This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via c4ae15e75de968e684161d9162a1575fc7f69a1f (commit) via 32f417b74395e228527749030be819c48dac56fa (commit) via 665ea28e9a27483ed0111021fc6fe58a0c0b88f1 (commit) from a55f760086046bcabb946c867addcd82c2b5b9ea (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit c4ae15e75de968e684161d9162a1575fc7f69a1f Author: Adolf Belka Date: Wed Apr 8 17:18:53 2026 +0200 tor: Update to version 0.4.9.6 - Update from version 0.4.8.21 to 0.4.9.6 - Version 0.4.8.22 was likely the last update on the 0.4.8 branch. Everything is now focussed on the 0.4.9 branch. - There are some security fixes in some of the update steps. - No change in rootfile - Changelog 0.4.9.6 This is a security release fixing major bugfixes that could possibly lead to remote crashing relays. We strongly recommend upgrading as soon as possible. o Major bugfix (security): - Fix a stack overflow of 11 bytes on malicious CREATED2. This lead to a remote crash. TROVE-2026-003. Reported-by: Anas Cherni of Calif.io. Fixes bug 41231; bugfix on 0.4.9.1-alpha. o Major bugfix (security, conflux): - Fix a memory compare using the wrong length. This could lead to a remote crash when using the conflux subsystem. TROVE-2026-004. Fixes bug 41232; bugfix on 0.4.8.1-alpha. o Minor bugfixes (security): - Fix a series of defense in depth security issues found across the codebase. Fixes bug 41228; bugfix on 0.3.5.1-alpha. o Minor bugfixes (portability): - (Hopefully) fix our polyval implementation on big-endian platforms. Fixes bug 41215; bugfix on 0.4.9.3-alpha. o Minor features (fallbackdir): - Regenerate fallback directories generated on March 25, 2026. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2026/03/25. 0.4.9.5 This first stable release in the 0.4.9 series introduces a new circuit-level encryption design for better client security, as well as a more scalable way for large relay operators to annotate which relays they run so clients can avoid using too many of them in a single circuit. o Major features (cryptography): - Clients and relays can now negotiate Counter Galois Onion (CGO) relay cryptography, as designed by Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam. CGO provides improved resistance to several kinds of tagging attacks, better forward secrecy, and better forgery resistance. Closes ticket 41047. Implements proposal 359. o Major features (path selection): - Clients and relays now support "happy families", a system to simplify relay family operation and improve directory performance. With "happy families", relays in a family share a secret "family key", which they use to prove their membership in the family. Implements proposal 321; closes ticket 41009. Note that until enough clients are upgraded, relay operators will still need to configure MyFamily lists. But once clients no longer depend on those lists, we will be able to remove them entirely, thereby simplifying family operation, and making microdescriptor downloads approximately 80% smaller. For more information, see https://community.torproject.org/relay/setup/post-install/family-ids/ o Major bugfixes (conflux): - Ensure conflux guards obey family and subnet restrictions. Fixes bug 40976; bugfix on 0.4.8.1-alpha. o Major bugfixes (controller events): - Fix spikes occurring in bandwidth cache events on control connection. Fixes bug 31524; bugfix on 0.0.9pre5. o Major bugfixes (sandbox): - Fix sandbox to work on architectures that use Linux's generic syscall interface, extending support for AArch64 (ARM64) and adding support for RISC-V, allowing test_include.sh and the sandbox unit tests to pass on these systems even when building with fragile hardening enabled. Fixes bugs 40465 and 40599; bugfix on 0.2.5.1-alpha. o Minor features (client security, reliability): - When KeepaliveIsolateSOCKSAuth is keeping a circuit alive, expire the circuit based on when it was last in use for any stream, not (as we did before) based on when a stream was last attached to it. Closes ticket 41157. Implements a minimal version of Proposal 368. o Minor features (exit relays): - Implement reevaluating new exit policy against existing connections. This is controlled by new config option ReevaluateExitPolicy, defaulting to 0. Closes ticket 40676. - Implement a token-bucket based rate limiter for stream creation and resolve request. It is configured by the DoSStream* family of configuration options. Closes ticket 40736. - Add Monero ports to the ReducedExitPolicy. Closes ticket 41168. o Minor features (bridges): - Save complete bridge lines to 'datadir/bridgelines'. Closes ticket 29128. o Minor features (client extensibility): - Implement new HTTPTunnelPort features for interoperability with Arti's HTTP CONNECT proxy. This work adds new headers to requests to and replies from the HttpConnectPort, support for OPTIONS requests, tightens the expected syntax for Proxy-Authorization, and increases defense-in-depth against some kinds of cross-site HTTP attacks. Closes ticket 41156. Implements proposal 365. - Detect invalid SOCKS5 username/password combinations according to new extended parameters syntax. (Currently, this rejects any SOCKS5 username beginning with "", except for the username "0". Such usernames are now reserved to communicate additional