2022-06-17 16:53:59 by Thomas Klausner | Files touched by this commit (2)
Log message:
tor: update to 0.4.7.8.
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
should upgrade to this version.
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
|
2022-04-27 23:02:18 by Thomas Klausner | Files touched by this commit (2)
Log message:
tor: update to 0.4.7.7.
Changes in version 0.4.7.7 - 2022-04-27
This is the first stable version of the 0.4.7.x series. This series includes
several major bugfixes from previous series and one massive new feature:
congestion control.
Congestion control should improve traffic speed and stability on the network
once a majority of Exits upgrade. You can find more details about it in
proposal 324 in the torspec.git repository.
For a complete list of changes since 0.4.6.10, see the ReleaseNotes file.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on April 27, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/04/27.
o Minor bugfixes (congestion control, client side logs):
- Demote a warn about 1-hop circuits using congestion control down to
info; Demote the 4-hop case to notice. Fixes bug 40598; bugfix on
0.4.5-alpha.
Changes in version 0.4.7.6-rc - 2022-04-07
This is the first release candidate of the 0.4.7.x series. Only one minor
bugfix went in since the last alpha a couple of weeks ago. We strongly recommend
anyone running an alpha version to upgrade to this version. Unless major
problems are found, the next release will finally be the stable!
o Minor features (fallbackdir):
- Regenerate fallback directories generated on April 07, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/04/07.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
Changes in version 0.4.7.5-alpha - 2022-03-25
This version contains what we hope is the final work for congestion
control paving the way to the stable version. We expect this to be the last
alpha version of the 0.4.7.x series. Mostly minor bugfixes except one major
bugfix that changes how Tor behaves with DNS timeouts for Exit relays. As
always with an alpha, we recommend all relay operators to upgrade from
previous alpha to this one.
o Major bugfixes (onion service, congestion control):
- Fix the onion service upload case where the congestion control
parameters were not added to the right object. Fixes bug 40586;
bugfix on 0.4.7.4-alpha.
o Major bugfixes (relay, DNS):
- Lower the DNS timeout from 3 attempts at 5 seconds each to 2
attempts at 1 second each. Two new consensus parameters were
added to control these values. This change should improve observed
performance under DNS load; see ticket for more details. Fixes bug
40312; bugfix on 0.3.5.1-alpha.
o Minor features (control port):
- Provide congestion control fields on CIRC_BW and STREAM control
port events, for use by sbws. Closes ticket 40568.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on March 25, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/03/25.
o Minor bugfixes (DNSPort, dormant mode):
- A request on the DNSPort now wakes up a dormant tor. Fixes bug
40577; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (metrics port, onion service):
- Fix the metrics with a port label to be unique. Before this, all
ports of an onion service would be on the same line which violates
the Prometheus rules of unique labels. Fixes bug 40581; bugfix
on 0.4.5.1-alpha.
o Minor bugfixes (onion service congestion control):
- Avoid a non-fatal assertion failure in the case where we fail to
set up congestion control on a rendezvous circuit. This could
happen naturally if a cache entry expired at an unexpected time.
Fixes bug 40576; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (onion service, client):
- Fix a rare but fatal assertion failure due to a guard subsystem
recursion triggered by the onion service client. Fixes bug 40579;
bugfix on 0.3.5.1-alpha.
o Minor bugfixes (relay, overload):
- Decide whether to signal overload based on a fraction and
assessment period of ntor handshake drops. Previously, a single
drop could trigger an overload state, which caused many false
positives. Fixes bug 40560; bugfix on 0.4.7.1-alpha.
Changes in version 0.4.7.4-alpha - 2022-02-25
This version contains the negotiation congestion control work which is the
final part needed before going stable. There are also various bugfixes
including two major ones detailed below. Last, the Exit notice page layout
has been modernized but the text is unchanged. We recommend that all relay
operators running any previous alpha upgrade to this one.
o Major features (relay, client, onion services):
- Implement RTT-based congestion control for exits and onion
services, from Proposal 324. Disabled by default. Enabled by the
'cc_alg' consensus parameter. Closes ticket 40444.
o Major bugfixes (client):
- Stop caching TCP connect failures to relays/bridges when we
initiated the connection as a client. Now we only cache connect
failures as a relay or bridge when we initiated them because of an
EXTEND request. Declining to re-attempt the client-based
connections could cause problems when we lose connectivity and try
to reconnect. Fixes bug 40499; bugfix on 0.3.3.4-alpha.
o Major bugfixes (relay, overload):
- Do not trigger a general overload on DNS timeout. Even after
fixing 40527, some code remained that triggered the overload.
Fixes bug 40564; bugfix on 0.4.7.1-alpha.
o Minor feature (authority, relay):
- Reject End-Of-Life relays running version 0.3.5.x. Closes
ticket 40559.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 25, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/25.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relays stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (cell scheduling):
- Avoid writing empty payload with NSS write.
- Don't attempt to write 0 bytes after a cell scheduling loop. No
empty payload was put on the wire. Fixes bug 40548; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (compilation):
- Resume being able to build on old / esoteric gcc versions. Fixes
bug 40550; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (compiler warnings):
- Fix a couple of compiler warnings on latest Ubuntu Jammy. Fixes bug
40516; bugfix on 0.3.5.1-alpha.
o Documentation:
- Provide an improved version of the tor-exit-notice.html file for
exit relays to use as a landing page. The text is unchanged, but
the page design and layout are significantly modernized, and
several links are fixed. Patch from "n_user"; closes ticket 40529.
|
2022-04-20 11:15:08 by Thomas Klausner | Files touched by this commit (1)
Log message:
tor: reset maintainer
|
2022-02-15 10:14:12 by Thomas Klausner | Files touched by this commit (2)
Log message:
tor: update to 0.4.6.10.
Changes in version 0.4.6.10 - 2022-02-04
This version contains minor bugfixes but one in particular is that relays
don't advertise onion service v2 support at the protocol version level.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 04, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/04.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relays stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (MetricsPort, Prometheus):
- Add double quotes to the label values of the onion service
metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.
|
2021-12-17 20:09:28 by Thomas Klausner | Files touched by this commit (2)
Log message:
tor: update to 0.4.6.9.
Changes in version 0.4.6.9 - 2021-12-15
This version fixes several bugs from earlier versions of Tor. One important
piece is the removal of DNS timeout metric from the overload general signal.
See below for more details.
o Major bugfixes (relay, overload):
- Don't make Tor DNS timeout trigger an overload general state.
These timeouts are different from DNS server timeout. They have to
be seen as timeout related to UX and not because of a network
problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.
o Minor feature (reproducible build):
- The repository can now build reproducible tarballs which adds the
build command "make dist-reprod" for that purpose. Closes
ticket 26299.
o Minor features (compilation):
- Give an error message if trying to build with a version of
LibreSSL known not to work with Tor. (There's an incompatibility
with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
ticket 40511.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 15, 2021.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/12/15.
o Minor bugfixes (compilation):
- Fix our configuration logic to detect whether we had OpenSSL 3:
previously, our logic was reversed. This has no other effect than
to change whether we suppress deprecated API warnings. Fixes bug
40429; bugfix on 0.3.5.13.
o Minor bugfixes (relay):
- Reject IPv6-only DirPorts. Our reachability self-test forces
DirPorts to be IPv4, but our configuration parser allowed them to
be IPv6-only, which led to an assertion failure. Fixes bug 40494;
bugfix on 0.4.5.1-alpha.
o Documentation (man, relay):
- Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
bugfix on 0.4.6.1-alpha.
|
2021-10-27 15:16:35 by Thomas Klausner | Files touched by this commit (2)
Log message:
tor: update to 0.4.6.8.
Changes in version 0.4.6.8 - 2021-10-26
This version fixes several bugs from earlier versions of Tor. One
highlight is a fix on how we track DNS timeouts to report general
relay overload.
o Major bugfixes (relay, overload state):
- Relays report the general overload state for DNS timeout errors
only if X% of all DNS queries over Y seconds are errors. Before
that, it only took 1 timeout to report the overload state which
was just too low of a threshold. The X and Y values are 1% and 10
minutes respectively but they are also controlled by consensus
parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories for October 2021. Closes
ticket 40493.
o Minor features (testing):
- On a testing network, relays can now use the
TestingMinTimeToReportBandwidth option to change the smallest
amount of time over which they're willing to report their observed
maximum bandwidth. Previously, this was fixed at 1 day. For
safety, values under 2 hours are only supported on testing
networks. Part of a fix for ticket 40337.
- Relays on testing networks no longer rate-limit how frequently
they are willing to report new bandwidth measurements. Part of a
fix for ticket 40337.
- Relays on testing networks now report their observed bandwidths
immediately from startup. Previously, they waited until they had
been running for a full day. Closes ticket 40337.
o Minor bugfix (onion service):
- Do not flag an HSDir as non-running in case the descriptor upload
or fetch fails. An onion service closes pending directory
connections before uploading a new descriptor which can thus lead
to wrongly flagging many relays and thus affecting circuit building
path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
- Improve logging when a bad HS version is given. Fixes bug 40476;
bugfix on 0.4.6.1-alpha.
o Minor bugfix (CI, onion service):
- Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
bugfix on 0.3.2.1-alpha.
o Minor bugfixes (compatibility):
- Fix compatibility with the most recent Libevent versions, which no
longer have an evdns_set_random_bytes() function. Because this
function has been a no-op since Libevent 2.0.4-alpha, it is safe
for us to just stop calling it. Fixes bug 40371; bugfix
on 0.2.1.7-alpha.
o Minor bugfixes (onion service, TROVE-2021-008):
- Only log v2 access attempts once total, in order to not pollute
the logs with warnings and to avoid recording the times on disk
when v2 access was attempted. Note that the onion address was
_never_ logged. This counts as a Low-severity security issue.
Fixes bug 40474; bugfix on 0.4.5.8.
|
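The overload rule from the 0.4.6.8 entry above (report only if X% of DNS queries over Y seconds are errors, with X = 1% and Y = 10 minutes), set beside the earlier one-timeout behaviour; the ntor handshake drop change in 0.4.7.5-alpha describes the same kind of fraction-over-period rule. This is an added example, not Tor's or pkgsrc's code: all names are hypothetical, the workload is constructed, and fixed (non-sliding) periods with an "at least X%" comparison are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative sketch with hypothetical names; not Tor's source code. */
typedef struct {
    unsigned pct;            /* X: error percentage that signals overload */
    uint64_t period;         /* Y: assessment period in seconds */
    uint64_t start, total, errors;
} tracker_t;

/* Old behaviour per the changelog: a single timeout reports overload. */
static bool legacy_note(bool timed_out) { return timed_out; }

/* Fractional rule: count queries, judge only when a period has elapsed.
 * Assumptions: fixed (non-sliding) periods, and "at least X%" triggers. */
static bool tracker_note(tracker_t *t, uint64_t now, bool timed_out)
{
    bool overload = false;
    if (now - t->start >= t->period) {
        overload = t->total > 0 &&
                   t->errors * 100 >= (uint64_t)t->pct * t->total;
        t->start = now;
        t->total = t->errors = 0;
    }
    t->total++;
    if (timed_out) t->errors++;
    return overload;
}

typedef struct { unsigned windowed, legacy; } signals_t;

/* Constructed workload: one DNS query per second, every error_every-th
 * query times out. Counts overload reports under both rules. */
signals_t simulate(uint64_t seconds, uint64_t error_every)
{
    tracker_t t = { 1, 600, 0, 0, 0 };   /* changelog defaults: 1%, 10 min */
    signals_t s = { 0, 0 };
    for (uint64_t now = 0; now < seconds; now++) {
        bool timed_out = ((now + 1) % error_every) == 0;
        s.legacy += legacy_note(timed_out);
        s.windowed += tracker_note(&t, now, timed_out);
    }
    return s;
}

int main(void)
{
    signals_t low = simulate(1801, 200), high = simulate(1801, 50);
    printf("0.5%% timeouts: legacy=%u windowed=%u\n", low.legacy, low.windowed);
    printf("2%% timeouts:   legacy=%u windowed=%u\n", high.legacy, high.windowed);
    return 0;
}
```

A period is judged only when the first query after its end arrives, so the 1801-second run evaluates exactly three 10-minute periods.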
2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
|
2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
|
2021-09-07 16:00:52 by Greg Troxel | Files touched by this commit (1)
Log message:
net/tor: Workaround upstream "micro-revision.i" bug
There is something wrong in tor's makefiles which causes:
  src/lib/version/git_revision.c:21:10: fatal error: micro-revision.i: No such file or directory
   #include "micro-revision.i"
            ^~~~~~~~~~~~~~~~~~
  compilation terminated.
obviously by not having built micro-revision.i when that compilation
is done. This happens reliably for some people and not for others.
This commit adds a comment with the issue in tor's bug tracker, and a
workaround that builds micro-revision.i and then does the normal
build.
No PKGREVISION as this is just a build fix, and should have zero
effect if this built anyway.
ok @wiz
|
2021-07-01 09:42:38 by Thomas Klausner | Files touched by this commit (3)
Log message:
tor: update to 0.4.6.6.
Changes in version 0.4.6.6 - 2021-06-30
Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
allows Tor to build correctly on older versions of GCC. You should
upgrade to this version if you were having trouble building Tor
0.4.6.5; otherwise, there is probably no need.
o Minor bugfixes (compilation):
- Fix a compilation error when trying to build Tor with a compiler
that does not support const variables in static initializers.
Fixes bug 40410; bugfix on 0.4.6.5.
- Suppress a strict-prototype warning when building with some
versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing):
- Enable the deterministic RNG for unit tests that cover the
address set bloomfilter-based APIs. Fixes bug 40419; bugfix
on 0.3.3.2-alpha.
|