./net/tor, Anonymizing overlay network for TCP



Branch: CURRENT, Version: 0.4.7.8nb1, Package name: tor-0.4.7.8nb1, Maintainer: pkgsrc-users

The simple version: Tor provides a distributed network of servers ("onion
routers"). Users bounce their TCP streams (web traffic, FTP, SSH, etc.) around
the routers. This makes it hard for recipients, observers, and even the onion
routers themselves to track the source of the stream.

The complex version: Onion Routing is a connection-oriented anonymizing
communication service. Users choose a source-routed path through a set of
nodes, and negotiate a "virtual circuit" through the network, in which each
node knows its predecessor and successor, but no others. Traffic flowing down
the circuit is unwrapped by a symmetric key at each node, which reveals the
downstream node.


Required to run:
[security/openssl] [devel/libevent] [archivers/zstd]

Required to build:
[textproc/asciidoc] [pkgtools/cwrappers]

Package options: doc, openssl

Master sites:

Filesize: 7724.688 KB



CVS history:


   2022-06-28 13:38:00 by Thomas Klausner | Files touched by this commit (3952)
Log message:
*: recursive bump for perl 5.36

   2022-06-17 16:53:59 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
tor: update to 0.4.7.8.

Changes in version 0.4.7.8 - 2022-06-17
  This version fixes several bugfixes including a High severity security issue
  categorized as a Denial of Service. Everyone running an earlier version
  should upgrade to this version.

  o Major bugfixes (congestion control, TROVE-2022-001):
    - Fix a scenario where RTT estimation can become wedged, seriously
      degrading congestion control performance on all circuits. This
      impacts clients, onion services, and relays, and can be triggered
      remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
      bug 40626; bugfix on 0.4.7.5-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 17, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/06/17.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Allow the rseq system call in the sandbox. This solves a crash
      issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
      40601; bugfix on 0.3.5.11.

  o Minor bugfixes (logging):
    - Demote a harmless warn log message about finding a second hop
      from warn level to info level, if we do not have enough
      descriptors yet. Leave it at notice level for other cases. Fixes
      bug 40603; bugfix on 0.4.7.1-alpha.
    - Demote a notice log message about "Unexpected path length" to info
      level. These cases seem to happen arbitrarily, and we likely will
      never find all of them before the switch to arti. Fixes bug 40612;
      bugfix on 0.4.7.5-alpha.

  o Minor bugfixes (relay, logging):
    - Demote a harmless XOFF log message from notice level to info
      level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.

   2022-04-27 23:02:18 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
tor: update to 0.4.7.7.

Changes in version 0.4.7.7 - 2022-04-27
  This is the first stable version of the 0.4.7.x series. This series includes
  several major bugfixes from previous series and one massive new feature:
  congestion control.

  Congestion control should improve traffic speed and stability on the network
  once a majority of Exit upgrade. You can find more details about it in
  proposal 324 in the torspec.git repository.

  For a complete list of changes since 0.4.6.10, see the ReleaseNotes file.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on April 27, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/04/27.

  o Minor bugfixes (congestion control, client side logs):
    - Demote a warn about 1-hop circuits using congestion control down to
      info; Demote the 4-hop case to notice. Fixes bug 40598; bugfix on
      0.4.5-alpha.

Changes in version 0.4.7.6-rc - 2022-04-07
  This is the first release candidate of the 0.4.7.x series. Only one minor
  bugfix went in since the last alpha couple weeks ago. We strongly recommend
  anyone running an alpha version to upgrade to this version. Unless major
  problems are found, the next release will finally be the stable!

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on April 07, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/04/07.

  o Minor features (linux seccomp2 sandbox):
    - Permit the clone3 syscall, which is apparently used in glibc-2.34
      and later. Closes ticket 40590.

