-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Hello, all!

This is a slightly belated announcement for the release of 0.2.4.22. I'm including the release notes for Tor 0.2.4.20 and Tor 0.2.4.21 as well, since apparently they never made it onto this list.

I've enlisted help from Colin to make sure that future stable release announcements make it to this list in a more timely manner (ideally, as soon as packages are built). TorBrowser releases will typically lag a little, as they follow their own release schedule.

(Alpha releases will still be announced on tor-talk only.)

Changes in version 0.2.4.22 - 2014-05-16 Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 alpha release series. These include blocking all authority signing keys that may have been affected by the OpenSSL "heartbleed" bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM, and several others.

o Major features (security, backport from 0.2.5.4-alpha): - Block authority signing keys that were used on authorities vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464.

o Major bugfixes (security, OOM): - Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step. This bug could enable a memory exhaustion attack by directory servers. Fixes bug 11649; bugfix on 0.2.2.6-alpha.

o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha): - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy. Previously, we had left some perfectly fine ciphersuites unsupported due to omission or typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by 'cypherpunks'. Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. (Thanks to bug 11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over AES128. Resolves ticket 11528. - Clients now try to advertise the same list of ciphersuites as Firefox 28. This change enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and stops advertising the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438.

o Minor bugfixes (configuration, security): - When running a hidden service, do not allow TunneledDirConns 0: trying to set that option together with a hidden service would otherwise prevent the hidden service from running, and also make it publish its descriptors directly over HTTP. Fixes bug 10849; bugfix on 0.2.1.1-alpha.

o Minor bugfixes (controller, backport from 0.2.5.4-alpha): - Avoid sending a garbage value to the controller when a circuit is cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.

o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha): - Stop leaking memory when we successfully resolve a PTR record. Fixes bug 11437; bugfix on 0.2.4.7-alpha.

o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha): - Avoid 60-second delays in the bootstrapping process when Tor is launching for a second time while using bridges. Fixes bug 9229; bugfix on 0.2.0.3-alpha.

o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha): - Give the correct URL in the warning message when trying to run a relay on an ancient version of Windows. Fixes bug 9393.

o Minor bugfixes (compilation): - Fix a compilation error when compiling with --disable-curve25519. Fixes bug 9700; bugfix on 0.2.4.17-rc.

o Minor bugfixes: - Downgrade the warning severity for the the "md was still referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code for trying to diagnose this bug, and the current warning in earlier versions of tor achieves nothing useful. Addresses warning from bug 7164.

o Minor features (log verbosity, backport from 0.2.5.4-alpha): - When we run out of usable circuit IDs on a channel, log only one warning for the whole channel, and describe how many circuits there were on the channel. Fixes part of ticket 11553.

o Minor features (security, backport from 0.2.5.4-alpha): - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but leave the default at 8GBytes), to better support Raspberry Pi users. Fixes bug 9686; bugfix on 0.2.4.14-alpha.

o Documentation (backport from 0.2.5.4-alpha): - Correctly document that we search for a system torrc file before looking in ~/.torrc. Fixes documentation side of 9213; bugfix on 0.2.3.18-rc.

Changes in version 0.2.4.21 - 2014-02-28 Tor 0.2.4.21 further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.

o Major features (client security): - When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory. Implements ticket 9777.

o Major bugfixes: - Do not treat streams that fail with reason END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, since it could also indicate an ENETUNREACH connection error. Fixes part of bug 10777; bugfix on 0.2.4.8-alpha.

o Code simplification and refactoring: - Remove data structures which were introduced to implement the CellStatistics option: they are now redundant with the new timestamp field in the regular packed_cell_t data structure, which we did in 0.2.4.18-rc in order to resolve bug 9093. Resolves ticket 10870.

o Minor features: - Always clear OpenSSL bignums before freeing them -- even bignums that don't contain secrets. Resolves ticket 10793. Patch by Florent Daigniere. - Build without warnings under clang 3.4. (We have some macros that define static functions only some of which will get used later in the module. Starting with clang 3.4, these give a warning unless the unused attribute is set on them.) Resolves ticket 10904. - Update geoip and geoip6 files to the February 7 2014 Maxmind GeoLite2 Country database.

o Minor bugfixes: - Set the listen() backlog limit to the largest actually supported on the system, not to the value in a header file. Fixes bug 9716; bugfix on every released Tor. - Treat ENETUNREACH, EACCES, and EPERM connection failures at an exit node as a NOROUTE error, not an INTERNAL error, since they can apparently happen when trying to connect to the wrong sort of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc. - Fix build warnings about missing "a2x" comment when building the manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py". Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch. - Avoid a segfault on SIGUSR1, where we had freed a connection but did not entirely remove it from the connection lists. Fixes bug 9602; bugfix on 0.2.4.4-alpha. - Fix a segmentation fault in our benchmark code when running with Fedora's OpenSSL package, or any other OpenSSL that provides ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha. - Turn "circuit handshake stats since last time" log messages into a heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc.

o Documentation fixes: - Document that all but one DirPort entry must have the NoAdvertise flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha.

Changes in version 0.2.4.20 - 2013-12-22 Tor 0.2.4.20 fixes potentially poor random number generation for users who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors, and 4) have no state file in their DataDirectory (as would happen on first start). Users who generated relay or hidden service identity keys in such a situation should discard them and generate new ones.

This release also fixes a logic error that caused Tor clients to build many more preemptive circuits than they actually need.

o Major bugfixes: - Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set. The only default builtin PRNG engine uses the Intel RDRAND instruction to replace the entire PRNG, and ignores all attempts to seed it with more entropy. That's cryptographically stupid: the right response to a new alleged entropy source is never to discard all previously used entropy sources. Fixes bug 10402; works around behavior introduced in OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman" and "rl1987". - Fix assertion failure when AutomapHostsOnResolve yields an IPv6 address. Fixes bug 10465; bugfix on 0.2.4.7-alpha. - Avoid launching spurious extra circuits when a stream is pending. This fixes a bug where any circuit that _wasn't_ unusable for new streams would be treated as if it were, causing extra circuits to be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha.

o Minor bugfixes: - Avoid a crash bug when starting with a corrupted microdescriptor cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha. - If we fail to dump a previously cached microdescriptor to disk, avoid freeing duplicate data later on. Fixes bug 10423; bugfix on 0.2.4.13-alpha. Spotted by "bobnomnom".