features:
  • Update to the December 1 2010 Maxmind GeoLite Country database.

New in version 0.2.1.21 Stable (December 29th, 2009)

  • Major bugfixes:
  • Work around a security feature in OpenSSL 0.9.8l that prevents our handshake from working unless we explicitly tell OpenSSL that we are using SSL renegotiation safely. We are, of course, but OpenSSL 0.9.8l won't work unless we say we are.
  • Avoid crashing if the client is trying to upload many bytes and the circuit gets torn down at the same time, or if the flip side happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
  • Minor bugfixes:
  • Do not refuse to learn about authority certs and v2 networkstatus documents that are older than the latest consensus. This bug might have degraded client bootstrapping.

New in version 0.2.1.19 Beta (August 18th, 2009)

  • Major bugfixes:
  • Make accessing hidden services on 0.2.1.x work right again. Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and part of patch provided by "optimist".
  • Minor features:
  • When a relay/bridge is writing out its identity key fingerprint to the "fingerprint" file and to its logs, write it without spaces. Now it will look like the fingerprints in our bridges documentation, and confuse fewer users.
  • Minor bugfixes:
  • Relays no longer publish a new server descriptor if they change

New in version 0.2.0.35 (June 26th, 2009)

  • Security fix:
  • Avoid crashing in the presence of certain malformed descriptors.
  • Found by lark, and by automated fuzzing.
  • Fix an edge case where a malicious exit relay could convince a
  • controller that the client's DNS question resolves to an internal IP
  • address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
  • Major bugfixes:
  • Finally fix the bug where dynamic-IP relays disappear when their
  • IP address changes: directory mirrors were mistakenly telling
  • them their old address if they asked via begin_dir, so they
  • never got an accurate answer about their new address, so they
  • just vanished after a day. For belt-and-suspenders, relays that
  • don't set Address in their config now avoid using begin_dir for
  • all direct connections. Should fix bugs 827, 883, and 900.
  • Fix a timing-dependent, allocator-dependent, DNS-related crash bug
  • that would occur on some exit nodes when DNS failures and timeouts
  • occurred in certain patterns. Fix for bug 957.
  • Minor bugfixes:
  • When starting with a cache over a few days old, do not leak
  • memory for the obsolete router descriptors in it. Bugfix on
  • 0.2.0.33; fixes bug 672.
  • Hidden service clients didn't use a cached service descriptor that
  • was older than 15 minutes, but wouldn't fetch a new one either,
  • because there was already one in the cache. Now, fetch a v2
  • descriptor unless the same descriptor was added to the cache within
  • the last 15 minutes. Fixes bug 997; reported by Marcus Griep.

New in version 0.2.0.34 (February 10th, 2009)

  • Tor 0.2.0.34 features several more security-related fixes. You should upgrade, especially if you run an exit relay (remote crash) or a directory authority (remote infinite loop), or you're on an older (pre-XP) or not-recently-patched Windows (remote exploit).
  • This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have many known flaws, and nobody should be using them. You should upgrade. If you're using a Linux or BSD and its packages are obsolete, stop using
  • those packages and upgrade anyway.
  • Changes in version 0.2.0.34 - 2009-02-08
  • Security fixes:
  • Fix an infinite-loop bug on handling corrupt votes under certain circumstances. Bugfix on 0.2.0.8-alpha.
  • Fix a temporary DoS vulnerability that could be performed by a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
  • Avoid a potential crash on exit nodes when processing malformed input. Remote DoS opportunity. Bugfix on 0.2.0.33.
  • Do not accept incompl

New in version 0.2.0.6 Alpha / 0.1.2.16 (August 27th, 2007)

  • Vidalia 0.0.14 makes authentication required for the ControlPort in the default configuration, which addresses important security risks
  • Fixed major load balancing problems with path selection, which should speed things up a lot once many people have upgraded
  • The directory authorities also use a new mean-time-between-failure approach to tracking which servers are stable, rather than just looking at the most recent uptime

New in version 0.1.2.8 Beta (March 1st, 2007)