parameters with other Tor implementations.) Implements proposal 351. o Minor features (sandboxing): - Allow the fstatat64 and statx syscalls on i386 architecture when glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat for stat operations, and statx for time64 support. Without this, SIGHUP configuration reload fails when using sandbox mode with %include directives on i386 with Debian Bookworm or newer. - Allow the lstat64 syscall on i386 architecture. This syscall is used by glob() in glibc 2.36+ when processing %include directives with directory patterns. o Minor features (security): - Increase the size of our finite-field Diffie Hellman TLS group (which we should never actually use!) to 2048 bits. Part of ticket 41067. - Require TLS version 1.2 or later. (Version 1.3 support will be required in the near future.) Part of ticket 41067. - Update TLS 1.2 client cipher list to match current Firefox. Part of ticket 41067. - Verify needle is smaller than haystack before calling memmem. Closes ticket 40854. o Minor features (onion services): - Add 3 more keywords to the ADD_ONION control command: PoWDefensesEnabled, PoWQueueRate and PoWQueueBurst which correspond to HiddenServicePoWDefensesEnabled, HiddenServicePoWQueueRate and HiddenServicePoWQueueBurst from torrc. - Reduce the minimum value of hsdir_interval to match recent tor- spec change. o Minor feature (directory authority): - Introduce MinimalAcceptedServerVersion to allow configuring the minimum accepted relay version without requiring a new tor release. Closes ticket 40817. o Minor features (metrics port): - New metrics on the MetricsPort for the number of BUG() calls that occurred at runtime. Fixes bugs 40839 and 41104; bugfix on 0.4.7.1-alpha. - Handle rephist tracking of ntor and ntor_v3 handshakes individually such that MetricsPort exposes the correct values. Fixes bug 40638; bugfix on 0.4.7.11. - Add new metrics for relays on the MetricsPort namely the count of drop cell, destroy cell and the number of circuit protocol violation seen that lead to a circuit close. Closes ticket 40816. o Minor features (forward-compatibility): - We now correctly parse microdescriptors and router descriptors that do not include TAP onion keys. (For backward compatibility, authorities continue to require these keys.) Implements part of proposal 350. o Minor features (portability, android): - Use /data/local/tmp for data storage on Android by default. Closes ticket 40487. Patch from Hans-Christoph Steiner. o Minor features (directory authority): - Export unsigned consensus documents once we have seen a threshold of signatures, as a step toward the consensus transparency experiment. o Minor features (fallbackdir): - Regenerate fallback directories generated on February 12, 2026. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2026/02/12. o Minor features (windows): - Various compilation fixes for our Windows CI. Closes ticket 41214. o Minor bugfixes (exit relays): - Clip every returned DNS TTL to 60 (RESOLVED) in order to mitigate an exit DNS cache oracle. Fixes bug 40979; bugfix on 0.3.5.1-alpha. o Minor bugfixes (spec conformance): - Set the length field correctly on RELAY_COMMAND_CONFLUX_SWITCH messages. Previously, it was always set to the maximum value. Fixes bug 41056; bugfix on 0.4.8.1-alpha. - Do not treat "15" as a recognized remote END reason code. Formerly, we treated it as synonymous with a local ENTRYPOLICY, which isn't a valid remote code at all. Fixes bug 41171; bugfix on 0.2.0.8-alpha. o Minor bugfixes (tooling): - Fix a false positive valgrind related to inspecting a bitfield next to another uninitialized bitfield. Fixes bug 41182; bugfix on 0.3.3.2-alpha. - Fix minor warnings from newer versions of shellcheck and clang. Fixes bug 41166; bugfix on 0.4.3.1-alpha and several other versions. - Fix a warning when compiling with GCC 14.2. Closes 41032. o Minor bugfixes (threads): - Make thread control POSIX compliant. Fixes bug 41109; bugfix on 0.4.8.17. o Minor bugfix (client DNS): - Handle empty DNS reply without sending back an error and instead send back NOERROR (RFC1035 error code 0x0). Fixes bug 40248; bugfix on 0.3.5.1-alpha. o Minor bugfixes (directory authorities): - After we added layer-two vanguards, directory authorities wouldn't think any of their vanguards were suitable for circuits, leading to a "Failed to find node for hop #2 of our path. Discarding this circuit." log message once per second from startup until they made a fresh consensus. Now they look to their existing consensus on startup, letting them build circuits properly from the beginning. Fixes bug 40802; bugfix on 0.4.7.1-alpha. o Minor bugfixes (tests): - Fix a test failure with OpenSSL builds running at security level 1 or greater, which does not permit SHA-1 certificates. Fixes bug 41021; bugfix on 0.2.8.1-alpha. o Minor bugfixes (bridges): - Don't warn when BridgeRelay is 1 and ExitRelay is explicitly set to 0. Fixes bug 40884; bugfix on 0.4.8.3-rc. o Minor bugfixes (conflux, client): - Avoid a non fatal assert caused by data coming in on a conflux set that is being freed during shutdown. Fixes bug 40870; bugfix on 0.4.8.1-alpha. o Minor bugfixes (testing network): - Enabling TestingTorNetwork no longer forces fast hidden service intro point rotation. This reduces