Tor 0.2.2.25-alpha is out

Tor 0.2.2.25-alpha fixes many bugs: hidden service clients are more
robust, routers no longer overreport their bandwidth, Win7 should crash
a little less, and NEWNYM (as used by Vidalia's "new identity" button)
now prevents hidden service-related activity from being linkable. It
provides more information to Vidalia so you can see if your bridge is
working. Also, 0.2.2.25-alpha revamps the Entry/Exit/ExcludeNodes and
StrictNodes configuration options to make them more reliable, more
understandable, and more regularly applied. If you use those options,
please see the revised documentation for them in the manual page.

https://www.torproject.org/download/download

Major bugfixes:

• Relays were publishing grossly inflated bandwidth values because
  they were writing their state files wrong--now they write the
  correct value. Also, resume reading bandwidth history from the
  state file correctly. Fixes bug 2704; bugfix on 0.2.2.23-alpha.
• Improve hidden service robustness: When we find that we have
  extended a hidden service's introduction circuit to a relay not
  listed as an introduction point in the HS descriptor we currently
  have, retry with an introduction point from the current
  descriptor. Previously we would just give up. Fixes bugs 1024 and
  1930; bugfix on 0.2.0.10-alpha.
• Clients now stop trying to use an exit node associated with a given
  destination by TrackHostExits if they fail to reach that exit node.
  Fixes bug 2999. Bugfix on 0.2.0.20-rc.
• Fix crash bug on platforms where gmtime and localtime can return
  NULL. Windows 7 users were running into this one. Fixes part of bug
  2077. Bugfix on all versions of Tor. Found by boboper.

Security and stability fixes:

• Don't double-free a parsable, but invalid, microdescriptor, even if
  it is followed in the blob we're parsing by an unparsable
  microdescriptor. Fixes an issue reported in a comment on bug 2954.
  Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
• If the Nickname configuration option isn't given, Tor would pick a
  nickname based on the local hostname as the nickname for a relay.
  Because nicknames are not very important in today's Tor and the
  "Unnamed" nickname has been implemented, this is now problematic
  behavior: It leaks information about the hostname without being
  useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
  introduced the Unnamed nickname. Reported by tagnaq.
• Fix an uncommon assertion failure when running with DNSPort under
  heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
• Avoid linkability based on cached hidden service descriptors: forget
  all hidden service descriptors cached as a client when processing a
  SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.

Major features:

• Export GeoIP information on bridge usage to controllers even if we
  have not yet been running for 24 hours. Now Vidalia bridge operators
  can get more accurate and immediate feedback about their
  contributions to the network.

Major features and bugfixes (node selection):

• Revise and reconcile the meaning of the ExitNodes, EntryNodes,
  ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes
  options. Previously, we had been ambiguous in describing what
  counted as an "exit" node, and what operations exactly "StrictNodes
  0" would permit. This created confusion when people saw nodes built
  through unexpected circuits, and made it hard to tell real bugs from
  surprises. Now the intended behavior is:
  • "Exit", in the context of ExitNodes and ExcludeExitNodes, means
    a node that delivers user traffic outside the Tor network.
  • "Entry", in the context of EntryNodes, means a node used as the
    first hop of a multihop circuit. It doesn't include direct
    connections to directory servers.
  • "ExcludeNodes" applies to all nodes.
  • "StrictNodes" changes the behavior of ExcludeNodes only. When
    StrictNodes is set, Tor should avoid all nodes listed in
    ExcludeNodes, even when it will make user requests fail. When
    StrictNodes is *not* set, then Tor should follow ExcludeNodes
    whenever it can, except when it must use an excluded node to
    perform self-tests, connect to a hidden service, provide a
    hidden service, fulfill a .exit request, upload directory
    information, or fetch directory information.

  Collectively, the changes to implement the behavior fix bug 1090.

• ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
  a node is listed in both, it's treated as excluded.
• ExcludeNodes now applies to directory nodes -- as a preference if
  StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
  Don't exclude all the directory authorities and set StrictNodes to 1
  unless you really want your Tor to break.
• ExcludeNodes and ExcludeExitNodes now override exit enclaving.
• ExcludeExitNodes now overrides .exit requests.
• We don't use bridges listed in ExcludeNodes.
• When StrictNodes is 1:
  • We now apply ExcludeNodes to hidden service introduction points
    and to rendezvous points selected by hidden service users. This
    can make your hidden service less reliable: use it with caution!
  • If we have used ExcludeNodes on ourself, do not try relay
    reachability self-tests.
  • If we have excluded all the directory authorities, we will not
    even try to upload our descriptor if we're a relay.
  • Do not honor .exit requests to an excluded node.
• Remove a misfeature that caused us to ignore the Fast/Stable flags
  when ExitNodes is set. Bugfix on 0.2.2.7-alpha.
• When the set of permitted nodes changes, we now remove any mappings
  introduced via TrackExitHosts to now-excluded nodes. Bugfix on
  0.1.0.1-rc.
• We never cannibalize a circuit that had excluded nodes on it, even
  if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
• Revert a change where we would be laxer about attaching streams to
  circuits than when building the circuits. This was meant to prevent
  a set of bugs where streams were never attachable, but our improved
  code here should make this unnecessary. Bugfix on 0.2.2.7-alpha.
• Keep track of how many times we launch a new circuit to handle a
  given stream. Too many launches could indicate an inconsistency
  between our "launch a circuit to handle this stream" logic and our
  "attach this stream to one of the available circuits" logic.
• Improve log messages related to excluded nodes.

Minor bugfixes:

• Fix a spurious warning when moving from a short month to a long
  month on relays with month-based BandwidthAccounting. Bugfix on
  0.2.2.17-alpha; fixes bug 3020.
• When a client finds that an origin circuit has run out of 16-bit
  stream IDs, we now mark it as unusable for new streams. Previously,
  we would try to close the entire circuit. Bugfix on 0.0.6.
• Add a forgotten cast that caused a compile warning on OS X 10.6.
  Bugfix on 0.2.2.24-alpha.
• Be more careful about reporting the correct error from a failed
  connect() system call. Under some circumstances, it was possible to
  look at an incorrect value for errno when sending the end reason.
  Bugfix on 0.1.0.1-rc.
• Correctly handle an "impossible" overflow cases in connection byte
  counting, where we write or read more than 4GB on an edge connection
  in a single second. Bugfix on 0.1.2.8-beta.
• Correct the warning displayed when a rendezvous descriptor exceeds
  the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
  John Brooks.
• Clients and hidden services now use HSDir-flagged relays for hidden
  service descriptor downloads and uploads even if the relays have no
  DirPort set and the client has disabled TunnelDirConns. This will
  eventually allow us to give the HSDir flag to relays with no
  DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
• Downgrade "no current certificates known for authority" message from
  Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
• Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug
  2917. Bugfix on 0.1.1.1-alpha.
• Only limit the lengths of single HS descriptors, even when multiple
  HS descriptors are published to an HSDir relay in a single POST
  operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
• Write the current time into the LastWritten line in our state file,
  rather than the time from the previous write attempt. Also, stop
  trying to use a time of -1 in our log statements. Fixes bug 3039;
  bugfix on 0.2.2.14-alpha.
• Be more consistent in our treatment of file system paths. "~" should
  get expanded to the user's home directory in the Log config option.
  Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
  feature for the -f and --DataDirectory options.

Minor features:

• Make sure every relay writes a state file at least every 12 hours.
  Previously, a relay could go for weeks without writing its state
  file, and on a crash could lose its bandwidth history, capacity
  estimates, client country statistics, and so on. Addresses bug 3012.
• Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
  Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
  clients are already deprecated because of security bugs.
• Don't allow v0 hidden service authorities to act as clients.
  Required by fix for bug 3000.
• Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
  by fix for bug 3000.
• Ensure that no empty [dirreq-](read|write)-history lines are added
  to an extrainfo document. Implements ticket 2497.

Code simplification and refactoring:

• Remove workaround code to handle directory responses from servers
  that had bug 539 (they would send HTTP status 503 responses _and_
  send a body too). Since only server versions before
  0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
  keep the workaround in place.
• Remove the old 'fuzzy time' logic. It was supposed to be used for
  handling calculations where we have a known amount of clock skew and
  an allowed amount of unknown skew. But we only used it in three
  places, and we never adjusted the known/unknown skew values. This is
  still something we might want to do someday, but if we do, we'll
  want to do it differently.
• Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
  None of the cases where we did this before were wrong, but by making
  this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
• Use GetTempDir to find the proper temporary directory location on
  Windows when generating temporary files for the unit tests. Patch by
  Gisle Vanem.