Changes in version 0.4.7.5-alpha - 2022-03-25
  This version contains, of what we hope, the final work for congestion
  control paving the way to the stable version. We expect this to be the last
  alpha version of the 0.4.7.x series. Mostly minor bugfixes except one major
  bugfix that changes how Tor behaves with DNS timeouts for Exit relays. As
  always with an alpha, we recommend all relay operators to upgrade from
  previous alpha to this one.

  o Major bugfixes (onion service, congestion control):
    - Fix the onion service upload case where the congestion control
      parameters were not added to the right object. Fixes bug 40586;
      bugfix on 0.4.7.4-alpha.

  o Major bugfixes (relay, DNS):
    - Lower the DNS timeout from 3 attempts at 5 seconds each to 2
      attempts at 1 second each. Two new consensus parameters were
      added to control these values. This change should improve observed
      performance under DNS load; see ticket for more details. Fixes bug
      40312; bugfix on 0.3.5.1-alpha.

  o Minor features (control port):
    - Provide congestion control fields on CIRC_BW and STREAM control
      port events, for use by sbws. Closes ticket 40568.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on March 25, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/03/25.

  o Minor bugfixes (DNSPort, dormant mode):
    - A request on the DNSPort now wakes up a dormant tor. Fixes bug
      40577; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (metrics port, onion service):
    - Fix the metrics with a port label to be unique. Before this, all
      ports of an onion service would be on the same line which violates
      the Prometheus rules of unique labels. Fixes bug 40581; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (onion service congestion control):
    - Avoid a non-fatal assertion failure in the case where we fail to
      set up congestion control on a rendezvous circuit. This could
      happen naturally if a cache entry expired at an unexpected time.
      Fixes bug 40576; bugfix on 0.4.7.4-alpha.

  o Minor bugfixes (onion service, client):
    - Fix a rare but fatal assertion failure due to a guard subsystem
      recursion triggered by the onion service client. Fixes bug 40579;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (relay, overload):
    - Decide whether to signal overload based on a fraction and
      assessment period of ntor handshake drops. Previously, a single
      drop could trigger an overload state, which caused many false
      positives. Fixes bug 40560; bugfix on 0.4.7.1-alpha.

Changes in version 0.4.7.4-alpha - 2022-02-25
  This version contains the negotiation congestion control work which is the
  final part needed before going stable. There are also various bugfixes
  including two major ones detailed below. Last, the Exit notice page layout
  has been modernized but the text is unchanged. We recommend that all relay
  operators running any previous alpha upgrade to this one.

  o Major features (relay, client, onion services):
    - Implement RTT-based congestion control for exits and onion
      services, from Proposal 324. Disabled by default. Enabled by the
      'cc_alg' consensus parameter. Closes ticket 40444.

  o Major bugfixes (client):
    - Stop caching TCP connect failures to relays/bridges when we
      initiated the connection as a client. Now we only cache connect
      failures as a relay or bridge when we initiated them because of an
      EXTEND request. Declining to re-attempt the client-based
      connections could cause problems when we lose connectivity and try
      to reconnect. Fixes bug 40499; bugfix on 0.3.3.4-alpha.

  o Major bugfixes (relay, overload):
    - Do not trigger a general overload on DNS timeout. Even after
      fixing 40527, some code remained that triggered the overload.
      Fixes bug 40564; bugfix on 0.4.7.1-alpha.

  o Minor feature (authority, relay):
    - Reject End-Of-Life relays running version 0.3.5.x. Closes
      ticket 40559.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on February 25, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/02/25.

  o Minor bugfix (logging):
    - Update a log notice dead URL to a working one. Fixes bug 40544;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfix (relay):
    - Remove the HSDir and HSIntro onion service v2 protocol versions so
      relay stop advertising that they support them. Fixes bug 40509;
      bugfix on 0.3.5.17.

  o Minor bugfixes (cell scheduling):
    - Avoid writing empty payload with NSS write.
    - Don't attempt to write 0 bytes after a cell scheduling loop. No
      empty payload was put on the wire. Fixes bug 40548; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (compilation):
    - Resume being able to build on old / esoteric gcc versions. Fixes
      bug 40550; bugfix on 0.4.7.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix couple compiler warnings on latest Ubuntu Jammy. Fixes bug
      40516; bugfix on 0.3.5.1-alpha.

  o Documentation:
    - Provide an improved version of the tor-exit-notice.html file for
      exit relays to use as a landing page. The text is unchanged, but
      the page design and layout are significantly modernized, and
      several links are fixed. Patch from "n_user"; closes ticket 40529.

   2022-04-20 11:15:08 by Thomas Klausner | Files touched by this commit (1)
Log message:
tor: reset maintainer

   2022-02-15 10:14:12 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
tor: update to 0.4.6.10.