  • o Major bugfixes (crashes):
  • - Stop crashing when the controller asks us to resetconf more than
  • one config option at once. (Vidalia 0.0.11 does this.)
  • - Fix a crash that happened on Win98 when we're given command-line
  • arguments: don't try to load NT service functions from advapi32.dll
  • except when we need them. (Bug introduced in 0.1.2.7-alpha;
  • resolves bug 389.)
  • - Fix a longstanding obscure crash bug that could occur when
  • we run out of DNS worker processes. (Resolves bug 390.)
  • o Major bugfixes (hidden services):
  • - Correctly detect whether hidden service descriptor downloads are
  • in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
  • o Major bugfixes (accounting):
  • - When we start during an accounting interval before it's time to wake
  • up, remember to wake up at the correct time. (May fix bug 342.)
  • o Minor bugfixes (controller):
  • - Give the controller END_STREAM_REASON_DESTROY events _before_ we
  • clear the corresponding on_circuit variable, and remember later
  • that we don't need to send a redundant CLOSED event. (Resolves part
  • 3 of bug 367.)
  • - Report events where a resolve succeeded or where we got a socks
  • protocol error correctly, rather than calling both of them
  • "INTERNAL".
  • - Change reported stream target addresses to IP consistently when
  • we finally get the IP from an exit node.
  • - Send log messages to the controller even if they happen to be very
  • long.
  • o Minor bugfixes (other):
  • - Display correct results when reporting which versions are
  • recommended, and how recommended they are. (Resolves bug 383.)
  • - Improve our estimates for directory bandwidth to be less random:
  • guess that an unrecognized directory will have the average bandwidth
  • from all known directories, not that it will have the average
  • bandwidth from those directories earlier than it on the list.
  • - If we start a server with ClientOnly 1, then set ClientOnly to 0
  • and hup, stop triggering an assert based on an empty onion_key.
  • - On platforms with no working mmap() equivalent, don't warn the
  • user when cached-routers doesn't exist.
  • - Warn the user when mmap() [or its equivalent] fails for some reason
  • other than file-not-found.
  • - Don't warn the user when cached-routers.new doesn't exist: that's
  • perfectly fine when starting up for the first time.
  • - When EntryNodes are configured, rebuild the guard list to contain,
  • in order: the EntryNodes that were guards before; the rest of the
  • EntryNodes; the nodes that were guards before.
  • - Mask out all signals in sub-threads; only the libevent signal
  • handler should be processing them. This should prevent some crashes
  • on some machines using pthreads. (Patch from coderman.)
  • - Fix switched arguments on memset in the implementation of
  • tor_munmap() for systems with no mmap() call.
  • - When Tor receives a router descriptor that it asked for, but
  • no longer wants (because it has received fresh networkstatuses
  • in the meantime), do not warn the user. Cache the descriptor if
  • we're a cache; drop it if we aren't.
  • - Make earlier entry guards _really_ get retried when the network
  • comes back online.
  • - On a malformed DNS reply, always give an error to the corresponding
  • DNS request.
  • - Build with recent libevents on platforms that do not define the
  • nonstandard types "u_int8_t" and friends.
  • o Minor features (controller):
  • - Warn the user when an application uses the obsolete binary v0
  • control protocol. We're planning to remove support for it during
  • the next development series, so it's good to give people some
  • advance warning.
  • - Add STREAM_BW events to report per-entry-stream bandwidth
  • use. (Patch from Robert Hogan.)
  • - Rate-limit SIGNEWNYM signals in response to controllers that
  • impolitely generate them for every single stream. (Patch from
  • mwenge; closes bug 394.)
  • - Make REMAP stream events have a SOURCE (cache or exit), and
  • make them generated in every case where we get a successful
  • connected or resolved cell.
  • o Minor bugfixes (performance):
  • - Call router_have_min_dir_info half as often. (This is showing up in
  • some profiles, but not others.)
  • - When using GCC, make log_debug never get called at all, and its
  • arguments never get evaluated, when no debug logs are configured.
  • (This is showing up in some profiles, but not others.)
  • o Minor features:
  • - Remove some never-implemented options. Mark PathlenCoinWeight as
  • obsolete.
  • - Implement proposal 106: Stop requiring clients to have well-formed
  • certificates; stop checking nicknames in certificates. (Clients
  • have certificates so that they can look like Tor servers, but in
  • the future we might want to allow them to look like regular TLS
  • clients instead. Nicknames in certificates serve no purpose other
  • than making our protocol easier to recognize on the wire.)
  • - Revise messages on handshake failure again to be even more clear about
  • which are incoming connections and which are outgoing.
  • - Discard any v1 directory info that's over 1 month old (for
  • directories) or over 1 week old (for running-routers lists).
  • - Do not warn when individual nodes in the configuration's EntryNodes,
  • ExitNodes, etc are down: warn only when all possible nodes
  • are down. (Fixes bug 348.)
  • - Always remove expired routers and networkstatus docs before checking
  • whether we have enough information to build circuits. (Fixes
  • bug 373.)
  • - Put a lower-bound on MaxAdvertisedBandwidth.

New in version 0.1.2.7 Alpha (February 10th, 2007)

  • rate limiting is much more comfortable for servers
  • other bugfixes

New in version 0.1.2.6 Alpha (January 10th, 2007)

  • Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS connection handles more than 4 gigs in either direction, we crash.
  • Fix an assert error introduced in 0.1.2.5-alpha: if we're an advertised exit node, somebody might try to exit from us when we're bootstrapping and before we've built your descriptor yet.
  • Refuse the connection rather than crashing.