noise and errors when using hidden services with TestingTorNetwork enabled. Fixes bug 40922; bugfix on 0.3.2.1-alpha. o Minor bugfixes (relay): - Refuse to overwrite an existing *.secret_family_key when running tor --keygen-family. Fixes bug 41184; bugfix on 0.4.9.1-alpha. o New system requirements: - When built with LibreSSL, Tor now requires LibreSSL 3.7 or later. Part of ticket 41059. - When built with OpenSSL, Tor now requires OpenSSL 1.1.1 or later. (We strongly recommend 3.0 or later, but still build with 1.1.1, even though it is not supported by the OpenSSL team, due to its presence in Debian oldstable.) Part of ticket 41059. o Removed features (relays): - Relays no longer support clients that falsely advertise TLS ciphers they don't really support. (Clients have not done this since 0.2.3.17-beta). Part of ticket 41031. - Relays no longer support clients that require obsolete v1 and v2 link handshakes. (The v3 link handshake has been supported since 0.2.3.6-alpha). Part of ticket 41031. - Relays no longer support the obsolete TAP circuit extension protocol. (For backward compatibility, however, relays still continue to include TAP keys in their descriptors.) Implements part of proposal 350. - Relays no longer support the obsolete "RSA-SHA256-TLSSecret" authentication method, which used a dangerously short RSA key, and which required access TLS session internals. The current method ("Ed25519-SHA256-RFC5705") has been supported since 0.3.0.1-alpha. Closes ticket 41020. o Removed features (directory authorities): - Directory authorities no longer support consensus methods before method 32. Closes ticket 40835. - We include a new consensus method that removes support for computing "package" lines in consensus documents. This feature was never used, and support for including it in our votes was removed in 0.4.2.1-alpha. Finishes implementation of proposal 301. 0.4.9.4-rc Finally, the release candidate for the 0.4.9.x series. It consists of minor features and several bugfixes. Nothing major has been added since the alpha. If everything goes well, the next version will be the first stable. o Minor features (security, reliability): - When KeepaliveIsolateSOCKSAuth is keeping a circuit alive, expire the circuit based on when it was last in use for any stream, not (as we did before) based on when a stream was last attached to it. Closes ticket 41157. Implements a minimal version of Proposal 368. o Minor feature (Exit): - Add Monero ports to the ReducedExitPolicy. Closes ticket 41168. o Minor features (HTTPTunnelPort): - Implement new HTTPTunnelPort features for interoperability with Arti's HTTP CONNECT proxy. This work adds new headers to requests to and replies from the HttpConnectPort, support for OPTIONS requests, tightens the expected syntax for Proxy-Authorization, and increases defense-in-depth against some kinds of cross-site HTTP attacks. Closes ticket 41156. Implements proposal 365. o Minor features (linux seccomp2 sandbox): - Allow the fstatat64 and statx syscalls on i386 architecture when glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat for stat operations, and statx for time64 support. Without this, SIGHUP configuration reload fails when using sandbox mode with %include directives on i386 with Debian Bookworm or newer. - Allow the lstat64 syscall on i386 architecture. This syscall is used by glob() in glibc 2.36+ when processing %include directives with directory patterns. o Minor bugfixes (DNS, exit): - Clip every returned DNS TTL to 60 (RESOLVED) in order to mitigate an exit DNS cache oracle. Fixes bug 40979; bugfix on 0.3.5.1-alpha. o Minor bugfixes (spec conformance): - Do not treat "15" as a recognized remote END reason code. Formerly, we treated it as synonymous with a local ENTRYPOLICY, which isn't a valid remote code at all. Fixes bug 41171; bugfix on 0.2.0.8-alpha. o Minor bugfixes (tooling): - Fix a false positive valgrind related to inspecting a bitfield next to another uninitialized bitfield. Fixes bug 41182; bugfix on 0.3.3.2-alpha. o Minor bugfixes (warnings): - Fix minor warnings from newer versions of shellcheck and clang. Fixes bug 41166; bugfix on 0.4.3.1-alpha and several other versions. 0.4.9.3-alpha This is the third alpha release and likely the last before going stable. This release contains the new CGO circuit encryption. See proposal 359 for more details. Several TLS minor fixes which will strengthen the link security. o New system requirements: - When built with LibreSSL, Tor now requires LibreSSL 3.7 or later. Part of ticket 41059. - When built with OpenSSL, Tor now requires OpenSSL 1.1.1 or later. (We strongly recommend 3.0 or later, but still build with 1.1.1, even though it is not supported by the OpenSSL team, due to its presence in Debian oldstable.) Part of ticket 41059. o Major features (cell format): - Tor now has (unused) internal support to encode and decode relay messages in the new format required by our newer CGO encryption algorithm. Closes ticket 41051. Part of proposal 359. o Major features (cryptography): - Clients and relays can now negotiate Counter Galois Onion (CGO) relay cryptography, as designed by Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam. CGO provides improved resistance to several kinds of tagging attacks, better forward secrecy, and better forgery resistance. Closes ticket 41047. Implements proposal 359. o Major bugfixes (onion service directory cache): - Preserve the download counter of an onion service descriptor across descriptor uploads, so that recently updated descriptors don't get pruned if there is memory pressure soon after update. Additionally, create a separate torrc option MaxHSDirCacheBytes that defaults to the former 20% of MaxMemInQueues threshold, but can be controlled by relay operators under DoS. Also enforce this threshold during HSDir uploads. Fixes bug 41006; bugfix on 0.4.8.14. o Minor features (security): - Increase the size of our finite-field Diffie Hellman TLS group (which we should never actually use!) to 2048 bits. Part of ticket 41067. - Require TLS version 1.2 or later. (Version 1.3 support will be required in the near future.) Part of ticket 41067. - Update TLS 1.2 client cipher list to match current Firefox. Part of ticket 41067. o Minor features (security, TLS): - When we are running with OpenSSL 3.5.0 or later, support using the ML-KEM768 for post-quantum key agreement. Closes ticket 41041. o Minor feature (client, TLS): - Set the TLS 1.3 cipher list instead of falling back on the default value. o Minor feature (padding, logging): - Reduce the amount of messages being logged related to channel padding timeout when log level is "notice". o Minor features (bridges): - Save complete bridge lines to 'datadir/bridgelines'. Closes ticket 29128. o Minor features (fallbackdir): - Regenerate fallback directories generated on September 16, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/09/16. o Minor features (hidden services): - Reduce the minimum value of hsdir_interval to match recent tor- spec change. o Minor features (hsdesc POW): - Tolerate multiple PoW schemes in onion service descriptors, for future extensibility. Implements torspec ticket 272. o Minor features (performance TLS): - When running with with OpenSSL 3.0.0 or later, support using X25519 for TLS key agreement. (This should slightly improve performance for TLS session establishment.) o Minor features (portability): - Fix warnings when compiling with GCC 15. Closes ticket 41079. o Minor bugfix (conflux): - Remove the pending nonce if we realize that the nonce of the unlinked circuit is not tracked anymore. Should avoid the non fatal assert triggered with a control port circuit event. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (bridges, pluggable transport): - Fix a bug causing the initial tor process to hang instead of exiting with RunAsDaemon, when pluggable transports are used. Fixes bug 41088; bugfix on 0.4.9.1-alpha. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev. - Prevent circuit_mark_for_close() from being called twice on the same circuit. Second fix attempt Fixes bug 41106; bugfix on 0.4.8.17 o Minor bugfixes (compilation): - Fix linking on systems without a working stdatomic.h. Fixes bug 41076; bugfix on 0.4.9.1-alpha. o Minor bugfixes (compiler warnings): - Make sure the two bitfields in the half-closed edge struct are unsigned, as we're using them for boolean values and assign 1 to them. Fixes bug 40911; bugfix on 0.4.7.2-alpha. o Minor bugfixes (logging, metrics port): - Count BUG statements for the MetricsPort only if they are warnings or errors. Fixes bug 41104; bugfix on 0.4.7.1-alpha. Patch contributed by shadowcoder. o Minor bugfixes (protocol): - Set the length field correctly on RELAY_COMMAND_CONFLUX_SWITCH messages. Previously, it was always set to the maximum value. Fixes bug 41056; bugfix on 0.4.8.1-alpha. o Minor bugfixes (relay): - Fix a crash when FamilyKeyDir is a path that cannot be read. Fixes bug 41043; bugfix on 0.4.9.2-alpha. o Minor bugfixes (threads): - Make thread control POSIX compliant. Fixes bug 41109; bugfix on 0.4.8.17-dev. o Removed features: - Relays no longer support clients that falsely advertise TLS ciphers they don't really support. (Clients have not done this since 0.2.3.17-beta). Part of ticket 41031. - Relays no longer support clients that require obsolete v1 and v2 link handshakes. (The v3 link handshake has been supported since 0.2.3.6-alpha). Part of ticket 41031. 0.4.9.2-alpha This is the second alpha of the 0.4.9.x series. We have several new minor features and a big one, the happy families that was long awaited by relay operators. This release also fixes a number of bugs including major ones. o Major feature (happy families): - Clients and relays now support "happy families", a system to simplify relay family operation and improve directory performance. With "happy families", relays in a family shares a secret "family key", which they use to prove their membership in the family. Implements proposal 321; closes ticket 41009. Note that until enough clients are upgraded, relay operators will still need to configure MyFamily lists. But once clients no longer depend on those lists, we will be able to remove them entirely, thereby simplifying family operation, and making microdescriptor downloads approximately 80% smaller. For more information, see https://community.torproject.org/relay/setup/post-install/family-ids/ o Major features (client): - Clients now respect "happy families" per proposal 321. This feature will eventually allow a much more compact representation for relay families, for a significant savings in directory download size. o Minor feature (onion service, control port): - Add 3 more keywords to the ADD_ONION control command: PoWDefensesEnabled, PoWQueueRate and PoWQueueBurst which correspond to HiddenServicePoWDefensesEnabled, HiddenServicePoWQueueRate and HiddenServicePoWQueueBurst from torrc. o Minor feature (testing, CI): - Use a fixed version of chutney (be881a1e) instead of its current HEAD. This version should also be preferred when testing locally. o Minor features (compilation): - Fix a warning when compiling with GCC 14.2. Closes 41032. o Minor features (continuous integration): - Upgrade CI runners to use Debian Bookworm instead of Bullseye. Closes ticket 41029. o Minor features (fallbackdir): - Regenerate fallback directories generated on February 05, 2025. - Regenerate fallback directories generated on March 20, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/02/05. - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/03/20. - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/03/24. o Minor features (recommended protocols): - Directory authorities now vote to recommend that clients support certain protocols beyond those that are required. These include improved support for connecting to relays on IPv6, NtorV3, and congestion control. Part of ticket 40836. o Minor features (required protocols): - Directory authorities now vote to require clients to support the authenticated SENDME feature, which was introduced in 0.4.1.1-alpha. Part of ticket 40836. - Directory authorities now vote to require relays to support certain protocols, all of which have been implemented since 0.4.7.4-alpha or earlier. These include improved support for connecting to relays on IPv6, NtorV3, running as a rate-limited introduction point, authenticated SENDMEs, and congestion control. Part of ticket 40836. o Major bugfix (control-events, bw-cache): - Fixes spikes occurring in bandwidth cache on control connection. Fixes bug 31524; bugfix on 0.4.8.12-dev. o Major bugfixes (conflux): - Ensure conflux guards obey family and subnet restrictions. Fixes bug 40976; bugfix on 0.4.8.13. o Major bugfixes (onion service directory cache): - When the OOM killer kicks in, cleanup the descriptor cache of an HSDir by looking at the lowest downloaded count instead of time in cache. Fixes bug 40996; bugfix on 0.3.5.1-alpha. o Minor bugfix (client DNS): - Handle empty DNS reply without sending back an error and instead send back NOERROR (RFC1035 error code 0x0). Fixes bug 40248; bugfix on 0.3.5.1-alpha. o Minor bugfix (conflux): - Avoid a non fatal assert when describing a conflux circuit on the control port after being prepped to be freed. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfix (dirauth): - Fix typo in flag assignment approved-routers file. Fixes bug 41035; bugfix on 0.4.8.15 o Minor bugfixes (control port): - Correctly report conflux pair information to controller fields Fixes bug 40872; bugfix on 0.4.8.1-alpha o Minor bugfixes (directory authorities): - After we added layer-two vanguards, directory authorities wouldn't think any of their vanguards were suitable for circuits, leading to a "Failed to find node for hop #2 of our path. Discarding this circuit." log message once per second from startup until they made a fresh consensus. Now they look to their existing consensus on startup, letting them build circuits properly from the beginning. Fixes bug 40802; bugfix on 0.4.7.1-alpha. o Minor bugfixes (relay flag usage): - Fix client usage of the MiddleOnly flag so that MiddleOnly relays are not used as HS IP or RP by clients or services. Additionally, give dirauths the ability to remove specific flags, as an alternative to MiddleOnly. Fixes bug 41023; bugfix on 0.4.7.2-alpha o Minor bugfixes (sandbox, bwauth): - Fix sandbox to work for bandwidth authority. Fixes bug 40933; bugfix on 0.2.2.1-alpha o Minor bugfixes (tests): - Fix a test failure with OpenSSL builds running at security level 1 or greater, which does not permit SHA-1 certificates. (Fixes bug 41021; bugfix on 0.2.8.1-alpha.) o Minor bugfixes (threads, memory): - Improvements in cleanup of resources used by threads. Fixes bug 40991; bugfix on 0.4.8.13-dev. - Rework start and exit of worker threads. o Removed features: - Relays no longer support the obsolete "RSA-SHA256-TLSSecret" authentication method, which used a dangerously short RSA key, and which required access TLS session internals. The current method ("Ed25519-SHA256-RFC5705") has been supported since 0.3.0.1-alpha. Closes ticket 41020. 0.4.9.1-alpha This is the first alpha of the 0.4.9.x series. This release mostly consists of bugfixes including some major ones. There are several minor features in this release but no large new subsystem. o Major bugfixes (sandbox): - Fix sandbox to work on architectures that use Linux's generic syscall interface, extending support for AArch64 (ARM64) and adding support for RISC-V, allowing test_include.sh and the sandbox unit tests to pass on these systems even when building with fragile hardening enabled. Fixes bugs 40465 and 40599; bugfix on 0.2.5.1-alpha. o Minor feature (defense in depth): - Verify needle is smaller than haystack before calling memmem. Closes ticket 40854. o Minor feature (directory authority): - Introduce MinimalAcceptedServerVersion to allow modification of minimal accepted version for relays without requiring a new tor release. Closes ticket 40817. o Minor feature (exit policies): - Implement reevaluating new exit policy against existing connections. This is controlled by new config option ReevaluateExitPolicy, defaulting to 0. Closes ticket 40676. o Minor feature (exit relay, DoS resistance): - Implement a token-bucket based rate limiter for stream creation and resolve request. It is configured by the DoSStream* family of configuration options. Closes ticket 40736. o Minor feature (metrics port): - New metrics on the MetricsPort for the number of BUG() that occurred at runtime. Closes MR 760. o Minor feature (metrics port, relay): - Add new metrics for relays on the MetricsPort namely the count of drop cell, destroy cell and the number of circuit protocol violation seen that lead to a circuit close. Closes ticket 40816. o Minor feature (testing): - test-network now unconditionally includes IPv6 instead of trying to detect IPv6 support. o Minor feature (testing, CI): - Use a fixed version of chutney (be881a1e) instead of its current HEAD. This version should also be preferred when testing locally. o Minor features (forward-compatibility): - We now correctly parse microdescriptors and router descriptors that do not include TAP onion keys. (For backward compatibility, authorities continue to require these keys.) Implements part of proposal 350. o Minor features (portability, android): - Use /data/local/tmp for data storage on Android by default. Closes ticket 40487. Patch from Hans-Christoph Steiner. o Minor features (SOCKS): - Detect invalid SOCKS5 username/password combinations according to new extended parameters syntax. (Currently, this rejects any SOCKS5 username beginning with "", except for the username "0". Such usernames are now reserved to communicate additional parameters with other Tor implementations.) Implements proposal 351. o Minor bugfix (MetricsPort, relay): - Handle rephist tracking of ntor and ntor_v3 handshakes individually such that MetricsPort exposes the correct values. Fixes bug 40638; bugfix on 0.4.7.11. o Minor bugfix (process): - Avoid closing all possible FDs when spawning a process (PT). On some systems, this could lead to 3+ minutes hang. Fixes bug 40990; bugfix on 0.3.5.1-alpha. o Minor bugfix (relay, sandbox): - Disable a sandbox unit test that is failing on Debian Sid breaking our nightly packages. Fixes bug 40918; bugfix on 0.3.5.1-alpha. o Minor bugfixes (bridge): - Don't warn when BridgeRelay is 1 and ExitRelay is explicitly set to 0. Fixes bug 40884; bugfix on 0.4.8.3-rc. o Minor bugfixes (compiler warnings): - Make sure the two bitfields in the half-closed edge struct are unsigned, as we're using them for boolean values and assign 1 to them. Fixes bug 40911; bugfix on 0.4.7.2-alpha. o Minor bugfixes (conflux, client): - Avoid a non fatal assert caused by data coming in on a conflux set that is being freed during shutdown. Fixes bug 40870; bugfix on 0.4.8.1-alpha. o Minor bugfixes (memory): - Fix a pointer free that wasn't set to NULL afterwards which could be reused by calling back in the free all function. Fixes bug 40989; bugfix on 0.4.8.13. o Minor bugfixes (sandbox, bwauth): - Fix sandbox to work for bandwidth authority. Fixes bug 40933; bugfix on 0.2.2.1-alpha o Minor bugfixes (testing): - Enabling TestingTorNetwork no longer forces fast hidden service intro point rotation. This reduces noise and errors when using hidden services with TestingTorNetwork enabled. Fixes bug 40922; bugfix on 0.3.2.1-alpha. o Minor bugfixes (tor-resolve): - Create socket with correct family as given by sockshost, fixes IPv6. Fixes bug 40982; bugfix on 0.4.9.0-alpha. o Removed features: - Directory authorities no longer support consensus methods before method 32. Closes ticket 40835. o Removed features (directory authority): - We include a new consensus method that removes support for computing "package" lines in consensus documents. This feature was never used, and support for including it in our votes was removed in 0.4.2.1-alpha. Finishes implementation of proposal 301. o Removed features (obsolete): - Relays no longer support the obsolete TAP circuit extension protocol. (For backward compatibility, however, relays still continue to include TAP keys in their descriptors.) Implements part of proposal 350. - Removed some vestigial code for selecting the TAP circuit extension protocol. 0.4.8.22 This is likely the very last release of the 0.4.8.x series. Three major bugfixes detailed below including two affecting directory servers (basically all relays). We strongly recommend upgrading as soon as possible. o Major bugfixes (security): - Avoid an out-of-bounds read error that could occur with V1-formatted EXTEND cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This is tracked as TROVE-2025-016. o Major bugfixes (directory servers): - Allow old clients to fetch the consensus even if they use version 0 of the SENDME protocol. In mid 2025 we changed the required minimum version of the "FlowCtrl" protocol to 1, meaning directory caches hang up on clients that send a version 0 SENDME cell. Since old clients were no longer able to retrieve the consensus, they couldn't learn about this required minimum version -- meaning we've had many many old clients loading down directory servers for the past months. Fixes bug 41191; bugfix on 0.4.1.1-alpha. - Don't count networkstatus serves until they finish. When we started serving a consensus document but the client didn't receive all of it, we were still counting that as a success in our stats. This mistake, which can be triggered for example by obsolete clients or by DPI-based censorship, led to wildly inflated user counts because we estimate total users in the world based on successful consensus fetches. Fixes bug 41192; bugfix on 0.2.1.1-alpha. o Minor feature (testing, CI): - Bump the CI version of chutney to the current version as of 2026-01-21 (3338f5c). o Minor features (debugging, compression): - Do not check for compression bombs for buffers smaller than 5MB (increased from 64 KB). Fixes ticket 40739; bugfix on 0.2.1.29. o Minor features (directory servers): - Track how many times directory servers begin serving networkstatus documents, so we can compare it to the number of times we finish serving them. Motivated by the fixes in ticket 41192. o Minor features (fallbackdir): - Regenerate fallback directories generated on January 28, 2026. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2026/01/28. o Minor bugfixes (relay): - Downgrade "Error relaying cell across rendezvous" log warn to info as the error condition is possible under normal circumstances. Fixes bug 40951; bugfix on 0.3.5.1-alpha. o Code simplification and refactoring: - Simplify SOCKS4a parsing to avoid the (false) appearance of integer underflows, and to make the logic more obvious. Fixes bug 41190; bugfix on 0.3.5.1-alpha. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 32f417b74395e228527749030be819c48dac56fa Author: Adolf Belka Date: Wed Apr 8 17:18:51 2026 +0200 core202: Ship systemd Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 665ea28e9a27483ed0111021fc6fe58a0c0b88f1 Author: Adolf Belka Date: Wed Apr 8 17:18:52 2026 +0200 systemd: Update to version 260.1 - Update from version 258 to 260.1 - Update of rootfile - Remove FTBFS patch as this has now been included in the tarball. - Remove the sed line for fixing udev linking as this is now part of the tarball. - Changelog entries only related to udev 260.1 * Support for non-system users and groups in udev rules and systemd-networkd configuration has been restored, but is deprecated and discouraged. systemd-udevd will emits warnings if a non-system user/group is specified in OWNER=/GROUP=. Similarly, systemd-networkd will warn about User=/Group= settings with a non-system user/group specified in .netdev files for Tun/Tap interfaces. This support will be removed in a future release. Device nodes should not be owned by a non-system user/group. It is recommended to check udev rules files with 'udevadm verify' and/or 'udevadm test' commands. * Permissions for /dev/ptp* are now set to 0664 (previously 0660), allowing unprivileged read-only access. This relies on the kernel fix "ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE." (commit b4e53b15c04e3852949003752f48f7a14ae39e86 in v6.15, backported to LTS releases in v6.12.68, v6.6.122, v6.1.162, v5.15.199, and v5.10.249), which adds missing PTP ioctl permission checks and keeps clock-modifying operations write-restricted. Systems running stable kernel branches should ensure they are updated to patch levels that include the fix. * Persistent network interface naming has bee extended to MCTP devices with the "mc" prefix. * The minimum backlight brightness value used when restoring backlight levels at boot has been lowered from 5% to 1%. This lower value should be sufficient to avoid blacked-out displays, but allows user environments to use a wider range of values (without lower values being reset during reboot). Note that environments may still set very low brightness values at runtime independently of the systemd clamp which only applies during boot. * A new udev property ID_INTEGRATION= is now exposed on devices that have ID_BUS= defined. This variable can be set to 'internal' when the device is integral part of the system or 'external' otherwise. Internal buses like PCI, I2C, SPI... imply 'internal' and external buses like bluetooth imply 'external'. For USB the 'removable' attribute of the port the device is connected to determines the result: 'fixed' implies 'internal' and 'removable' or 'unknown' implies 'external'. * ID_INPUT_JOYSTICK_INTEGRATION= property has been dropped in favour of ID_INTEGRATION= because it was never used and the new variable covers the idea that variable was intended for better. * A new udev builtin "tpm2_id" is now available which will extract vendor/model identification from connected TPM2 devices as they are probed. This is then used to import data from the udev database, possibly containing quirk and other information about specific TPMs. 259 * systemd-udevd rules gained support for OPTIONS="dump-json" to dump the current event status in JSON format. This generates output similar to "udevadm test --json=short". * The net_id builtin for systemd-udevd now can generate predictable interface names for Wifi devices on DeviceTree systems. * systemd-udevd and systemd-repart