Changes in version 0.4.6.10 - 2022-02-04
  This version contains minor bugfixes but one in particular is that relays
  don't advertise onion service v2 support at the protocol version level.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on February 04, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/02/04.

  o Minor bugfix (logging):
    - Update a log notice dead URL to a working one. Fixes bug 40544;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfix (relay):
    - Remove the HSDir and HSIntro onion service v2 protocol versions so
      relay stop advertising that they support them. Fixes bug 40509;
      bugfix on 0.3.5.17.

  o Minor bugfixes (MetricsPort, Prometheus):
    - Add double quotes to the label values of the onion service
      metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.

   2021-12-17 20:09:28 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
tor: update to 0.4.6.9.

Changes in version 0.4.6.9 - 2021-12-15
  This version fixes several bugs from earlier versions of Tor. One important
  piece is the removal of DNS timeout metric from the overload general signal.
  See below for more details.

  o Major bugfixes (relay, overload):
    - Don't make Tor DNS timeout trigger an overload general state.
      These timeouts are different from DNS server timeout. They have to
      be seen as timeout related to UX and not because of a network
      problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.

  o Minor feature (reproducible build):
    - The repository can now build reproducible tarballs which adds the
      build command "make dist-reprod" for that purpose. Closes
      ticket 26299.

  o Minor features (compilation):
    - Give an error message if trying to build with a version of
      LibreSSL known not to work with Tor. (There's an incompatibility
      with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
      their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
      ticket 40511.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on December 15, 2021.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/12/15.

  o Minor bugfixes (compilation):
    - Fix our configuration logic to detect whether we had OpenSSL 3:
      previously, our logic was reversed. This has no other effect than
      to change whether we suppress deprecated API warnings. Fixes bug
      40429; bugfix on 0.3.5.13.

  o Minor bugfixes (relay):
    - Reject IPv6-only DirPorts. Our reachability self-test forces
      DirPorts to be IPv4, but our configuration parser allowed them to
      be IPv6-only, which led to an assertion failure. Fixes bug 40494;
      bugfix on 0.4.5.1-alpha.

  o Documentation (man, relay):
    - Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
      bugfix on 0.4.6.1-alpha.

   2021-10-27 15:16:35 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
tor: update to 0.4.6.8.

Changes in version 0.4.6.8 - 2021-10-26
  This version fixes several bugs from earlier versions of Tor. One
  highlight is a fix on how we track DNS timeouts to report general
  relay overload.

  o Major bugfixes (relay, overload state):
    - Relays report the general overload state for DNS timeout errors
      only if X% of all DNS queries over Y seconds are errors. Before
      that, it only took 1 timeout to report the overload state which
      was just too low of a threshold. The X and Y values are 1% and 10
      minutes respectively but they are also controlled by consensus
      parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories for October 2021. Closes
      ticket 40493.

  o Minor features (testing):
    - On a testing network, relays can now use the
      TestingMinTimeToReportBandwidth option to change the smallest
      amount of time over which they're willing to report their observed
      maximum bandwidth. Previously, this was fixed at 1 day. For
      safety, values under 2 hours are only supported on testing
      networks. Part of a fix for ticket 40337.
    - Relays on testing networks no longer rate-limit how frequently
      they are willing to report new bandwidth measurements. Part of a
      fix for ticket 40337.
    - Relays on testing networks now report their observed bandwidths
      immediately from startup. Previously, they waited until they had
      been running for a full day. Closes ticket 40337.

  o Minor bugfix (onion service):
    - Do not flag an HSDir as non-running in case the descriptor upload
      or fetch fails. An onion service closes pending directory
      connections before uploading a new descriptor which can thus lead
      to wrongly flagging many relays and thus affecting circuit building
      path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
    - Improve logging when a bad HS version is given. Fixes bug 40476;
      bugfix on 0.4.6.1-alpha.

  o Minor bugfix (CI, onion service):
    - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
      bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (compatibility):
    - Fix compatibility with the most recent Libevent versions, which no
      longer have an evdns_set_random_bytes() function. Because this
      function has been a no-op since Libevent 2.0.4-alpha, it is safe
      for us to just stop calling it. Fixes bug 40371; bugfix
      on 0.2.1.7-alpha.

  o Minor bugfixes (onion service, TROVE-2021-008):
    - Only log v2 access attempts once total, in order to not pollute
      the logs with warnings and to avoid recording the times on disk
      when v2 access was attempted. Note that the onion address was
      _never_ logged. This counts as a Low-severity security issue.
      Fixes bug 40474; bugfix on 0.4.5.8.

   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch