New Release: Tor 0.4.0.5

by nickm | May 3, 2019

After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.0.5 on the website. Packages should be available within the next several weeks, with a new Tor Browser likely later this month.

This is the first stable release in the 0.4.0.x series. It contains improvements for power management and bootstrap reporting, as well as preliminary backend support for circuit padding to prevent some kinds of traffic analysis. It also continues our work in refactoring Tor for long-term maintainability.

Per our support policy, we will support the 0.4.0.x series for nine months, or until three months after the release of a stable 0.4.1.x: whichever is longer. If you need longer-term support, please stick with 0.3.5.x, which will we plan to support until Feb 2022.

Below are the changes since 0.3.5.7. For a complete list of changes since 0.4.0.4-rc, see the ChangeLog file.

Changes in version 0.4.0.5 - 2019-05-02

  • Major features (battery management, client, dormant mode):
    • When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.
    • The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.
    • There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.
  • Major features (bootstrap reporting):
    • When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
    • When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

 

  • Major features (circuit padding):
    • Implement preliminary support for the circuit padding portion of Proposal 254. The implementation supports Adaptive Padding (aka WTF-PAD) state machines for use between experimental clients and relays. Support is also provided for APE-style state machines that use probability distributions instead of histograms to specify inter-packet delay. At the moment, Tor does not provide any padding state machines that are used in normal operation: for now, this feature exists solely for experimentation. Closes ticket 28142.
  • Major features (refactoring):
    • Tor now uses an explicit list of its own subsystems when initializing and shutting down. Previously, these systems were managed implicitly in various places throughout the codebase. (There may still be some subsystems using the old system.) Closes ticket 28330.
  • Major bugfixes (cell scheduler, KIST, security):
    • Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
  • Major bugfixes (networking):
    • Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
  • Major bugfixes (NSS, relay):
    • When running with NSS, disable TLS 1.2 ciphersuites that use SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for these ciphersuites don't work -- which caused relays to fail to handshake with one another when these ciphersuites were enabled. Fixes bug 29241; bugfix on 0.3.5.1-alpha.
  • Major bugfixes (windows, startup):
    • When reading a consensus file from disk, detect whether it was written in text mode, and re-read it in text mode if so. Always write consensus files in binary mode so that we can map them into memory later. Previously, we had written in text mode, which confused us when we tried to map the file on windows. Fixes bug 28614; bugfix on 0.4.0.1-alpha.
  • Minor features (address selection):
    • Treat the subnet 100.64.0.0/10 as public for some purposes; private for others. This subnet is the RFC 6598 (Carrier Grade NAT) IP range, and is deployed by many ISPs as an alternative to RFC 1918 that does not break existing internal networks. Tor now blocks SOCKS and control ports on these addresses and warns users if client ports or ExtORPorts are listening on a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan.
  • Minor features (bandwidth authority):
    • Make bandwidth authorities ignore relays that are reported in the bandwidth file with the flag "vote=0". This change allows us to report unmeasured relays for diagnostic reasons without including their bandwidth in the bandwidth authorities' vote. Closes ticket 29806.
    • When a directory authority is using a bandwidth file to obtain the bandwidth values that will be included in the next vote, serve this bandwidth file at /tor/status-vote/next/bandwidth. Closes ticket 21377.
  • Minor features (bootstrap reporting):
    • When reporting bootstrap progress, stop distinguishing between situations where only internal paths are available and situations where external paths are available. Previously, Tor would often erroneously report that it had only internal paths. Closes ticket 27402.
  • Minor features (compilation):
    • Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix".
  • Minor features (continuous integration):
    • On Travis Rust builds, cleanup Rust registry and refrain from caching the "target/" directory to speed up builds. Resolves issue 29962.
    • Log Python version during each Travis CI job. Resolves issue 28551.
    • In Travis, tell timelimit to use stem's backtrace signals, and launch python directly from timelimit, so python receives the signals from timelimit, rather than make. Closes ticket 30117.
  • Minor features (controller):
    • Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP. Implements ticket 28843.
  • Minor features (developer tooling):
