commit 6d1c310ec69b4a325d1cf3b6c13b60f4a1f65804
parent df257565da02c37104fa5394008ab13e1d2cb729
Author: David Goulet <dgoulet@torproject.org>
Date: Wed, 28 Jan 2026 13:29:41 -0500

release: ChangeLog and ReleaseNotes for 0.4.9.4-rc

Signed-off-by: David Goulet <dgoulet@torproject.org>

Diffstat:
34 files changed, 296 insertions(+), 140 deletions(-)
diff --git a/ChangeLog b/ChangeLog 
@@ -1,3 +1,151 @@ +Changes in version 0.4.9.4-rc - 2026-01-28 + Finally, the release candidate for the 0.4.9.x series. It consists of minor + features and several bugfixes. Nothing major has been added since the alpha. + If everything goes well, the next version will be the first stable. + + o Major bugfixes (security): + - Avoid an out-of-bounds read error that could occur with + V1-formatted cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This + is tracked as TROVE-2025-016. + + o Major bugfixes (client, TLS): + - Fix some clients not being able to connect to LibreSSL relays. + Fixes bug 41134; bugfix on 0.4.8.17 + + o Major bugfixes (conflux, exit): + - When dequeuing out-of-order conflux cells, the circuit could be + close in between two dequeue which could lead to a mishandling of + a NULL pointer. Fixes bug 41162; bugfix on 0.4.8.4. + + o Major bugfixes (directory servers): + - Allow old clients to fetch the consensus even if they use version + 0 of the SENDME protocol. In mid 2025 we changed the required + minimum version of the "FlowCtrl" protocol to 1, meaning directory + caches hang up on clients that send a version 0 SENDME cell. Since + old clients were no longer able to retrieve the consensus, they + couldn't learn about this required minimum version -- meaning + we've had many many old clients loading down directory servers for + the past months. Fixes bug 41191; bugfix on 0.4.1.1-alpha. + - Don't count networkstatus serves until they finish. When we + started serving a consensus document but the client didn't receive + all of it, we were still counting that as a success in our stats. + This mistake, which can be triggered for example by obsolete + clients or by DPI-based censorship, led to wildly inflated user + counts because we estimate total users in the world based on + successful consensus fetches. Fixes bug 41192; bugfix + on 0.2.1.1-alpha. 
+ + o Minor features (security, reliability): + - When KeepaliveIsolateSOCKSAuth is keeping a circuit alive, expire + the circuit based on when it was last in use for any stream, not + (as we did before) based on when a stream was last attached to it. + Closes ticket 41157. Implements a minimal version of Proposal 368. + + o Minor feature (compiler flag): + - Add -fcf-protection=full if supported by the compiler. + Fixes 41139. + - Add -mbranch-protection=standard for arm64. + + o Minor feature (Exit): + - Add Monero ports to the ReducedExitPolicy. Closes ticket 41168. + + o Minor feature (testing, CI): + - Bump the CI version of chutney to the current version as of + 2026-01-21 (3338f5c). + + o Minor features (debugging, compression): + - Do not check for compression bombs for buffers smaller than 5MB + (increased from 64 KB). Fixes ticket 40739; bugfix on 0.2.1.29. + - Log the input and output buffer sizes when we detect a potential + compression bomb. Diagnostic for ticket 40739. + + o Minor features (directory servers): + - Track how many times directory servers begin serving networkstatus + documents, so we can compare it to the number of times we finish + serving them. Motivated by the fixes in ticket 41192. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on January 28, 2026. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2026/01/28. + + o Minor features (HTTPTunnelPort): + - Implement new HTTPTunnelPort features for interoperability with + Arti's HTTP CONNECT proxy. This work adds new headers to requests + to and replies from the HttpConnectPort, support for OPTIONS + requests, tightens the expected syntax for Proxy-Authorization, + and increases defense-in-depth against some kinds of cross-site + HTTP attacks. Closes ticket 41156. Implements proposal 365. 
+ + o Minor features (linux seccomp2 sandbox): + - Allow the fstatat64 and statx syscalls on i386 architecture when + glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat + for stat operations, and statx for time64 support. Without this, + SIGHUP configuration reload fails when using sandbox mode with + %include directives on i386 with Debian Bookworm or newer. + - Allow the lstat64 syscall on i386 architecture. This syscall is + used by glob() in glibc 2.36+ when processing %include directives + with directory patterns. + + o Minor bugfix (process): + - Avoid closing all possible FDs when spawning a process (PT). On + some systems, this could lead to 3+ minutes hang. Fixes bug 40990; + bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (bridges, pluggable transport): + - Fix a bug causing the initial tor process to hang intead of + exiting with RunAsDaemon, when pluggable transports are used. + Fixes bug 41088; bugfix on 0.4.8.1-alpha. + + o Minor bugfixes (conflux fragile asserts): + - Fix the root cause of some conflux fragile asserts when a control + port listener is attached. Fixes bug 41037; bugfix on 0.4.8.16. + + o Minor bugfixes (conflux, relay): + - Fix a series of conflux edge cases about sequence number + arithmetic and OOM handler kicking in under heavy memory pressure. + Fixes bug 41155; bugfix on 0.4.8.4. + + o Minor bugfixes (DNS, exit): + - Clip every returned DNS TTL to 60 (RESOLVED) in order to mitigate + an exit DNS cache oracle. Fixes bug 40979; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (relay): + - Downgrade log warn to info as the error condition is possible under + normal circumstances. Fixes bug 40951; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (spec conformance): + - Do not treat "15" as a recognized remote END reason code. + Formerly, we treated it as synonymous with a local ENTRYPOLICY, + which isn't a valid remote code at all. Fixes bug 41171; bugfix + on 0.2.0.8-alpha. 
+ + o Minor bugfixes (stream flow control performance): + - Use a 5 ms grace period to allow an edge connection to flush its + stream data to the socket before sending an XOFF. This + significantly reduces the number of XON/XOFF messages sent when + (1) the application is reading stream data at a fast rate, and (2) + when conflux is enabled. Fixes part of bug 41130; bugfix + on 0.4.7.2-alpha + + o Minor bugfixes (tooling): + - Fix a false positive valgrind related to inspecting a bitfield + next to another uninitialized bitfield. Fixes bug 41182; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (warnings): + - Fix minor warnings from newer versions of shellcheck and clang. + Fixes bug 41166; bugfix on 0.4.3.1-alpha and several + other versions. + + o Code simplification and refactoring: + - Simplify SOCKS4a parsing to avoid the (false) appearance of + integer underflows, and to make the logic more obvious. Fixes bug + 41190; bugfix on 0.3.5.1-alpha. + + Changes in version 0.4.8.21 - 2025-11-17 This release is a continuation of the previous one and addresses additional Conflux-related issues identified through further testing and feedback from diff --git a/ReleaseNotes b/ReleaseNotes 
@@ -2,6 +2,154 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.4.9.4-rc - 2026-01-28 + Finally, the release candidate for the 0.4.9.x series. It consists of minor + features and bugfixes. Nothing major has been added since the alpha. If + everything goes well, next version will be the first stable. + + o Major bugfixes (security): + - Avoid an out-of-bounds read error that could occur with + V1-formatted cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This + is tracked as TROVE-2025-016. + + o Major bugfixes (client, TLS): + - Fix some clients not being able to connect to LibreSSL relays. + Fixes bug 41134; bugfix on 0.4.8.17 + + o Major bugfixes (conflux, exit): + - When dequeuing out-of-order conflux cells, the circuit could be + close in between two dequeue which could lead to a mishandling of + a NULL pointer. Fixes bug 41162; bugfix on 0.4.8.4. + + o Major bugfixes (directory servers): + - Allow old clients to fetch the consensus even if they use version + 0 of the SENDME protocol. In mid 2025 we changed the required + minimum version of the "FlowCtrl" protocol to 1, meaning directory + caches hang up on clients that send a version 0 SENDME cell. Since + old clients were no longer able to retrieve the consensus, they + couldn't learn about this required minimum version -- meaning + we've had many many old clients loading down directory servers for + the past months. Fixes bug 41191; bugfix on 0.4.1.1-alpha. + - Don't count networkstatus serves until they finish. When we + started serving a consensus document but the client didn't receive + all of it, we were still counting that as a success in our stats. 
+ This mistake, which can be triggered for example by obsolete + clients or by DPI-based censorship, led to wildly inflated user + counts because we estimate total users in the world based on + successful consensus fetches. Fixes bug 41192; bugfix + on 0.2.1.1-alpha. + + o Minor features (security, reliability): + - When KeepaliveIsolateSOCKSAuth is keeping a circuit alive, expire + the circuit based on when it was last in use for any stream, not + (as we did before) based on when a stream was last attached to it. + Closes ticket 41157. Implements a minimal version of Proposal 368. + + o Minor feature (compiler flag): + - Add -fcf-protection=full if supported by the compiler. + Fixes 41139. + - Add -mbranch-protection=standard for arm64. + + o Minor feature (Exit): + - Add Monero ports to the ReducedExitPolicy. Closes ticket 41168. + + o Minor feature (testing, CI): + - Bump the CI version of chutney to the current version as of + 2026-01-21 (3338f5c). + + o Minor features (debugging, compression): + - Do not check for compression bombs for buffers smaller than 5MB + (increased from 64 KB). Fixes ticket 40739; bugfix on 0.2.1.29. + - Log the input and output buffer sizes when we detect a potential + compression bomb. Diagnostic for ticket 40739. + + o Minor features (directory servers): + - Track how many times directory servers begin serving networkstatus + documents, so we can compare it to the number of times we finish + serving them. Motivated by the fixes in ticket 41192. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on January 28, 2026. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2026/01/28. + + o Minor features (HTTPTunnelPort): + - Implement new HTTPTunnelPort features for interoperability with + Arti's HTTP CONNECT proxy. 
This work adds new headers to requests + to and replies from the HttpConnectPort, support for OPTIONS + requests, tightens the expected syntax for Proxy-Authorization, + and increases defense-in-depth against some kinds of cross-site + HTTP attacks. Closes ticket 41156. Implements proposal 365. + + o Minor features (linux seccomp2 sandbox): + - Allow the fstatat64 and statx syscalls on i386 architecture when + glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat + for stat operations, and statx for time64 support. Without this, + SIGHUP configuration reload fails when using sandbox mode with + %include directives on i386 with Debian Bookworm or newer. + - Allow the lstat64 syscall on i386 architecture. This syscall is + used by glob() in glibc 2.36+ when processing %include directives + with directory patterns. + + o Minor bugfix (process): + - Avoid closing all possible FDs when spawning a process (PT). On + some systems, this could lead to 3+ minutes hang. Fixes bug 40990; + bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (bridges, pluggable transport): + - Fix a bug causing the initial tor process to hang intead of + exiting with RunAsDaemon, when pluggable transports are used. + Fixes bug 41088; bugfix on 0.4.8.1-alpha. + + o Minor bugfixes (conflux fragile asserts): + - Fix the root cause of some conflux fragile asserts when a control + port listener is attached. Fixes bug 41037; bugfix on 0.4.8.16. + + o Minor bugfixes (conflux, relay): + - Fix a series of conflux edge cases about sequence number + arithmetic and OOM handler kicking in under heavy memory pressure. + Fixes bug 41155; bugfix on 0.4.8.4. + + o Minor bugfixes (DNS, exit): + - Clip every returned DNS TTL to 60 (RESOLVED) in order to mitigate + an exit DNS cache oracle. Fixes bug 40979; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (relay): + - Downgrade log warn to info as the error condition is possible under + normal circumstances. Fixes bug 40951; bugfix on 0.3.5.1-alpha. 
+ + o Minor bugfixes (spec conformance): + - Do not treat "15" as a recognized remote END reason code. + Formerly, we treated it as synonymous with a local ENTRYPOLICY, + which isn't a valid remote code at all. Fixes bug 41171; bugfix + on 0.2.0.8-alpha. + + o Minor bugfixes (stream flow control performance): + - Use a 5 ms grace period to allow an edge connection to flush its + stream data to the socket before sending an XOFF. This + significantly reduces the number of XON/XOFF messages sent when + (1) the application is reading stream data at a fast rate, and (2) + when conflux is enabled. Fixes part of bug 41130; bugfix + on 0.4.7.2-alpha + + o Minor bugfixes (tooling): + - Fix a false positive valgrind related to inspecting a bitfield + next to another uninitialized bitfield. Fixes bug 41182; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (warnings): + - Fix minor warnings from newer versions of shellcheck and clang. + Fixes bug 41166; bugfix on 0.4.3.1-alpha and several + other versions. + + o Code simplification and refactoring: + - Simplify SOCKS4a parsing to avoid the (false) appearance of + integer underflows, and to make the logic more obvious. Fixes bug + 41190; bugfix on 0.3.5.1-alpha. + + Changes in version 0.4.8.21 - 2025-11-17 This release is a continuation of the previous one and addresses additional Conflux-related issues identified through further testing and feedback from diff --git a/changes/bug41037 b/changes/bug41037 @@ -1,4 +0,0 @@ - o Minor bugfixes (conflux fragile asserts): - - Fix the root cause of some conflux fragile asserts - when a control port listener is attached. Fixes bug 41037; - bugfix on 0.4.8.16. diff --git a/changes/bug41088 b/changes/bug41088 @@ -1,4 +0,0 @@ - o Minor bugfixes (bridges, pluggable transport): - - Fix a bug causing the initial tor process to hang intead of exiting with - RunAsDaemon, when pluggable transports are used. - Fixes bug 41088; bugfix on 0.4.8.1-alpha. 
diff --git a/changes/bug41130 b/changes/bug41130 @@ -1,6 +0,0 @@ - o Minor bugfixes (stream flow control performance): - - Use a 5 ms grace period to allow an edge connection to flush its stream - data to the socket before sending an XOFF. This significantly reduces the - number of XON/XOFF messages sent when (1) the application is reading - stream data at a fast rate, and (2) when conflux is enabled. - Fixes part of bug 41130; bugfix on 0.4.7.2-alpha diff --git a/changes/bug41134 b/changes/bug41134 @@ -1,3 +0,0 @@ - o Major bugfixes (client, TLS): - - Fix some clients not being able to connect to LibreSSL relays. - Fixes bug 41134; bugfix on 0.4.8.17 diff --git a/changes/bug41171 b/changes/bug41171 @@ -1,5 +0,0 @@ - o Minor bugfixes (spec conformance): - - Do not treat "15" as a recognized remote END reason code. - Formerly, we treated it as synonymous with a local ENTRYPOLICY, - which isn't a valid remote code at all. - Fixes bug 41171; bugfix on 0.2.0.8-alpha. diff --git a/changes/bug41180 b/changes/bug41180 @@ -1,4 +0,0 @@ - o Major bugfixes (security): - - Avoid an out-of-bounds read error that could occur with V1-formatted - cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This is tracked as - TROVE-2025-016. diff --git a/changes/bug41182 b/changes/bug41182 @@ -1,4 +0,0 @@ - o Minor bugfixes (tooling): - - Fix a false positive valgrind related to inspecting - a bitfield next to another uninitialized bitfield. - Fixes bug 41182; bugfix on 0.3.3.2-alpha. diff --git a/changes/bug41191 b/changes/bug41191 
@@ -1,10 +0,0 @@ - o Major bugfixes (directory servers): - - Allow old clients to fetch the consensus even if they use version 0 - of the SENDME protocol. In mid 2025 we changed the required - minimum version of the "FlowCtrl" protocol to 1, meaning directory - caches hang up on clients that send a version 0 SENDME cell. Since - old clients were no longer able to retrieve the consensus, they - couldn't learn about this required minimum version -- meaning - we've had many many old clients loading down directory servers - for the past months. Fixes bug 41191; bugfix on 0.4.1.1-alpha. - diff --git a/changes/bug41192 b/changes/bug41192 @@ -1,9 +0,0 @@ - o Major bugfixes (directory servers): - - Don't count networkstatus serves until they finish. When we started - serving a consensus document but the client didn't receive all of - it, we were still counting that as a success in our stats. This - mistake, which can be triggered for example by obsolete clients - or by DPI-based censorship, led to wildly inflated user counts - because we estimate total users in the world based on successful - consensus fetches. Fixes bug 41192; bugfix on 0.2.1.1-alpha. - diff --git a/changes/bug41192b b/changes/bug41192b @@ -1,4 +0,0 @@ - o Minor features (directory servers): - - Track how many times directory servers begin serving networkstatus - documents, so we can compare it to the number of times we finish - serving them. Motivated by the fixes in ticket 41192. diff --git a/changes/bug_sandbox_lstat64 b/changes/bug_sandbox_lstat64 
@@ -1,9 +0,0 @@ - o Minor features (linux seccomp2 sandbox): - - Allow the fstatat64 and statx syscalls on i386 architecture when - glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat - for stat operations, and statx for time64 support. Without this, - SIGHUP configuration reload fails when using sandbox mode with - %include directives on i386 with Debian Bookworm or newer. - - Allow the lstat64 syscall on i386 architecture. This syscall is used - by glob() in glibc 2.36+ when processing %include directives with - directory patterns. diff --git a/changes/ci-bump-chutney-2026-01-21 b/changes/ci-bump-chutney-2026-01-21 @@ -1,3 +0,0 @@ - o Minor feature (testing, CI): - - Bump the CI version of chutney to the current version as of 2026-01-21 - (3338f5c). diff --git a/changes/fallbackdirs-2025-10-06 b/changes/fallbackdirs-2025-10-06 @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on October 06, 2025. diff --git a/changes/fallbackdirs-2025-11-10 b/changes/fallbackdirs-2025-11-10 @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on November 10, 2025. diff --git a/changes/fallbackdirs-2025-11-17 b/changes/fallbackdirs-2025-11-17 @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on November 17, 2025. diff --git a/changes/fallbackdirs-2026-01-28 b/changes/fallbackdirs-2026-01-28 @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on January 28, 2026. diff --git a/changes/fc43-warnings b/changes/fc43-warnings @@ -1,3 +0,0 @@ - o Minor bugfixes (warnings): - - Fix minor warnings from newer versions of shellcheck and clang. - Fixes bug 41166; bugfix on 0.4.3.1-alpha and several other versions. diff --git a/changes/gcc-fcf b/changes/gcc-fcf 
@@ -1,4 +0,0 @@ - o Minor feature (compiler flag): - - Add -fcf-protection=full if supported by the compiler. Fixes 41139. - - Add -mbranch-protection=standard for arm64. - diff --git a/changes/geoip-2025-10-06 b/changes/geoip-2025-10-06 @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2025/10/06. diff --git a/changes/geoip-2025-11-10 b/changes/geoip-2025-11-10 @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2025/11/10. diff --git a/changes/geoip-2025-11-17 b/changes/geoip-2025-11-17 @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2025/11/17. diff --git a/changes/geoip-2026-01-28 b/changes/geoip-2026-01-28 @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2026/01/28. diff --git a/changes/prop365_interop b/changes/prop365_interop @@ -1,8 +0,0 @@ - o Minor features (HTTPTunnelPort): - - Implement new HTTPTunnelPort features for interoperability with - Arti's HTTP CONNECT proxy. This work adds new headers to - requests to and replies from the HttpConnectPort, - support for OPTIONS requests, tightens the expected syntax - for Proxy-Authorization, and increases defense-in-depth - against some kinds of cross-site HTTP attacks. - Closes ticket 41156. Implements proposal 365. diff --git a/changes/ticket40739 b/changes/ticket40739 @@ -1,5 +0,0 @@ - o Minor features (debugging, compression): - - Log the input and output buffer sizes when we detect a potential - compression bomb. Diagnostic for ticket 40739. - - Do not check for compression bombs for buffers smaller than 5 MB - (increased from 64 KB). Fixes ticket 40739; bugfix on 0.2.1.29. diff --git a/changes/ticket40951 b/changes/ticket40951 
@@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - Downgrade log warn to info as the error condition is possible under normal - circumstances. Fixes bug 40951; bugfix on 0.3.5.1-alpha. - diff --git a/changes/ticket40979 b/changes/ticket40979 @@ -1,4 +0,0 @@ - o Minor bugfixes (DNS, exit): - - Clip every returned DNS TTL to 60 (RESOLVED) in order to mitigate an exit - DNS cache oracle. Fixes bug 40979; bugfix on 0.3.5.1-alpha. - diff --git a/changes/ticket40990 b/changes/ticket40990 @@ -1,4 +0,0 @@ - o Minor bugfix (process): - - Avoid closing all possible FDs when spawning a process (PT). On some systems, this could - lead to 3+ minutes hang. Fixes bug 40990; bugfix on 0.3.5.1-alpha. - diff --git a/changes/ticket41155 b/changes/ticket41155 @@ -1,5 +0,0 @@ - o Minor bugfixes (conflux, relay): - - Fix a series of conflux edge cases about sequence number arithmetic and - OOM handler kicking in under heavy memory pressure. Fixes bug 41155; - bugfix on 0.4.8.4. - diff --git a/changes/ticket41157 b/changes/ticket41157 @@ -1,6 +0,0 @@ - o Minor features (security, reliability): - - When KeepaliveIsolateSOCKSAuth is keeping a circuit alive, - expire the circuit based on when it was last in use for any stream, - not (as we did before) based on when a stream was last attached to it. - Closes ticket 41157. Implements a minimal version of - Proposal 368. diff --git a/changes/ticket41162 b/changes/ticket41162 @@ -1,5 +0,0 @@ - o Major bugfixes (conflux, exit): - - When dequeuing out-of-order conflux cells, the circuit could be close in - between two dequeue which could lead to a mishandling of a NULL pointer. - Fixes bug 41162; bugfix on 0.4.8.4. - diff --git a/changes/ticket41168 b/changes/ticket41168 @@ -1,3 +0,0 @@ - o Minor feature (Exit): - - Add Monero ports to the ReducedExitPolicy. Closes ticket 41168. - diff --git a/changes/ticket_41190 b/changes/ticket_41190 
@@ -1,4 +0,0 @@ - o Code simplification and refactoring: - - Simplify SOCKS4a parsing to avoid the (false) appearance of - integer underflows, and to make the logic more obvious. - Fixes bug 41190; bugfix on 0.3.5.1-alpha.
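
Review bot: In the ChangeLog hunk, the "Minor bugfixes (DNS, exit)" entry gives the new TTL clip as a bare "60" with no unit, which leaves an exit operator unable to tell from the entry how long a resolved answer stays cacheable; state the unit next to the value. In the same hunk, "Minor feature (compiler flag)" cites "Fixes 41139." without saying bug or ticket, and the -mbranch-protection=standard item carries no reference at all, so neither hardening flag can be traced from the entry to its discussion. The compression entry reads "5MB" here while the removed changes/ticket40739 had "5 MB" and the same sentence writes "64 KB"; keep one spacing.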
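
Review bot: In the ReleaseNotes hunk, the unchanged context line says the file summarizes "each stable release of Tor", but the block added directly under it is headed "Changes in version 0.4.9.4-rc"; confirm that a release candidate entry belongs in this file, or adjust the header sentence. The intro paragraph also drifts from the ChangeLog copy in this same commit ("features and bugfixes" and "next version will be" here, against "features and several bugfixes" and "the next version will be" there); since the rest of the block is identical, use one wording in both files.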
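
Review bot: Several defects in the removed changes/ files were copied unchanged into both ChangeLog and ReleaseNotes and should be fixed in the merged text: changes/bug41088 has "hang intead of exiting", changes/ticket41162 has "the circuit could be close in between two dequeue" (closed, dequeues), and the entries from changes/bug41134 and changes/bug41130 end "bugfix on 0.4.8.17" and "bugfix on 0.4.7.2-alpha" with no terminating period, unlike every other entry. The section headings also mix "Minor feature (...)" and "Minor features (...)", and "Minor bugfix (process)" against "Minor bugfixes (...)"; pick one form so the headings stay easy to search.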