will now reread partition tables on block devices in a more graceful, incremental fashion. Specifically, they no longer use the kernel BLKRRPART ioctl() which removes all in-memory partition objects loaded into the kernel and then recreates them as new objects. Instead they will use the BLKPG ioctl() to make minimal changes, and individually add, remove, or grow modified partitions, avoiding removal/re-adding where the partitions were left unmodified on disk. This should greatly improve behaviour on systems that make modifications to partition tables on disk while using them. * A new udev property ID_BLOCK_SUBSYSTEM is now exposed on block devices reporting a short identifier for the subsystem a block device belongs to. This only applies to block devices not connected to a regular bus, i.e. virtual block devices such as loopback, DM, MD, or zram. * systemd-udevd will now generate /dev/gpio/by-id/… symlinks for GPIO devices. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/systemd | 10 +++++++--- config/rootfiles/{oldcore/199 => core/202}/filelists/systemd | 0 lfs/systemd | 12 +++--------- lfs/tor | 6 +++--- 4 files changed, 13 insertions(+), 15 deletions(-) copy config/rootfiles/{oldcore/199 => core/202}/filelists/systemd (100%) Difference in files: diff --git a/config/rootfiles/common/systemd b/config/rootfiles/common/systemd index b3dd31afd..965d2fe3f 100644 --- a/config/rootfiles/common/systemd +++ b/config/rootfiles/common/systemd @@ -27,6 +27,7 @@ usr/bin/udev-hwdb #usr/include/systemd/sd-dhcp6-lease.h #usr/include/systemd/sd-dhcp6-option.h #usr/include/systemd/sd-dhcp6-protocol.h +#usr/include/systemd/sd-dns-resolver.h #usr/include/systemd/sd-event.h #usr/include/systemd/sd-gpt.h #usr/include/systemd/sd-hwdb.h @@ -51,15 +52,14 @@ usr/bin/udev-hwdb #usr/include/systemd/sd-path.h #usr/include/systemd/sd-radv.h #usr/include/systemd/sd-resolve.h -#usr/include/systemd/sd-utf8.h #usr/include/systemd/sd-varlink-idl.h #usr/include/systemd/sd-varlink.h #usr/lib/libsystemd.so usr/lib/libsystemd.so.0 -usr/lib/libsystemd.so.0.41.0 +usr/lib/libsystemd.so.0.43.0 #usr/lib/libudev.so usr/lib/libudev.so.1 -usr/lib/libudev.so.1.7.11 +usr/lib/libudev.so.1.7.13 #usr/lib/pkgconfig/libsystemd.pc #usr/lib/pkgconfig/libudev.pc usr/lib/udev @@ -88,6 +88,7 @@ usr/lib/udev/hwdb.d/60-input-id.hwdb usr/lib/udev/hwdb.d/60-keyboard.hwdb usr/lib/udev/hwdb.d/60-seat.hwdb usr/lib/udev/hwdb.d/60-sensor.hwdb +usr/lib/udev/hwdb.d/60-tpm2.hwdb usr/lib/udev/hwdb.d/70-analyzers.hwdb usr/lib/udev/hwdb.d/70-av-production.hwdb usr/lib/udev/hwdb.d/70-cameras.hwdb @@ -121,6 +122,7 @@ usr/lib/udev/rules.d/60-dmi-id.rules usr/lib/udev/rules.d/60-drm.rules usr/lib/udev/rules.d/60-evdev.rules usr/lib/udev/rules.d/60-fido-id.rules +usr/lib/udev/rules.d/60-gpiochip.rules usr/lib/udev/rules.d/60-infiniband.rules usr/lib/udev/rules.d/60-input-id.rules usr/lib/udev/rules.d/60-net.rules @@ -134,8 +136,10 @@ usr/lib/udev/rules.d/60-persistent-storage.rules usr/lib/udev/rules.d/60-persistent-v4l.rules usr/lib/udev/rules.d/60-sensor.rules usr/lib/udev/rules.d/60-serial.rules +usr/lib/udev/rules.d/60-tpm2-id.rules usr/lib/udev/rules.d/61-extrahd.rules usr/lib/udev/rules.d/64-btrfs.rules +usr/lib/udev/rules.d/65-integration.rules usr/lib/udev/rules.d/70-camera.rules usr/lib/udev/rules.d/70-joystick.rules usr/lib/udev/rules.d/70-memory.rules diff --git a/config/rootfiles/core/202/filelists/systemd b/config/rootfiles/core/202/filelists/systemd new file mode 120000 index 000000000..f5616415e --- /dev/null +++ b/config/rootfiles/core/202/filelists/systemd @@ -0,0 +1 @@ +../../../common/systemd \ No newline at end of file diff --git a/lfs/systemd b/lfs/systemd index df2b5346c..46f873b04 100644 --- a/lfs/systemd +++ b/lfs/systemd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 258 +VER = 260.1 THISAPP = systemd-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = c63bc09bff11ba4cf6e87bef689250a6b354bf8f5bfb5af6d2a173fa1e1838aa457a8a7db66f7aad20dae25b7a0defddcb052d53f18a688a2dd6d5f323d4692a +$(DL_FILE)_BLAKE2 = 072424e7288f8796be1e6952fadc5452c2ab54633b356796a29872609a03b4cc2edbc0cac0df7542bc969b06d265d2cbf52f9174742c5a570a5a3d7a7664cfa8 install : $(TARGET) @@ -91,12 +91,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Remve udev rule which requires a full systemd installation cd $(DIR_APP) && sed '/systemd-sysctl/s/^/#/' -i rules.d/99-systemd.rules.in - # Fix udev linking - cd $(DIR_APP) && \ - sed -i "/udev_dependencies,/a \ 'link_with': udev_link_with," src/udev/meson.build - - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/systemd-258-FTBFS.patch - # Prepare udev for build. cd $(DIR_APP) && mkdir -pv build cd $(DIR_APP)/build &&meson setup \ diff --git a/lfs/tor b/lfs/tor index 50e469507..7ba6c6641 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.8.21 +VER = 0.4.9.6 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 93 +PAK_VER = 94 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 1b7d786a7ec5a3e5967d8ce214f8a2aef10f8ba10791bc45d42a322bf4107c0a1962b80368e043ee1b239a8367660fdf810d05f00a010d9e69d024e1042217e8 +$(DL_FILE)_BLAKE2 = 93c4a338e892fdc451826fc5be2fa193aec582257b33b5cbb100f3f2ea2ecec182f56fa80e071e0a64fc81fb3a673d27521807071be85917a6490932659d8ebf install : $(TARGET) hooks/post-receive -- IPFire 2.x development tree