    • Check that bugfix versions in changes files look like Tor versions from the versions spec. Warn when bugfixes claim to be on a future release. Closes ticket 27761.
    • Provide a git pre-commit hook that disallows commiting if we have any failures in our code and changelog formatting checks. It is now available in scripts/maint/pre-commit.git-hook. Implements feature 28976.
    • Provide a git hook script to prevent "fixup!" and "squash!" commits from ending up in the master branch, as scripts/main/pre- push.git-hook. Closes ticket 27993.
  • Minor features (diagnostic):
    • Add more diagnostic log messages in an attempt to solve the issue of NUL bytes appearing in a microdescriptor cache. Related to ticket 28223.
  • Minor features (directory authority):
    • When a directory authority is using a bandwidth file to obtain bandwidth values, include the digest of that file in the vote. Closes ticket 26698.
    • Directory authorities support a new consensus algorithm, under which the family lines in microdescriptors are encoded in a canonical form. This change makes family lines more compressible in transit, and on the client. Closes ticket 28266; implements proposal 298.
  • Minor features (directory authority, relay):
    • Authorities now vote on a "StaleDesc" flag to indicate that a relay's descriptor is so old that the relay should upload again soon. Relays treat this flag as a signal to upload a new descriptor. This flag will eventually let us remove the 'published' date from routerstatus entries, and make our consensus diffs much smaller. Closes ticket 26770; implements proposal 293.
  • Minor features (dormant mode):
    • Add a DormantCanceledByStartup option to tell Tor that it should treat a startup event as cancelling any previous dormant state. Integrators should use this option with caution: it should only be used if Tor is being started because of something that the user did, and not if Tor is being automatically started in the background. Closes ticket 29357.
  • Minor features (fallback directory mirrors):
    • Update the fallback whitelist based on operator opt-ins and opt- outs. Closes ticket 24805, patch by Phoul.
  • Minor features (FreeBSD):
    • On FreeBSD-based systems, warn relay operators if the "net.inet.ip.random_id" sysctl (IP ID randomization) is disabled. Closes ticket 28518.
  • Minor features (geoip):
    • Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2 Country database. Closes ticket 29992.
  • Minor features (HTTP standards compliance):
    • Stop sending the header "Content-type: application/octet-stream" along with transparently compressed documents: this confused browsers. Closes ticket 28100.
  • Minor features (IPv6):
    • We add an option ClientAutoIPv6ORPort, to make clients randomly prefer a node's IPv4 or IPv6 ORPort. The random preference is set every time a node is loaded from a new consensus or bridge config. We expect that this option will enable clients to bootstrap more quickly without having to determine whether they support IPv4, IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
    • When using addrs_in_same_network_family(), avoid choosing circuit paths that pass through the same IPv6 subnet more than once. Previously, we only checked IPv4 subnets. Closes ticket 24393. Patch by Neel Chauhan.
  • Minor features (log messages):
    • Improve log message in v3 onion services that could print out negative revision counters. Closes ticket 27707. Patch by "ffmancera".
  • Minor features (memory usage):
    • Save memory by storing microdescriptor family lists with a more compact representation. Closes ticket 27359.
    • Tor clients now use mmap() to read consensus files from disk, so that they no longer need keep the full text of a consensus in memory when parsing it or applying a diff. Closes ticket 27244.
  • Minor features (NSS, diagnostic):
    • Try to log an error from NSS (if there is any) and a more useful description of our situation if we are using NSS and a call to SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
  • Minor features (parsing):
    • Directory authorities now validate that router descriptors and ExtraInfo documents are in a valid subset of UTF-8, and reject them if they are not. Closes ticket 27367.
  • Minor features (performance):
    • Cache the results of summarize_protocol_flags(), so that we don't have to parse the same protocol-versions string over and over. This should save us a huge number of malloc calls on startup, and may reduce memory fragmentation with some allocators. Closes ticket 27225.
    • Remove a needless memset() call from get_token_arguments, thereby speeding up the tokenization of directory objects by about 20%. Closes ticket 28852.
    • Replace parse_short_policy() with a faster implementation, to improve microdescriptor parsing time. Closes ticket 28853.
    • Speed up directory parsing a little by avoiding use of the non- inlined strcmp_len() function. Closes ticket 28856.
    • Speed up microdescriptor parsing by about 30%, to help improve startup time. Closes ticket 28839.
  • Minor features (pluggable transports):
    • Add support for emitting STATUS updates to Tor's control port from a pluggable transport process. Closes ticket 28846.
    • Add support for logging to Tor's logging subsystem from a pluggable transport process. Closes ticket 28180.
  • Minor features (process management):
    • Add a new process API for handling child processes. This new API allows Tor to have bi-directional communication with child processes on both Unix and Windows. Closes ticket 28179.
    • Use the subsystem manager to initialize and shut down the process module. Closes ticket 28847.
  • Minor features (relay):
    • When listing relay families, list them in canonical form including the relay's own identity, and try to give a more useful set of warnings. Part of ticket 28266 and proposal 298.
  • Minor features (required protocols):
    • Before exiting because of a missing required protocol, Tor will now check the publication time of the consensus, and not exit unless the consensus is newer than the Tor program's own release date. Previously, Tor would not check the consensus publication time, and so might exit because of a missing protocol that might no longer be required in a current consensus. Implements proposal 297; closes ticket 27735.
  • Minor features (testing):
    • Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668.
    • Allow a HeartbeatPeriod of less than 30 minutes in testing Tor networks. Closes ticket 28840. Patch by Rob Jansen.
    • Use the approx_time() function when setting the "Expires" header in directory replies, to make them more testable. Needed for ticket 30001.
  • Minor bugfixes (security):
    • Fix a potential double free bug when reading huge bandwidth files. The issue is not exploitable in the current Tor network because the vulnerable code is only reached when directory authorities read bandwidth files, but bandwidth files come from a trusted source (usually the authorities themselves). Furthermore, the issue is only exploitable in rare (non-POSIX) 32-bit architectures, which are not used by any of the current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by Tobias Stoeckmann.
    • Verify in more places that we are not about to create a buffer with more than INT_MAX bytes, to avoid possible OOB access in the event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by Tobias Stoeckmann.
  • Minor bugfix (continuous integration):
    • Reset coverage state on disk after Travis CI has finished. This should prevent future coverage merge errors from causing the test suite for the "process" subsystem to fail. The process subsystem was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15.
    • Terminate test-stem if it takes more than 9.5 minutes to run. (Travis terminates the job after 10 minutes of no output.) Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.
  • Minor bugfixes (build, compatibility, rust):
    • Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha.
  • Minor bugfixes (C correctness):
    • Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug 29824; bugfix on 0.3.1.1-alpha. This is Coverity warning CID 1444119.
  • Minor bugfixes (client, clock skew):
    • Bootstrap successfully even when Tor's clock is behind the clocks on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
    • Select guards even if the consensus has expired, as long as the consensus is still reasonably live. Fixes bug 24661; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (compilation):
    • Fix compilation warnings in test_circuitpadding.c. Fixes bug 29169; bugfix on 0.4.0.1-alpha.
    • Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.
    • Compile correctly on OpenBSD; previously, we were missing some headers required in order to detect it properly. Fixes bug 28938; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
  • Minor bugfixes (directory clients):
    • Mark outdated dirservers when Tor only has a reasonably live consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.
  • Minor bugfixes (directory mirrors):
    • Even when a directory mirror's clock is behind the clocks on the authorities, we now allow the mirror to serve "future" consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (DNS):
    • Gracefully handle an empty or absent resolve.conf file by falling back to using "localhost" as a DNS server (and hoping it works). Previously, we would just stop running as an exit. Fixes bug 21900; bugfix on 0.2.1.10-alpha.
  • Minor bugfixes (documentation):
    • Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".
  • Minor bugfixes (guards):
    • In count_acceptable_nodes(), the minimum number is now one bridge or guard node, and two non-guard nodes for a circuit. Previously, we had added up the sum of all nodes with a descriptor, but that could cause us to build failing circuits when we had either too many bridges or not enough guard nodes. Fixes bug 25885; bugfix on 0.3.6.1-alpha. Patch by Neel Chauhan.
  • Minor bugfixes (IPv6):
    • Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the IPv6 socket was bound using an address family of AF_INET instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
  • Minor bugfixes (linux seccomp sandbox):
    • Fix startup crash when experimental sandbox support is enabled. Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.
  • Minor bugfixes (logging):
    • Correct a misleading error message when IPv4Only or IPv6Only is used but the resolved address can not be interpreted as an address of the specified IP version. Fixes bug 13221; bugfix on 0.2.3.9-alpha. Patch from Kris Katterjohn.
    • Log the correct port number for listening sockets when "auto" is used to let Tor pick the port number. Previously, port 0 was logged instead of the actual port number. Fixes bug 29144; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
    • Stop logging a BUG() warning when Tor is waiting for exit descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.
    • Avoid logging that we are relaxing a circuit timeout when that timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
    • Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.
    • Rework rep_hist_log_link_protocol_counts() to iterate through all link protocol versions when logging incoming/outgoing connection counts. Tor no longer skips version 5, and we won't have to remember to update this function when new link protocol version is developed. Fixes bug 28920; bugfix on 0.2.6.10.
  • Minor bugfixes (memory management):
    • Refactor the shared random state's memory management so that it actually takes ownership of the shared random value pointers. Fixes bug 29706; bugfix on 0.2.9.1-alpha.
    • Stop leaking parts of the shared random state in the shared-random unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (misc):
    • The amount of total available physical memory is now determined using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) when it is defined and a 64-bit variant is not available. Fixes bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.
  • Minor bugfixes (networking):
    • Introduce additional checks into tor_addr_parse() to reject certain incorrect inputs that previously were not detected. Fixes bug 23082; bugfix on 0.2.0.10-alpha.
  • Minor bugfixes (onion service v3, client):
    • Stop logging a "BUG()" warning and stacktrace when we find a SOCKS connection waiting for a descriptor that we actually have in the cache. It turns out that this can actually happen, though it is rare. Now, tor will recover and retry the descriptor. Fixes bug 28669; bugfix on 0.3.2.4-alpha.
  • Minor bugfixes (onion services):
    • Avoid crashing if ClientOnionAuthDir (incorrectly) contains more than one private key for a hidden service. Fixes bug 29040; bugfix on 0.3.5.1-alpha.
    • In hs_cache_store_as_client() log an HSDesc we failed to parse at "debug" level. Tor used to log it as a warning, which caused very long log lines to appear for some users. Fixes bug 29135; bugfix on 0.3.2.1-alpha.
    • Stop logging "Tried to establish rendezvous on non-OR circuit..." as a warning. Instead, log it as a protocol warning, because there is nothing that relay operators can do to fix it. Fixes bug 29029; bugfix on 0.2.5.7-rc.
  • Minor bugfixes (periodic events):
    • Refrain from calling routerlist_remove_old_routers() from check_descriptor_callback(). Instead, create a new hourly periodic event. Fixes bug 27929; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (pluggable transports):
    • Make sure that data is continously read from standard output and standard error pipes of a pluggable transport child-process, to avoid deadlocking when a pipe's buffer is full. Fixes bug 26360; bugfix on 0.2.3.6-alpha.
  • Minor bugfixes (rust):
    • Abort on panic in all build profiles, instead of potentially unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.
  • Minor bugfixes (scheduler):
    • When re-adding channels to the pending list, check the correct channel's sched_heap_idx. This issue has had no effect in mainline Tor, but could have led to bugs down the road in improved versions of our circuit scheduling code. Fixes bug 29508; bugfix on 0.3.2.10.
  • Minor bugfixes (shellcheck):
    • Look for scripts in their correct locations during "make shellcheck". Previously we had looked in the wrong place during out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha.
  • Minor bugfixes (single onion services):
    • Allow connections to single onion services to remain idle without being disconnected. Previously, relays acting as rendezvous points for single onion services were mistakenly closing idle rendezvous circuits after 60 seconds, thinking that they were unused directory-fetching circuits that had served their purpose. Fixes bug 29665; bugfix on 0.2.1.26.
  • Minor bugfixes (stats):
    • When ExtraInfoStatistics is 0, stop including PaddingStatistics in relay and bridge extra-info documents. Fixes bug 29017; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (testing):
    • Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a recent test-network.sh to use new chutney features in CI. Fixes bug 29703; bugfix on 0.2.9.1-alpha.
    • Fix a test failure on Windows caused by an unexpected "BUG" warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix on 0.2.9.3-alpha.
    • Downgrade some LOG_ERR messages in the address/* tests to warnings. The LOG_ERR messages were occurring when we had no configured network. We were failing the unit tests, because we backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8.
    • Fix our gcov wrapper script to look for object files at the correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
    • Decrease the false positive rate of stochastic probability distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha.
    • Fix intermittent failures on an adaptive padding test. Fixes one case of bug 29122; bugfix on 0.4.0.1-alpha.
    • Disable an unstable circuit-padding test that was failing intermittently because of an ill-defined small histogram. Such histograms will be allowed again after 29298 is implemented. Fixes a second case of bug 29122; bugfix on 0.4.0.1-alpha.
    • Detect and suppress "bug" warnings from the util/time test on Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
    • Do not log an error-level message if we fail to find an IPv6 network interface from the unit tests. Fixes bug 29160; bugfix on 0.2.7.3-rc.
    • Instead of relying on hs_free_all() to clean up all onion service objects in test_build_descriptors(), we now deallocate them one by one. This lets Coverity know that we are not leaking memory there and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha.
    • Check the time in the "Expires" header using approx_time(). Fixes bug 30001; bugfix on 0.4.0.4-rc.
  • Minor bugfixes (TLS protocol):
    • When classifying a client's selection of TLS ciphers, if the client ciphers are not yet available, do not cache the result. Previously, we had cached the unavailability of the cipher list and never looked again, which in turn led us to assume that the client only supported the ancient V1 link protocol. This, in turn, was causing Stem integration tests to stall in some cases. Fixes bug 30021; bugfix on 0.2.4.8-alpha.
  • Minor bugfixes (UI):
    • Lower log level of unlink() errors during bootstrap. Fixes bug 29930; bugfix on 0.4.0.1-alpha.
  • Minor bugfixes (usability):
    • Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). Some users took this phrasing to mean that the mentioned guard was under their control or responsibility, which it is not. Fixes bug 28895; bugfix on Tor 0.3.0.1-alpha.
  • Minor bugfixes (Windows, CI):
    • Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows Server 2012 R2 job. The remaining 2 jobs still provide coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so failed jobs terminate the build immediately. Fixes bug 29601; bugfix on 0.3.5.4-alpha.
  • Code simplification and refactoring:
    • Introduce a connection_dir_buf_add() helper function that detects whether compression is in use, and adds a string accordingly. Resolves issue 28816.
    • Refactor handle_get_next_bandwidth() to use connection_dir_buf_add(). Implements ticket 29897.
    • Reimplement NETINFO cell parsing and generation to rely on trunnel-generated wire format handling code. Closes ticket 27325.
    • Remove unnecessary unsafe code from the Rust macro "cstr!". Closes ticket 28077.
    • Rework SOCKS wire format handling to rely on trunnel-generated parsing/generation code. Resolves ticket 27620.
    • Split out bootstrap progress reporting from control.c into a separate file. Part of ticket 27402.
    • The .may_include files that we use to describe our directory-by- directory dependency structure now describe a noncircular dependency graph over the directories that they cover. Our checkIncludes.py tool now enforces this noncircularity. Closes ticket 28362.
  • Documentation:
    • Clarify that Tor performs stream isolation among *Port listeners by default. Resolves issue 29121.
    • In the manpage entry describing MapAddress torrc setting, use example IP addresses from ranges specified for use in documentation by RFC 5737. Resolves issue 28623.
    • Mention that you cannot add a new onion service if Tor is already running with Sandbox enabled. Closes ticket 28560.
    • Improve ControlPort documentation. Mention that it accepts address:port pairs, and can be used multiple times. Closes ticket 28805.
    • Document the exact output of "tor --version". Closes ticket 28889.
  • Removed features:
    • Remove the old check-tor script. Resolves issue 29072.
    • Stop responding to the 'GETINFO status/version/num-concurring' and 'GETINFO status/version/num-versioning' control port commands, as those were deprecated back in 0.2.0.30. Also stop listing them in output of 'GETINFO info/names'. Resolves ticket 28757.
    • The scripts used to generate and maintain the list of fallback directories have been extracted into a new "fallback-scripts" repository. Closes ticket 27914.
  • Testing:
    • Run shellcheck for scripts in the in scripts/ directory. Closes ticket 28058.
    • Add unit tests for tokenize_string() and get_next_token() functions. Resolves ticket 27625.
  • Code simplification and refactoring (onion service v3):
    • Consolidate the authorized client descriptor cookie computation code from client and service into one function. Closes ticket 27549.
  • Code simplification and refactoring (shell scripts):
    • Cleanup scan-build.sh to silence shellcheck warnings. Closes ticket 28007.
    • Fix issues that shellcheck found in chutney-git-bisect.sh. Resolves ticket 28006.
    • Fix issues that shellcheck found in updateRustDependencies.sh. Resolves ticket 28012.
    • Fix shellcheck warnings in cov-diff script. Resolves issue 28009.
    • Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011.
    • Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010.
    • Fix shellcheck warnings in scripts/test/coverage. Resolves issue 28008.

Comments

Please note that the comment area below has been archived.

May 03, 2019

Permalink

Many thanks for your work.

Please, put your effort on getting the padding thing done and introduce more DoS protection against hidden services.

Is there a plan to change the path selection AS aware like the Astor paper did?

Afaik, Tor is still making a lot of cpu intense shit with just one process... Is there a roadmap to upgrade this to use more CPU cores and even threads so this way it can be faster? With rust already making his way on Tor core, this should be easier and faster to implement while maintaining memory security.

On the Tor Browser side: please, introduce already a good sandbox at least for Linux.

May 07, 2019

Permalink

Dear Tor developers,
thanks for this release. I look forward to test it, either on my laptop (deb packages have not been uploaded yet on your repos) and smartphone (hopefully one day, Orbot will be updated).

I have a question I am curios about. For this new release you have switched to a new number (3.5.8 -> 4.0.5). Why? Is there any specific reason? Does the new numbering for this major release has any particular meaning? Or is it just an arbitrary choice?

Cheers

June 20, 2019

Permalink

June 20, still no Ubuntu 18.04 packages.

do you know how to update ?(apart from compiling the source code)

Thanks.

August 16, 2019

Permalink

Why has the RPM directory been removed. deb.torproject.org/torproject.org/rpm/. Are you no longing providing repo for el6 or el7