From 0f2df56902907cbe8bfade6db0f37cf567fa1a0db9eb2072c0cf86168408dc6a Mon Sep 17 00:00:00 2001
From: Bernhard Wiedemann
Date: Thu, 2 Jan 2025 03:33:55 +0000
Subject: [PATCH 1/6] tor 0.4.8.13
OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=277
---
.gitattributes | 23 +
.gitignore | 1 +
defaults-torrc | 11 +
fix-test.patch | 21 +
tor-0.2.5.x-logrotate.patch | 29 +
tor-0.4.8.12.tar.gz | 3 +
tor-0.4.8.12.tar.gz.sha256sum | 1 +
tor-0.4.8.12.tar.gz.sha256sum.asc | 18 +
tor-0.4.8.13.tar.gz | 3 +
tor-0.4.8.13.tar.gz.sha256sum | 1 +
tor-0.4.8.13.tar.gz.sha256sum.asc | 18 +
tor-master.service | 16 +
tor.changes | 3175 +++++++++++++++++++++++++++++
tor.keyring | 686 +++++++
tor.service | 53 +
tor.spec | 172 ++
tor.tmpfiles | 1 +
17 files changed, 4232 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 defaults-torrc
create mode 100644 fix-test.patch
create mode 100644 tor-0.2.5.x-logrotate.patch
create mode 100644 tor-0.4.8.12.tar.gz
create mode 100644 tor-0.4.8.12.tar.gz.sha256sum
create mode 100644 tor-0.4.8.12.tar.gz.sha256sum.asc
create mode 100644 tor-0.4.8.13.tar.gz
create mode 100644 tor-0.4.8.13.tar.gz.sha256sum
create mode 100644 tor-0.4.8.13.tar.gz.sha256sum.asc
create mode 100644 tor-master.service
create mode 100644 tor.changes
create mode 100644 tor.keyring
create mode 100644 tor.service
create mode 100644 tor.spec
create mode 100644 tor.tmpfiles
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/defaults-torrc b/defaults-torrc
new file mode 100644
index 0000000..bf7923e
--- /dev/null
+++ b/defaults-torrc
@@ -0,0 +1,11 @@
+DataDirectory /var/lib/tor
+PidFile /var/run/tor/tor.pid
+Log notice syslog
+ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
+ControlSocketsGroupWritable 1
+SocksPort unix:/var/run/tor/socks WorldWritable
+SocksPort 9050
+
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+CookieAuthFile /var/run/tor/control.authcookie
diff --git a/fix-test.patch b/fix-test.patch
new file mode 100644
index 0000000..9eedcfd
--- /dev/null
+++ b/fix-test.patch
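Review bot: In defaults-torrc the control channel sits in the same directory as the `WorldWritable` SOCKS socket and nothing in the file says so: /var/run/tor has to be reachable by every user for `SocksPort unix:/var/run/tor/socks WorldWritable` to work, which is presumably why `RelaxDirModeCheck` is set on the `ControlSocket` line. That leaves the control socket protected only by its own group-only mode and by the cookie, and `CookieAuthFileGroupReadable 1` hands the cookie to the same group, so membership in the daemon's group amounts to full control of the daemon. I would add a comment above the `ControlSocket` line, for example `# directory is shared with the world-writable SOCKS socket; control access is limited to the daemon's group via socket mode and cookie`. The directory's actual mode comes from files not shown in this hunk (tor.tmpfiles, tor.spec) and should be checked there; the /var/run paths also differ from the move to /run that the 2019 tor.changes entry describes for tor.tmpfiles.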
@@ -0,0 +1,21 @@
+commit 0384f5b3efbb041e2bc0080a6b6259e1b96815af
+Author: Bernhard M. Wiedemann
+Date: Wed Aug 21 11:36:05 2019 +0200
+
+ Workaround a LTO-induced test-failure
+
+ https://bugzilla.opensuse.org/show_bug.cgi?id=1146548#c3
+
+diff --git a/src/test/bt_test.py b/src/test/bt_test.py
+index f9ca79efd..07026164a 100755
+--- a/src/test/bt_test.py
++++ b/src/test/bt_test.py
+@@ -30,7 +30,7 @@ def matches(lines, funcs):
+ else:
+ return True
+
+-FUNCNAMES = "crash oh_what a_tangled_web we_weave main".split()
++FUNCNAMES = "oh_what a_tangled_web we_weave main".split()
+
+ LINES = sys.stdin.readlines()
+
diff --git a/tor-0.2.5.x-logrotate.patch b/tor-0.2.5.x-logrotate.patch
new file mode 100644
index 0000000..c08d015
--- /dev/null
+++ b/tor-0.2.5.x-logrotate.patch
@@ -0,0 +1,29 @@
+From: Andreas Stieger
+Subject: openSUSE specific logrotate fixes
+Date: Sun, 18 May 2014 00:10:32 +0100
+Upstream: no
+References:
+
+* add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir
+* use "service tor" instead of "/etc/init.d/tor" to reload after logrotate
+ to fix logrotate on systemd-only setups without init script (by seife)
+
+---
+ contrib/operator-tools/tor.logrotate.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in
+===================================================================
+--- tor-0.2.5.10.orig/contrib/operator-tools/tor.logrotate.in 2014-06-27 22:45:19.000000000 +0100
++++ tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in 2014-10-24 20:22:54.000000000 +0100
+@@ -7,8 +7,9 @@
+ notifempty
+ # you may need to change the username/groupname below
+ create 0640 _tor _tor
++ su _tor _tor
+ sharedscripts
+ postrotate
+- /etc/init.d/tor reload > /dev/null
++ /usr/bin/systemctl try-reload-or-restart tor
+ endscript
+ }
diff --git a/tor-0.4.8.12.tar.gz b/tor-0.4.8.12.tar.gz
new file mode 100644
index 0000000..5f65915
--- /dev/null
+++ b/tor-0.4.8.12.tar.gz
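Review bot: The patched `FUNCNAMES` line in src/test/bt_test.py drops `crash` without any comment in the test itself, so the backtrace test silently stops checking for the crashing frame and the reason lives only in this patch's commit message. A comment above the assignment would keep that visible, e.g. `# "crash" is not expected here: LTO builds lose that name from the backtrace (boo#1146548)`; the exact LTO effect is inferred from the patch description, so word it to match the bug report. As far as this hunk shows the patch is carried unconditionally, so the weaker check would also apply to a build without LTO. The `matches` function that this list feeds starts outside the hunk.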
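Review bot: The description at the top of tor-0.2.5.x-logrotate.patch no longer matches the change it carries: it says the postrotate step uses `service tor`, while the added line is `/usr/bin/systemctl try-reload-or-restart tor`. Updating the bullet to `* use "systemctl try-reload-or-restart tor" to reload after logrotate` would keep the header accurate. That command addresses only tor.service; if tor@.service instances (mentioned in tor-master.service in this commit) write to files under the rotated path, they would keep the old file open, which is worth confirming against tor.service and the logrotate glob, neither of which is in this hunk.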
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874
+size 9687430
diff --git a/tor-0.4.8.12.tar.gz.sha256sum b/tor-0.4.8.12.tar.gz.sha256sum
new file mode 100644
index 0000000..644490a
--- /dev/null
+++ b/tor-0.4.8.12.tar.gz.sha256sum
@@ -0,0 +1 @@
+ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 tor-0.4.8.12.tar.gz
diff --git a/tor-0.4.8.12.tar.gz.sha256sum.asc b/tor-0.4.8.12.tar.gz.sha256sum.asc
new file mode 100644
index 0000000..8a0263c
--- /dev/null
+++ b/tor-0.4.8.12.tar.gz.sha256sum.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmZhuq0ACgkQQuhqKhH0
+jTYZXAf+J26VUvM2M1DsjeUAMOZPEtNsQ0voIN9jeXFHUt7p3tqa2aBe8gJ5IREC
+MtFK6MJLjJEHf6javbwoZuXXQ+xepJftPdJ9AR2bGlTConWE0VNVvfigawFHyKZn
+Sdt6JyB2AesWl0HLIZnOXeSLy8JA12s/HPWtt8Fsf94drZwQsSl+WQGHr787JugF
+aYmNRR4L+y46xL5HXbJ8KTc/UKPNlT+1vvwoAisofOQywrIJZGFsKpaowNiW9RWi
+MXUdjmPjKJZ8vn+FQG0ZOmahUWMOMYIt6fWmkttI5KF6HajtGNTG4A+A5+QMBoif
+N/VyJsISI2beHBAgAgPNGsXAa0FsIA==
+=2gNt
+-----END PGP SIGNATURE-----
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZmHEggAKCRC+agUxwYqR
+eVRoAP0SI+tzoCS06Pf1EJ0Mvea/ACIDZ5+XCaf9U0urRciMhgEA4BjvVG7I2cD8
+vGcxbkRtg4h9vZTr8rhdtSczdo3KYAY=
+=C9WI
+-----END PGP SIGNATURE-----
diff --git a/tor-0.4.8.13.tar.gz b/tor-0.4.8.13.tar.gz
new file mode 100644
index 0000000..582dde4
--- /dev/null
+++ b/tor-0.4.8.13.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28
+size 9912610
diff --git a/tor-0.4.8.13.tar.gz.sha256sum b/tor-0.4.8.13.tar.gz.sha256sum
new file mode 100644
index 0000000..0a3a86a
--- /dev/null
+++ b/tor-0.4.8.13.tar.gz.sha256sum
@@ -0,0 +1 @@
+9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 tor-0.4.8.13.tar.gz
diff --git a/tor-0.4.8.13.tar.gz.sha256sum.asc b/tor-0.4.8.13.tar.gz.sha256sum.asc
new file mode 100644
index 0000000..7e0fec9
--- /dev/null
+++ b/tor-0.4.8.13.tar.gz.sha256sum.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmcaXcgACgkQQuhqKhH0
+jTY76wgAwOXmC2L3o594jJTXXAooZRkdQL/wAk4o6iNKFHmwiyIz/MGVTcrQBQSN
+Hv3dQUhe3G3Z42M7GnJlEkFDA9Z6iBprkg0y9cD7nbmqC9nkB1zMdrUXdXOgMulG
+sybEgzRFqTLVQmJzA4/tcGcjU+AXCqG13z1ScHOZP3Ev8S6yPntfax42hnFewAoW
+OLSaYU68PGZ88uO2lAe65Hr/detdfJeWsG0rKK6jtCkej49qijiERemKZKCMTpYc
+iW8DGA0n/O1p+qOHF4e0Du7lzhP1CckI5HeWZS2wgtqDKol1Kw86zugPfYWyh/V+
+WWEofhVb2OZOHed1qL9OeutDfdNtcg==
+=NXg7
+-----END PGP SIGNATURE-----
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZxpelAAKCRC+agUxwYqR
+eV+2AP99m5nYfq/z1P7SYUpW1ddreizjFqlaQvJ1QhbZbpqc+AD+LxmvhDxM7+6S
+8vyZWFHZYQ8ehhMftF70qM6o9NpQHgs=
+=4Hya
+-----END PGP SIGNATURE-----
diff --git a/tor-master.service b/tor-master.service
new file mode 100644
index 0000000..1426f4f
--- /dev/null
+++ b/tor-master.service
@@ -0,0 +1,16 @@
+# Use tor-master.service to restart/reload/stop the main tor.service and
+# all instances of tor@.service that are running.
+#
+# systemd targets cannot be reloaded so this is a service instead.
+
+[Unit]
+Description=Anonymizing overlay network for TCP (multi-instance master)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.changes b/tor.changes
new file mode 100644
index 0000000..6070cb6
--- /dev/null
+++ b/tor.changes
@@ -0,0 +1,3175 @@ +------------------------------------------------------------------- +Fri Dec 27 21:55:57 UTC 2024 - Andreas Stieger + +- tor 0.4.8.13 + * Conflux related client circuit building performance bugfix + * Fix minor memory leaks + * Add STATUS TYPE=version handler for Pluggable Transport + +------------------------------------------------------------------- +Tue Jun 11 10:05:46 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.12 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Thu Apr 11 06:50:01 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.11 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Wed Feb 14 15:50:14 UTC 2024 - Martin Pluskal + +- Enables scrypt support unconditionally + +------------------------------------------------------------------- +Mon Feb 5 09:01:39 UTC 2024 - Andreas Stieger + +- fix users/groups with rpm 4.19 + +------------------------------------------------------------------- +Fri Dec 8 21:51:16 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.10: + * (TROVE-2023-007, exit) (boo#1217918) + - fix a a UAF and NULL pointer dereference crash on Exit relays + +------------------------------------------------------------------- +Thu Nov 9 14:29:00 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.9: + * (onion service, TROVE-2023-006): + - Fix a possible hard assert on a NULL pointer + * (guard usage): + - When Tor excluded a guard due to temporary circuit restrictions, + it considered *additional* primary guards for potential usage by + that circuit. 
+ +------------------------------------------------------------------- +Fri Nov 3 20:51:01 UTC 2023 - Andreas Stieger + +- tor 0.4.8.8: + * Mitigate an issue when Tor compiled with OpenSSL can crash during + handshake with a remote relay. (TROVE-2023-004, boo#1216873) + * Regenerate fallback directories generated on November 03, 2023. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/11/03 + * directory authority: Look at the network parameter + "maxunmeasuredbw" with the correct spelling + * vanguards addon support: Count the conflux linked cell as + valid when it is successfully processed. This will quiet a + spurious warn in the vanguards addon + +------------------------------------------------------------------- +Mon Sep 25 20:15:52 UTC 2023 - Andreas Stieger + +- tor 0.4.8.7: + * Fix an issue that prevented us from pre-building more conflux + sets after existing sets had been used + +------------------------------------------------------------------- +Tue Sep 19 16:52:36 UTC 2023 - Andreas Stieger + +- tor 0.4.8.6: + * onion service: Fix a reliability issue where services were + expiring their introduction points every consensus update. 
+ This caused connectivity issues for clients caching the old + descriptor and intro points + * Log the input and output buffer sizes when we detect a potential + compression bomb + * Disable multiple BUG warnings of a missing relay identity key when + starting an instance of Tor compiled without relay support + * When reporting a pseudo-networkstatus as a bridge authority, or + answering "ns/purpose/*" controller requests, include accurate + published-on dates from our list of router descriptors + * Use less frightening language and lower the log-level of our + run-time ABI compatibility check message in our Zstd + compression subsystem + +------------------------------------------------------------------- +Wed Aug 30 18:50:03 UTC 2023 - Andreas Stieger + +- tor 0.4.8.5: + * bugfixes creating log BUG stacktrace + +------------------------------------------------------------------- +Sun Aug 27 15:23:43 UTC 2023 - Andreas Stieger + +- tor 0.4.8.4: + * Extend DoS protection to partially opened channels and known + relays + * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks + against hidden services. 
Disabled by default, enable via + "HiddenServicePoW" in torrc + * Implement conflux traffic splitting + * Directory authorities and relays now interact properly with + directory authorities if they change addresses + +------------------------------------------------------------------- +Sun Jul 30 07:33:04 UTC 2023 - Andreas Stieger + +- tor 0.4.7.14: + * bugfix affecting vanguards (onion service), and minor fixes + +------------------------------------------------------------------- +Fri Mar 10 08:27:57 UTC 2023 - Martin Pluskal + +- Enable support for scrypt() + +------------------------------------------------------------------- +Fri Jan 13 06:29:25 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.7.13: + * fix SafeSocks option to avoid DNS leaks (boo#1207110, TROVE-2022-002) + * improve congestion control + * fix relay channel handling + +------------------------------------------------------------------- +Tue Dec 6 21:10:57 UTC 2022 - Andreas Stieger + +- tor 0.4.7.12: + * new key for moria1 + * new metrics are exported on the MetricsPort for the congestion + control subsystem + +------------------------------------------------------------------- +Thu Nov 10 19:14:54 UTC 2022 - Andreas Stieger + +- tor 0.4.7.11: + * Improve security of DNS cache by randomly clipping the TTL + value (boo#1205307, TROVE-2021-009) + * Improved defenses against network-wide DoS, multiple counters + and metrics added to MetricsPorts + * Apply circuit creation anti-DoS defenses if the outbound + circuit max cell queue size is reached too many times. This + introduces two new consensus parameters to control the queue + size limit and number of times allowed to go over that limit. + * Directory authority updates + * IPFire database and geoip updates + * Bump the maximum amount of CPU that can be used from 16 to 128. + The NumCPUs torrc option overrides this hardcoded maximum. 
+ * onion service: set a higher circuit build timeout for opened + client rendezvous circuit to avoid timeouts and retry load + * Make the service retry a rendezvous if the circuit is being + repurposed for measurements + +------------------------------------------------------------------- +Fri Aug 12 15:52:53 UTC 2022 - Andreas Stieger + +- tor 0.4.7.10 + * IPFire location database did not have proper ARIN network + allocations - affected circuit path selection and relay metrics + +------------------------------------------------------------------- +Thu Aug 11 16:39:24 UTC 2022 - Andreas Stieger + +- tor 0.4.7.9 (boo#1202336) + * major fixes aimed at reducing memory pressure on relays + * prevent a possible side-channel + * major bugfix related to congestion control + * major bugfix related to Vanguard L2 layer node selection + +------------------------------------------------------------------- +Thu Jun 16 17:08:53 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.7.8 + * Fix a scenario where RTT estimation can become wedged, seriously + degrading congestion control performance on all circuits. This + impacts clients, onion services, and relays, and can be triggered + remotely by a malicious endpoint. + (TROVE-2022-001, CVE-2022-33903, boo#1200672) + * Regenerate fallback directories generated on June 17, 2022. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/06/17. 
+ * Allow the rseq system call in the sandbox + * logging bug fixes + +------------------------------------------------------------------- +Wed Apr 27 18:29:58 UTC 2022 - Andreas Stieger + +- tor 0.4.7.7 + * New feature: Congestion control to improve traffic speed and + stability on the network once a majority of Exit nodes upgrade + boo#1198949 + * Directory authorities: improved handling of "MiddleOnly" relays + * Improved mitigation against guard discovery attacks on clients + and short-lived services + * Improve observed performance under DNS load + * Improve handling of overload state + * end-of-life relays running version 0.4.2.x, 0.4.3.x, + 0.4.4.x and 0.4.5 alphas/rc, 0.3.5.x are now rejected + * Onion service v2 addresses are no longer recognized + +------------------------------------------------------------------- +Sun Feb 6 01:10:07 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.6.10 + * minor bugfixes and features + * https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.6/ReleaseNotes + +------------------------------------------------------------------- +Fri Dec 17 18:54:05 UTC 2021 - Andreas Stieger + +- tor 0.4.6.9: + * remove the DNS timeout metric from the overload general signal + * regenerate fallback directories generated on December 15, 2021 + * Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/12/15 + * Reject IPv6-only DirPort + +------------------------------------------------------------------- +Sat Nov 13 11:02:55 UTC 2021 - Andreas Stieger + +- tor 0.4.6.8: + * Improving reporting of general overload state for DNS timeout + errors by relays + * Regenerate fallback directories for October 2021 + * Bug fixes for onion services + * CVE-2021-22929: do not log v2 onion services access attempt + warnings on disk excessively (TROVE-2021-008, boo#1192658) + +------------------------------------------------------------------- +Tue Aug 24 09:11:38 UTC 2021 - Jan Engelhardt + +- Reduce boilerplate generated by 
%service_*. + +------------------------------------------------------------------- +Tue Aug 17 18:52:40 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.6.7: + * Fix a DoS via a remotely triggerable assertion failure + (boo#1189489, TROVE-2021-007, CVE-2021-38385) + +------------------------------------------------------------------- +Tue Jul 6 07:13:19 UTC 2021 - Bernhard Wiedemann + +- Add missing service_add_pre tor-master.service + +------------------------------------------------------------------- +Thu Jul 1 11:13:23 UTC 2021 - Andreas Stieger + +- tor 0.4.6.6: + * Fix a compilation error with gcc 7, drop tor-0.4.6.5-gcc7.patch + * Enable the deterministic RNG for unit tests that covers the + address set bloomfilter-based API's + +------------------------------------------------------------------- +Wed Jun 16 20:32:43 UTC 2021 - Andreas Stieger + +- tor 0.4.6.5 + * Add controller support for creating v3 onion services with + client auth + * When voting on a relay with a Sybil-like appearance, add the + Sybil flag when clearing out the other flags. 
This lets a relay + operator know why their relay hasn't been included in the + consensus + * Relays now report how overloaded they are + * Add a new DoS subsystem to control the rate of client + connections for relays + * Relays now publish statistics about v3 onions services + * Improve circuit timeout algorithm for client performance +- add tor-0.4.6.5-gcc7.patch to fix build with gcc7 + +------------------------------------------------------------------- +Mon Jun 14 18:06:34 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.9 + * Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322) + * Detect more failure conditions from the OpenSSL RNG code (boo#1187323) + * Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549, boo#1187324) + * Fix an out-of-bounds memory access in v3 onion service descriptor parsing (CVE-2021-34550, boo#1187325) + +------------------------------------------------------------------- +Tue May 11 01:54:10 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.8 + * https://lists.torproject.org/pipermail/tor-announce/2021-May/000219.html + * allow Linux sandbox with Glibc 2.33 + * work with autoconf 2.70+ + * several other minor features and bugfixes (see announcement) + +------------------------------------------------------------------- +Sat Apr 24 19:07:24 UTC 2021 - Andreas Stieger + +- fix packaging warnings related to tor-master service + +------------------------------------------------------------------- +Fri Apr 23 21:22:30 UTC 2021 - Andreas Stieger + +- Fix logging issue due to systemd picking up stdout - boo#1181244 + Continue to log notices to syslog by default. 
+- actually build with lzma/zstd +- skip i586 tests (boo#1179331) + +------------------------------------------------------------------- +Tue Mar 16 23:38:53 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.7 + * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html + * Fix 2 denial of service security issues (boo#1183726) + + Disable the dump_desc() function that we used to dump unparseable + information to disk (CVE-2021-28089) + + Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority + (CVE-2021-28090) + * Ship geoip files based on the IPFire Location Database + +------------------------------------------------------------------- +Tue Feb 16 07:49:14 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.6 + * https://lists.torproject.org/pipermail/tor-announce/2021-February/000214.html + * Introduce a new MetricsPort HTTP interface + * Support IPv6 in the torrc Address option + * Add event-tracing library support for USDT and LTTng-UST + * Try to read N of N bytes on a TLS connection +- Drop upstream tor-practracker.patch + +------------------------------------------------------------------- +Fri Feb 5 08:16:39 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.4.7 + * https://blog.torproject.org/node/1990 + * Stop requiring a live consensus for v3 clients and services + * Re-entry into the network is now denied at the Exit level + * Fix undefined behavior on our Keccak library + * Strip '\r' characters when reading text files on Unix platforms + * Handle partial SOCKS5 messages correctly +- Add tor-practracker.patch to fix tests + +------------------------------------------------------------------- +Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann + +- Restrict service permissions with systemd + +------------------------------------------------------------------- +Thu Nov 12 17:02:48 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.6 + * Check channels+circuits on relays more thoroughly + 
(TROVE-2020-005, boo#1178741) + +------------------------------------------------------------------- +Tue Sep 15 14:51:40 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.5 + * Improve guard selection + * IPv6 improvements + +------------------------------------------------------------------- +Wed Aug 19 09:49:51 UTC 2020 - Dominique Leuenberger + +- Use %{_tmpfilesdir} instead of abusing %{_libexecdir}/tmpfiles.d. + +------------------------------------------------------------------- +Thu Jul 9 17:27:13 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.3.6 + * Fix a crash due to an out-of-bound memory access (CVE-2020-15572) + * Some minor fixes + +------------------------------------------------------------------- +Mon Jun 29 08:57:42 UTC 2020 - Bernhard Wiedemann + +- Fix logrotate to not fail when tor is stopped (boo#1164275) + +------------------------------------------------------------------- +Fri May 15 18:58:11 UTC 2020 - Andreas Stieger + +- tor 0.4.3.5: + * first stable release in the 0.4.3.x series + * implement functionality needed for OnionBalance with v3 onion + services + * significant refactoring of our configuration and controller + functionality + * Add support for banning a relay's ed25519 keys in the + approved-routers file in support for migrating away from RSA + * support OR connections through a HAProxy server + +------------------------------------------------------------------- +Wed Mar 18 20:52:20 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.2.7 + * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013) + * CVE-2020-10593: circuit padding memory leak (boo#1167014) + * Directory authorities now signal bandwidth pressure to clients + * Avoid excess logging on bug when flushing a buffer to a TLS connection + +------------------------------------------------------------------- +Fri Jan 31 08:32:28 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.2.6 + * Correct how we use libseccomp + * Fix crash when reloading logging configuration while the + 
experimental sandbox is enabled + * Avoid a possible crash when logging an assertion + about mismatched magic numbers + +------------------------------------------------------------------- +Tue Jan 7 11:21:02 UTC 2020 - Bernhard Wiedemann + +- Update tor.service and add defaults-torrc + to work without dropped torctl (boo#1072274) +- Add tor-master.service to allow handling multiple tor daemons + +------------------------------------------------------------------- +Sat Dec 14 20:35:25 UTC 2019 - Andreas Stieger + +- tor 0.4.2.5: + * first stable release in the 0.4.2.x series + * improves reliability and stability + * several stability and correctness improvements for onion services + * fixes many smaller bugs present in previous series + +------------------------------------------------------------------- +Tue Dec 10 08:27:14 UTC 2019 - Andreas Stieger + +- tor 0.4.1.7: + * several bugfixes to improve stability and correctness + * fixes for relays relying on AccountingMax + +------------------------------------------------------------------- +Mon Oct 7 13:16:38 UTC 2019 - Martin Pluskal + +- Update dependnecnies: + * python3 instead of python + * add libpcap and seccomp +- Use more suitable macros for building and systemd dependencies + +------------------------------------------------------------------- +Thu Sep 19 13:02:59 UTC 2019 - Bernhard Wiedemann + +- update to 0.4.1.6 + * Tolerate systems (including some Linux installations) where + madvise MADV_DONTFORK / MADV_DONTDUMP are available at build-time, + but not at run time. 
+ * Do not include the deprecated on Linux + * Fix the MAPADDRESS controller command to accept one or more arguments + * Always retry v2+v3 single onion service intro and rendezvous circuits + with a 3-hop path + * Use RFC 2397 data URL scheme to embed an image into tor-exit-notice.html + +------------------------------------------------------------------- +Tue Aug 20 15:43:45 UTC 2019 - Bernhard Wiedemann + +- update to 0.4.1.5 + * Onion service clients now add padding cells at the start of their + INTRODUCE and RENDEZVOUS circuits to make it look like + Exit traffic + * Add a generic publish-subscribe message-passing subsystem + * Controller commands are now parsed using a generalized parsing + subsystem + * Implement authenticated SENDMEs as detailed in proposal 289 + * Our node selection algorithm now excludes nodes in linear time + * Construct a fast secure pseudorandom number generator for + each thread, to use when performance is critical + * Consider our directory information to have changed when our list + of bridges changes + * Do not count previously configured working bridges towards our + total of working bridges + * When considering upgrading circuits from "waiting for guard" to + "open", always ignore circuits that are marked for close + * Properly clean up the introduction point map when circuits change + purpose + * Fix an unreachable bug in which an introduction point could try to + send an INTRODUCE_ACK + * Clients can now handle unknown status codes from INTRODUCE_ACK + cells +- Remove upstreamed tor-0.3.5.8-no-ssl-version-warning.patch +- Compile without -Werror to build with LTO (boo#1146548) +- Add fix-test.patch to workaround a LTO-induced test-failure + +------------------------------------------------------------------- +Fri Jul 26 12:23:05 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. 
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+-------------------------------------------------------------------
+Mon May 20 12:55:12 UTC 2019 - Christophe Giboudeaux
+
+- Add the missing zlib requirement.
+
+-------------------------------------------------------------------
+Fri May 10 09:46:26 UTC 2019 - Andreas Stieger
+
+- tor 0.4.0.5:
+ * new stable branch, but not a long-term support branch
+ * improvements for power management and bootstrap reporting
+ * preliminary backend support for circuit padding to prevent some
+ kinds of traffic analysis
+ * refactoring for long-term maintainability
+- drop upstreamed tor-0.3.5.8-nonetwork.patch
+
+-------------------------------------------------------------------
+Mon Apr 15 12:24:02 UTC 2019 - Bernhard Wiedemann
+
+- Add tor-0.3.5.8-no-ssl-version-warning.patch (boo#1129411)
+- Update tor.tmpfiles to use /run instead of /var/run
+
+-------------------------------------------------------------------
+Mon Feb 25 15:55:39 UTC 2019 - bwiedemann@suse.com
+
+- Add tor-0.3.5.8-nonetwork.patch to fix test failures
+ without network
+
+-------------------------------------------------------------------
+Fri Feb 22 15:04:30 UTC 2019 - bwiedemann@suse.com
+
+- tor 0.3.5.8:
+ * CVE-2019-8955 prevent attackers from making tor run
+ out of memory and crash
+ * Allow SOCKS5 with empty username+password
+ * Update geoip and geoip6 to the February 5 2019 Maxmind
+ GeoLite2 Country database
+ * Select guards even if the consensus has expired, as long
+ as the consensus is still reasonably live
+
+-------------------------------------------------------------------
+Mon Jan 7 23:16:55 UTC 2019 - astieger@suse.com
+
+- tor 0.3.5.7:
+ * first stable release in 0.3.5.x LTS branch
+ * support client authorization for v3 onion services
+ * cleanups to bootstrap reporting
+ * support for improved bandwidth measurement tools
+ * the default version for newly created onion services is now v3
+ (HiddenServiceVersion option can be used to override)
+ * If stem is used, an update of stem mey be required
+
+-------------------------------------------------------------------
+Mon Jan 7 23:01:18 UTC 2019 - astieger@suse.com
+
+- tor 0.3.4.10:
+ * OpenSSL compatibility fixes
+ * Fixes for relay bugs
+ * update fallback directory list
+
+-------------------------------------------------------------------
+Sat Nov 3 08:45:43 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.9:
+ * Various bug fixes, including a bandwidth management bug that
+ was causing memory exhaustion on relays
+
+-------------------------------------------------------------------
+Mon Sep 10 15:51:17 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.8 (boo#1107847):
+ * improvements for running in low-power and embedded environments
+ * preliminary changes for new bandwidth measurement system
+ * refine anti-denial-of-service code
+
+-------------------------------------------------------------------
+Mon Sep 10 13:52:34 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.10:
+ * various build and compatibility fixes
+ * The control port now exposes the list of HTTPTunnelPorts and
+ ExtOrPorts via GETINFO net/listeners/httptunnel and
+ net/listeners/extor respectively
+ * Authorities no longer vote to make the subprotocol version
+ "LinkAuth=1" a requirement: it is unsupportable with NSS, and
+ hasn't been needed since Tor 0.3.0.1-alpha
+ * When voting for recommended versions, make sure that all of the
+ versions are well-formed and parsable
+ * various minor bug fixes on onion services
+
+-------------------------------------------------------------------
+Sat Jul 14 18:31:57 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.9:
+ * move to a new bridge authority
+ * backport some bug fixes
+- refresh upstream signing keyring
+
+-------------------------------------------------------------------
+Mon Jul 9 19:38:14 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.8:
+ * directory authority memory leak fix
+ * various minor bug fixes
+
+-------------------------------------------------------------------
+Tue Jun 12 16:59:58 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.7:
+ * Add an IPv6 address for the "dannenberg" directory authority
+ * Improve accuracy of the BUILDTIMEOUT_SET control port event's
+ TIMEOUT_RATE and CLOSE_RATE fields
+ * Only select relays when tor has descriptors that it prefers to
+ use for them, avoiding nonfatal errors later
+
+-------------------------------------------------------------------
+Sun May 27 11:33:54 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.6:
+ * new stable release series
+ * controller support and other improvements for v3 onion services
+ * official support for embedding Tor within other application
+ * Improvements to IPv6 support
+ * Relay option ReducedExitPolicy to configure a reasonable default
+ * Revent DoS via malicious protocol version string (boo#1094283)
+ * Many other other bug fixes and improvements
+
+-------------------------------------------------------------------
+Sat Mar 3 18:39:39 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.10:
+ * CVE-2018-0490: remote crash vulnerability against directory
+ authorities (boo#1083845, TROVE-2018-001)
+ * CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002)
+ * New system for improved resistance to DoS attacks against relays
+ * Various other bug fixes
+
+-------------------------------------------------------------------
+Wed Jan 10 21:33:45 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.9:
+ * new onion service design (v3), not default
+ * new circuit scheduler algorithm for improved performance
+ * directory authority updates
+ * many other updates and improvements
+
+-------------------------------------------------------------------
+Fri Dec 1 20:33:08 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.9 with the following security fixes that prevent some
+ traffic confirmation, DoS and other problems (bsc#1070849):
+ * CVE-2017-8819: Replay-cache ineffective for v2 onion services
+ * CVE-2017-8820: Remote DoS attack against directory authorities
+ * CVE-2017-8821: An attacker can make Tor ask for a password
+ * CVE-2017-8822: Relays can pick themselves in a circuit path
+ * CVE-2017-8823: Use-after-free in onion service v2
+
+-------------------------------------------------------------------
+Wed Oct 25 15:05:45 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.8:
+ * Add "Bastet" as a ninth directory authority to the default list
+ * The directory authority "Longclaw" has changed its IP address
+ * Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer
+ * Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database
+- drop tor-0.3.1.7-fix-zstd-i586.patch, upstreamed
+
+-------------------------------------------------------------------
+Wed Sep 20 14:44:09 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.7:
+ * Serve and download directory information in more compact
+ formats
+ * New padding padding system to resist netflow-based traffic
+ analysis
+ * Improve protection against identification of tor traffic by ISP
+ via ConnectionPadding option
+ * Reduce the number of long-term connections open between relays
+- add tor-0.3.1.7-fix-zstd-i586.patch to fix 32 bit build with zstd
+
+-------------------------------------------------------------------
+Mon Sep 18 16:38:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.11:
+ * CVE-2017-0380: hidden services with the SafeLogging option
+ disabled could disclose the stack TROVE-2017-008, boo#1059194
+ * Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
+ Country database.
+ * drop tor-0.3.0.7-gcc7-fallthrough.patch, now upstream
+
+-------------------------------------------------------------------
+Thu Aug 3 11:26:00 UTC 2017 - jloehel@suse.com
+
+- tor 0.3.0.10
+ * Fix a typo that had prevented TPROXY-based transparent proxying
+ from working under Linux.
+ * Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems.
+
+-------------------------------------------------------------------
+Fri Jun 30 11:53:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.9:
+ * CVE-2017-0377: Fix path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen
+ exit relay (bsc#1046845)
+ * Don't block bootstrapping when a primary bridge is offline and
+ tor cannot get its descriptor
+ * When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old).
+ * Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Thu Jun 8 18:47:31 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.8 fixing a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure
+ * CVE-2017-0375: remotely triggerable assertion failure when a
+ hidden service handles a malformed BEGIN cell (bsc#1043455)
+ * CVE-2017-0376: remotely triggerable assertion failure caused by
+ receiving a BEGIN_DIR cell on a hidden service rendezvous
+ circuit (bsc#1043456)
+- further bug fixes:
+ * link handshake fixes when changing x509 certificates
+ * Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes
+ * When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that was
+ used on the TLS connection
+ * Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule
+
+-------------------------------------------------------------------
+Wed May 31 10:01:51 UTC 2017 - astieger@suse.com
+
+- fix build with GCC 7: warning-errors on implicit fallthrough
+ add tor-0.3.0.7-gcc7-fallthrough.patch bsc#1041262
+
+-------------------------------------------------------------------
+Tue May 16 00:26:43 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.7:
+ * Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor
+ relay process to exit. TROVE-2017-002 bsc#1039211
+ * Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+ * Tor no longer refuses to download microdescriptors or
+ descriptors if they are listed as "published in the future"
+ * The getpid() system call is now permitted under the Linux
+ seccomp2 sandbox, to avoid crashing with versions of OpenSSL
+ (and other libraries) that attempt to learn the process's PID
+ by using the syscall rather than the VDSO code
+
+-------------------------------------------------------------------
+Thu Apr 27 06:23:44 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.6:
+ * clients and relays now use Ed25519 keys to authenticate their
+ link connections to relays, rather than the old RSA1024 keys
+ that they used before.
+ * replace the guard selection and replacement algorithm to behave
+ more robustly in the presence of unreliable networks, and to
+ resist guard-capture attacks.
+ * numerous other small features and bugfixes
+ * groundwork for the upcoming hidden-services revamp
+
+-------------------------------------------------------------------
+Wed Mar 1 22:45:42 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.10:
+ * directory authority: During voting, when marking a relay as a
+ probable sybil, do not clear its BadExit flag: sybils can still
+ be bad in other ways too.
+ * IPv6 Exits: Stop rejecting all IPv6 traffic on Exits whose exit
+ policy rejects any IPv6 addresses. Instead, only reject a port
+ over IPv6 if the exit policy rejects that port on more than an
+ IPv6 /16 of addresses.
+ * parsing: Fix an integer underflow bug when comparing malformed
+ Tor versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through
+ Tor 0.2.9.8, which were built with -ftrapv by default. In other
+ cases it was harmless. Part of TROVE-2017-001 boo#1027539
+ * Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor
+ * Reject version numbers with components that exceed INT32_MAX.
+ * Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+ * The tor-resolve command line tool now rejects hostnames over 255
+ characters in length
+
+-------------------------------------------------------------------
+Tue Jan 24 06:19:19 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.9:
+ * Downgrade the "-ftrapv" option from "always on" to "only on
+ when --enable-expensive-hardening is provided." This hardening
+ option, like others, can turn survivable bugs into crashes --
+ and having it on by default made a (relatively harmless)
+ integer overflow bug into a denial-of-service bug
+ * Fix a client-side onion service reachability bug
+ * Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sun Jan 1 11:43:02 UTC 2017 - tchvatal@suse.com
+
+- Remove conditionals for the sle11 as we won't build there due to
+ openssl requirements. This reduces the logic in the spec file
+ quite a bit
+
+-------------------------------------------------------------------
+Mon Dec 19 20:40:39 UTC 2016 - astieger@suse.com
+
+- tor 0.2.9.8, the first stable release in the 0.2.9.x series:
+ * make mandatory a number of security features that were formerly
+ optional
+ * support a new shared-randomness protocol that will form the
+ basis for next generation hidden services
+ * single-hop hidden service mode for optimizing .onion services
+ that don't actually want to be hidden,
+ * try harder not to overload the directory authorities with
+ excessive downloads
+ * support a better protocol versioning scheme for improved
+ compatibility with other implementations of the Tor protocol
+ * deprecated options for security: CacheDNS, CacheIPv4DNS,
+ CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache,
+ AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
+ AllowSingleHopExits, ClientDNSRejectInternalAddresses,
+ CloseHSClientCircuitsImmediatelyOnTimeout,
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout,
+ ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
+ UseNTorHandshake, and WarnUnsafeSocks.
+ * *ListenAddress options are now deprecated as unnecessary: the
+ corresponding *Port options should be used instead. The
+ affected options are:
+ ControlListenAddress, DNSListenAddress, DirListenAddress,
+ NATDListenAddress, ORListenAddress, SocksListenAddress,
+ and TransListenAddress.
+
+-------------------------------------------------------------------
+Mon Dec 19 20:29:49 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.12:
+ * CVE-2016-1254: A hostile hidden service could cause tor clients
+ to crash (bsc#1016343)
+ * update fallback directory list
+ * Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Tue Dec 13 06:41:55 UTC 2016 - bwiedemann@suse.com
+
+- recommend torsocks as it is needed by included torify
+
+-------------------------------------------------------------------
+Sun Dec 11 19:40:35 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.11:
+ * Fix compilation with OpenSSL 1.1
+
+-------------------------------------------------------------------
+Fri Dec 2 16:58:06 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.10:
+ * When Tor leaves standby because of a new application request,
+ open circuits as needed to serve that request
+ * Clients now respond to new application stream requests
+ immediately when they arrive, rather than waiting up to one
+ second before starting to handle them
+ * small portability and memory handling issues
+ * Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Wed Oct 19 09:08:12 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.9:
+ * security fix: prevent remote DoS TROVE-2016-10-001 boo#1005292
+ * Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
+ Country database.
+ * Update signing key
+
+-------------------------------------------------------------------
+Sat Sep 24 13:52:20 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.8:
+ * fixes some crash bugs when using bridges
+ * fixes a timing-dependent assertion
+ * removes broken fallbacks from the hard-coded fallback directory
+ list
+ * Updates geoip and geoip6 to the September 6 2016 Maxmind
+ GeoLite2 Country database
+
+-------------------------------------------------------------------
+Wed Aug 24 21:01:13 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.7:
+ * The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest"
+ * Only use the ReachableAddresses option to restrict the first
+ hop in a path. In earlier versions of 0.2.8.x, it would apply
+ to every hop in the path, with a possible degradation in
+ anonymity for anyone using an uncommon ReachableAddress setting
+
+-------------------------------------------------------------------
+Sat Aug 13 17:44:24 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.6:
+ * improve client bootstrapping performance
+ * improved identity keys for relays (authority side)
+ * numerous bug fixes and performance improvements
+
+-------------------------------------------------------------------
+Mon Mar 21 08:17:17 UTC 2016 - astieger@suse.com
+
+- adjust nologin shell for tor user boo#971872
+
+-------------------------------------------------------------------
+Fri Dec 11 14:41:37 UTC 2015 - mpluskal@suse.com
+
+- Make building more verbose
+- Remove useless conditon for libevent, there is dependency for it
+ anyway
+
+-------------------------------------------------------------------
+Fri Dec 11 13:35:32 UTC 2015 - astieger@suse.com
+
+- skip tests on ports
+
+-------------------------------------------------------------------
+Fri Dec 11 07:43:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.7.6 fixes a major bug in entry guard selection, as well
+ as a minor bug in hidden service reliability. [boo#958729]
+
+-------------------------------------------------------------------
+Tue Nov 24 20:35:59 UTC 2015 - astieger@suse.com
+
+- 0.2.7.5:
+ * More secure identity key type for relays
+ * Improve cryptography performance
+ * Resolve several longstanding hidden-service performance issues
+ * Improve controller support for hidden services
+- Features removed:
+ * tor-fw-helper is no longer part of thie packaged, it was
+ re-implemented as a separate project
+- Packaging changes:
+ * drop upstreamed patch
+ tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Wed Oct 14 10:59:41 UTC 2015 - astieger@suse.com
+
+- fix Factory build (ignore missing systemd-tmpfiles)
+
+-------------------------------------------------------------------
+Wed Aug 26 20:02:21 UTC 2015 - astieger@suse.com
+
+- Malformed hostnames in socks5 requests were written to the log
+ regardless of SafeLogging option (CWE-532) [boo#943362]
+ add tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Sun Jul 12 20:54:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.10:
+ Significant stability and hidden service client fixes.
+ * Stop refusing to store updated hidden service descriptors on a
+ client.
+ * Stop crashing with an assertion failure when parsing certain
+ kinds of malformed or truncated microdescriptors.
+ * Stop random client-side assertion failures that could occur
+ when connecting to a busy hidden service, or connecting to a
+ hidden service while a NEWNYM is in progress.
+
+-------------------------------------------------------------------
+Thu Jun 11 18:55:44 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.9:
+ Clients using circuit isolation should upgrade;
+ all directory authorities should upgrade.
+ * fixes a regression in the circuit isolation code
+ * increases the requirements for receiving an HSDir flag
+ * addresses some small bugs in the systemd and sandbox code.
+
+-------------------------------------------------------------------
+Sat May 23 18:59:14 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.8:
+ This release fixes a bit of dodgy code in parsing INTRODUCE2 cells,
+ and fixes an authority-side bug in assigning the HSDir flag. All
+ directory authorities should upgrade.
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells.
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+ on a client authorized hidden service.
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country
+ database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Mon Apr 6 18:56:30 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.7
+ This releases fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting
+ hidden services. Hidden services should upgrade as soon as
+ possible. [boo#926097]
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. CVE-2015-2928
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ CVE-2015-2929
+ - Introduction points no longer allow multiple INTRODUCE1 cells
+ to arrive on the same circuit. This should make it more
+ expensive for attackers to overwhelm hidden services with
+ introductions.
+ - Decrease the amount of reattempts that a hidden service
+ performs when its rendezvous circuits fail. This reduces the
+ computational cost for running a hidden service under heavy
+ load.
+
+-------------------------------------------------------------------
+Sun Mar 29 11:51:09 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.6, the first stable release in the 0.2.6 series:
+ * safety/security improvements
+ * correctness improvements
+ * performance improvements
+ * Client programs can be configured to use more kinds of sockets
+ * AutomapHosts works better
+ * multithreading backend is improved
+ * cell transmission is refactored
+ * test coverage is much higher
+ * more denial-of-service attacks are handled
+ * guard selection is improved to handle long-term guards better
+ * pluggable transports should work a bit better
+ * some annoying hidden service performance bugs addressed
+- new minimal configuration file installed as active configuration
+ allows daemon to be run right after package installation
+- build with systemd notifications where supported
+
+-------------------------------------------------------------------
+Wed Mar 25 08:05:24 UTC 2015 - astieger@suse.com
+
+- add CVE IDs for 0.2.5.11 release
+
+-------------------------------------------------------------------
+Thu Mar 19 21:36:34 UTC 2015 - astieger@suse.com
+
+- tor 0.2.5.11 [boo#923284]:
+ Contains several medium-level security fixes for relays and exit
+ nodes and also updates the list of directory authorities.
+ * Directory authority updates
+ * relay crashes trough assertion (CVE-2015-2688)
+ * exit node crash through assertion under high DNS load
+ (CVE-2015-2689)
+ * do not crash when receiving SIGHUP with the seccomp2 sandbox on
+ * do not crash sh during attempts to call wait4
+ * new "GETINFO bw-event-cache" for controllers
+ * update geoip/geoip6 to the March 3 2015
+ * Avoid crashing on malformed VirtualAddrNetworkIPv[4|6] config
+ * Fix a memory leak when using AutomapHostsOnResolve
+ * Allow directory authorities to fetch more data from one another
+
+-------------------------------------------------------------------
+Fri Jan 23 22:04:27 UTC 2015 - andreas.stieger@gmx.de
+
+- fix build for SLE 12, libminiupnpc-devel not available
+
+-------------------------------------------------------------------
+Fri Oct 24 20:48:14 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.5.10, the first stable release in the 0.2.5 series.
+ * improved denial-of-service resistance for relays
+ * new compiler hardening options
+ * system-call sandbox for hardened installations on Linux
+ (requires seccomp2)
+ * controller protocol has several new features
+ * improvements in resolving IPv6 addresses
+ * relays more CPU-efficient
+- adjust tor-0.2.4.x-logrotate.patch to tor-0.2.5.x-logrotate.patch
+- run unit tests
+
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sat Sep 20 13:05:50 UTC 2014 - andreas.stieger@gmx.de
+
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Mon Aug 18 09:54:00 UTC 2014 - wagner-thomas@gmx.at
+
+- Added config file for firewall
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Fri Jun 6 18:51:36 UTC 2014 - andreas.stieger@gmx.de
+
+- do not own /var/run/tor for pid file, fixing Factory build
+
+-------------------------------------------------------------------
+Sat May 17 23:13:54 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+- Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+- Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+- Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- further minor bug fixes, see ChangeLog
+- fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+
+-------------------------------------------------------------------
+Sat Apr 19 02:54:55 UTC 2014 - mook.moz+com.novell@gmail.com
+
+- Add tor-fw-helper for UPnP port forwarding; not used by default
+
+-------------------------------------------------------------------
+Thu Mar 6 08:02:15 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.21
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+- Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+- Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+
+-------------------------------------------------------------------
+Mon Jan 20 19:46:02 UTC 2014 - andreas.stieger@gmx.de
+
+- redaction of 0.2.4.20 changelog to include bug and CVE references
+
+-------------------------------------------------------------------
+Fri Dec 27 20:55:26 UTC 2013 - andreas.stieger@gmx.de
+
+- tor 0.2.4.20
+ fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+ This release also fixes a logic error that caused Tor clients to build
+ many more preemptive circuits than they actually need.
+- Major bugfixes:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set. The only default builtin PRNG engine uses
+ the Intel RDRAND instruction to replace the entire PRNG, and
+ ignores all attempts to seed it with more entropy. That's
+ cryptographically stupid: the right response to a new alleged
+ entropy source is never to discard all previously used entropy
+ sources. Fixes bug 10402; works around behavior introduced in
+ OpenSSL 1.0.0.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+ This fixes a bug where any circuit that _wasn't_ unusable for new
+ streams would be treated as if it were, causing extra circuits to
+ be launched.
+- Minor bugfixes:
+ - Avoid a crash bug when starting with a corrupted microdescriptor
+ cache file.
+ - If we fail to dump a previously cached microdescriptor to disk, avoid
+ freeing duplicate data later on.
+
+-------------------------------------------------------------------
+Sat Dec 14 17:43:22 UTC 2013 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
+ a new circuit handshake and link encryption that use ECC to provide
+ better security and efficiency; makes relays better manage circuit
+ creation requests; uses "directory guards" to reduce client enumeration
+ risks; makes bridges collect and report statistics about the pluggable
+ transports they support; cleans up and improves our geoip database;
+ gets much closer to IPv6 support for clients, bridges, and relays; makes
+ directory authorities use measured bandwidths rather than advertised
+ ones when computing flags and thresholds; disables client-side DNS
+ caching to reduce tracking risks; and fixes a big bug in bridge
+ reachability testing. This release introduces two new design
+ abstractions in the code: a new "channel" abstraction between circuits
+ and or_connections to allow for implementing alternate relay-to-relay
+ transports, and a new "circuitmux" abstraction storing the queue of
+ circuits for a channel. The release also includes many stability,
+ security, and privacy fixes.
+- full changelog relative to 0.2.3.x and 0.2.4.x RC series:
+ https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes
+
+-------------------------------------------------------------------
+Sat Dec 7 12:04:08 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.18-rc, improves stability, performance, and better
+ handling of edge cases.
+- Major features:
+ - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
+- Major bugfixes:
+ - No longer stop reading or writing on cpuworker connections when
+ our rate limiting buckets go empty.
+ - If we are unable to save a microdescriptor to the journal, do not
+ drop it from memory and then reattempt downloading it.
+ - Stop trying to bootstrap all our directory information from
+ only our first guard.
+ - The new channel code sometimes lost track of in-progress circuits,
+ causing long-running clients to stop building new circuits.
+
+-------------------------------------------------------------------
+Sat Oct 5 13:18:55 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.17-rc
+- major features in 0.2.4.x:
+ - improved client resilience
+ - support better link encryption with forward secrecy
+ - new NTor circuit handshake
+ - change relay queue for circuit create requests from size-based
+ limit to time-based limit
+ - many bug fixes and minor features
+
+-------------------------------------------------------------------
+Fri May 24 22:51:24 UTC 2013 - andreas.stieger@gmx.de
+
+- add systemd support
+- verify source tarball signature
+
+-------------------------------------------------------------------
+Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.3.25, the first stable release in the 0.2.3 branch
+ + significantly reduced directory overhead (via microdescriptors)
+ + enormous crypto performance improvements for fast relays on new
+ enough hardware
+ + new v3 TLS handshake protocol that can better resist
+ fingerprinting
+ + support for protocol obfuscation plugins (pluggable transports)
+ + better scalability for hidden services
+ + IPv6 support for bridges
+ + performance improvements
+ + new "stream isolation" design to isolate different applications
+ on different circuits
+ + many stability, security, and privacy fixes
+ + Complete list of changes enumerated in:
+ https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html
+ https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2bbf5fd4:/ReleaseNotes
+ + Tear down the circuit when receiving an unexpected SENDME cell.
+ [bnc#791374] CVE-2012-5573
+- build using --enable-bufferevents provided by Libevent 2.0.13
+
+-------------------------------------------------------------------
+Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org
+
+- Fix useradd invocation: -o is useless without -u and newer
+ versions of pwdutils/shadowutils fail on this now.
+
+-------------------------------------------------------------------
+Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.39 [bnc#780620]
+ Changes in version 0.2.2.39 - 2012-09-11
+ Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
+ assertions.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object.
+ CVE-2012-4922
+ - Do not crash when comparing an address with port value 0 to an
+ address policy. This bug could have been used to cause a remote
+ assertion failure by or against directory authorities, or to
+ allow some applications to crash clients.
+ CVE-2012-4419
+
+-------------------------------------------------------------------
+Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.38 [bnc#776642]
+ Changes in version 0.2.2.38 - 2012-08-12
+ Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
+ fixes a remotely triggerable crash bug; and fixes a timing attack that
+ could in theory leak path information.
+ o Security fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it.
+ CVE-2012-3517
+ - Avoid an uninitialized memory read when reading a vote or consensus
+ document that has an unrecognized flavor name. This read could
+ lead to a remote crash bug.
+ CVE-2012-3518 + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors, but it's best not to take chances. + CVE-2012-3519 + +------------------------------------------------------------------- +Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de + +- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to + fix W: suse-logrotate-user-writable-log-dir in Factory + +------------------------------------------------------------------- +Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.37 + Changes in version 0.2.2.37 - 2012-06-06 + Tor 0.2.2.37 introduces a workaround for a critical renegotiation + bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself + currently). + + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with TLS + 1.1 and TLS 1.2. Without this workaround, all attempts to speak + the v2 Tor connection protocol when both sides were using OpenSSL + 1.0.1 would fail. Resolves ticket 6033. + - When waiting for a client to renegotiate, don't allow it to add + any bytes to the input buffer. This fixes a potential DoS issue. + Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. + - Fix an edge case where if we fetch or publish a hidden service + descriptor, we might build a 4-hop circuit and then use that circuit + for exiting afterwards -- even if the new last hop doesn't obey our + ExitNodes config option. 
Fixes bug 5283; bugfix on 0.2.0.10-alpha. + + o Minor bugfixes: + - Fix a build warning with Clang 3.1 related to our use of vasprintf. + Fixes bug 5969. Bugfix on 0.2.2.11-alpha. + + o Minor features: + - Tell GCC and Clang to check for any errors in format strings passed + to the tor_v*(print|scan)f functions. + +------------------------------------------------------------------- +Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.36 + + Changes in version 0.2.2.36 - 2012-05-24 + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. 
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the controller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
+ 1776. Bugfix on 0.2.2.18-alpha.
+
+ o Minor bugfixes (documentation and log messages):
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
+ - Clarify the behavior of MaxCircuitDirtiness with hidden service
+ circuits. Fixes issue 5259.
+
+ o Minor features:
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the May 1 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+ +------------------------------------------------------------------- +Mon Jan 2 16:51:20 UTC 2012 - andreas.stieger@gmx.de + +- add CVE references in changelog, fixing bug #739133 + +------------------------------------------------------------------- +Fri Dec 16 20:37:05 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.35, which fixes a critical heap-overflow + security issue: CVE-2011-2778 For a full list of changes, see: + https://gitweb.torproject.org/tor.git/blob_plain/release-0.2.2:/ReleaseNotes + +------------------------------------------------------------------ +Mon Dec 12 15:42:09 UTC 2011 - cfarrell@suse.com + +- license update: BSD-3-Clause + SPDX format + +------------------------------------------------------------------- +Sun Dec 11 18:42:57 UTC 2011 - andreas.stieger@gmx.de + +- fix factory warning by removing INSTALL file from docs dir + +------------------------------------------------------------------- +Sun Dec 11 17:11:11 UTC 2011 - andreas.stieger@gmx.de + +- format spec file to include copyright notice + package is based on a former package in SUSE/openSUSE + +------------------------------------------------------------------- +Sun Dec 11 12:37:14 UTC 2011 - andreas.stieger@gmx.de + +- update license from "3-clause BSD" to "BSD3c" + +------------------------------------------------------------------- +Fri Oct 28 19:49:39 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.34 +- fixes CVE-2011-4895 Tor Bridge circuit building information disclosure +- fixes CVE-2011-4894 Tor DirPort information disclosure + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 
2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. 
+ - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. 
+ + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. 
+ - Update to the October 4 2011 Maxmind GeoLite Country database. + + +------------------------------------------------------------------- +Tue Sep 20 20:58:56 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.33 + +Changes in version 0.2.2.33 - 2011-09-13 + Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's + TLS handshake that makes relays and bridges that run this new version + reachable from Iran again. + + o Major bugfixes: + - Avoid an assertion failure when reloading a configuration with + TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug + 3923; bugfix on 0.2.2.25-alpha. + + o Minor features (security): + - Check for replays of the public-key encrypted portion of an + INTRODUCE1 cell, in addition to the current check for replays of + the g^x value. This prevents a possible class of active attacks + by an attacker who controls both an introduction point and a + rendezvous point, and who uses the malleability of AES-CTR to + alter the encrypted g^x portion of the INTRODUCE1 cell. We think + that these attacks are infeasible (requiring the attacker to send + on the order of zettabytes of altered cells in a short interval), + but we'd rather block them off in case there are any classes of + this attack that we missed. Reported by Willem Pinckaers. + + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Change the default required uptime for a relay to be accepted as + a HSDir (hidden service directory) from 24 hours to 25 hours. + Improves on 0.2.0.10-alpha; resolves ticket 2649. + - Add a VoteOnHidServDirectoriesV2 config option to allow directory + authorities to abstain from voting on assignment of the HSDir + consensus flag. Related to bug 2649. + - Update to the September 6 2011 Maxmind GeoLite Country database. 
+ + o Minor bugfixes (documentation and log messages): + - Correct the man page to explain that HashedControlPassword and + CookieAuthentication can both be set, in which case either method + is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha, + when we decided to allow these config options to both be set. Issue + raised by bug 3898. + - Demote the 'replay detected' log message emitted when a hidden + service receives the same Diffie-Hellman public key in two different + INTRODUCE2 cells to info level. A normal Tor client can cause that + log message during its normal operation. Bugfix on 0.2.1.6-alpha; + fixes part of bug 2442. + - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info + level. There is nothing that a hidden service's operator can do + to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part + of bug 2442. + - Clarify a log message specifying the characters permitted in + HiddenServiceAuthorizeClient client names. Previously, the log + message said that "[A-Za-z0-9+-_]" were permitted; that could have + given the impression that every ASCII character between "+" and "_" + was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha. + + o Build fixes: + - Provide a substitute implementation of lround() for MSVC, which + apparently lacks it. Patch from Gisle Vanem. + - Clean up some code issues that prevented Tor from building on older + BSDs. Fixes bug 3894; reported by "grarpamp". + - Search for a platform-specific version of "ar" when cross-compiling. + Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti. 
+ + +------------------------------------------------------------------- +Fri Sep 2 19:55:23 UTC 2011 - andreas.stieger@gmx.de + +- updated ot upstream 0.2.2.32 +- removed tor_initscript.patch +- fixes CVE-2011-4897 Tor Nickname information disclosure +- fixes CVE-2011-4896 Tor Bridge information disclosure + +Changes in version 0.2.2.32 - 2011-08-27 + The Tor 0.2.2 release series is dedicated to the memory of Andreas + Pfitzmann (1958-2010), a pioneer in anonymity and privacy research, + a founder of the PETS community, a leader in our field, a mentor, + and a friend. He left us with these words: "I had the possibility + to contribute to this world that is not as it should be. I hope I + could help in some areas to make the world a better place, and that + I could also encourage other people to be engaged in improving the + world. Please, stay engaged. This world needs you, your love, your + initiative -- now I cannot be part of that anymore." + + Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally + ready. More than two years in the making, this release features improved + client performance and hidden service reliability, better compatibility + for Android, correct behavior for bridges that listen on more than + one address, more extensible and flexible directory object handling, + better reporting of network statistics, improved code security, and + many many other features and bugfixes. + + o Major features (client performance): + - When choosing which cells to relay first, relays now favor circuits + that have been quiet recently, to provide lower latency for + low-volume circuits. By default, relays enable or disable this + feature based on a setting in the consensus. They can override + this default by using the new "CircuitPriorityHalflife" config + option. Design and code by Ian Goldberg, Can Tang, and Chris + Alexander. 
+ - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients use these weightings to distribute network load + more evenly across these different relay types. The weightings are + in the consensus so we can change them globally in the future. Extra + thanks to "outofwords" for finding some nasty security bugs in + the first implementation of this feature. + + o Major features (client performance, circuit build timeout): + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + - Circuit build timeout constants can be controlled by consensus + parameters. We set good defaults for these parameters based on + experimentation on broadband and simulated high-latency links. + - Circuit build time learning can be disabled via consensus parameter + or by the client via a LearnCircuitBuildTimeout config option. We + also automatically disable circuit build time calculation if either + AuthoritativeDirectory is set, or if we fail to write our state + file. Implements ticket 1296. + + o Major features (relays use their capacity better): + - Set SO_REUSEADDR socket option on all sockets, not just + listeners. This should help busy exit nodes avoid running out of + useable ports just because all the ports have been used in the + near past. Resolves issue 2850. + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved), + so that they can determine their correct estimated bandwidth on + restart. 
Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change would take a while to propagate to them. Resolves issue 1035. + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + + o Major features (relays control their load better): + - Exit relays now try harder to block exit attempts from unknown + relays, to make it harder for people to use them as one-hop proxies + a la tortunnel. Controlled by the refuseunknownexits consensus + parameter (currently enabled), or you can override it on your + relay with the RefuseUnknownExits torrc option. Resolves bug 1751; + based on a variant of proposal 163. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (controllers): + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. 
Now Vidalia bridge operators + can get more accurate and immediate feedback about their + contributions to the network. + - Add an __OwningControllerProcess configuration option and a + TAKEOWNERSHIP control-port command. Now a Tor controller can ensure + that when it exits, Tor will shut down. Implements feature 3049. + + o Major features (directory authorities): + - Directory authorities now create, vote on, and serve multiple + parallel formats of directory data as part of their voting process. + Partially implements Proposal 162: "Publish the consensus in + multiple flavors". + - Directory authorities now agree on and publish small summaries + of router information that clients can use in place of regular + server descriptors. This transition will allow Tor 0.2.3 clients + to use far less bandwidth for downloading information about the + network. Begins the implementation of Proposal 158: "Clients + download consensus + microdescriptors". + - The directory voting system is now extensible to use multiple hash + algorithms for signatures and resource selection. Newer formats + are signed with SHA256, with a possibility for moving to a better + hash algorithm in the future. + - Directory authorities can now vote on arbitary integer values as + part of the consensus process. This is designed to help set + network-wide parameters. Implements proposal 167. + + o Major features and bugfixes (node selection): + - Revise and reconcile the meaning of the ExitNodes, EntryNodes, + ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes + options. Previously, we had been ambiguous in describing what + counted as an "exit" node, and what operations exactly "StrictNodes + 0" would permit. This created confusion when people saw nodes built + through unexpected circuits, and made it hard to tell real bugs from + surprises. Now the intended behavior is: + . 
"Exit", in the context of ExitNodes and ExcludeExitNodes, means + a node that delivers user traffic outside the Tor network. + . "Entry", in the context of EntryNodes, means a node used as the + first hop of a multihop circuit. It doesn't include direct + connections to directory servers. + . "ExcludeNodes" applies to all nodes. + . "StrictNodes" changes the behavior of ExcludeNodes only. When + StrictNodes is set, Tor should avoid all nodes listed in + ExcludeNodes, even when it will make user requests fail. When + StrictNodes is *not* set, then Tor should follow ExcludeNodes + whenever it can, except when it must use an excluded node to + perform self-tests, connect to a hidden service, provide a + hidden service, fulfill a .exit request, upload directory + information, or fetch directory information. + Collectively, the changes to implement the behavior fix bug 1090. + - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes + change during a config reload, mark and discard all our origin + circuits. This fix should address edge cases where we change the + config options and but then choose a circuit that we created before + the change. + - Make EntryNodes config option much more aggressive even when + StrictNodes is not set. Before it would prepend your requested + entrynodes to your list of guard nodes, but feel free to use others + after that. Now it chooses only from your EntryNodes if any of + those are available, and only falls back to others if a) they're + all down and b) StrictNodes is not set. + - Now we refresh your entry guards from EntryNodes at each consensus + fetch -- rather than just at startup and then they slowly rot as + the network changes. + - Add support for the country code "{??}" in torrc options like + ExcludeNodes, to indicate all routers of unknown country. Closes + bug 1094. + - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if + a node is listed in both, it's treated as excluded. 
+ - ExcludeNodes now applies to directory nodes -- as a preference if
+ StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
+ Don't exclude all the directory authorities and set StrictNodes to 1
+ unless you really want your Tor to break.
+ - ExcludeNodes and ExcludeExitNodes now override exit enclaving.
+ - ExcludeExitNodes now overrides .exit requests.
+ - We don't use bridges listed in ExcludeNodes.
+ - When StrictNodes is 1:
+ . We now apply ExcludeNodes to hidden service introduction points
+ and to rendezvous points selected by hidden service users. This
+ can make your hidden service less reliable: use it with caution!
+ . If we have used ExcludeNodes on ourself, do not try relay
+ reachability self-tests.
+ . If we have excluded all the directory authorities, we will not
+ even try to upload our descriptor if we're a relay.
+ . Do not honor .exit requests to an excluded node.
+ - When the set of permitted nodes changes, we now remove any mappings
+ introduced via TrackExitHosts to now-excluded nodes. Bugfix on
+ 0.1.0.1-rc.
+ - We never cannibalize a circuit that had excluded nodes on it, even
+ if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
+ - Improve log messages related to excluded nodes.
+
+ o Major features (misc):
+ - Numerous changes, bugfixes, and workarounds from Nathan Freitas
+ to help Tor build correctly for Android phones.
+ - The options SocksPort, ControlPort, and so on now all accept a
+ value "auto" that opens a socket on an OS-selected port. A
+ new ControlPortWriteToFile option tells Tor to write its
+ actual control port or ports to a chosen file. If the option
+ ControlPortFileGroupReadable is set, the file is created as
+ group-readable. Now users can run two Tor clients on the same
+ system without needing to manually mess with parameters. Resolves
+ part of ticket 3076.
+ - Tor now supports tunneling all of its outgoing connections over
+ a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
+ configuration options.
Code by Christopher Davis.
+
+ o Code security improvements:
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Enable Address Space Layout Randomization (ASLR) and Data Execution
+ Prevention (DEP) by default on Windows to make it harder for
+ attackers to exploit vulnerabilities. Patch from John Brooks.
+ - New "--enable-gcc-hardening" ./configure flag (off by default)
+ to turn on gcc compile time hardening options. It ensures
+ that signed ints have defined behavior (-fwrapv), enables
+ -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
+ with canaries (-fstack-protector-all), turns on ASLR protection if
+ supported by the kernel (-fPIE, -pie), and adds additional security
+ related warnings. Verified to work on Mac OS X and Debian Lenny.
+ - New "--enable-linker-hardening" ./configure flag (off by default)
+ to turn on ELF specific hardening features (relro, now). This does
+ not work with Mac OS X or any other non-ELF binary format.
+ - Always search the Windows system directory for system DLLs, and
+ nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
+ - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
+ current and future memory pages via mlockall(). On supported
+ platforms (modern Linux and probably BSD but not Windows or OS X),
+ this should effectively disable any and all attempts to page out
+ memory. This option requires that you start your Tor as root --
+ if you use DisableAllSwap, please consider using the User option
+ to properly reduce the privileges of your Tor.
+
+ o Major bugfixes (crashes):
+ - Fix crash bug on platforms where gmtime and localtime can return
+ NULL.
Windows 7 users were running into this one. Fixes part of bug
+ 2077. Bugfix on all versions of Tor. Found by boboper.
+ - Introduce minimum/maximum values that clients will believe
+ from the consensus. Now we'll have a better chance to avoid crashes
+ or worse when a consensus param has a weird value.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - If we're in the pathological case where there's no exit bandwidth
+ but there is non-exit bandwidth, or no guard bandwidth but there
+ is non-guard bandwidth, don't crash during path selection. Bugfix
+ on 0.2.0.3-alpha.
+ - Fix a crash bug when trying to initialize the evdns module in
+ Libevent 2. Bugfix on 0.2.1.16-rc.
+
+ o Major bugfixes (stability):
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - Treat an unset $HOME like an empty $HOME rather than triggering an
+ assert. Bugfix on 0.0.8pre1; fixes bug 1522.
+ - More gracefully handle corrupt state files, removing asserts
+ in favor of saving a backup and resetting state.
+ - Instead of giving an assertion failure on an internal mismatch
+ on estimated freelist size, just log a BUG warning and try later.
+ Mitigates but does not fix bug 1125.
+ - Fix an assert that got triggered when using the TestingTorNetwork
+ configuration option and then issuing a GETINFO config-text control
+ command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
+ - If the cached cert file is unparseable, warn but don't exit.
+
+ o Privacy fixes (relays/bridges):
+ - Don't list Windows capabilities in relay descriptors. We never made
+ use of them, and maybe it's a bad idea to publish them. Bugfix
+ on 0.1.1.8-alpha.
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Maintain separate TLS contexts and certificates for incoming and
+ outgoing connections in bridge relays. Previously we would use the
+ same TLS contexts and certs for incoming and outgoing connections.
+ Bugfix on 0.2.0.3-alpha; addresses bug 988.
+ - Maintain separate identity keys for incoming and outgoing TLS
+ contexts in bridge relays. Previously we would use the same
+ identity keys for incoming and outgoing TLS contexts. Bugfix on
+ 0.2.0.3-alpha; addresses the other half of bug 988.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all descriptors". It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+
+ o Privacy fixes (clients):
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Start the process of disabling ".exit" address notation, since it
+ can be used for a variety of esoteric application-level attacks
+ on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
+ on 0.0.9rc5.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Log a notice when we get a new control connection. Now it's easier
+ for security-conscious users to recognize when a local application
+ is knocking on their controller door. Suggested by bug 1196.
+
+ o Privacy fixes (newnym):
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Major bugfixes (relay bandwidth accounting):
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a bug in bandwidth accounting that could make us use twice
+ the intended bandwidth when our interval start changes due to
+ daylight saving time. Now we tolerate skew in stored vs computed
+ interval starts: if the start of the period changes by no more than
+ 50% of the period's duration, we remember bytes that we transferred
+ in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
+
+ o Major bugfixes (bridges):
+ - Bridges now use "reject *:*" as their default exit policy. Bugfix
+ on 0.2.0.3-alpha. Fixes bug 1113.
+ - If you configure your bridge with a known identity fingerprint,
+ and the bridge authority is unreachable (as it is in at least
+ one country now), fall back to directly requesting the descriptor
+ from the bridge. Finishes the feature started in 0.2.0.10-alpha;
+ closes bug 1138.
+ - Fix a bug where bridge users who configure the non-canonical
+ address of a bridge automatically switch to its canonical
+ address. If a bridge listens at more than one address, it
+ should be able to advertise those addresses independently and
+ any non-blocked addresses should continue to work. Bugfix on Tor
+ 0.2.0.3-alpha. Fixes bug 2510.
+ - If you configure Tor to use bridge A, and then quit and
+ configure Tor to use bridge B instead (or if you change Tor
+ to use bridge B via the controller), it would happily continue
+ to use bridge A if it's still reachable. While this behavior is
+ a feature if your goal is connectivity, in some scenarios it's a
+ dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
+ - When the controller configures a new bridge, don't wait 10 to 60
+ seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
+
+ o Major bugfixes (directory authorities):
+ - Many relays have been falling out of the consensus lately because
+ not enough authorities know about their descriptor for them to get
+ a majority of votes.
When we deprecated the v2 directory protocol,
+ we got rid of the only way that v3 authorities can hear from each
+ other about other descriptors. Now authorities examine every v3
+ vote for new descriptors, and fetch them from that authority. Bugfix
+ on 0.2.1.23.
+ - Authorities could be tricked into giving out the Exit flag to relays
+ that didn't allow exiting to any ports. This bug could screw
+ with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
+ 1238. Bug discovered by Martin Kowalczyk.
+ - If all authorities restart at once right before a consensus vote,
+ nobody will vote about "Running", and clients will get a consensus
+ with no usable relays. Instead, authorities refuse to build a
+ consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
+
+ o Major bugfixes (stream-level fairness):
+ - When receiving a circuit-level SENDME for a blocked circuit, try
+ to package cells fairly from all the streams that had previously
+ been blocked on that circuit. Previously, we had started with the
+ oldest stream, and allowed each stream to potentially exhaust
+ the circuit's package window. This gave older streams on any
+ given circuit priority over newer ones. Fixes bug 1937. Detected
+ originally by Camilo Viecco. This bug was introduced before the
+ first Tor release, in svn commit r152: it is the new winner of
+ the longest-lived bug prize.
+ - Fix a stream fairness bug that would cause newer streams on a given
+ circuit to get preference when reading bytes from the origin or
+ destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
+ introduced before the first Tor release, in svn revision r152.
+ - When the exit relay got a circuit-level sendme cell, it started
+ reading on the exit streams, even if had 500 cells queued in the
+ circuit queue already, so the circuit queue just grew and grew in
+ some cases. We fix this by not re-enabling reading on receipt of a
+ sendme cell when the cell queue is blocked. Fixes bug 1653.
Bugfix
+ on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
+ "yetonetime".
+ - Newly created streams were allowed to read cells onto circuits,
+ even if the circuit's cell queue was blocked and waiting to drain.
+ This created potential unfairness, as older streams would be
+ blocked, but newer streams would gladly fill the queue completely.
+ We add code to detect this situation and prevent any stream from
+ getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
+ fixes bug 1298.
+
+ o Major bugfixes (hidden services):
+ - Apply circuit timeouts to opened hidden-service-related circuits
+ based on the correct start time. Previously, we would apply the
+ circuit build timeout based on time since the circuit's creation;
+ it was supposed to be applied based on time since the circuit
+ entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
+ - Improve hidden service robustness: When we find that we have
+ extended a hidden service's introduction circuit to a relay not
+ listed as an introduction point in the HS descriptor we currently
+ have, retry with an introduction point from the current
+ descriptor. Previously we would just give up. Fixes bugs 1024 and
+ 1930; bugfix on 0.2.0.10-alpha.
+ - Directory authorities now use data collected from their own
+ uptime observations when choosing whether to assign the HSDir flag
+ to relays, instead of trusting the uptime value the relay reports in
+ its descriptor. This change helps prevent an attack where a small
+ set of nodes with frequently-changing identity keys can blackhole
+ a hidden service. (Only authorities need upgrade; others will be
+ fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
+ - Stop assigning the HSDir flag to relays that disable their
+ DirPort (and thus will refuse to answer directory requests).
This
+ fix should dramatically improve the reachability of hidden services:
+ hidden services and hidden service clients pick six HSDir relays
+ to store and retrieve the hidden service descriptor, and currently
+ about half of the HSDir relays will refuse to work. Bugfix on
+ 0.2.0.10-alpha; fixes part of bug 1693.
+
+ o Major bugfixes (misc):
+ - Clients now stop trying to use an exit node associated with a given
+ destination by TrackHostExits if they fail to reach that exit node.
+ Fixes bug 2999. Bugfix on 0.2.0.20-rc.
+ - Fix a regression that caused Tor to rebind its ports if it receives
+ SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+
+ o Minor features (relays):
+ - Ensure that no empty [dirreq-](read|write)-history lines are added
+ to an extrainfo document. Implements ticket 2497.
+ - When bandwidth accounting is enabled, be more generous with how
+ much bandwidth we'll use up before entering "soft hibernation".
+ Previously, we'd refuse new connections and circuits once we'd
+ used up 95% of our allotment. Now, we use up 95% of our allotment,
+ AND make sure that we have no more than 500MB (or 3 hours of
+ expected traffic, whichever is lower) remaining before we enter
+ soft hibernation.
+ - Relays now log the reason for publishing a new relay descriptor,
+ so we have a better chance of hunting down instances of bug 1810.
+ Resolves ticket 3252.
+ - Log a little more clearly about the times at which we're no longer
+ accepting new connections (e.g. due to hibernating). Resolves
+ bug 2181.
+ - When AllowSingleHopExits is set, print a warning to explain to the
+ relay operator why most clients are avoiding her relay.
+ - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+
+ o Minor features (network statistics):
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
+ "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
+ improvements: 1) stats are written to disk exactly every 24 hours;
+ 2) estimated shares of v2 and v3 requests are determined as mean
+ values, not at the end of a measurement period; 3) unresolved
+ requests are listed with country code '??'; 4) directories also
+ measure download times.
+ - Exit nodes that set "ExitPortStatistics 1" write statistics on the
+ number of exit streams and transferred bytes per port to disk every
+ 24 hours.
+ - Relays that set "CellStatistics 1" write statistics on how long
+ cells spend in their circuit queues to disk every 24 hours.
+ - Entry nodes that set "EntryStatistics 1" write statistics on the
+ rough number and origins of connecting clients to disk every 24
+ hours.
+ - Relays that write any of the above statistics to disk and set
+ "ExtraInfoStatistics 1" include the past 24 hours of statistics in
+ their extra-info documents. Implements proposal 166.
+
+ o Minor features (GeoIP and statistics):
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Relays report the number of bytes spent on answering directory
+ requests in extra-info descriptors similar to {read,write}-history.
+ Implements enhancement 1790.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
+ when we switch from being a public relay to a bridge. Otherwise
+ there will still be clients that see the relay in their consensus,
+ and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
+ bug 932.
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor features (clients):
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - If we've configured EntryNodes and our network goes away and/or all
+ our entrynodes get marked down, optimistically retry them all when
+ a new socks application request appears. Fixes bug 1882.
+ - Always perform router selections using weighted relay bandwidth,
+ even if we don't need a high capacity circuit at the time. Non-fast
+ circuits now only differ from fast ones in that they can use relays
+ not marked with the Fast flag. This "feature" could turn out to
+ be a horrible bug; we should investigate more before it goes into
+ a stable release.
+ - When we run out of directory information such that we can't build
+ circuits, but then get enough that we can build circuits, log when
+ we actually construct a circuit, so the user has a better chance of
+ knowing what's going on. Fixes bug 1362.
+ - Log SSL state transitions at debug level during handshake, and
+ include SSL states in error messages. This may help debug future
+ SSL handshake issues.
+
+ o Minor features (directory authorities):
+ - When a router changes IP address or port, authorities now launch
+ a new reachability test for it. Implements ticket 1899.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Directory authorities now do an immediate reachability check as soon
+ as they hear about a new relay. This change should slightly reduce
+ the time between setting up a relay and getting listed as running
+ in the consensus. It should also improve the time between setting
+ up a bridge and seeing use by bridge users.
+ - Directory authorities no longer launch a TLS connection to every
+ relay as they startup. Now that we have 2k+ descriptors cached,
+ the resulting network hiccup is becoming a burden. Besides,
+ authorities already avoid voting about Running for the first half
+ hour of their uptime.
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote, so we can track failures better.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+
+ o Minor features (hidden services):
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Make hidden services work better in private Tor networks by not
+ requiring any uptime to join the hidden service descriptor
+ DHT. Implements ticket 2088.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Minor features (controller interface):
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Have the controller interface give a more useful message than
+ "Internal Error" in response to failed GETINFO requests.
+ - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
+ event, to give information on the current rate of circuit timeouts
+ over our stored history.
+ - The 'EXTENDCIRCUIT' control port command can now be used with
+ a circ id of 0 and no path. This feature will cause Tor to build
+ a new 'fast' general purpose circuit using its own path selection
+ algorithms.
+ - Added a BUILDTIMEOUT_SET controller event to describe changes
+ to the circuit build timeout.
+ - New controller command "getinfo config-text". It returns the
+ contents that Tor would write if you send it a SAVECONF command,
+ so the controller can write the file to disk itself.
+
+ o Minor features (controller protocol):
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets.
Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
+ not. This would lead to a cookie that is still not group readable.
+ Closes bug 1843. Suggested by katmagic.
+ - Future-proof the controller protocol a bit by ignoring keyword
+ arguments we do not recognize.
+
+ o Minor features (more useful logging):
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Rate-limit the "your application is giving Tor only an IP address"
+ warning. Addresses bug 2000; bugfix on 0.0.8pre2.
+ - Rate-limit "Failed to hand off onionskin" warnings.
+ - When logging a rate-limited warning, we now mention how many messages
+ got suppressed since the last warning.
+ - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
+ 2 no signature, 4 required" messages about consensus signatures
+ easier to read, and make sure they get logged at the same severity
+ as the messages explaining which keys are which. Fixes bug 1290.
+ - Don't warn when we have a consensus that we can't verify because
+ of missing certificates, unless those certificates are ones
+ that we have been trying and failing to download. Fixes bug 1145.
+
+ o Minor features (log domains):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+ - Add a new "Handshake" log domain for activities that happen
+ during the TLS handshake.
+
+ o Minor features (build process):
+ - Make compilation with clang possible when using
+ "--enable-gcc-warnings" by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Resolves
+ ticket 2696.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+ - Add support for statically linking zlib by specifying
+ "--enable-static-zlib", to go with our support for statically
+ linking openssl and libevent. Resolves bug 1358.
+ - Instead of adding the svn revision to the Tor version string, report
+ the git commit (when we're building from a git checkout).
+ - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
+ system headers.
+ - New --digests command-line switch to output the digests of the
+ source files Tor was built with.
+ - Generate our manpage and HTML documentation using Asciidoc. This
+ change should make it easier to maintain the documentation, and
+ produce nicer HTML. The build process fails if asciidoc cannot
+ be found and building with asciidoc isn't disabled (via the
+ "--disable-asciidoc" argument to ./configure. Skipping the manpage
+ speeds up the build considerably.
+
+ o Minor features (options / torrc):
+ - Warn when the same option is provided more than once in a torrc
+ file, on the command line, or in a single SETCONF statement, and
+ the option is one that only accepts a single line.
Closes bug 1384.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Add new "perconnbwrate" and "perconnbwburst" consensus params to
+ do individual connection-level rate limiting of clients. The torrc
+ config options with the same names trump the consensus params, if
+ both are present. Replaces the old "bwconnrate" and "bwconnburst"
+ consensus params which were broken from 0.2.2.7-alpha through
+ 0.2.2.14-alpha. Closes bug 1947.
+ - New config option "WarnUnsafeSocks 0" disables the warning that
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
+ - New config option "CircuitStreamTimeout" to override our internal
+ timeout schedule for how many seconds until we detach a stream from
+ a circuit and try a new circuit. If your network is particularly
+ slow, you might want to set this to a number like 60.
+ - New options for SafeLogging to allow scrubbing only log messages
+ generated while acting as a relay. Specify "SafeLogging relay" if
+ you want to ensure that only messages known to originate from
+ client use of the Tor process will be logged unsafely.
+ - Time and memory units in the configuration file can now be set to
+ fractional units. For example, "2.5 GB" is now a valid value for
+ AccountingMax.
+ - Support line continuations in the torrc config file. If a line
+ ends with a single backslash character, the newline is ignored, and
+ the configuration value is treated as continuing on the next line.
+ Resolves bug 1929.
+
+ o Minor features (unit tests):
+ - Revise our unit tests to use the "tinytest" framework, so we
+ can run tests in their own processes, have smarter setup/teardown
+ code, and so on.
The unit test code has moved to its own
+ subdirectory, and has been split into multiple modules.
+ - Add a unit test for cross-platform directory-listing code.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch
+ by Gisle Vanem.
+
+ o Minor features (misc):
+ - The "torify" script now uses torsocks where available.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Certain Tor clients (such as those behind check.torproject.org) may
+ want to fetch the consensus in an extra early manner. To enable this
+ a user may now set FetchDirInfoExtraEarly to 1. This also depends on
+ setting FetchDirInfoEarly to 1. Previous behavior will stay the same
+ as only certain clients who must have this information sooner should
+ set this option.
+ - Expand homedirs passed to tor-checkkey. This should silence a
+ coverity complaint about passing a user-supplied string into
+ open() without checking it.
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Minor bugfixes (relays):
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - Publish a router descriptor even if generating an extra-info + descriptor fails. Previously we would not publish a router + descriptor without an extra-info descriptor; this can cause fast + exit relays collecting exit-port statistics to drop from the + consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195. + - When we're trying to guess whether we know our IP address as + a relay, we would log various ways that we failed to guess + our address, but never log that we ended up guessing it + successfully. Now add a log line to help confused and anxious + relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534. + - For bandwidth accounting, calculate our expected bandwidth rate + based on the time during which we were active and not in + soft-hibernation during the last interval. Previously, we were + also considering the time spent in soft-hibernation. If this + was a long time, we would wind up underestimating our bandwidth + by a lot, and skewing our wakeup time towards the start of the + accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5. + - Demote a confusing TLS warning that relay operators might get when + someone tries to talk to their ORPort. It is not the operator's + fault, nor can they do anything about it. Fixes bug 1364; bugfix + on 0.2.0.14-alpha. + - Change "Application request when we're believed to be offline." + notice to "Application request when we haven't used client + functionality lately.", to clarify that it's not an error. Bugfix + on 0.0.9.3; fixes bug 1222. + + o Minor bugfixes (bridges): + - When a client starts or stops using bridges, never use a circuit + that was built before the configuration change. This behavior could + put at risk a user who uses bridges to ensure that her traffic + only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes + bug 3200. + - Do not reset the bridge descriptor download status every time we + re-parse our configuration or get a configuration change. 
Fixes + bug 3019; bugfix on 0.2.0.3-alpha. + - Users couldn't configure a regular relay to be their bridge. It + didn't work because when Tor fetched the bridge descriptor, it found + that it already had it, and didn't realize that the purpose of the + descriptor had changed. Now we replace routers with a purpose other + than bridge with bridge descriptors when fetching them. Bugfix on + 0.1.1.9-alpha. Fixes bug 1776. + - In the special case where you configure a public exit relay as your + bridge, Tor would be willing to use that exit relay as the last + hop in your circuit as well. Now we fail that circuit instead. + Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer". + + o Minor bugfixes (clients): + - We now ask the other side of a stream (the client or the exit) + for more data on that stream when the amount of queued data on + that stream dips low enough. Previously, we wouldn't ask the + other side for more data until either it sent us more data (which + it wasn't supposed to do if it had exhausted its window!) or we + had completely flushed all our queued data. This flow control fix + should improve throughput. Fixes bug 2756; bugfix on the earliest + released versions of Tor (svn commit r152). + - When a client finds that an origin circuit has run out of 16-bit + stream IDs, we now mark it as unusable for new streams. Previously, + we would try to close the entire circuit. Bugfix on 0.0.6. + - Make it explicit that we don't cannibalize one-hop circuits. This + happens in the wild, but doesn't turn out to be a problem because + we fortunately don't use those circuits. Many thanks to outofwords + for the initial analysis and to swissknife who confirmed that + two-hop circuits are actually created. + - Resolve an edge case in path weighting that could make us misweight + our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1. + - Make the DNSPort option work with libevent 2.x. Don't alter the + behaviour for libevent 1.x. Fixes bug 1143. 
Found by SwissTorExit. + + o Minor bugfixes (directory authorities): + - Make directory authorities more accurate at recording when + relays that have failed several reachability tests became + unreachable, so we can provide more accuracy at assigning Stable, + Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716. + - Directory authorities are now more robust to hops back in time + when calculating router stability. Previously, if a run of uptime + or downtime appeared to be negative, the calculation could give + incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing + bug 1035. + - Directory authorities will now attempt to download consensuses + if their own efforts to make a live consensus have failed. This + change means authorities that restart will fetch a valid + consensus, and it means authorities that didn't agree with the + current consensus will still fetch and serve it if it has enough + signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300. + - Never vote for a server as "Running" if we have a descriptor for + it claiming to be hibernating, and that descriptor was published + more recently than our last contact with the server. Bugfix on + 0.2.0.3-alpha; fixes bug 911. + - Directory authorities no longer change their opinion of, or vote on, + whether a router is Running, unless they have themselves been + online long enough to have some idea. Bugfix on 0.2.0.6-alpha. + Fixes bug 1023. + + o Minor bugfixes (hidden services): + - Log malformed requests for rendezvous descriptors as protocol + warnings, not warnings. Also, use a more informative log message + in case someone sees it at log level warning without prior + info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha. + - Accept hidden service descriptors if we think we might be a hidden + service directory, regardless of what our consensus says. 
This + helps robustness, since clients and hidden services can sometimes + have a more up-to-date view of the network consensus than we do, + and if they think that the directory authorities list us a HSDir, + we might actually be one. Related to bug 2732; bugfix on + 0.2.0.10-alpha. + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Clients and hidden services now use HSDir-flagged relays for hidden + service descriptor downloads and uploads even if the relays have no + DirPort set and the client has disabled TunnelDirConns. This will + eventually allow us to give the HSDir flag to relays with no + DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha. + - Only limit the lengths of single HS descriptors, even when multiple + HS descriptors are published to an HSDir relay in a single POST + operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir. + + o Minor bugfixes (controllers): + - Allow GETINFO fingerprint to return a fingerprint even when + we have not yet built a router descriptor. Fixes bug 3577; + bugfix on 0.2.0.1-alpha. + - Send a SUCCEEDED stream event to the controller when a reverse + resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue + discovered by katmagic. + - Remove a trailing asterisk from "exit-policy/default" in the + output of the control port command "GETINFO info/names". Bugfix + on 0.1.2.5-alpha. + - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug + 2917. Bugfix on 0.1.1.1-alpha. + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. 
Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - When a controller changes TrackHostExits, remove mappings for + hosts that should no longer have their exits tracked. Bugfix on + 0.1.0.1-rc. + - When a controller changes VirtualAddrNetwork, remove any mappings + for hosts that were automapped to the old network. Bugfix on + 0.1.1.19-rc. + - When a controller changes one of the AutomapHosts* options, remove + any mappings for hosts that should no longer be automapped. Bugfix + on 0.2.0.1-alpha. + - Fix an off-by-one error in calculating some controller command + argument lengths. Fortunately, this mistake is harmless since + the controller code does redundant NUL termination too. Found by + boboper. Bugfix on 0.1.1.1-alpha. + - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl" + would return "551 Internal error" rather than "552 Unrecognized key + ns/asdaskljkl". Bugfix on 0.1.2.3-alpha. + - Don't spam the controller with events when we have no file + descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting + for log messages was already solved from bug 748.) + - Emit a GUARD DROPPED controller event for a case we missed. + - Ensure DNS requests launched by "RESOLVE" commands from the + controller respect the __LeaveStreamsUnattached setconf options. The + same goes for requests launched via DNSPort or transparent + proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525. + + o Minor bugfixes (config options): + - Tor used to limit HttpProxyAuthenticator values to 48 characters. + Change the limit to 512 characters by removing base64 newlines. + Fixes bug 2752. Fix by Michael Yakubovich. + - Complain if PublishServerDescriptor is given multiple arguments that + include 0 or 1. This configuration will be rejected in the future. + Bugfix on 0.2.0.1-alpha; closes bug 1107. + - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration. + Bugfix on 0.2.0.13-alpha; closes bug 928. 
+ + o Minor bugfixes (log subsystem fixes): + - When unable to format an address as a string, report its value + as "???" rather than reusing the last formatted address. Bugfix + on 0.2.1.5-alpha. + - Be more consistent in our treatment of file system paths. "~" should + get expanded to the user's home directory in the Log config option. + Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the + feature for the -f and --DataDirectory options. + + o Minor bugfixes (memory management): + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + - Save a couple bytes in memory allocation every time we escape + certain characters in a string. Patch from Florian Zumbiehl. + + o Minor bugfixes (protocol correctness): + - When checking for 1024-bit keys, check for 1024 bits, not 128 + bytes. This allows Tor to correctly discard keys of length 1017 + through 1023. Bugfix on 0.0.9pre5. + - Require that introduction point keys and onion handshake keys + have a public exponent of 65537. Starts to fix bug 3207; bugfix + on 0.2.0.10-alpha. + - Handle SOCKS messages longer than 128 bytes long correctly, rather + than waiting forever for them to finish. Fixes bug 2330; bugfix + on 0.2.0.16-alpha. Found by doorss. + - Never relay a cell for a circuit we have already destroyed. + Between marking a circuit as closeable and finally closing it, + it may have been possible for a few queued cells to get relayed, + even though they would have been immediately dropped by the next + OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha. + - Never queue a cell for a circuit that's already been marked + for close. + - Fix a spec conformance issue: the network-status-version token + must be the first token in a v3 consensus or vote. Discovered by + "parakeep". Bugfix on 0.2.0.3-alpha. 
+ - A networkstatus vote must contain exactly one signature. Spec + conformance issue. Bugfix on 0.2.0.3-alpha. + - When asked about a DNS record type we don't support via a + client DNSPort, reply with NOTIMPL rather than an empty + reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha. + - Make more fields in the controller protocol case-insensitive, since + control-spec.txt said they were. + + o Minor bugfixes (log messages): + - Fix a log message that said "bits" while displaying a value in + bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on + 0.2.0.1-alpha. + - Downgrade "no current certificates known for authority" message from + Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha. + - Correctly describe errors that occur when generating a TLS object. + Previously we would attribute them to a failure while generating a + TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes + bug 1994. + - Fix an instance where a Tor directory mirror might accidentally + log the IP address of a misbehaving Tor client. Bugfix on + 0.1.0.1-rc. + - Stop logging at severity 'warn' when some other Tor client tries + to establish a circuit with us using weak DH keys. It's a protocol + violation, but that doesn't mean ordinary users need to hear about + it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13. + - If your relay can't keep up with the number of incoming create + cells, it would log one warning per failure into your logs. Limit + warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042. + + o Minor bugfixes (build fixes): + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Fix warnings that newer versions of autoconf produce during + ./autogen.sh. These warnings appear to be harmless in our case, + but they were extremely verbose. Fixes bug 2020. 
+ - Squash a compile warning on OpenBSD. Reported by Tas; fixes + bug 1848. + + o Minor bugfixes (portability): + - Write several files in text mode, on OSes that distinguish text + mode from binary mode (namely, Windows). These files are: + 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays + that collect those statistics; 'client_keys' and 'hostname' for + hidden services that use authentication; and (in the tor-gencert + utility) newly generated identity and signing keys. Previously, + we wouldn't specify text mode or binary mode, leading to an + assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when + the DirRecordUsageByCountry option which would have triggered + the assertion failure was added), although this assertion failure + would have occurred in tor-gencert on Windows in 0.2.0.1-alpha. + - Selectively disable deprecation warnings on OS X because Lion + started deprecating the shipped copy of openssl. Fixes bug 3643. + - Use a wide type to hold sockets when built for 64-bit Windows. + Fixes bug 3270. + - Fix an issue that prevented static linking of libevent on + some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23, + where we introduced the "--with-static-libevent" configure option. + - Fix a bug with our locking implementation on Windows that couldn't + correctly detect when a file was already locked. Fixes bug 2504, + bugfix on 0.2.1.6-alpha. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. + - Fix IPv6-related connect() failures on some platforms (BSD, OS X). + Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by + "piebeer". + + o Minor bugfixes (code correctness): + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Make connection_printf_to_buf()'s behaviour sane. 
Its callers + expect it to emit a CRLF iff the format string ends with CRLF; + it actually emitted a CRLF iff (a) the format string ended with + CRLF or (b) the resulting string was over 1023 characters long or + (c) the format string did not end with CRLF *and* the resulting + string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha; + fixes part of bug 3407. + - Make send_control_event_impl()'s behaviour sane. Its callers + expect it to always emit a CRLF at the end of the string; it + might have emitted extra control characters as well. Bugfix on + 0.1.1.9-alpha; fixes another part of bug 3407. + - Make crypto_rand_int() check the value of its input correctly. + Previously, it accepted values up to UINT_MAX, but could return a + negative number if given a value above INT_MAX+1. Found by George + Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14. + - Fix a potential null-pointer dereference while computing a + consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of + clang's analyzer. + - If we fail to compute the identity digest of a v3 legacy keypair, + warn, and don't use a buffer-full of junk instead. Bugfix on + 0.2.1.1-alpha; fixes bug 3106. + - Resolve an untriggerable issue in smartlist_string_num_isin(), + where if the function had ever in the future been used to check + for the presence of a too-large number, it would have given an + incorrect result. (Fortunately, we only used it for 16-bit + values.) Fixes bug 3175; bugfix on 0.1.0.1-rc. + - Be more careful about reporting the correct error from a failed + connect() system call. Under some circumstances, it was possible to + look at an incorrect value for errno when sending the end reason. + Bugfix on 0.1.0.1-rc. + - Correctly handle an "impossible" overflow cases in connection byte + counting, where we write or read more than 4GB on an edge connection + in a single second. Bugfix on 0.1.2.8-beta. 
+ - Avoid a double mark-for-free warning when failing to attach a + transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes + bug 2279. + - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378; + found by "cypherpunks". This bug was introduced before the first + Tor release, in svn commit r110. + - Fix a bug in bandwidth history state parsing that could have been + triggered if a future version of Tor ever changed the timing + granularity at which bandwidth history is measured. Bugfix on + Tor 0.1.1.11-alpha. + - Add assertions to check for overflow in arguments to + base32_encode() and base32_decode(); fix a signed-unsigned + comparison there too. These bugs are not actually reachable in Tor, + but it's good to prevent future errors too. Found by doorss. + - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by + "memcpyfail". + - Set target port in get_interface_address6() correctly. Bugfix + on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660. + - Fix an impossible-to-actually-trigger buffer overflow in relay + descriptor generation. Bugfix on 0.1.0.15. + - Fix numerous small code-flaws found by Coverity Scan Rung 3. + + o Minor bugfixes (code improvements): + - After we free an internal connection structure, overwrite it + with a different memory value than we use for overwriting a freed + internal circuit structure. Should help with debugging. Suggested + by bug 1055. + - If OpenSSL fails to make a duplicate of a private or public key, log + an error message and try to exit cleanly. May help with debugging + if bug 1209 ever remanifests. + - Some options used different conventions for uppercasing of acronyms + when comparing manpage and source. Fix those in favor of the + manpage, as it makes sense to capitalize acronyms. + - Take a first step towards making or.h smaller by splitting out + function definitions for all source files in src/or/. Leave + structures and defines in or.h for now. 
+ - Remove a few dead assignments during router parsing. Found by + coverity. + - Don't use 1-bit wide signed bit fields. Found by coverity. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - The memarea code now uses a sentinel value at the end of each area + to make sure nothing writes beyond the end of an area. This might + help debug some conceivable causes of bug 930. + - Always treat failure to allocate an RSA key as an unrecoverable + allocation error. + - Add some more defensive programming for architectures that can't + handle unaligned integer accesses. We don't know of any actual bugs + right now, but that's the best time to fix them. Fixes bug 1943. + + o Minor bugfixes (misc): + - Fix a rare bug in rend_fn unit tests: we would fail a test when + a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix + on 0.2.0.10-alpha; fixes bug 1808. + - Where available, use Libevent 2.0's periodic timers so that our + once-per-second cleanup code gets called even more closely to + once per second than it would otherwise. Fixes bug 943. + - Ignore OutboundBindAddress when connecting to localhost. + Connections to localhost need to come _from_ localhost, or else + local servers (like DNS and outgoing HTTP/SOCKS proxies) will often + refuse to listen. + - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m + too. + - If any of the v3 certs we download are unparseable, we should + actually notice the failure so we don't retry indefinitely. Bugfix + on 0.2.0.x; reported by "rotator". + - When Tor fails to parse a descriptor of any kind, dump it to disk. + Might help diagnosing bug 1051. + - Make our 'torify' script more portable; if we have only one of + 'torsocks' or 'tsocks' installed, don't complain to the user; + and explain our warning about tsocks better. 
+ - Fix some urls in the exit notice file and make it XHTML1.1 strict + compliant. Based on a patch from Christian Kujau. + + o Documentation changes: + - Modernize the doxygen configuration file slightly. Fixes bug 2707. + - Resolve all doxygen warnings except those for missing documentation. + Fixes bug 2705. + - Add doxygen documentation for more functions, fields, and types. + - Convert the HACKING file to asciidoc, and add a few new sections + to it, explaining how we use Git, how we make changelogs, and + what should go in a patch. + - Document the default socks host and port (127.0.0.1:9050) for + tor-resolve. + - Removed some unnecessary files from the source distribution. The + AUTHORS file has now been merged into the people page on the + website. The roadmaps and design doc can now be found in the + projects directory in svn. + + o Deprecated and removed features (config): + - Remove the torrc.complete file. It hasn't been kept up to date + and users will have better luck checking out the manpage. + - Remove the HSAuthorityRecordStats option that version 0 hidden + service authorities could use to track statistics of overall v0 + hidden service usage. + - Remove the obsolete "NoPublish" option; it has been flagged + as obsolete and has produced a warning since 0.1.1.18-rc. + - Caches no longer download and serve v2 networkstatus documents + unless FetchV2Networkstatus flag is set: these documents haven't + haven't been used by clients or relays since 0.2.0.x. Resolves + bug 3022. + + o Deprecated and removed features (controller): + - The controller no longer accepts the old obsolete "addr-mappings/" + or "unregistered-servers-" GETINFO values. + - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now + always on; using them is necessary for correct forward-compatible + controllers. 
+ + o Deprecated and removed features (misc): + - Hidden services no longer publish version 0 descriptors, and clients + do not request or use version 0 descriptors. However, the old hidden + service authorities still accept and serve version 0 descriptors + when contacted by older hidden services/clients. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Remove everything related to building the expert bundle for OS X. + It has confused many users, doesn't work right on OS X 10.6, + and is hard to get rid of once installed. Resolves bug 1274. + - Remove support for .noconnect style addresses. Nobody was using + them, and they provided another avenue for detecting Tor users + via application-level web tricks. + - When we fixed bug 1038 we had to put in a restriction not to send + RELAY_EARLY cells on rend circuits. This was necessary as long + as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were + active. Now remove this obsolete check. Resolves bug 2081. + - Remove workaround code to handle directory responses from servers + that had bug 539 (they would send HTTP status 503 responses _and_ + send a body too). Since only server versions before + 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to + keep the workaround in place. + - Remove the old 'fuzzy time' logic. It was supposed to be used for + handling calculations where we have a known amount of clock skew and + an allowed amount of unknown skew. But we only used it in three + places, and we never adjusted the known/unknown skew values. This is + still something we might want to do someday, but if we do, we'll + want to do it differently. + - Remove the "--enable-iphone" option to ./configure. According to + reports from Marco Bonetti, Tor builds fine without any special + tweaking on recent iPhone SDK versions. 
+
+-------------------------------------------------------------------
+Mon Feb 28 21:29:12 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstram 0.2.1.30
+
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line.
This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+-------------------------------------------------------------------
+Wed Feb 16 21:13:00 UTC 2011 - andreas.stieger@gmx.de
+
+- fix bug #671821 - /var/run/tor might not exist
+
+-------------------------------------------------------------------
+Mon Jan 17 19:47:20 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.29
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+-------------------------------------------------------------------
+Mon Dec 20 21:24:19 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.28
+ - Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ - Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ - Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+-------------------------------------------------------------------
+Fri Nov 26 17:12:40 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.27
+
+-------------------------------------------------------------------
+Fri Aug 6 03:53:35 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- %ghost the pid file so /var/run can be mounted tmpfs
+- require logrotate
+
+-------------------------------------------------------------------
+Sat May 29 17:50:51 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.26
+
+-------------------------------------------------------------------
+Sun Mar 28 17:00:30 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.25
+
+-------------------------------------------------------------------
+Mon Mar 1 20:49:13 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.24)
+
+-------------------------------------------------------------------
+Fri Jan 29 13:34:55 UTC 2010 - puzel@novell.com
+
+- remove debug_package macro to make it build
+
+-------------------------------------------------------------------
+Sun Jan 24 22:21:51
UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.22)
+
diff --git a/tor.keyring b/tor.keyring
new file mode 100644
index 0000000..581cf6d
--- /dev/null
+++ b/tor.keyring
@@ -0,0 +1,686 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh +As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs +Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS +wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX +gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut +vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG +w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO +1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 +eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu +wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj +h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 +eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b 
+eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa +RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 +D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA +gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 +AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 +AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl +ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc +6SM3xZaaxQI= +=GZkh +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBFfinwwBEADNzG/Q6YTrH7oSfUERhopwCWWn/gsprtnUFK+O4enXPXQlisGt +OVNbc5GWoZibNPowjORN+kADB+ce+VBmVeh+4ZeJDjpsc+WXuVajDc0wNwG3I36m +8uNRPLMftBcxS1zUsMpwaqff5sDoqlBTwrvfLpHT0W1ecJX8Ew10zim58DzwQisR +Uv1rsGiyH/dFzs8m3jPdNjDZyyzGQK62hwp6Y/m11PiMYgGrvAa1ofjfkGRVxUgo +UUG8JG/AhGvMnHJjV923A7I8MspOm4H76wlEQLesPHJ5WPSBXTZ5jVgdWdp50fPR +JZOUT6gwkYF59SeZOcSFecdyuSb0W68/klD5PX0G8qQ5ko9beNm7Rs2aJKvY1MHU +n5rb00aulQFaYLFJ7LOTDqYDUkKYp7n4hw1X1yXO1MUYyk9J9WNO/Uo2psKXcBsd +ZjdEWj1dWHOhwswygndL7RxK/17psmod055S0uYkjA74J2eRSmPZ7ErIfUh85rQw +DZyYKh7B6AGjcpA1YyrAh6BgyJncP9x21dmip0ENrfg5rpcfHpTrOF8To8fpo4/y +vUL8kCxCCPJtkJiuXkGhV3oZsj2tWGvAclYqO7xe84vks+GgjG9Ydfga8JrvPMDz +YLX7aTDnZRiU2Z+FvtABMjmmPjAHj3hMx/o25Na4bQ7wBAPEUiESsnh1HwARAQAB +zSNOaWNrIE1hdGhld3NvbiA8bmlja21AYWx1bS5taXQuZWR1PsLBgQQTAQgAKwIb +AQIeAQIXgAIZAQULCQgHAgYVCgkICwIFFgMCAQAFAl97G2UFCRD+fdkACgkQ/kMA +nEYHsfsg8g//ToPK4HDWDmHOLcFKi2v33Q/aTA5TsfQb1pwHvAUepABf+bjwqu5o +/2K3HFqhn7HVl7vgpqFcAjf1u9H7Jh+R7buawoWQIxi5cWW0GIuX9gutzgVyP/36 +y6rrQnZwcY+vIvi7fmRx0VVd+bZMOsd5/XJQ2wkLDw/6ppRWIPY5Pg97M3+CD26r +MonWcghRkCO9g0PwAxmqYHZCxcJp5aEURLOzh8NtDllxsoaZK4H974tWtWk04BWH +koApQPFg0YYn3cTftAIanmgtuKARW5nAIzPnCS2576DjKyUbAis19nYRgv+CtMZQ +ohkyNEeDowf7UgFTI+AkbUBjxwKP71U7ZW+qynRYT125jTtTGOOkX5BQjx2Qg/sO 
+Vs7Ukyezw1GFWmka4ijpHRssvEdK1mKZLqH8OsMG6XE1xIDOIRnsNJzR0c4u3IGO +C3+TAQaokn1E45CcFwb39n6keFLVEIa+XnYDil5QC6w+16TMvK38q6dS5QnE04OS +errSuYfX4IFslhkaLXd7uAAb7qrSQzD//jmmiKjgyFuRnSHO/nlv7fsvpCtFNNX5 +stthayhtmKxvBSlyTgArcNiP0oQKVE3LO8y2qARGY1eOBMMC0ml0W053A/cfQOAa ++2UqQlvCQf/Qben24Bh4tKyW6The2k4aNSIN9tyIUAIASfgOtoye6J/CwYEEEwEI +ACsCGwECHgECF4ACGQEFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5ngBQkHf2HUAAoJ +EP5DAJxGB7H7XPMQAJ6EXm4DaB1IlCrH+5U+QYXwwrKiBR+mHPBWuiEBSUbY4nOY +V+jK0647jljluyPXL7EUHli5RqajCvqZPfheAuRxNLlyznhJeLjdt/qBbTEgtOvo +QwsmmDwEogiStE/FrNypgGCqH6NLAEvHANn9UBDRsi/J6ccPDieIuxlQa5ksQCsR +zXTp19+39XWkeStIaaHx0w/x78IyAQHFZlxDI88/ZmUXfI2FWkOnp5dWcJhYJPGf +/E4n/aBbKZ6cB5OxEAX3uAt2fz625RuoFR9R03BjW1L8RJwKEa5fiBf8sG69dxmn +RWqebG5H4MhCemG9Pv1CGqK/bAiyIK6j2Dpj7K7F6j/0CePr7K0MrGjHOvT01bnt +ZI0jnNWGWS9M18M3mfdHM4Lof8kA8S/KIJ6gFAi0N5W8OVtzUx20IA1G2cRcrTYc +zyOpENDKOz26CRIi8SyJWmfR8N0HE5YlouT+xL09Vyo4i2Jck12t59DnKvCnsNLM +XuudDOALTGqyzK2t7njMblLWq/xL0A3DmcI4auX2OuxTyVm5UJkUk+2UT2GtzXne +2NIi07k8+5/xP84v/nWiNaaCFuPySfy1xmTYERt3EXgCs5r+qOCl2L4jzfe3EEsJ +NPKy8KWSitUjcc9VoOiZ48LDBEbY8LDDFliYkvwTyHK5fNjqLlNE8Jj4yX49wsGB +BBMBCAArAhsBAh4BAheABQkFo6E9AhkBBQJX5WLXBQsJCAcCBhUKCQgLAgUWAwIB +AAAKCRD+QwCcRgex+87WD/wP/UW4QljFB74PmDKY9c0uXmpbH3M9fyuLxSVofdYP +CU21mwjCwiWLBVhBGiMEJ9KtSQYFcK0mbcWG9dB2vvCyfgvbaGZPs0gczYpSo84V +64a5VX5uDujQQqWgZYVLal462M0A40mMRNxLrOzMMeSxZUtFjsvqygLjpTwuYJWf +dE24A/TAUUEX611eHzniQtRegfTGZwD5A6HA+WmSLRIgcPXfHNTwq75nHhLgFari +qRjzmfJfVkQjHhDC8tBp+NHkUv1b1me6b+POBnwYvOoH+tlKw4HLN5j1eXC/7H8L +xyC6XOQyq4uSMrVXIcLFVo4T6uG+yuboUknV97QogWCKuGUtl8zFF52EfZmUa1jx +kpF9F6OywY0K3tAYc/qXODQuWjmCPl3gk3CPK5B2P7QT6nhc+wCfwLQasMZxJv/m +7s/7jcyyAW2+EUi0Oo1m75XWH9/3s3TbZeFfFT6FsX4obNIWauBwr5cWRaeG0qoA +kIOysY57v9aKzc0bQaqJLspWiWMLs2CWXH4GGZf7glGeVgK/VY7pICGroT5PWhcQ +OmUJ8rx+Sj7fQ5UNtczA9mEFtCuFfZ9IXVs8kOaSTnCtH9NeeEwy/iFB8cgIEysx +T7T1n+IpT3mPjvVTGK1fu/EVhjk5VCgU4B0eCNsL4tSWXy41fRFA0auy/0o99G0T +7cLBfwQTAQgAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJX4qXJBQkF 
+o6E9AAoJEP5DAJxGB7H7TnAQAJs/XQk5Wx5Db/vMztwR3oRMPvG4NVHnA38fit8g +IWSMsB8AWJyMY1P/cFkJRpnQo/fF83Z/XinP0pKTEQ97+UIqvtndSTLUFacMirGh +yx025aTag+OLhyIe4xq19ZZEy3+YNq9nOGMIivWxGyvWUVjQYVwk2AAtFsC1FZtZ +4pVtte4Yd/Vq4nOTfmO+eejVmCvOHKr3xHET2+psiVS23j3aBJIShikPbmxRg+l+ +VbE7RLjk90Mv3PnGhqVfgnEEoYQZ/kppE7fnFb6pHgP4zBVRCoYVP3qCLv8WzoyZ +s/snYItAgGIHHv6OLDKn5SSSnmJho3+z6/PfCUBbLbz64vF0Itj8+6mwGlenMp2p +tPc8mvkEnvfHa11emmJVnFVJTKY9qkrft/kabb7AezPE7TgFuN0tTfoSsW00qNuL +QiRubdqknQ20C3ILCUiqPef7WajwlkQbe5KJE1f2HK6P3FhcveGkB5eG537/0BO6 +gH/Mv1Czu+sebDOcXwPeNPqNEFAqUmXxh5UFznQqETFej6DPP0HkMUlGnZi3o5g6 +jrUnMnzG6GLBYDmLAm26x1m7YMqLI23bxDLuBjIDZmLmcn2kYA/MbJhbWg9mnmis +0YK/5nXbbsZ8GtNhLP70T/mRW3c3loyTYtX2mtsmaGq64Uw2XlwQEtdZrpiQNnR8 +ExrHzSROaWNrIE1hdGhld3NvbiA8bmlja21AZnJlZWhhdmVuLm5ldD7CwX4EEwEI +ACgCGwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJfextxBQkQ/n3ZAAoJEP5D +AJxGB7H7eBwP/R3OpDnx7JtFOq22z0jcLjPLwmP+QqgOlIvSiqj66SplpEhPHcgf +4DgBu02RwE8ONAMo6McFvUH4tvI2NH3X8WET32APLe8/2cxhtZpH86gdnwTu1xGM +XQxz5sRppIhOtoowGWh+/e/t9owALOm/+IsHnxbX4ddIN6goB/mrlepRVRUODBnE +0K9oZG7VnnrB73Ip0+hqaDVmiGdOn7LSggl7ip7VZ5hUHXwvHg3dUknKapucMXFC +aqdelvYFt3NYQ2ZROAsAVLdi4k2dY9/WGNCgFHbdSGurJ19yGwttv57t+GUsG3OX +HEIMq52dkM4LOnbdVR2miV/jhFQ7J6i+mjZ5tYJiwrX9uFSOSzHbjWVCq5tlj1OH +s18s0zDO523p2YWS2LWaiDpThnRU092iGsNJZHaJmzA0T+7Ti/uaqqY9CjshYSBd +i0XUQ1LowzWDfBsVjV/u+BN80FYoszJzTAmiJW3GOrxbkhdb4nYptPKmY4YSSlLf +fOQ0y9Y+eUYMGe23xhejsYITS6THOunWmb/jlgK12Rd8AyrZVtD64szxAYqSXJ9r +x/k16KIl1z7JzJIRzBIrdHe8HTtuy9zs/oQgICPMrotKF6TCjHkH7prZFcCF09Ij +Rcc8ihpZ/C991HS4X4pN1MdQMuEIWVIAjxKh++gMYYzMjXUqBsjXjuBhwsF+BBMB +CAAoAhsBAh4BAheABQsJCAcCBhUKCQgLAgUWAwIBAAUCW5+Z8AUJB39h1AAKCRD+ +QwCcRgex+8yID/9lIunYmqatd4mTaiaAJIUHMjFh7d7J+3pXwOV2bpg/eBpFlonI +OC/8xnj+2CiKVusjF9WXoakOQUyXizPD7+fnUDzgQjmXxQTO3TCiXhSRdDdrcYcw +Z3Y+0rkK66QOv66S+NQGonG1qOJPjV8XSpLnuWb7bdk5qlaGquJIeoVQQpMZB9qe +0iwxgKeegJuOCRTQnPI7hoCpJX9+PowWR53JMi/Tks76B7XP/KF2TLR226oD3S/t +4Jup7LU5xP/IDCKWf641ZOoNdrCRc84nxeXcChjcX2eGNuBaceplLRQD3+ONZ9QE 
+HuQkbLfCQzs/NQTXxrB5NwBaBblJkNEY1i7GXeURGFE4ChD5eb6ba7m/uE7UOZ+F +wB0OpgUHIRlHrD/maVsd17mIsNo6WNRypXuzAlNNOVFgtnwVOpfm/OURzkLXeFjx +An4mJ/ca9SBYxtj9EYSp4OM1FjLNbm95Z1cQ7nxwQA98ZEa1yAr/TY6Z1Zpe8nHy +evsBLBWNPObW7nUjmfvIYzP7/xJTimwkagLGgSi+0R01HlHk1TlIYd5KyOFdXLui +4eEK5WFppqSCq4U2j8vaRwNKfUFryYOihBvpcZblRSl6+kuatcYF+m6tUQ0Pi5p5 +jO/nORRm9a8ertRSaxshcsavjrXpe7ZJ+yCCIe15MHVBSA/g687Wo8qJFMLBfgQT +AQgAKAIbAQUJBaOhPQIeAQIXgAUCV+Vi4QULCQgHAgYVCgkICwIFFgMCAQAACgkQ +/kMAnEYHsftQVBAAvOPy7R+ucWt6SSg3bw7CUtJozxujfNKpIb9xWJ6rhNWCPbyk +kAyWnHuWLxaRiADX+aTBLoGgNNJHBc5rYgcXgFaE26O2/QEEXV/0vJrPcmzR1t6M +0f4J9BTmoc+zLcgIYwPJl5HfyTPy+zZ/zorJ2CP5h6oaCYioyXVOEIhtO9pX/xRy +DI9CtFV0CuYrisPTr9CU09zwa4DQSvXcWSL1xyvijuMKE2tDvoYectdD+z7hZZAW +R7x7VktlS4WnbbTOMtrQ/EEQljLeoLz8gm0wwvSkRBnA01sBhFp+MWaw0slPBrBu +Nkmm3MygWDK+IU+JHTFr2E+6tSnEnAkZmQgLG3S+D8wUo3fY4iUnE0vxP4wvcx7f +/1ckzUsnOE1n4zOQTGefA89tFKOza8BG5/1BVhIUVztfXkKdeES9d4ynh6EKHOD1 +5a296IU7BKf1dAJgOchgktwKWbRQ8mKKpyExCYygno1EqBw1Wvv5UIvewPodAEJl +1zPHt4XKR/+bVhJQGeDsBoc3+tzqcDxyUOv22Euf85yvVhq9DXIAUQ8STY2xh/7S +YGIwf3WZp/3ry6HR40+LmUe6KXAAQSQQXOAZPAgC87j2mzMDTeQZ7bJ9wBQ6j7QR +/ebzs/6cHKeroNEbcoW6QhOwSnX01CU0REQdq9tCwYOcQ5lmjt8zNv6cB/XCwX8E +EwEIACkFAlfiphkCGwEFCQWjoT0HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRD+QwCcRgex+xRCEACwAh/qUAj3EYe1XvMU+whr2h9HyW7qeIqHDqQc/LEt5UeI +XSqfoJV23nQSu3C3MT0mJR4UF2C0qOGOLNZVpsxOIE/dDpg0/8xABCNCrxJF3y+2 +DTUoVtujoftAYCP19MaIml05C+LDeoM1d4CmDbokYtm/KBbLnyc82nYaQHrlljRT +8mLAEia8ye9IR16gTPn3PGT5dn+0yWiZ+95BIKhJdVKCY4wMr46RiEi81+3LWDBl +Ariv+Ojg6hCoQPwC4kUR1tisxyWo4mnaOEkHM2fnFWcqxXqK3NHhHUk56A9EbfOw +4mxbntg4I9d9UuW+B8N/Po5y10RExGqyOQWxeGOpPQrJsb77iHA/3I94/0o3yVuR +PDMSftTVWgiaHqSJ212hITMZZU7eYuxbnOFd2dIgzU2Nt1a/h9putFoJOj37Rz3Y +5blIX36DChBOtwHwChYx39V0OETRnX7036RfkRK1+4DX6Ipz/e2dXmzrsReUbvys +vxPz11NVefjic11EINm737K5iamul3VO0MNZb2+PQDJsG33eF7EYhKIJdFrldaWP +A6Qz7ER/CnEPHMwGS/ccVzcH8KOa6VymZhUMjsyd7BHoMtiNZGZM45d3AjgANEOm +7XM/CQ7IA8ODo2h5eGRQBoYDEPPqE0jBuTtNi+5E/6sD8oxRKbc0EnblVFhD/M0l 
+TmljayBNYXRoZXdzb24gPG5pY2ttQHRvcnByb2plY3Qub3JnPsLBfgQTAQgAKAIb +AQIeAQIXgAULCQgHAgYVCgkICwIFFgMCAQAFAl97G3AFCRD+fdkACgkQ/kMAnEYH +sfshpw//eju0iMvlXvsTbib8b4Y2Q84m5TBPEmkKh94hi2KQA27b89WhGRG2gFFz +E7PsrtM0RbV9IvG2KHMvUK7zQsHqW9ang6UHeCBNpxWYMkzjH+nI8tyE0fMYaVpN +TlcC1/daZ15BDddwLPMayxq9fofpzP54t3Oehw3lg4oUMKkx4QSaDaK6x/v5yrc2 +QTYXxtJsojP2/RsQh9mGzoDESAvSbgj8oFjllcrTk8rEFkioiCLy/6DJ1uQ0xmuc +V1bfok3cU4C3PvfuqTJIP4VRhxt4+AH98FNfx+20DAjW/o8/rcZwmFdtbewAqLmk +ADMflmGQ9+oal6vn+b/TUbn1zuuuw2jOyqvVL0Bxg9KSDzPU5TrLIU5eAMwRwCSA +eIsRrHGUdx/HCJYG0MnvdhpoHSZMNsdFCeVmlOCfYN4jJy3iAOI9PUJn+R/MF606 +S89Mkwf0tRElY1b9wSUlIcp9OKzP7g732sB1KfHeI9W7LXRsXqTRca1pbCvc1Fda +JQCfFGXguLEZpMthG2xfkPal0LhqZ1riZOysisoPYCZCXG1Aq7FNrLdRrIqeqSdU +xkwFSTI+MCJwvdMUNnpZx5tQDI4kwQcWOINehkaAJgaJQJmhJpJCav2HzzNV6Ynv +/xN4I8e+euvWm8ipJigIHJF4CyVo1FVruiTtwvNdCJmzS8kgxDDCwX4EEwEIACgC +GwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5nwBQkHf2HUAAoJEP5DAJxG +B7H7jjEP/0PVTL9eI1otZ9EGV4Wxv6fcX7gXJO1VZsRFWosae1neZjIjQ91dCzIk ++m+EnW7uNzubhxE6T3orMiITzM+UmQJE26+bOWT1cbKYkAUyjSck1S2DOITRP4iS +pu9DCM6XtU0kuClpKY6NmOYJaqPwfVTOah8IFKh6sWIJtzhiQf3s+hufOD+wWS7f +PIdo4qOHLggQYhQ8pG2PsiqJjSArpCqzfyG4SMMqOlDFgFxkx127qAqje3QlAu38 +gji5j3UVuBhb5s0eA4+HtVKcUpHWH6JMT8RALWM4eF0t0qUWYk6X63ScXr/J5gv4 +SGcrDv4ksCnE5Cr2gR2SUmYxhPfofBCx+3pPzExpEb4+qSe+S62pf+weKQU8XrAq +tP5LxIh6bG8ugE6Cs+J1kmQPEYjkONT8v3iRT0SfkNWRhyrYlQFPYA1F2E47FRpE +jdDnzIsez+HLDysmtdXsB0p/+1rDrriY8yJttXE9U8BSgTpukYifY+5c2c4vQWit +NlJyAY9sTPX1+KqnvMztYNZyFdcJifiY6tY990o3pabAlcwOgrayMFSMd/JrtEyD +jDk5M9dK1G9p0N9bkf92FfOP3SBo+9ScmF5A68jyFHrLQ8AXSuQF02s8WhNymgmV +Y1VugS6MsL+RGh8gTxCxaCBvExiMilmJPtrVTg4N7IzQYnYMeOidwsF+BBMBCAAo +AhsBBQkFo6E9Ah4BAheABQJX5WLhBQsJCAcCBhUKCQgLAgUWAwIBAAAKCRD+QwCc +Rgex+zFTEAC1GgGgpEJ4SFyREO4We3sgLadFJH5W0+f2xgYZKJsJHF6VgKcOcLYS ++xnb4T/XPSjoXgfTATj3lTKLJ5vwurx3LLjsUBYNE9kZOxd1dEUTMu2sN7ACd1s5 +dlasztgChRLO0K1GD2/dJcfvFF6xC6OJ7VtLuqp8Rlooui3/wRA6RLvk5hkFDjje +l/t2UHa9inYq96d7YpSlEF2It6p44kp73g+57ZaGwTHDlMvxpj1RZLCQ0ijEnajz 
+BxlDLJ6jRkYcRtG0enhQvvPYii3rXhKo5hK/XuBtNDysTR0ZXdPQMbHtsve4dxXC +Lg/0/Gm78tA27XVJIo6zgR7/qPJ8Is7/7wTNlh9VXnp0NE3SjKtIOxMdTJyoxVgy +06WJ41x0c6Wtt/AzUEOeMWRa5GLatci+KU8Szhn4Gddi9bdemtLPvzQyH0DFcU+5 +/IV36V/2rbWHr3zyAmM6t41YBzNKJNIVP6EbUiNwnfDUjii7QcphVPuYbk7F3wmB +UunQ6LYcbpYcTEaVMlrjDMwTbJnkDS3YFpn/vncn2GTDsaMUcGAf8REkUs/SB7mW +TTHn4R1/A8Ut6KJkqiMlwtonhyhsDRfkCplYePSs0TUlAopbr+Qm41ZYquw0myTb +3mVp9EgAwR3D9xGvgYkPyUvgCLbla3MxUkUn/16KWY7PzHvFfL/iEMLBfwQTAQgA +KQUCV+KmBwIbAQUJBaOhPQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEP5D +AJxGB7H7xCEQAKH/X147T2z1QX5G4iYh3+LhbtqMVSGt64fhjmmTbX39D46+Aqrp +U9Jc44O6C/Qj3dMsIlGeoiqSyA7y7P1ICK2SW+T61z77VBLY7l6+taR4Tnr4hiNq +9ZSx4MPcgXpIxN60IpMVc7H3maNrX1+3r3B++LvC+kLl24b2jdIcBI+d0nsNDqS9 +m2m+vnLE+Wy6YdaF1TPGIVz9EidX09/kHNPGNp2Dk9S+5AdrQHjfqls/XXPIYWAX +J/A3Fx2lgpAqvRA+YMCD9cesPMf7IWCs19P/75venoT0clE1Lo3ghvigjMDaC18A +VK6GL3nos+qxl3x0aNNGrNveGMSUfoYE3lzjupTsIEDBwO5Y+uz48IAlPQuFDdwk +3q8FlhaBaTGsJ8z8iA/reeqiFmmH69kOOG8eAoR/UVZaVJU1zd0Zd7NmUADXLRuL +j+SNvf9nq670gZ8Hu6cAF5/9ilBL7bRO9EQ/J+uG1EldRARz4bXc32MEz4K+iLyI +krXVFkU7xOYIVm7EO5mTwkIDmqaOwtzXYVD8LP859a6u1vzkpgcBrNhWZXLcPLs9 +mUp273cByfMV/P78JwhlsdvXXcWd7Us6EfLtM6z8ZrXoVJtf1jG+7OylmttrGZ6X +patCUcnkYXhNZTw527bh+nKLOdGqOPY4Md6KZp9dFxjK+a3RTovA1QQhzSJOaWNr +IE1hdGhld3NvbiA8bmlja21Ad2FuZ2FmdS5uZXQ+wsF+BBMBCAAoAhsBAh4BAheA +BQsJCAcCBhUKCQgLAgUWAwIBAAUCX3sbcAUJEP592QAKCRD+QwCcRgex+1VqD/9Y +ksvGVLhmqk5GGk25NIepvq4upKPEt3oePZK/Bj9xNTMpUvmNa0+n6lERa9/bcdoE +er8PRiTKbOAijR5rgySN2gEpjJSDTcql4q5C5RQoO11OqcC6gEBk93BGZ2Ur2PpN +chxAmNH+hkVsmZVIbCVoYFXz2uNeT/q+0CJPzUGZYA8FadPdUeZ2lwa1lz7I9h2g +NQID+IrqV8MEpgTD207ERjdB0C8zua7J/DbnlfZN4zbjsaL/y8RCJkk3yG1YG2EC +DF5Q8bivkcYlSSTqrMo9WAiJLK7m03qKLfyKH5M9DM1kBCqppYPKEANB44vk++0G +EyYQL2gjICkXO5XrxJAVkBm/RzKVFAMvRx0SBqCG2NiywspTiVrXRGEe+0KQkkHI +8bPPVcrLGHE+x19W6s8YWHTRJj8F1xJOBy37PW+o9OpX5cfmJosNRh4zVZFPnuS+ +ytC1QNL9DxUBxgKy1UCKrlb5WTb6sQh03xDEU25uoOB9UmITk3Wd9MoqR0F59EZ5 +cqN8TKdfSup94mI6ecDRPOw9akZ1LNFpbiJ5E5EAiATCd4SEh5PxBDt7YK6/38Ik 
+4l8IoPinDSyJCVesJNRbWNIdwjpX31pplzK0GDE+1JLfHZJnVVD9X8edQQpwPIeU +bMN1XFd8kQs+xwCg6QQrtjRmLjjNDf/dnbmxSWoo68LBfgQTAQgAKAIbAQIeAQIX +gAULCQgHAgYVCgkICwIFFgMCAQAFAlufmfAFCQd/YdQACgkQ/kMAnEYHsfvYBhAA +xgEY8oNLZhC+0Ent53yUvs/dNN1+YcE/jmBKBflewwxTTSXOkervnMa1QLu4Xegr +/ttlGqjA5EakH5PtrQWfAb3u4B4NBrAGxN/WirL598RwwKEGo4PecNh7ADy40skq +OHNJQbEcaJ8ZAqFF/t+3C6CjVDuO36lHqDXEYytw/2XjY4CBtRF0lyTE5lRyI+DO +cWD9m7M2BZU61Vx/aK5OI5UaCqWtYWXl36gBJdV7APY+MA183Ly9EywCZFPb/il2 +RdmiM19ycENrIuDF1ZAqpFats3hZR4MW8WTS3BTGste/yBjjaS10bp5HiqVlZot3 +TT28OmeWqwjFaXC3mVE943/322Mslz1QFV4e1/S1umqIf0wIVu3jDSKeZ0bagdk5 +SK8yNWhZ2ClbtR2vSPLdA128hjaNfaxDYiXMOLFEy2FvZk3rUtNWbA5Mji2qhiIh +cm2jCkOGg5hKSfA3anEQfKXcEi8OTzEnLmvyEw0MNZgPBUUciJjgis7CWAlTn30c +6plwxJRhBE4tEvY5VzWNOMeTRhx1Sf7qp8vKMc2FnjZJUBI8xFe3vZ1qSFAKfuga ++SJM1+PbxQQM6N2q/hlJALW4WUpjvtvEQsWYYoDbBgWtsTtNaLYbetcS4EaA3lr+ +elwOTLiYcsPNaKD4ZAsDR8qiAzABJ3W5aGEV1VvF+7PCwX4EEwEIACgCGwEFCQWj +oT0CHgECF4AFAlflYuEFCwkIBwIGFQoJCAsCBRYDAgEAAAoJEP5DAJxGB7H7RCoQ +ALDD2Tu7CeSRsGiNRgJE1QNEvvoISDpr2LncgOwumsJg9gvLeOY5fve0AyVbyW/j +KkElOGbfGC5HO3JAX8s+uqJLoEF1TmYr/ldBRFDb9YsyYz2saBlnUWvWwcDI5HCH +fw8BRPw2MhGkB2nt+hQdEteKkaeHIjvkScFzqonsiq2IQknsbhmyDZj9coaxoCK1 +JL2xX8pDl24i8alhgDTu3rQJxppqBBixZ3tSXhsp2WSF2bSrjb97A6XxSfUrVqGs +FWqeCXDE53QSzAEYmFFpuL1kvi1jOXlr9CeTc4XGBP7HttPWU8bgnhA36HzW/MGd +hpJ6L7GVoACKhEsB5GTKEzobwONalHg60ufRNk+dIZMr7C2eEpjBKLYzgevAmbd9 +k0uOicbVqA24cNWjvNzuRxJGxCA9XQSt9FAhpiNcdvoeSXgxc8sZp3+0EUuyjYTn +ahLIk5KjvRRTkILeq1HAffomGvd2PfiT3Iq7vKGHhh5n4cXBMXi5DpAB36hKIC/U +LcGH9khKTlBxfeNntHMm+/mNqwrdKeAfC8MO0rBWXZdWZs4rwElPcoVtVxPY/CCr +J1vJqfnufc0ZUB8WguLoPxqPLC+ja7Pg/ALRQI1cbJnZD5hteAJ/dq2mZ4vS01Py +ztuwCKYTKIdj6yoMgnIYxmh9xty4FSSzodtHM3c0x5sZwsF/BBMBCAApBQJX4qYv +AhsBBQkFo6E9BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/kMAnEYHsfsc +9w//XpLL93sf0hNPz281ql/zSVo8P3oLmYxzmJfiEAMKOLX9UivWD+oJR2iBTo0p +nhuP+/4a0IB08dIvTE0Y3DJNsx738F3CSP7ZHF5EFaIXEcyaCv4lncVELHBMiTCx +mA2Law011830pwug0jOUyv4T9+CElUhm4XT3k0CFxXtOMgQ0KA0IplxszhFOL7Vq 
+T4Qqokgdymjo7mLKLvXqKqs9XbZ9A+RYeKi/HwDqBfzhLC1ur9p5VmcA9PLJvQvY +B4S0RIM0utaVMP5vD6BRpmlQk+WkeJbzbZQFEJKzdOGVdQnSX/Y8qtdGTYwUDq9o +ZCEdrEraP/6uAzCccI6lkGoTSnQ+FUufOV0c6NZvmiaA9GkIwfq+O5M8Vhf67krA +rR8Avw5y8TmEsr9Sg7AgmW8rMDuNFF2ol+D2r5VJZgo48kICo1V6BSDN4pdY4sI1 +xrzha8fkQ2bXUvPDukEHs7JAXToK/f3GwMtwqWzmR5b5EO1Pytx9DK60I0ohjosk +8O/F/9cY+kkEXQ1hyu4FKhLia7HmJbdaKsaQSyqcVBUvkDm3MExl+fSx6S6F07kr +z9k4017irw8kOvpnV33dbXK+gzs7qFYY64Jn6tJMnYxTkyGqHDvPrCFVbUvIBQ5e ++Q/bghHJmzNJO/8ruvi0Enp6pioY/0bzr9TVtWCg0KNZPFnOwU0EV+U4tgEQAJx1 +gKVZwjJoFhF7TJ3VAJJ7JfwkGlxXOF+3TR7hhdmV3WwI019Cx4cUV21P7zVLYqt0 +jb+iPAK3aSFjTrCQZwUgvfM+s+G4byS6i6fbM9X6M8HKGuTqTRIKGaFjZlJ/ubBn +H/CyYpFD33WtEMJv1wBaz4EM3q1ROLsNAujCEzWD8PabG7atQKINnp2zXzpKO1Aw +gLYPJPrbKFJz4usYpdN8ULSnJSzIxqMoiJATRVnilnYCpcJeQnc2V3bH/ftEm2tK +SMRZuRefPggiMZZn5uEmTlBdyHMGFK+huqP51rw1EcvIi8Bxy65YoTjQDvrPuKtA +6pOQNK5XETfzWlnwBa1tG5QxhIg+AqEJFJ9AH1h/jPfy9ZGeE4PW/PJDa8Xnet6u +dhIqcyKrXNlyc+Cu/uLcTS/2LB7BgEouKKwbYpXv0LcZlkkkUb8biFLKW4bIx9+8 +YcZdAWUZQGvB/jOcxq1YR5Ke1jd6efPb7BTTAM/DL2dInwEEJkS5S+ecuuKWHnV+ +0iMzxzUUkCehEQ4apXejTRwbWe+H9eN1a1MKPGgTZrc98hhrVb+hST0Pl12fcY94 +botnk2Va1kzeAURYnlbwWADtbCtNB/inUIjOMxK8F0oIsu/i+lC/q+4x0V0wA5lM +sowWj1Q5A/sh+Mah8/v7Qh2LGkjGOH3xVbE6L76rABEBAAHCwWUEGAEIAA8CGwwF +Al97G8IFCRD75IwACgkQ/kMAnEYHsfs/+g/9HfQdh6DLeYXPUvTDEUYVUHlkZw61 +SjHPQy4SMMBTz7rALeBuxYpR7KTzLaCdtjiHBGGSgsEmQto/GLdT4Vt25zpx2uxK +/tOq041PYRRcZ/aK67M/N2CDmcsCzi9sm6HsOKJkZIwVIiQ10UZ1YT8FEdC8/Kzw +nxgmtG/iG2852dDS7Ar55GIuYjEob6emTbM8Z5L21vPvJRpxuvsqEiMMA/Oyi9jw +xhDVCHL+a7pWSR5hZuyvJE4W5zU3loZrLg7kezzbdhWcEENLPiLdw6mexhUeXgT5 +nnUwcLe6eFc6VHUUO2Q0vXF2mCHdQLOCGpykL0DWxxth07o0OSqTKIAeDwsh5YO3 +dYJ6V5UYVu84xBe5UF5RZ5XDWYyNbifrLiVtb50OBWLekwau/d2VqrlmWJaGrLJ8 +B9mxWN8zcWozZtQNDVSo8GU3L8LYY9Sb2nBxOAXRVCyuPwyeQcHamvuWokaUniav +gEcEEXP2RLlPdJOF6QV0i2mXc5AFq/CfylZOtRZ5WHvASqvtT5rulQ/oZ67v/0WI +LTDYXh34D8ukEU40WNT4cL0XHcXMLhZJ1AQUOn294aG1b2z3N0DrGx5/Mcscz5qT +O2tfvbM16jbttrFfjuGGvuTBnEtSaJMhVVmtdFg9MsMAwHMp8zBE/aSNDF5qmNai 
+o5TEFXO5W+BS3l/CwWUEGAEIAA8CGwwFAlufmjkFCQd8yIMACgkQ/kMAnEYHsfth +VQ//T2F0tYl9k4zW/IOR//GGHVHGuzESjjvyAAisBZZf+4fFCrHGgzb3XGmD96UH +8C6PB9ttSP6knWYJa4ohuX50iJusrvGlyAmOyTYfX4DfXdrPeMtvutSXCk8A0nR3 +lfpeGkhXDCt/MTuhKvQOrqupsbVbzZHOLdlGz+y3k2790dMMEUdCk7EXONfMyaOU +jI233n/MLhMHFVlOjPStU3+552i/yCKFctAwznxjhHO6rQbgJvEwQsXa2c9JnEtK +LSoj1j8IDICo75WWoMgbc9F+eNV1l8cya9FVWcJ4kfI/6adxj4ZKEMMl4FHPb3ct +9aasqll/cTnC2JEcnholP2ZvKa6asaprJb3Se0nesOJcsqwsq4Ylc4vjh5DDMCpU +Hqjgg4MP2u3WuL8nOOKdzgDpYOjitoGi19giFF0QRFDbtqZxo68LF4xo2069HYs6 +R++ZaAvcaKeB8WgM+QRhP/i67vLpYLeIKk4H9wOSKudIg3URCjTMdSPVJjmeJvq4 +ZfMM2In+CkrYGMJMW9Miaj1+KDEHRTGr6vOw8UkUD/x7O2pbFOfIaAPWNCLsJ9qK ++5N0yvY9FzVaKi0UwEc7KP7HA3HFRSM2VZLdVjqOPPIbxvcGNqU1WjpQxKc69ong +VvBF9RLjGsIqXbq3yygz0XosW6VC5mhRuIMcfa5FGltkGDrCwWUEGAEIAA8FAlfl +OLYCGwwFCQPCZwAACgkQ/kMAnEYHsfua7Q//ezGNpIkXijjXeS8HqxvP6yyAxWTD +I2cjynC8xqg170U7lmcYbvWsbAk0ml2TKkjPpORKPa6ywLBAKED6zUraqBEiEehw +aQiaJbPzxd7E9TWkapxXaNLuJnETbjdZgzAVSTcOcylLqeUJrIWfcDc3BVumi/Bu +dyuR2KWi42OwNHLV4L5K3rDng+whzGk49jrf3tpCXy1npBGYRDqgeRzzJnQS5K2f +XnFsBifbRn8PwtLKGGO6RYp7XWZTLP8+ZwfELVTulDox/OV7xSLRZUtF4woQrG+J +S9G2FOh6mES3ihuRUSjBRQZcKf9kEKqqcrpqPwtoPHIrmygz6eDz0Ea5idbFCGCv +AEARwTrmZe5dTzBAB3X/oobyQPex/QOV3OPIPw+HSY/ficyGHimizIB/x0QEN4L7 +GL8DZSLO4m9TEa7+Y4+XIBqa3Y5yXqUy52jCGt5QD7r1mu6fIuxyW2vffOk4H2jI +5SD/I1J3tipNgOFbjx/pQWjk2kZVoLKg60fcL8Q24TSm569vyj2r1+xFkKSWO8pX +1njIExUTePEUcWEcT7AdxrrPAf2WUxYPGGMTRfrcUw4+SKLzDqgFGC4nIi9y1flj +ZXEZBeG80R3GnU3hyeUwwdn344V+rMT/8k3He3nDEL+vIfEeubAV8Jz3hzou4SD1 +o2/lCOmP+XwQDODOwU0EV+U3SwEQAON6g9gDGhFIqHJNGBfkDAd7XzJ/dasMIqji +Orpjgnr90THlM5HXfuaWCVV+Yt1kAsI4woT8w7nAvNs/5v8Bq7aYQgseMMsdlHnN +CczVyoynxAwTJ3tDME53Kz4sLsu5NVCQ9uZ9Z/GcJHA8ARObJ2GROagFExPOIeri +GDyYFWDOgCmIjBz9VUT1PN2DOWpTAPjn30k4ZpWeN/hnf9V+WkOMbUaJFefCsIU5 +ExFhVCZn3J66M+YumclIlnyxEZgLs+xM/El471rX3bHm0z85XOj/wX73zIKpws3p +ucIFNO8PXIFGja5RzQVNM9nhpK6xOvelaHzDsX4sb5ILs2Y4x8bZYnU099sO1VGC +hfn+Y0ZQupdLUPnshi5dXTyzBTiYuBuKPihGUgm/awsMmAdSRB8vqZATDnvayjRw 
+6j0g1AfWDJBPVqUDY5XrztJkWifx6RF3CWCdSmrbcRrVVyoWTBx3alsIvTAUhZKE +4aISvzy5doMRVyMEbhqHEhbfRGt+toNEHmPdxIDLI7V6+CZ1EwwXNQIwK5MNWLrv +1QQexrqzVVdcxuQz/P91gLDxoCoBi8HBGsA/HL+GVd5oW1U1o8U3mm1SvLSeg+MF +WmiSpSOGpS9adKPwRyGy+giGRnCWJH2dcncSfB9S3XOimhqhNy3Eb98ttgl2AgaU +DO8M6Gu/ABEBAAHCw4QEGAEIAA8CGwIFAl97G6cFCRD75dwCKcFdIAQZAQgABgUC +V+U3SwAKCRBq/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzl +sRmE+ST/bOaMpJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/ +yS+8ubp3Nv9HwD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/ +3bsQ6PhflHTFhpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX4 +37h70ne47IkJEO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1 +Nakzq9bnlqnw2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dt +yZxpPn/0jvS8yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8/ +/63ifzOAqKlnxQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuC +mSiJvig03iTsy/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xn +TzJYTy+sUEV56K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYl +cHKAv6ldLCuv8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc9 +0OX47wkQ/kMAnEYHsftCNBAAvHC4X+z1yIZ9d1kiEEbBrfYT6K+E5m8i6trhDJ/M +3BxQPcV5Zl8JqvHfc8eciSnp5aFpbpNpSMNGMWjvqDxYCI8/OkbWuulcXW7zTMaZ +8h+RdRie7havjBGfMrCYBwQX2BHwrXjhobEwnCfOX2VsIt0i/J/xpREQ21KvSvxk +hlWQGa5YXOjUdD951kZuw61HXajDQFsZzpL/RMX/n+qOfj3YUb5J7/55As4Ysett +vAW3tKzosCxCKcKuAJ3Z4frKF0X374FOfUmp/ncKOXtsXcLVYugVhHmuhTwy7wNN +3LCk+43ED3ZgxR0V7sykPUytkLKTECkWsCQohPBN6P5gaV1yY2OnXQGXm6qOy/Wc +uGmRfSG8btsnOSGbpgfHI7TK78ALSkvDr/mgEEsF9kgxaA0sWsUJsWayh/7LK/A3 +qQZp8JVU3wAuKdoatV7t3EznOdeg786ahx5lJ6FjzB290YvgX4Oynpal+agnhfxl +f9YpCZsOh46K6zy9Mr9JtqzNp2IfYGWoEAazsgc+w8RUmToHiz+D7z4IHJdH+iNH +slUfSf1sSAWBEQWxd8I1r+R0zX3Va+Tuk/qJYO05EyLnVbaOAVPjLvP8SNO0Fn0E +oGeAtZ2x6pbCaDWIknjDU6l3cwu+Uns11rSkY2cVV4eKVD2POqLyGejDmKC8fSFc +lLXCw4QEGAEIAA8CGwIFAlufmicFCQd8ydwCKcFdIAQZAQgABgUCV+U3SwAKCRBq +/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzlsRmE+ST/bOaM +pJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/yS+8ubp3Nv9H 
+wD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/3bsQ6PhflHTF +hpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX437h70ne47IkJ +EO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1Nakzq9bnlqnw +2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dtyZxpPn/0jvS8 +yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8//63ifzOAqKln +xQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuCmSiJvig03iTs +y/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xnTzJYTy+sUEV5 +6K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYlcHKAv6ldLCuv +8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc90OX47wkQ/kMA +nEYHsfuDKQ/9Fpoq75+xgkbQno3vLC2aNJqHwk0LzEINgqSNVYPob+/dBf1u3lN5 +HHNKH1opin4EEknRulSWhU3C9oMy4MjN6rFqhS65M2f8jfG3qXHAUKDf4gL3ZHeP +qWEHVkE/Z5X/M3gZA87DgmskLuxWFyWoT7DFWkTb4TtJRdVs3R/zI+g52uM7UUV8 +QjG/ox9w7VdUXIn9Mg5TehBTqZCBsWx2lM1SOzK2R7Ax/IukppOb205RmqOKxZh8 +gj29StTlRoJy0RE6typfSrhyaTithX3gWKfkCm+LGzEwWtZoRstCRmEeD30Glnko +BXFMVKAvEXIGCdVyaugQYVMy5RXlQllg/3Qo2aoKhwCWUjVnJIDT8csrcYKgA+As +R+0RqXCSHDeJWhoeiUOnm/ZGa6g9z5f8t6z67jY/iXXSCw+jv1U9znYj0vuQIBWg +FbFC2C0xI9HBZIUgakeyUxnG3WRkChUV76ZG9EMuTfFaGanWG9MWzb6sX1oWVNru +PEvxdRlFhkr8M98kAQHKcBgVmK1eCwvBt+4DvJxVRCT5DADLL1pM3ZSb5e8ibkOY +a066rFPA6VBNxDkYOYBw2e2itzljh6M+Q9URIocFytK5PQsCxuTHqAK/Y50Oypgf +tw2aq3/J1W+QDO7Xmyu23GJGFZ1oCF0Wm6RlU7d9lHxclFwR2cptw8fCw4QEGAEI +AA8FAlflN0sCGwIFCQPCZwACKQkQ/kMAnEYHsfvBXSAEGQEIAAYFAlflN0sACgkQ +av7m1J6StgH/kBAArl34ZZgE7o1xwuaDKaOk1llKTSZPK9/erHSc5bEZhPkk/2zm +jKSbggrn1F1SbqV+ktF7qFldyssRdm9ESDcwKo4wcONpMnKALwK6/8kvvLm6dzb/ +R8A+1gVhiBj8kuTCw4+Isi/R16J1QObU96UEFwWkncm2IQ5+D3DiP927EOj4X5R0 +xYabkaeAYXHi+sIUFIBqqFxjvXabLwo4gldY6q2TrfWZob1dx8MF+N+4e9J3uOyJ +CRDuDrWH5VuKrj7u+r0fiKQVSJFVVDwkD4qYJxJZRldUp+WYctMRtTWpM6vW55ap +8NsiJdKxW2uudw5taEvayeVkXGcHM9e2ArAlSSzRPlT8PxDfuctXbcmcaT5/9I70 +vMj7YYTsNO+WVXQctpNrr//+XBD0dngPuL2RKZkQ+cj9gfBiqk0/P/+t4n8zgKip +Z8UPNNGUFfXwz/Z3WlxzyQgRydytZ8xKD7XoYBdM+6wq3fjPXaBrgpkoib4oNN4k +7Mv3FSkxfgZzgg5HOZDJVPMzLDpo4s2N5OlVKuK1vbB+9FuZSwPsZ08yWE8vrFBF 
+eeiuG6hX/018pu5lVvcWN9wYRUdj+LbyPVV3ffZT3W7yVioPXiZGJXBygL+pXSwr +r/M93+DhunnGY2SNba+vepVDDdyRXjCVMxyXv+1FctmPgMUdEl2HPdDl+O+waxAA +g7ZuiuuRAi70Q6aZFLlG259cyCmTmgwsbUAjFKtqTP5g9URgh1A0JZfS5/MYschS +fj8qBYsdChdP9VX/d0U9/LCc4sXL24XLnpTw7C9MeelndtXdxBxnPLUTby3ZQ19h +ZPc3l4XC52ej35iTG/lr2jQcBHI05fwBiUCuWn7hGiKk2TfUtUpFkcvXObrB2/CC +28Mg1d3NpYu79OY6raQoUGe34aVDdjbTDnx1nxARBfhJwfceid+j/Z6V3JKO0C1T +vKgJvBhc84kRKGT5/PVJR4dnXsYzdgWTDXVw2CUHKVS4taHoBuUAoTGOeu7M0WU1 +yMoYWsRQ2auMjxwP4w9sc7hTJt+Oj6o5vW1sBB47PHnl3lDWLt/iG+QL94N3aZXZ +1b4yeTzHi+AZYR9hs3kFpL9dq0WgS72j2BmcSkHdgdXRv5offNHyFNEMjxqB2+w1 +32xMCtNT4zWah0VJOsfFiAYPUZhDgCY155ULwJXJ+PTHyv2O983xJVmZhsRU+/Z5 +MoDtXDDeuCfL31nnKt42sRa1Ce+tHjJEoukT3Ng7GjV1lyuwZ3YX1UpN9BcM8aWr +KRUP30TqqjdlZLIMGoVv/z9rxYlSsLbn+P7nqaX8Vq8ZeoEh8iaQa+IB7NgXvoIg +cP4OP2yasPh/GwyuLN/DcnsMJjv+76tjXryzEH0ffZY= +=GKc2 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36 +Comment: David Goulet +Comment: David Goulet +Comment: David Goulet + +xsBNBE3KySMBCADOeaVfjDRP3kb2YaDyZbEjPKXkIJivkBbEt9E5abcuipmIA8o6 +W+eYbnRDUZr0u/a6NjEhG35yNFRWpFpi4Gby9+0xjNvGjFj+hTjROFsph3ljGFKp +yYfJQejlFEjlub/7ehNdVrwJz5WnIpNz1UnoC7/rry6HzBtKIcXbEpLTnGAoqAmY +d78cv5h+9B5WzN48/63qIns5ZkzAZIQio3Y+n8B80NXDOiTh+9cFPfAk4xBVPIYk +8dDpCGeHA8E7htJsAkgn4A3wsxEwwKVf4AD5+E622BWYabFyCWetpNIBDsRAm2Di +s7LtxC7SRWd/e/91axtQ5u1bHFliVkRRbn9VABEBAAHNIERhdmlkIEdvdWxldCA8 +ZGdvdWxldEBldjBrZS5uZXQ+wsCTBBMBCAA9AhsDAh4BAheABAsECQoEFQgJCgMW +AQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6Goq +EfSNNiH0CACJCNbyooaIGDEJ6sNkwrwh9DZZFs+qyafJqz7KXd3d2MXcnlgAw6O2 +DYCAy6hlKNaANWQSFeYTjsoIWf7wC8fFnaWJscPx6+ZE8beUlQMiyzk0KQg8ie7x +Bfnl9Lmh4cnH+4b5A+A3GO8JrWf+gNAi182WJzq62SX7gK7EUT3H9oS3FSbhwYLS +Yf7WQMWpWJ6dS7PbUr78J8XiJDvm6GvEMMC34/aZTeRdhntNOu1B2tybA4BwxbuI +KMa8nneqd/lgXXTA3nFRbO6V/PiFcjoABNEUgqTDpgKypcl9GZ15D/sINX6wuIFf +519Qq1PWtmBZ9xPNHyzXt3wfA/88ticywsCTBBMBCAA9AhsDAh4BAheABAsECQoE 
+FQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG92uQUJFIXhFgAK +CRBC6GoqEfSNNqLIB/9tFtZYDxWmpCBgokXkrJbTEhnYnxGJ+PzvFdswy+vPaf1+ +JsEnzqZS72bZYRfFyJXs5H3Q5pyIEt+/AIGJmafWXJNBkDiyx1+ZsXyqLlbXfWer +rzEIX6r2sPytAZ6OWDzbMnOlodEmJXVIWfVubXlkiSKFRQbORsqVzThcQ99yUGxD +8kGYGvWtTwZCJ3YgHHYecAOzwIEAKQjP7FnGqkFiV0aknJ1s7bHpU4MCu5nC53hw +oBWXtrNQD5h9woQCUco3yz/17tIPsbsLnlOIsywpy2WtQMUMr5UdEvkYFcVbYMQv +x0ZlebtPQ0P9n6lq/cna3kuDA7DshqIrRGIZDgzlwsCTBBMBCAA9AhsDAh4BAheA +BAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJ +EsGSKwAKCRBC6GoqEfSNNkARB/wMw153/mlVTcDFokfxlDtEuzDKx6GO3DMMJE3s +sPk81OtfT6gQsfdzI092AbAjzurNwGuEj52xJhJeQ0JnVn+YhsCohuQvmIRNBzDt +sK3U/93VNWMdSEIPFQZ4B589sZ2qtjpnHK1gEVqw+jImypYRP7FrQ7zWi6DEkC7T +uLTAToTRBeXKWoMAiT9F+kEmH45chYll+450/mSWdoyK3vAUw4GSFOeX2AoG5ka/ +2eLtuzTb3gWZriAkYAtmdgLFVeKjkCy9mQ2G6mSRvBfkJcWT8V3Mp2IkDl4PzeOi +SFUrm60ZuoR1pi+F6KE2IorFtKv272GNc4ys2HeqRqBpqIZHwsCTBBMBCAA9AhsD +Ah4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUC +XMnawwUJEOBFIAAKCRBC6GoqEfSNNpeMB/9zAaVEcZPk+emYqeSDjaOnANAJLBYs +LCCfB23rdQkcfNzYbtsOvvRehxB1Mg9PNN4e3K/l6ZMFCauBGt6jOWiMkojAdDMS +p7vOXwrhQ66whpJjn6pIOjv2p/Z9VME1/e039z6DDCH/Oy/G8pEldIQZkzzP9YgL +ytoMBjEs6bFt7zDS5G90HHkugCUVK9WNLMKhrCbgLa0QVNTeHHFffJWo5jhCkZJ4 +Dw8x8ukbOIzsNWGYtUT1vdKTZCDYASaWEC+2duxJiWL5qcR7m7oGb2Ohcvq432Hl +c4gBVS/HCLmSw9Vn7s7C8aJicUn6e4RQhSXajYeyU9MZfoz+7ecaCTogwsCTBBMB +CAA9AhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNgUCWuifjQUJDv8J6gAKCRBC6GoqEfSNNsvsCADILBT0LK0qjHxjM0YU+AK8 +OEcp1xaf32jPOyE3eZyro5QgVqAmsUM59Vk3R+cgrcfdwEOB78j6H1qJerCIA9he +RFpyLglJqmTFWdFMnYlAg9IInyIgPko6fK8X3E2DktyXNhUsfLWrKktjxNwU4tC5 +IIDboLDI6BjNMVtgcMyJRq1AB2iFBNydR1GQr8waF0ODaZLWeSB+QAkWCwLjIxLh +4mT22TVyGNFXhE988caesVlmDGgSiOviAZC3uCH0HI9aNAraE9hWUVkIp0nQEX1H +28if19LLlEfj6zJJVn1PhW0bggq5UQDEto+MIuq8YAuxvour3H9B6EESlJ3ncnyf +wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNvT2B/0fsSkMvEIF60Tg 
+lEQC4Qs9MYAtBMyf9F1nF+UxIipPpSfobbjIcImbPzcmrAAlege5u0/oTSpYP4r3 +EVMoN2VOyy2afxLiOyPCHporyOzW0KUoi+rEq84FrxwtBL6mPjeEnzuYTRfG+DSJ +eo2uDOS/q28+MwPCJ7ZiLKH9zEODbqS7rUGVijakHShYszStYNSLV50835OfZ4vX +2Uawf3FP65UUKjbY9tbTeljjWXME7ZOkx3b2zEm9Ngbshsy9U2YWkjAYOXtAMA3k +EWPwP/zQBNtK7BHwjZ74uXBo06X+LmakMYZNL8sRjlL0O3FkMKuMKt+axsRs4SCZ +aJYkPw25wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlcw7j4F +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNieACACCAn02 +e6w3AHy6npq89Yce5UuT2GSkjQwCYYUQpO+PsGPzM/RfPd6s3XquvDqC9+v1NvuT +T5ziI7HtfGZ1II3h6AsCMngZgYRN6T3lUoUKPS1lDYBtFS59iat6aFW4cVLUJSK2 +wQpP2yefcRAmxxPXfP6rKn2zeMGcsiuPUaXcsGgMa5vkqGoLunVF68yPlpv4al9r +GDK7PWq14yS7PW6sgQ6es7uXQ6eClr7oSv41V+EQkmFxNOpOlYO2iPl3CfigXs+v +zagvmV1qxSUAQwGjem22WnXY86x/nWp6hL9OxjAI4wTqOsbCda+R4uDhv+uDoq8B +229CYmKcoIUgui1cwsCSBBMBAgAmAhsDBQkJZgGAAh4BAheABAsECQoEFQgJCgMW +AQIFAk3K5V4CGQEAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNrTe +B/jgxz5vAPTQzxWCIpThmtbv8y7Aykmwy6A7oJUaoI2fnlXj00SFbLhhwHYI/vj0 +nXTH7RqwNKG62QJWCyKdtUsI1IcItkAx+hXOrW2Is1JY+WKe8CTFtlGk27x6hjKE +6w181a8QU+2KO6fdu6MKHE4k8QAzjSgbxx3IHSw+DMbOuePQc9KZCGHZTWdcrqer +7mr9Q+9hjTqIm89V6DG2forCoLaFS5CYBdouxMjLegKNL2ozwYuA6jTpwaVrurNe +z1w+38Q+9olH8suCM0VbFWFM9/BIC1Q/SohjE80FT9nThAfwqFTy6JdzaMjbcKKM +Rtsf+uz4nyU8KGfptA48yEHCwJUEEwECACgFAk3KySMCGwMFCQlmAYAGCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhq +KhH0jTY9MQgAo1nJFw25PSHDJKFfF91qIcO6y3eX3Gaag2DYu8nAMg7otmcZZjC5 +mn3r9l7jx/9A0zn4Ld112e2QsUk7VYI+ywiyhnXszPh8iRoLapyFUJUDpuW3cjhk +vBS//9qUXM++vxdzw1RaVEaMYIqD0jG/HYSIMvhMo5GLG8SeVoLDybEBK3s8S7ya +YahbgQQ0xDrArtNaWWWAE4UXpMCz7cf6MhZS7lfOfcgrrTMXNX5MWubpu5OcA42o +yR0aE3//OuAgmuQNcZ1RoRGMqGqKgjMyXXQ0f/3TrctdY9fLRqUkB8ZEj2d/4KN+ +gyPyYalMjPaWXeHmwBwE0VkEWHP7S7YJZM0hRGF2aWQgR291bGV0IDxkZ291bGV0 +QHJpc2V1cC5uZXQ+wsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA +FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmJO2/kFCRZlRlYACgkQQuhqKhH0jTYV +Owf/c5KA0BLCJ8V+zFTkQLSEKD/RfCkuRdC1fpNH2fuXZ6W1BKBRxFmVi4+lD+ij 
+4BbNTkWhifAGE+Xe4llnTRZZMlV+7A0/m98jsjS1P9QoLj+VwkEbNQ6k9ZoZM+rf +qHut3uTYp699rlE2HWsjQLjMgNyKfbipi+x9ZF2mVG1fbco43YiHFSL3S5WBn7vO +iHCkXNgmHpA8grJE2ecUEZWFWKqz3SJADCkMKoulOFhLtDPeWh5bJBfqBD5tyrzX +R1u/zz1AXo0fP1QF1dRWQCcrvfnLoP7PsECUUM1TuBw/yyE35/1Z0nyR81f9Bab3 +t3cH1e6wEdZfzeMIEiTQoz4qusLAlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJgb3a9BQkUheEWAAoJEELo +aioR9I02gugH/2+Zunp8kHXoaAFtOP9yWyhxO6Ei5IQfFE/tq371rWlVe2Jg8vSB +2IIqWr6+wmCQmfT0fT+zkHKEGlIl51Q9uwvux8ADoXheFt3DeCqCE99OQpbGaEo+ +j6NRfipCQUN7SWHZgLefph8qLZhTIdvfrXt0m+w/fZ/rpOZnxJL6JJKpEaJeI1/Z +Onf7Hulep5S85La4ElHh34n0QtceciCQUbprv6D7/KWfHz6CELIPbF86mM7Ff+Es +Ki3f6c0+oIA9cnp3D9ij/Qg16GFB0NwJ1tJykMXfFRGxoKMWQK4lJEUbn9hvshNa +4ALRPs3GtnsYvM/tzbVW7Grfm7ayti8pVRnCwJQEEwEIAD4CGwMFCwkIBwMFFQoJ +CAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJEsGS +KwAKCRBC6GoqEfSNNpRpB/48OeRBe9C5nscmwZKo+dbsj61+njkQj1A5vSKTadez +V5h5hX5lpm2hiUryklFAoTGZ49HltYpZGrzDyvL3RPT7BnCiK6uCYnqzyemk+1J4 +ZZ1rUALqjV+8KHtgS72bjBjGPDKK3d/+KK/FLg/iLkKl+5U8t9gk79aXT7xzSzb+ +PfSVi4VOpDi8gmIAcd+agvw5dUK/vI7gpXOgs91CfwbB/C3FJluFprxa8RsAurUw +qUfDbz8PkpTYbMzv84fm2j5H/2mQ+xcm19swG0/BaiWT1EBR91Q74xm4/0W3CJi9 +2tJKPXwRI1ZDfMH4iujLr5Yex22fmFFuF9Y7at1lbG1UwsCUBBMBCAA+AhsDBQsJ +CAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlzJ +2scFCRDgRSAACgkQQuhqKhH0jTbxLggAmCQx2GentBz6PWZkRj48Y+KfVfr3SAxP +q8nCsdzwHHRM+vjxD+iAo9FbGojVRs9nfLSjmhDyEwfI3f9ypLZaIPBiAwdLzDol +4U0EdyVU7fgfVglSUwPJz+eNhvvUiJp/9u/s4hM0TE/LNtA/uNcKoaqAWQIPiEsd +2FebX8RVqs+pH/0TQO8RYv3R48wCQOOsj7kvkq/3s5ceA9SaZ7vsJ9ooiZhvbkk0 +INsdJWtQcJTYoiBE0DOYhkBX78u07Z1Zk5RUr+4LzI/FpQtlGLyeJ9eFOiyhk7nx +0dzPxZnKWoWLTzse1p/5hf0WQ9OTMdt50ru1RxmnruQgkK+MdGwQ+8LAlAQTAQgA +PgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJa6J+OBQkO/wnqAAoJEELoaioR9I02KJwH/j7WC8qbiWW0lm/QmGtj1seZ +VeEkoEf3hYsyYi+sGq/rp3AkeOI+gr/P1G8Is1pTRuhzqLfzzt+NjLGKiaD0Iurh +5KkToSjwn+Y4aC7qRb4Fa3L3rvNixwNmpgJ/+F1Q7R+Ef+6kCEigICEW4xjYWJDl 
+61yCgnQdzMYwUOrI303hwWQb6aDRRkFp1J+V/D/pO9iA6deBwm0Lk2IinjeNuBDv +4LQN2Fc9GdvRi1cG2xSjpk6q0Xo00Lz6PIwZr645x8LQqnQI4vyBdrJllTght5+z +eY8VPgOtQ3K5UY8QuvQWZKY5bFc+PjRrajHFWYV8Mu9+KZMYSQBbanmSLU7F28TC +wJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNsGPB/906Acyx+JhbcYf +cD/y1tvVB77LWf3MPn2JChTvkk8hL2keKdDPdPmkSOuJww3/cE5Sm8c/fBUudAXJ +Tt8pIJGc5vygFjlUbuO4PjtFNSOf7rkNdHTRyFrfAqFc4hF1aN0Ej1mSQSIV1VJJ +mpGQrQJfrBswUG8va2PqLWxIFy0z+Bo1uWwPPBveES9dIiqJKUsmM+aVyN+6wDuU +RBmNYPFdUfWRIpgRepgFotSMqokrSh5pPDHwjKDcnkDcSGQRmQl0C+6fEwjGjwwj +zDOPjvldfNH817FnHotovAY/TrezMAPQbyjh1dJJbR3/mUj82g2VZKR9YuUHo24/ +B9Udi+vkwsCUBBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJXMO5B +BQkLR1iWACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZP/gf+ORBE +lFFMYSbbxHIS6NP+AcHqQaPRFTJ5Eths+FAdTh2XVgy8YWZxUC5/pwQzLtEWkxcA +1Ppw4sWCLh+pKQUDj4x6W+ET4U4Ysoar0jpNYslgkJvpwWwkhHDGVNeRE/EYbEHj +Yyb1ej7FDYkioqw8KI/UykGom5KHE0GnYPfaXyhia1FPVvXN+iSRjCDiIR+bARNW +R1RHjRqpPKmGa0J4eKsgOfEa2BIghdnfWgUKBWSMDD6S0t3xoUsDQnibVIRTjBi6 +Pygeuizbi2+n7AzinFNdvWQ8o6cDOFl8tpJ+HrIs2Uan4DPImjMg0ibsZ9eWgoj6 +8sRxPidaR9EiOT5g8cLAlAQTAQgAJwUCUhFFVwIbAwUJCWYBgAULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgAAhCRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02 +MJQH/iLM7BLfXDeG41XOumR37ungugUzqmwLoN6jpKCUo68+qjP9hQdM/Uc8g15N +b2BFQrRzXRg5peOkXgPLIwoxy7j0auoqnjdXr7vpQPq1FzSslv9Cf9sjG7hTbbY+ +EXHrwZWFn2LoN1+OdtrKJdgm0+0k4VyRkQxRgPCdre9dvq9oqPKQ2pf271115s8D +wEvRmosAS/Z3uqinVsuEZjw1pU3u0fVKmqGZ9AuWg03arnFrJM+W5d9cc/6XxQNp +OEza9/CaudJ2ygy/MeujboglwIDO7sviNdJ4836qVXV66VLqt5zpQ3I3Fbjr7B/s +BOl3K3TEftMvlLmxIfj/CkHA/bvNJURhdmlkIEdvdWxldCA8ZGdvdWxldEB0b3Jw +cm9qZWN0Lm9yZz7CwJQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AW +IQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6GoqEfSNNkWd +CACRF1LvZ24YvmFLLvM46Z0gPNVagtrjTRDLx/GkV0LnlOVCrcdW3cf/e5SEYuRP +Oz5rpEPlWMVAjjP5wkERxFgPBSRxAm/lKkPC63J2Qa5qDp75cJa2vcF5iQsVecG3 +8NzgrXlTNfpTOjas1jQKjOgh8do/6k96T2diMhYWGQvAehbkLPhrL69mVTywqrtY 
+UPXQJGP9BxPtHI+uO2umeJJyJbPitqVb3m+dofJFUeE8f6xO7ZHvrkvnbWpyfKm0 +QTzHz5aLjv/YSvxtSoVAxqRsuKsU5u6KA4xI3I8HZ+YPrCBeiXfwvME5WAwa0qKv +N6HDIrbBw66J19JUUQ+WvkfHwsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEA +Ah4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmBvdr4FCRSF4RYACgkQQuhq +KhH0jTZSsggAw0Lw9DaQ85h//Hb5pPOrMg0ktSXxhMRj7d2zlwsg1OD2ezlAnkIV +GcDoe7ok6r+zoBu7isG+WJ53C7i7T8mTQxNMJDmbzGdXMm7ZzmL5cj00EhBili7U +jpsMR/4D0NCcFez67CHe3WEl5DqNNgZFmfzD4kiLGRtptIz/hHjndeDjUHSjIPYA +0+Dg8ri4plkPDg+cT3IvP3NivgwDDhfst+ExLITCPBQh+ucVv2Z5dkNzKBmdkb1J +shi20zi74ii+w3XC7xHzk2RRmu3VMzO1QbHaEXhDvjf94vsGwPe/wLmGH5fI5D0x +ypQ954GsfS3lsbV+RomHS8964oLV8VaGp8LAlAQTAQgAPgIbAwULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJeqyfOBQkSwZIr +AAoJEELoaioR9I02mWcIAKD/d3KKK6Tlnw3ezvreOw5/Z91WtyA/z72N6yByUj76 +wyw85gZb6FpXS+Igek/zQ0ARXM6keKRCng8UpvbRbPm7in9en5KSWeXEVRc33Xva +TuxCihHZZdr5osJDkLgDq5iKKfAHW6l6ToXT6SfaFUx3F30/DvIoiskP5Mjf8jga +DPW5ePgDe9McNUeeu/T5afxVebATxRYbGaiBgOmhL0azJV/g2ytx6vHrXjOxyYsZ +lXvj8WSUVG9E1tKRmNkO+vezXjitEYRT8vv5RH8rYpzJ1ZSfoHArXzIv1oeJCtrA +ztGclXvNk7FrBN6CMGJrDeWJI3ioW49ORkxKtrW57SvCwJQEEwEIAD4CGwMFCwkI +BwMFFQoJCAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXMna +xwUJEOBFIAAKCRBC6GoqEfSNNuDdCAC1xCEFnjFOYrQTZYAwJECie7Ra/QSx9bmj +LD9eZt4QGayDdxHkYCLgxkzo/OErmlkq8weKqG+MjR7/l/2y7cVca6C2zYcrvszC +ynX5iNxJSxkAYcLxSkk6Kv1AbPty3nwN3WcCFhazK6S2hheZzEscWjfBlVGzEFXb +LcgkRpaiJgqcW7X6n3wMYg2DyGsPMkcHDN0tz6yQiOqq/bBKM6GshMA3/V+pYz+E +EeApE53/Nsofr5T249vf6Wd3t5MzOJB9D09G1iIQ7lfUBVS+E26dGSOH9cMkiZRy +FMOTGgDxjw2AjLQLltoEIAMPq8HKy/SaXWsZ10u68QsOx0yRuZCOwsCUBBMBCAA+ +AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0 +jTYFAlron44FCQ7/CeoACgkQQuhqKhH0jTZBYggAmcHPO+w13XMMs3vr2cpW3hM2 +seRXfPlI6PfQk0/VQjCsakvCP1c95agL5DUmIK/KDdXImOYQSnkjXCffMt7PKf4i +X7NOizsOfbmnxIgIO6dOcJs9Jsa2KCUZLr+aP4so1P3PpNPMmQsNeKCeksY/fj7O +F2wfNpZCVdU8K4swtdbIjjT3v/7LBwUsufGu3WNE66vnMowD/Qkn6IMR6m6gYPly +S/pjGh7uLnf+Le3YL5eQyzlY1Bqo2uuR+nWrqerNRb+RSNf0Ipuo+dUnqf+WC3pd 
+t9K7pNFsV++5p7aXD8WUlRvFfNNAzWEtNUGSIjgMDG+QXlE1XQF4OPFm1swRMcLA +lAQTAQgAJwIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAUCWQdlJAUJDR3PgQAh +CRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02isoIAMgZORLPCB6AG8AQ +6IHeSPYkyeb+zUjLZpLusbwRbuouzaQgt8TXj5CQQTonHGe/n77xBYa6dywOGyVx +LPDpywGal+fWbqj/rDPzBtWaRr9h6qhLkV9I7r1rT177y/PVhJuGKOBBs/FXgagh +bCaAHXaUETKcQnqb5LBrcuWSe+B5IXueFLVUQgA+zM2y4vVEV+7ltnKGauMVHC0k +6r/bxZAGcTcRjUsPdIgRSLLxPFyWS8EbFF5KjyoDIO1Ib+gJM61TKRVT3gJnvjyt +OB4yJWB3ePKk2GjHvKtrhro5U5ge6i+ldbiZh3swTy127ycngiADu+orYFK12awI +CxD1UjrCwJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlcw7kEF +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNux4CACDqeH/ +YxTWSqmb1PjfF4CYtjqx7ObCb6AsSR9RcJ3Fp0DREpsto+MsOiOAD5benHnbud+c +MUrJNdozDHzByEn/jmETRVsbqWUp9eK5/3vtDkei6hFM9nmc5vYPJ9PSzCK4+rmf +m4HQOCtj2tLxgZLGZ9DSlxUV33UbB3xr5WilPuJ6D3tiOJKwJdHdwHXjfFGG96Gn +ILpkOroyiUA0gQbRbFOjgqxB/h0vX/qlvmsvM9L/XTXPz+rrnUg6UuP46S40lvWz +Lj0Zrs2ixDhoqYo5WG57n747D12vRD/UCKxLql6/d9IfvevmbBKKrprVICoSt1lE +ocXwE8DnquN5w5f9wsCUBBMBCAAnBQJTCejfAhsDBQkJZgGABQsJCAcDBRUKCQgL +BRYDAgEAAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTb1 +lwf+NXiMBqn6XydizQnNy2lO+bMVr4HhwsDznqcV9HHBzUnCtnR3kAVqD+tC5DKD +zimCtqhvys8xPNjzWIl0xzhNMHlls2D9lkACDQU4oywOm8tE05IXrF1Q6Zlf3PdJ +C+jhO4EGrTehHYoTZPwC6RQYZtTCl4UqPMxO2aSEU4R99BAw4mKpRTEGKXIZJBDJ +6kXWbg0ahx0DKFg0EB37z8NvJnN2cbI+5kdmt8ZRiqZg7W0GsY31a1W4EchX7K2g +P/ZN/VNBjGyJ01IdhxEUzM84XF82KWGKsfHH3diqxDZiQZH08kf3HJS8PHN8OnUd +v/uLEeg3uLyQUUTrRXhoZSrZgs7BTQRSL5QtARAAtVN7/CeTT7uJsUzQf/2a+fq1 +IVQWN3JPTZjDNQeSB/V8W0R83QH32awj1uvSljCtCKbtTrDj0foz+CBRHe4aJgm2 +iAzMxKY1SxJ+SBTVyAYVQ+orzIvzqi2URzAfTII/mmvFdZEuS67hkbHXFnTLlXj9 +m3SdWRpCIQlwLCFERvMdr+sPQ07HcUDpoASPgo6P2cJgidaxBgfasUTvru3dxeid +jRbv5defzcdsBqk1eAZ/G/YFOQUiGig60/G2SOlBR7HVmD/iVkSun6j18vPKpqr0 +VJ3sHGUO+KhJrc35QQ7C0ezYtOg6fhaO8PzOcMovnk/P0DGkl1Y3uG4d+h3IDVBA +1fTaX/joVSBVtddLiNkOwgKxw6OH+jjq/irXl6X/0LqNW/FdgK23fEsA0mv4vrUR +0ulDtsPagk3np7DgS5J/v+npGARoeLoj5QjyK4+/1RjMXq+DYW3piADJLW55xH4y 
+6M+OYpu9svQ60vr2Ae+3pNL7q/mppdixc/isXbOsjtoGSb5QUUOXbzhDWX960Jby +jZUn9Iao+eZRV11tMbMI4pWuL8JEWj8qpcnIyJhYi2hSf7TVq/Zw+PvEXkEAnpq3 +EMyN4Su9I1ZWoxyTiwZVMdOn6TEnkdfxB9aTd5vYvR9L+t5SpmXLBMXQygbg9xR1 +Gbh5EHVlhAobb0uSkYsAEQEAAcLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULo +aioR9I02BQJiTtxDBQkSAHuWAAoJEELoaioR9I024lwH/1UtASIiEoZKhuVkv55b +jo3w422w3wwJTC5kooG1TOWmtHOo/JJ1rFxcIpkY6ftnC+p6YhEbxxk/3XAZtUNR +sJ9Zqemhp331AGq/44g/OYAZkQiNyNhjftj6JafvgU1Zauzi7w0xqhLMKBMDV09v +cbPeo+axUj7cvibHxYUUC2RWqkBxegXpa+Cq4YKpEEbXh510mwK11sUyxcPxsrkZ +hr97KdgY8RedpPDAxnQBGU7dIMDc3xVIX1uXXZpY+SyJb7QAMGTW+9jDPwDUeUYa +nV+eRwLotrkvSgKJ9GQ2F3Am0axV8iqob7unvbKYTtQcIR2P9X52sT0Pytt44W2K +xH3CwHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG922wUJECEW +LgAKCRBC6GoqEfSNNir6CAC70rZbHWguzP4O7paEaS18CNJ6fDyvoq96j3sh/oYN +WE5l3tFPqTtKYwgn33bMoArNgV8i0zdNXem36VIGh2A/fLwvg8aneY+XAvt500QL +IqHWp8WalE5RkaHrnYhHuTTzwztuus/lSQPQnl72W9HMoZJ7mvUtk9VMbybD56Fx +mo5zru4kMJ0Qk3fYYUYk9hge5im3Sk8SeX3UnmJsmZpt7xj6eFvAuO2CoSJb53e1 +LV+exrV9A+cM83T2I20/Zk1A5rX6WaehttHG6sTVpgg+JMKj0HeOYrooPB803WH4 +RM04wziYFvCmDtPF5qmOvErqZtjaYa9wskkoXUAsgwGRwsB8BBgBCAAmAhsMFiEE +t0QX7d8irJ+ekPSRQuhqKhH0jTYFAl6rJ9kFCQ5cxywACgkQQuhqKhH0jTYAbggA +irnoh4NbeEgSwEIrFJ+lAOcA3KXya5MHnq47Y3L0Ezc/wz19NbMYsEYWn3x26w+R +p4VVd2KiARJN19Lf/AZ0pS05nVuTPPIsqBgS/sczO5NyCpPAlcrkNq9nOi4TEeF6 +X+4BWTcRGKSRKEEwumqfppGMkYmVwhvq5xktMTi1HOQkdiGeZ0KV3BKkRIOZJkrq +vhZiyKEW4PMylC2ByWsWMK5NAI2ljRxp1eUcJb5DTqld7fl4iZkjP1UGe3X6qoXt +CkGtnXy+SdlwIpqL0Ianen8frjwNsO3H4hFZJE17AfEFvINoeDHGpsDJSitS5KsT ++6P4Y3nuClPSpsEPEDSlLMLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJdWqePBQkNDEbiAAoJEELoaioR9I023UUH/RYw9CZga6hljJHBaAac+sOM +M4FfKkVHmokwYvd4Po2mRFy4wLkfgAp2pv2Z5lb9gILpiy9ORLscdBaQAa+xlbK6 +SUC/XaIEN8LqRP13noQGWQbqZ61hP5wludNi4tpfqM0Oj/GLDw5EE7gGDb10TmpP +MLwc4yun73Hgq8f9FerNZdkA8zvIrD3Bd09PDrm/oAt9KxGCHoVHxFp75An5LDs7 +fY6HZaSru9CoFqjYrOEDSqt/lSm6ZsOsqYbvaesG9zBnuINoY6lOTP9jWtURrGwq +gucakBg7Fg+tln1QyjzG1u7pLacDBGPqgAZCdz2OduL6G0tvpBEgq0ppg9DnqcHC 
+wHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXVg00QUJDQnUJAAK +CRBC6GoqEfSNNsHrB/9h7uqHGB07U9lX6V64iKFQbNjarWJKPyRZ8hbh3/Enh3QF +zmqZOgHfRU0nD4WLlaQT95tRyAvc6E54q8ALZqePPfDzJxxPd6/ywJ4+oojOjibN +MbO9mpLbMeSYgmnC98YQaGJ2MxPepBOpOLkwtFH07b/SU/QzK2/T+astNr62Wgvy +LbZ8wQZRmwfL2YF6xB5HptVD/+Xg8iSF5qHRAmqrk0ORqcf6NO+3JqSQ/okN67I1 +HVktxEAymaTDUp7Pi/b1WSPpBQL1WCheWdAkkruO3rGadqNON1Cq8mBPLlIR6Alo +7W3vl1QQ+EyxHH5EgENvqEgb3XGIdp2woXDmCZgBwsB8BBgBCAAmAhsMFiEEt0QX +7d8irJ+ekPSRQuhqKhH0jTYFAlt24EEFCQsof5QACgkQQuhqKhH0jTaMMAf/TFUG +cMSDu5a1ytd+5pjSGkEn3QxcwiNXv4s7L1VkCbcwqKejYXWFrnaFkzXROuY97LmL +ejRxnV/v+YKtJLxCrdG5bwr9zgqXUFvyOfKfC5Iy44dZGmrnUuT0jpSlA44VvXcN +LEFpEx56BUVhsZFUIuuWeyFELryLe4FSHH0S4VdNICMl/PUI5B+cIDC8NrGv5DYC +cy/OyOvkUqkxW09FSTv0tVUDVydDeWzan4STcnGf7IxiGkb+1XiDKqRSZrjp57RH +CIF8SpbBUxRsRXQc8zKZ8TP74xzXYVT1tLM60H4DqhvFxL4aZqYwSuMeOClNAoh9 +pBEm3t5EcZau6pAo1sLAfAQYAQgADwIbDAUCWYiUYwUJCToztgAhCRBC6GoqEfSN +NhYhBLdEF+3fIqyfnpD0kULoaioR9I02Kw4H/2DsLDtA7Gwfr9bKE6jDzfYKqnPt +97s8X+cKUYa2HIyAMA4tPAjbi2De3/ZSAOBYXNfe49qpmTvg+DNj+dGVKI0lLj/n +/ngK87SDTVAPi3zOPDOmnOs3J3fQj5f6fMOoqYRR7p3BNa7GcDiq/bJ1nkyMh0o+ +N50LzNMevq0KbVAQAXtYOYMWkS49lnT1gV9ZFITSiDAUK8S8vani84mcVxxrjwhc +d+Oy+k4rdnTGpZTayQOXZUS9u6AkSgUlNl6nyR6Vkn+AUi2E3SLUm6XE+aQKlBUq +jZlGSPWuQPQCeduGrdk0OvHuUt9ANhdEhopZLZuMKemOL1fjquaasp4IhGbCwHwE +GAEIAA8CGwwFAle4becFCQdqDTMAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC +6GoqEfSNNmBiB/wOjADNaQrDal06MfWPm2QZNAzytpAi2o48ZRBVueVsjpjMTGJH +I5pPQNjBClQptcaCuoBYubzKB4Ud9bOFqF2cs6Fb61RI9SguKU61LNF0wFAfFIDL +78vvlLWTfWk3sUyTSCz5Ll7Awi1L1P1tbTYrkF+WNCRAvUyUMGWXVfttSFTlWLV8 +LydP3+P1FYSllcRDowvU08hed6AajJfC2b7ECe9LW6IPJ3nLMihimQ3QffbJPmIl +KHm44PhZkEcDoNtk35bvUascINZOwFVLE5TtPmOJfSIgltO7Eip8IluZyhVFL5E/ +WmWGlB10JhHaZtleSgH0N+JWeKvllA450AwHwsB8BBgBCAAPAhsMBQJV8q6rBQkF +pE3sACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZRKgf+PhNUR0er ++HWhlya6pUJISzPQvlUKCBksilDE9xNlH7sN+xxUT1l1Ktc8BrlCE8mJna6DTu1F +S5BWcIZp/2zU7R5ndVqqZa537X3wXZbIBOddCWYTI1WsC762Ihk9BcJhTVKizrPU 
+b4rdYQk4REao8hVL93K+k815e5sobg6YkL+q7ctTK0SO/8hiVWqw4nWDV6brXAEZ +F63cLc5RLlhtjgqPk32m1zcva0blLi9d6/BrJEjjJCL8EYZhS3zX6zZ89hNvt2zv +5+QjwdmxRIT02e2YlLCIwAIJfAuGq6vZdk9xr07nAexTZ4OMZUPudzxXda8qKgdE +7JA38ftiLarCwsLAfAQYAQgADwIbDAUCVBDTxAUJA8JzDAAhCRBC6GoqEfSNNhYh +BLdEF+3fIqyfnpD0kULoaioR9I02CdkH/RfqMPmyHREzTe+YZQfell4+cDHGdrOP +kBYeDV6PDkG2ykuVlrBpT/MVO3MPm+UQ3z3QnlQ8PPArfcypvin8D+wZwKEyDuOc +1i7oiVCZPu6FcA5D29mTINp7ftw9KmR2IfxwPd0afGUM8rUE3gKdVnCzniIS8tpQ +0LxkK+Vxaa3lvQcGogvMiJUAHcb7hR25/nNjzAtZPm0swq5fED+1IFyUYjN4bGZc +33N/UtiTNbems2C0474nXHkexNJUN/Ra533OGZwetlcOlWNEqxJSysIS5ZfDh3dD +RpKjqG2RAAMS2lJEVRfKhbPO1fa2eJVVpLJYexeZh+Fl5TfFmqx6BhvCwHwEGAEI +AA8FAlIvlC0CGwwFCQHhM4AAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNlpRCAC4i/XcrcoBB0hVIPAu7E29n3m29jEvMg+06RulbLDI2D9zyt9kKBCZ +dcjzYVMzUxEDTbpcfiYls23/bDhR32JyFaSvs18Sb9F6AmwJy0TOaeoPToIsQN3r +uTbUdSIJzsusjrafWS4gKQRhP4AmRXWQzXU0XmVy8cOfur3HcRH1frkOKS+d1EMu +chpI5F39TsH3/RTg31gEBB+xtwAbTbwz5tWYBQvq4N8uItNDiStY6j1Ncl54/l+0 +1TeiArIjryi8g5nr46uGYbC/YGn2ACx5VwpvEOuO0mCf+cwQPj5S5Ra30mNGT915 +4b2lP+U/hRBR8ex6Khur6wN5T8mww6jdzsNNBE3K2S4QEADWHqS7zXq3mbnK6VRS +AtAYQkQWSuPqrlXWZNFMdxVi4Lglj4T+UQXsbCn9rsgISlRWCdxmDOJ7eOjj1zo2 +OA0UPnenZOXOB2n8LvhzrIPp9jq7x10qDTDcakXIjvfYqWco6VawbmLjwP25rDJx +u1uoZRQNeCCxQp6aDBrq7AmWrUwd0WfZ5eGOKUrZkg4Sk1EayExwhAz/1Hwvieyz +neWfdRDYzikgLZCxUcL6O6PKHSXg8qQFnd6Br+aJv34FaE9QOzNx1fev3SDDS/Hj +47twkZKu8u0B/pViDvwLcYEieVbHrGwlehvqLAn7jEe+uc+oDpJiMNZDDVW7LWF/ +PoQ5qTxQFeoU9DuQZxSGna1zGcHO4MJCBf5ENiRlhirncWEGsEAQXoGqvP4Gn3hz +7CSjk4eanQjyisrlA5aM0w1eIxVOJxsIjNFV8ewf081aLCqjxD8n5XdY5mnHj/g3 +CNXQ5JEa4mB3WUqXLXC8at9IVxPNpRX5oTT5GtkKGNgPVTqveDcgNc82DBFbxmju +PfkDtyvoHOq1Lu8PGxRN+/l2xhZKoL62qux69GYNQmsLV6WSf9DryOk7ATbbWsHB +oD0DzmfylhFpGzTjlEmNV1uOfms4sCF58WoD7uRUwNs2kelnVcgKqVjTm/72855n +9S9SWSCeDEVw6BCjQp0/md8L1wAECw/8DqIYY8LEtZGEnBSauejVnv8WTM7F/QJD +cslXtj9ocQefxNSQq+EdgJUrUOITowwd/ZtthJlROckJwuAgqSguhv0tXD/iba6i +nAv7WByVTTXcOjAiTn3icz4HJVByDmECxmk6s1TvxD9UpbsaNSsmuK/RvkVL0IlL 
+jpNkJx6mlTlls1JcUsCUifmkwbDUeeps+u2mMVpbjDPCJWeMtv16ckrA0v/ooxeX +B9HgAnWCKXHoCGPII8EEQuKZ58KYaPez8kRTLPqxZC+jhU51R5aT3OluB8iyKdii +i8STKry1morREksjqzkewnycS8fyAAbq2k/LKYHgEjVtSPemAP7DIY60Vsl3Df0U +07j0h4c2BPUkV1fMC9Okmx8Oy5YpDlm9BOrB6I8XHy7ZDYpHDfHb0uIpjwX5J664 +/RtsBaFnb/0LRBr7MkGd4eSoHQwydWNNXakrtepOeOoNxBVmmxSly000wzxGS3xO +Pfuy4s5HEDScuITOzc5R3+oCwOl0pfji+zLnaHVQdiaRep+PAVlzuckyvvQTVa3o +ub65NlPQc7qanIHqE8aQ2Lgjiq2VQI/S0V5QhGn/pX2FP4Oxs4eU29nY/Hgq/j5u +ZOljrL7pp1hwgQtPkE8/EmUQ9oFTYhT+SxpikC9UalAo5IVSqci3662K9YB2sn89 +YTgmVVXCi1HCwHwEGAECAA8FAk3K2S4CGwwFCQlmAYAAIQkQQuhqKhH0jTYWIQS3 +RBft3yKsn56Q9JFC6GoqEfSNNp1pB/9OZoK4Zj8fi6Ruu7q0+tCOm9k3tvQ0FZsm +3QKPLhcilFy0QBabnZ71ih0AzKxPVoKrtHBENZ1hQ58B4lv+zE8LQf4F0gO9ybcD +vlwpTtAlX8il4kONIHeJQmJ1KHi3vKxIM3+i+Igdm5eDyTY2IFTMAjDshMWl0CJK +oPzwZYRZlXoogfrTWrMUPnvz7a7IUb0Kza2GQdq5fQXRiuAImSn9lY8GOLdiLovg +afIrzAaylpgDShiAV9qKm2BfJEpHm9AzuubNPY5tQX3hwlUE7I/DY/nY8LEra2kF +fMhrtPimujMIu32gmJvJe/nHS/z5d4YdUC4H/SDsYqPNRfpacaLP +=T3bO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tor.service b/tor.service new file mode 100644 index 0000000..d40972a --- /dev/null +++ b/tor.service 
@@ -0,0 +1,53 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+#User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor --hush
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor --hush
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=/run/tor
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug @clock @reboot @swap
+UMask=77
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.spec b/tor.spec
new file mode 100644
index 0000000..ef1b362
--- /dev/null
+++ b/tor.spec
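Review bot: `PermissionsStartOnly=yes` in the Hardening block of tor.service has nothing to act on, because `User=` is commented out and the privilege drop is done by `--user tor` on the command line. The option is deprecated in current systemd, and on some releases it appears to exempt `ExecStartPre=` and `ExecReload=` from part of the sandboxing, so the `--verify-config` run that parses `/etc/tor/torrc` as root may be less confined than `ExecStart=`; that should be confirmed against the target systemd version. I would drop the line and put a comment next to `#User=tor`, such as `# tor starts as root and drops to the tor user itself (--user tor)`. `ReadOnlyDirectories=/` is largely covered by `ProtectSystem=strict` already, and the `ReadWriteDirectories=` lines could use the current name `ReadWritePaths=`.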
@@ -0,0 +1,172 @@ +# +# spec file for package tor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2024 Andreas Stieger +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define toruser %{name} +%define torgroup %{name} +%define home_dir %{_localstatedir}/lib/empty +Name: tor +Version: 0.4.8.13 +Release: 0 +Summary: Anonymizing overlay network for TCP (The onion router) +License: BSD-3-Clause +URL: https://www.torproject.org/ +Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz +# https://support.torproject.org/little-t-tor/verify-little-t-tor/ +Source2: tor.keyring +Source3: tor.service +Source4: tor.tmpfiles +Source5: defaults-torrc +Source6: tor-master.service +Source100: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum +Source101: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum.asc +Patch0: tor-0.2.5.x-logrotate.patch +Patch1: fix-test.patch +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: pkgconfig >= 0.9.0 +BuildRequires: pwdutils +BuildRequires: python3-base +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libevent) >= 2.0.10 +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libseccomp) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libzstd) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(zlib) +Requires: logrotate +Requires(post): %fillup_prereq +Recommends: 
torsocks +Provides: group(%{torgroup}) +Provides: user(%{toruser}) +%systemd_ordering +BuildRequires: libscrypt-devel + +%description +Tor is a connection-based low-latency anonymous communication system. + +This package provides the "tor" program, which serves as both a client and +a relay node. Scripts will automatically create a "%{toruser}" user and +a "%{torgroup}" group, and set tor up to run as a daemon when the system +is rebooted. + +Applications connect to the local Tor proxy using the SOCKS +protocol. The tor client chooses a path through a set of relays, in +which each relay knows its predecessor and successor, but no +others. Traffic flowing down the circuit is unwrapped by a symmetric +key at each relay, which reveals the downstream relay. + +Warnings: Tor does no protocol cleaning. That means there is a danger +that application protocols and associated programs can be induced to +reveal information about the initiator. Tor depends on Privoxy or +similar protocol cleaners to solve this problem. This is alpha code, +and is even more likely than released code to have anonymity-spoiling +bugs. The present network is small -- this further reduces the +strength of the anonymity provided. Tor is not presently suitable +for high-stakes anonymity. 
+ +%prep +( cd $(dirname %{SOURCE0}) && echo "$(cat %{SOURCE100} | cut -d' ' -f1) tor-%{version}.tar.gz" | sha256sum --check ) +%autosetup -p1 + +%build +%configure \ + --disable-silent-rules \ + --with-tor-user=%{toruser} \ + --with-tor-group=%{torgroup} \ + --enable-systemd \ + --enable-lzma \ + --enable-zstd \ + --enable-unittests \ + --enable-gcc-warnings-advisory \ + --docdir=%{_docdir}/%{name} +%make_build + +%install +%make_install + +# missing dirs +install -d -m 700 \ + %{buildroot}%{_localstatedir}/lib/%{name} \ + %{buildroot}%{_localstatedir}/tmp/%{name} + +install -d -m 755 \ + %{buildroot}%{_localstatedir}/log/%{name} \ + %{buildroot}/%{_sbindir} + +install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service +install -m 644 -D %{SOURCE6} %{buildroot}/%{_unitdir}/%{name}-master.service +install -m 644 %{SOURCE5} %{buildroot}%{_datadir}/tor/defaults-torrc +install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +ln -s -f service %{buildroot}%{_sbindir}/rc%{name} +ln -s -f service %{buildroot}%{_sbindir}/rc%{name}-master + +# sample config files +install -p -m 644 -D src/config/torrc.{sample,minimal} %{buildroot}/%{_sysconfdir}/%{name} +install -p -m 644 src/config/torrc.minimal %{buildroot}/%{_sysconfdir}/%{name}/torrc + +# logrotate conf +sed -i -e "s|_tor|tor|g" contrib/operator-tools/tor.logrotate +install -D -m 644 contrib/operator-tools/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} + +%check +%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586 +%make_build check || ( + find -type f -name test-suite.log -print -exec cat {} + + exit 42 +) +%endif + +%pre +getent group %{torgroup} >/dev/null || groupadd -r %{torgroup} +getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/nologin -c "User for %{name}" %{toruser} +%service_add_pre tor.service tor-master.service + +%post +%fillup_only +%service_add_post tor.service tor-master.service 
+systemd-tmpfiles --create %{_tmpfilesdir}/tor.conf || : + +%preun +%service_del_preun tor.service tor-master.service + +%postun +%service_del_postun tor.service tor-master.service + +%files +%license LICENSE +%doc README* ChangeLog doc/HACKING doc/man/*.html +%{_mandir}/man*/* +%{_bindir}/* +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/geoip* +%{_datadir}/%{name}/defaults-torrc +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} +%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc +%config %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc.* +%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} +%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-master.service +%{_tmpfilesdir}/%{name}.conf +%{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-master + +%changelog diff --git a/tor.tmpfiles b/tor.tmpfiles new file mode 100644 index 0000000..adfce77 --- /dev/null +++ b/tor.tmpfiles @@ -0,0 +1 @@ +D /run/tor 0755 tor tor - -- 2.51.1 From 815f6f2e0d5f6a9941d6b86162c2178ae4af4699fb707f0523ef37dd415e9753 Mon Sep 17 00:00:00 2001 
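Review bot: The `sha256sum --check` line in `%prep` of tor.spec compares the tarball only with `Source100`, and no step visible in the spec checks the signature in `Source101` against `tor.keyring` (`Source2`), so the comparison catches a corrupted download but not a tarball and checksum file that were replaced together. If the signature is expected to be verified outside the build (for example by the build service's source validation), say so above the check, e.g. `# integrity only; the signature on the .sha256sum file (Source101, tor.keyring) is not verified in this step`; otherwise verify `Source101` over `Source100` with the keyring before the hash is trusted. The same line hard-codes `tor-%{version}.tar.gz` where `Source0` uses `%{name}-%{version}.tar.gz`. The `%ifnarch` list around `%check` also has no comment saying why the test suite is skipped on those architectures.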
From: Bernhard Wiedemann Date: Wed, 5 Feb 2025 18:29:26 +0000 Subject: [PATCH 2/6] tor 0.4.8.14 * bugfix for onion service directory cache * test-network now unconditionally includes IPv6 * Regenerate fallback directories 2025-02-05 * Update the geoip files to 2025-02-05 * Fix a pointer free OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=279 --- .gitattributes | 23 + .gitignore | 1 + defaults-torrc | 11 + fix-test.patch | 21 + tor-0.2.5.x-logrotate.patch | 29 + tor-0.4.8.12.tar.gz | 3 + tor-0.4.8.12.tar.gz.sha256sum | 1 + tor-0.4.8.12.tar.gz.sha256sum.asc | 18 + tor-0.4.8.13.tar.gz | 3 + tor-0.4.8.13.tar.gz.sha256sum | 1 + tor-0.4.8.13.tar.gz.sha256sum.asc | 18 + tor-0.4.8.14.tar.gz | 3 + tor-0.4.8.14.tar.gz.sha256sum | 1 + tor-0.4.8.14.tar.gz.sha256sum.asc | 18 + tor-master.service | 16 + tor.changes | 3185 +++++++++++++++++++++++++++++ tor.keyring | 686 +++++++ tor.service | 53 + tor.spec | 172 ++ tor.tmpfiles | 1 + 20 files changed, 4264 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 defaults-torrc create mode 100644 fix-test.patch create mode 100644 tor-0.2.5.x-logrotate.patch create mode 100644 tor-0.4.8.12.tar.gz create mode 100644 tor-0.4.8.12.tar.gz.sha256sum create mode 100644 tor-0.4.8.12.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.13.tar.gz create mode 100644 tor-0.4.8.13.tar.gz.sha256sum create mode 100644 tor-0.4.8.13.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.14.tar.gz create mode 100644 tor-0.4.8.14.tar.gz.sha256sum create mode 100644 tor-0.4.8.14.tar.gz.sha256sum.asc create mode 100644 tor-master.service create mode 100644 tor.changes create mode 100644 tor.keyring create mode 100644 tor.service create mode 100644 tor.spec create mode 100644 tor.tmpfiles diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/defaults-torrc b/defaults-torrc
new file mode 100644
index 0000000..bf7923e
--- /dev/null
+++ b/defaults-torrc
@@ -0,0 +1,11 @@
+DataDirectory /var/lib/tor
+PidFile /var/run/tor/tor.pid
+Log notice syslog
+ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
+ControlSocketsGroupWritable 1
+SocksPort unix:/var/run/tor/socks WorldWritable
+SocksPort 9050
+
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+CookieAuthFile /var/run/tor/control.authcookie
diff --git a/fix-test.patch b/fix-test.patch
new file mode 100644
index 0000000..9eedcfd
--- /dev/null
+++ b/fix-test.patch
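Review bot: defaults-torrc carries no comments, and two of its settings need one: `RelaxDirModeCheck` on the `ControlSocket` line turns off tor's insistence that the socket's directory be access-restricted, and `WorldWritable` on the unix `SocksPort` lets every local account use the proxy. With the directory check relaxed, access to the control socket rests on the socket's own group-write mode and the group-readable cookie, so membership of the tor group is what grants control-port access; a line such as `# members of the tor group can control this tor instance (socket and cookie are group-accessible)` would make that explicit. `ControlSocketsGroupWritable 1` appears to repeat what the `GroupWritable` flag already sets. The paths use `/var/run/tor` while tor.service and tor.tmpfiles use `/run/tor`; using `/run/tor` throughout would avoid depending on the `/var/run` symlink.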
@@ -0,0 +1,21 @@ +commit 0384f5b3efbb041e2bc0080a6b6259e1b96815af +Author: Bernhard M. Wiedemann +Date: Wed Aug 21 11:36:05 2019 +0200 + + Workaround a LTO-induced test-failure + + https://bugzilla.opensuse.org/show_bug.cgi?id=1146548#c3 + +diff --git a/src/test/bt_test.py b/src/test/bt_test.py +index f9ca79efd..07026164a 100755 +--- a/src/test/bt_test.py ++++ b/src/test/bt_test.py +@@ -30,7 +30,7 @@ def matches(lines, funcs): + else: + return True + +-FUNCNAMES = "crash oh_what a_tangled_web we_weave main".split() ++FUNCNAMES = "oh_what a_tangled_web we_weave main".split() + + LINES = sys.stdin.readlines() + diff --git a/tor-0.2.5.x-logrotate.patch b/tor-0.2.5.x-logrotate.patch new file mode 100644 index 0000000..c08d015 --- /dev/null +++ b/tor-0.2.5.x-logrotate.patch @@ -0,0 +1,29 @@ +From: Andreas Stieger +Subject: openSUSE specific logrotate fixes +Date: Sun, 18 May 2014 00:10:32 +0100 +Upstream: no +References: + +* add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir +* use "service tor" instead of "/etc/init.d/tor" to reload after logrotate + to fix logrotate on systemd-only setups without init script (by seife) + +--- + contrib/operator-tools/tor.logrotate.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in +=================================================================== +--- tor-0.2.5.10.orig/contrib/operator-tools/tor.logrotate.in 2014-06-27 22:45:19.000000000 +0100 ++++ tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in 2014-10-24 20:22:54.000000000 +0100 +@@ -7,8 +7,9 @@ + notifempty + # you may need to change the username/groupname below + create 0640 _tor _tor ++ su _tor _tor + sharedscripts + postrotate +- /etc/init.d/tor reload > /dev/null ++ /usr/bin/systemctl try-reload-or-restart tor + endscript + } diff --git a/tor-0.4.8.12.tar.gz b/tor-0.4.8.12.tar.gz new file mode 100644 index 0000000..5f65915 --- /dev/null +++ b/tor-0.4.8.12.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 +size 9687430 diff --git a/tor-0.4.8.12.tar.gz.sha256sum b/tor-0.4.8.12.tar.gz.sha256sum new file mode 100644 index 0000000..644490a --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum @@ -0,0 +1 @@ +ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 tor-0.4.8.12.tar.gz diff --git a/tor-0.4.8.12.tar.gz.sha256sum.asc b/tor-0.4.8.12.tar.gz.sha256sum.asc new file mode 100644 index 0000000..8a0263c --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmZhuq0ACgkQQuhqKhH0 +jTYZXAf+J26VUvM2M1DsjeUAMOZPEtNsQ0voIN9jeXFHUt7p3tqa2aBe8gJ5IREC +MtFK6MJLjJEHf6javbwoZuXXQ+xepJftPdJ9AR2bGlTConWE0VNVvfigawFHyKZn +Sdt6JyB2AesWl0HLIZnOXeSLy8JA12s/HPWtt8Fsf94drZwQsSl+WQGHr787JugF +aYmNRR4L+y46xL5HXbJ8KTc/UKPNlT+1vvwoAisofOQywrIJZGFsKpaowNiW9RWi +MXUdjmPjKJZ8vn+FQG0ZOmahUWMOMYIt6fWmkttI5KF6HajtGNTG4A+A5+QMBoif +N/VyJsISI2beHBAgAgPNGsXAa0FsIA== +=2gNt +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZmHEggAKCRC+agUxwYqR +eVRoAP0SI+tzoCS06Pf1EJ0Mvea/ACIDZ5+XCaf9U0urRciMhgEA4BjvVG7I2cD8 +vGcxbkRtg4h9vZTr8rhdtSczdo3KYAY= +=C9WI +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.13.tar.gz b/tor-0.4.8.13.tar.gz new file mode 100644 index 0000000..582dde4 --- /dev/null +++ b/tor-0.4.8.13.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 +size 9912610 diff --git a/tor-0.4.8.13.tar.gz.sha256sum b/tor-0.4.8.13.tar.gz.sha256sum new file mode 100644 index 0000000..0a3a86a --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum @@ -0,0 +1 @@ +9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 tor-0.4.8.13.tar.gz 
diff --git a/tor-0.4.8.13.tar.gz.sha256sum.asc b/tor-0.4.8.13.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e0fec9 --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmcaXcgACgkQQuhqKhH0 +jTY76wgAwOXmC2L3o594jJTXXAooZRkdQL/wAk4o6iNKFHmwiyIz/MGVTcrQBQSN +Hv3dQUhe3G3Z42M7GnJlEkFDA9Z6iBprkg0y9cD7nbmqC9nkB1zMdrUXdXOgMulG +sybEgzRFqTLVQmJzA4/tcGcjU+AXCqG13z1ScHOZP3Ev8S6yPntfax42hnFewAoW +OLSaYU68PGZ88uO2lAe65Hr/detdfJeWsG0rKK6jtCkej49qijiERemKZKCMTpYc +iW8DGA0n/O1p+qOHF4e0Du7lzhP1CckI5HeWZS2wgtqDKol1Kw86zugPfYWyh/V+ +WWEofhVb2OZOHed1qL9OeutDfdNtcg== +=NXg7 +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZxpelAAKCRC+agUxwYqR +eV+2AP99m5nYfq/z1P7SYUpW1ddreizjFqlaQvJ1QhbZbpqc+AD+LxmvhDxM7+6S +8vyZWFHZYQ8ehhMftF70qM6o9NpQHgs= +=4Hya +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.14.tar.gz b/tor-0.4.8.14.tar.gz new file mode 100644 index 0000000..94d8d65 --- /dev/null +++ b/tor-0.4.8.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 +size 9965322 diff --git a/tor-0.4.8.14.tar.gz.sha256sum b/tor-0.4.8.14.tar.gz.sha256sum new file mode 100644 index 0000000..12b1c1b --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum @@ -0,0 +1 @@ +5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 tor-0.4.8.14.tar.gz diff --git a/tor-0.4.8.14.tar.gz.sha256sum.asc b/tor-0.4.8.14.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e1b75d --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmejd6AACgkQQuhqKhH0 +jTY6yQf+K0xq5gMonH60H7/JXbwSjlbOEJ6+np3iBY781MtYfwS0LdcirgLx4JGK +6+UFq87sIKnobyNGap5OhU4Wao+id6jJRo8gaM18ogkSTbdqK0iDILbtz2rL5ghF +Y2MLMmHHW0oSCQdO6N0dqMqKATXs0lFyVWbO9i4nR2wJnldk837JSl9USpP0pMUx +YL9DPN38y2QAbnSx0cRfoHH72gpDCAlxkW4pG1BYvVswaNzsY3xHeCb7ibiw3hm4 +9UyTgLC13HEedb66vok+rGzH7PilpX2rGxuhhTFSwRy5G+tv8BT6eBDSO5yuOFNT ++uRdGGW7VMo4jVbpnsLi84zPPAZsNg== +=OLaG +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZ6N4XwAKCRC+agUxwYqR +ea5DAQDr6kp7EtlHvgdBRmO/LlK93shDnM0lWsriBh3EHjse7wD/dJYEaHgCEPja +R1UKjD+dijMe3/ogEcoCAGQHk+Ak1wE= +=5r4b +-----END PGP SIGNATURE----- diff --git a/tor-master.service b/tor-master.service new file mode 100644 index 0000000..1426f4f --- /dev/null +++ b/tor-master.service @@ -0,0 +1,16 @@ +# Use tor-master.service to restart/reload/stop the main tor.service and +# all instances of tor@.service that are running. +# +# systemd targets cannot be reloaded so this is a service instead. + +[Unit] +Description=Anonymizing overlay network for TCP (multi-instance master) + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true +ExecReload=/bin/true + +[Install] +WantedBy=multi-user.target diff --git a/tor.changes b/tor.changes new file mode 100644 index 0000000..6dbb8e0 --- /dev/null +++ b/tor.changes 
@@ -0,0 +1,3185 @@
+-------------------------------------------------------------------
+Wed Feb 5 18:26:41 UTC 2025 - Bernhard Wiedemann
+
+- tor 0.4.8.14
+ * bugfix for onion service directory cache
+ * test-network now unconditionally includes IPv6
+ * Regenerate fallback directories 2025-02-05
+ * Update the geoip files to 2025-02-05
+ * Fix a pointer free
+
+-------------------------------------------------------------------
+Fri Dec 27 21:55:57 UTC 2024 - Andreas Stieger
+
+- tor 0.4.8.13
+ * Conflux related client circuit building performance bugfix
+ * Fix minor memory leaks
+ * Add STATUS TYPE=version handler for Pluggable Transport
+
+-------------------------------------------------------------------
+Tue Jun 11 10:05:46 UTC 2024 - Bernhard Wiedemann
+
+- tor 0.4.8.12
+ * Minor features and bugfixes
+ * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes
+
+-------------------------------------------------------------------
+Thu Apr 11 06:50:01 UTC 2024 - Bernhard Wiedemann
+
+- tor 0.4.8.11
+ * Minor features and bugfixes
+ * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes
+
+-------------------------------------------------------------------
+Wed Feb 14 15:50:14 UTC 2024 - Martin Pluskal
+
+- Enables scrypt support unconditionally
+
+-------------------------------------------------------------------
+Mon Feb 5 09:01:39 UTC 2024 - Andreas Stieger
+
+- fix users/groups with rpm 4.19
+
+-------------------------------------------------------------------
+Fri Dec 8 21:51:16 UTC 2023 - Bernhard Wiedemann
+
+- tor 0.4.8.10:
+ * (TROVE-2023-007, exit) (boo#1217918)
+ - fix a a UAF and NULL pointer dereference crash on Exit relays
+
+-------------------------------------------------------------------
+Thu Nov 9 14:29:00 UTC 2023 - Bernhard Wiedemann
+
+- tor 0.4.8.9:
+ * (onion service, TROVE-2023-006):
+ - Fix a possible hard assert on a NULL pointer
+ * (guard usage):
+ - When Tor excluded a guard
due to temporary circuit restrictions,
+ it considered *additional* primary guards for potential usage by
+ that circuit.
+
+-------------------------------------------------------------------
+Fri Nov 3 20:51:01 UTC 2023 - Andreas Stieger
+
+- tor 0.4.8.8:
+ * Mitigate an issue when Tor compiled with OpenSSL can crash during
+ handshake with a remote relay. (TROVE-2023-004, boo#1216873)
+ * Regenerate fallback directories generated on November 03, 2023.
+ * Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2023/11/03
+ * directory authority: Look at the network parameter
+ "maxunmeasuredbw" with the correct spelling
+ * vanguards addon support: Count the conflux linked cell as
+ valid when it is successfully processed. This will quiet a
+ spurious warn in the vanguards addon
+
+-------------------------------------------------------------------
+Mon Sep 25 20:15:52 UTC 2023 - Andreas Stieger
+
+- tor 0.4.8.7:
+ * Fix an issue that prevented us from pre-building more conflux
+ sets after existing sets had been used
+
+-------------------------------------------------------------------
+Tue Sep 19 16:52:36 UTC 2023 - Andreas Stieger
+
+- tor 0.4.8.6:
+ * onion service: Fix a reliability issue where services were
+ expiring their introduction points every consensus update.
+ This caused connectivity issues for clients caching the old
+ descriptor and intro points
+ * Log the input and output buffer sizes when we detect a potential
+ compression bomb
+ * Disable multiple BUG warnings of a missing relay identity key when
+ starting an instance of Tor compiled without relay support
+ * When reporting a pseudo-networkstatus as a bridge authority, or
+ answering "ns/purpose/*" controller requests, include accurate
+ published-on dates from our list of router descriptors
+ * Use less frightening language and lower the log-level of our
+ run-time ABI compatibility check message in our Zstd
+ compression subsystem
+
+-------------------------------------------------------------------
+Wed Aug 30 18:50:03 UTC 2023 - Andreas Stieger
+
+- tor 0.4.8.5:
+ * bugfixes creating log BUG stacktrace
+
+-------------------------------------------------------------------
+Sun Aug 27 15:23:43 UTC 2023 - Andreas Stieger
+
+- tor 0.4.8.4:
+ * Extend DoS protection to partially opened channels and known
+ relays
+ * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks
+ against hidden services.
Disabled by default, enable via
+ "HiddenServicePoW" in torrc
+ * Implement conflux traffic splitting
+ * Directory authorities and relays now interact properly with
+ directory authorities if they change addresses
+
+-------------------------------------------------------------------
+Sun Jul 30 07:33:04 UTC 2023 - Andreas Stieger
+
+- tor 0.4.7.14:
+ * bugfix affecting vanguards (onion service), and minor fixes
+
+-------------------------------------------------------------------
+Fri Mar 10 08:27:57 UTC 2023 - Martin Pluskal
+
+- Enable support for scrypt()
+
+-------------------------------------------------------------------
+Fri Jan 13 06:29:25 UTC 2023 - Bernhard Wiedemann
+
+- tor 0.4.7.13:
+ * fix SafeSocks option to avoid DNS leaks (boo#1207110, TROVE-2022-002)
+ * improve congestion control
+ * fix relay channel handling
+
+-------------------------------------------------------------------
+Tue Dec 6 21:10:57 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.12:
+ * new key for moria1
+ * new metrics are exported on the MetricsPort for the congestion
+ control subsystem
+
+-------------------------------------------------------------------
+Thu Nov 10 19:14:54 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.11:
+ * Improve security of DNS cache by randomly clipping the TTL
+ value (boo#1205307, TROVE-2021-009)
+ * Improved defenses against network-wide DoS, multiple counters
+ and metrics added to MetricsPorts
+ * Apply circuit creation anti-DoS defenses if the outbound
+ circuit max cell queue size is reached too many times. This
+ introduces two new consensus parameters to control the queue
+ size limit and number of times allowed to go over that limit.
+ * Directory authority updates
+ * IPFire database and geoip updates
+ * Bump the maximum amount of CPU that can be used from 16 to 128.
+ The NumCPUs torrc option overrides this hardcoded maximum.
+ * onion service: set a higher circuit build timeout for opened
+ client rendezvous circuit to avoid timeouts and retry load
+ * Make the service retry a rendezvous if the circuit is being
+ repurposed for measurements
+
+-------------------------------------------------------------------
+Fri Aug 12 15:52:53 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.10
+ * IPFire location database did not have proper ARIN network
+ allocations - affected circuit path selection and relay metrics
+
+-------------------------------------------------------------------
+Thu Aug 11 16:39:24 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.9 (boo#1202336)
+ * major fixes aimed at reducing memory pressure on relays
+ * prevent a possible side-channel
+ * major bugfix related to congestion control
+ * major bugfix related to Vanguard L2 layer node selection
+
+-------------------------------------------------------------------
+Thu Jun 16 17:08:53 UTC 2022 - Bernhard Wiedemann
+
+- tor 0.4.7.8
+ * Fix a scenario where RTT estimation can become wedged, seriously
+ degrading congestion control performance on all circuits. This
+ impacts clients, onion services, and relays, and can be triggered
+ remotely by a malicious endpoint.
+ (TROVE-2022-001, CVE-2022-33903, boo#1200672)
+ * Regenerate fallback directories generated on June 17, 2022.
+ * Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/06/17.
+ * Allow the rseq system call in the sandbox
+ * logging bug fixes
+
+-------------------------------------------------------------------
+Wed Apr 27 18:29:58 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.7
+ * New feature: Congestion control to improve traffic speed and
+ stability on the network once a majority of Exit nodes upgrade
+ boo#1198949
+ * Directory authorities: improved handling of "MiddleOnly" relays
+ * Improved mitigation against guard discovery attacks on clients
+ and short-lived services
+ * Improve observed performance under DNS load
+ * Improve handling of overload state
+ * end-of-life relays running version 0.4.2.x, 0.4.3.x,
+ 0.4.4.x and 0.4.5 alphas/rc, 0.3.5.x are now rejected
+ * Onion service v2 addresses are no longer recognized
+
+-------------------------------------------------------------------
+Sun Feb 6 01:10:07 UTC 2022 - Bernhard Wiedemann
+
+- tor 0.4.6.10
+ * minor bugfixes and features
+ * https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.6/ReleaseNotes
+
+-------------------------------------------------------------------
+Fri Dec 17 18:54:05 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.9:
+ * remove the DNS timeout metric from the overload general signal
+ * regenerate fallback directories generated on December 15, 2021
+ * Update the geoip files to match the IPFire Location Database,
+ as retrieved on 2021/12/15
+ * Reject IPv6-only DirPort
+
+-------------------------------------------------------------------
+Sat Nov 13 11:02:55 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.8:
+ * Improving reporting of general overload state for DNS timeout
+ errors by relays
+ * Regenerate fallback directories for October 2021
+ * Bug fixes for onion services
+ * CVE-2021-22929: do not log v2 onion services access attempt
+ warnings on disk excessively (TROVE-2021-008, boo#1192658)
+
+-------------------------------------------------------------------
+Tue Aug 24 09:11:38 UTC 2021 - Jan Engelhardt
+
+- Reduce boilerplate generated by
%service_*.
+
+-------------------------------------------------------------------
+Tue Aug 17 18:52:40 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.6.7:
+ * Fix a DoS via a remotely triggerable assertion failure
+ (boo#1189489, TROVE-2021-007, CVE-2021-38385)
+
+-------------------------------------------------------------------
+Tue Jul 6 07:13:19 UTC 2021 - Bernhard Wiedemann
+
+- Add missing service_add_pre tor-master.service
+
+-------------------------------------------------------------------
+Thu Jul 1 11:13:23 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.6:
+ * Fix a compilation error with gcc 7, drop tor-0.4.6.5-gcc7.patch
+ * Enable the deterministic RNG for unit tests that covers the
+ address set bloomfilter-based API's
+
+-------------------------------------------------------------------
+Wed Jun 16 20:32:43 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.5
+ * Add controller support for creating v3 onion services with
+ client auth
+ * When voting on a relay with a Sybil-like appearance, add the
+ Sybil flag when clearing out the other flags.
This lets a relay
+ operator know why their relay hasn't been included in the
+ consensus
+ * Relays now report how overloaded they are
+ * Add a new DoS subsystem to control the rate of client
+ connections for relays
+ * Relays now publish statistics about v3 onions services
+ * Improve circuit timeout algorithm for client performance
+- add tor-0.4.6.5-gcc7.patch to fix build with gcc7
+
+-------------------------------------------------------------------
+Mon Jun 14 18:06:34 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.5.9
+ * Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322)
+ * Detect more failure conditions from the OpenSSL RNG code (boo#1187323)
+ * Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549, boo#1187324)
+ * Fix an out-of-bounds memory access in v3 onion service descriptor parsing (CVE-2021-34550, boo#1187325)
+
+-------------------------------------------------------------------
+Tue May 11 01:54:10 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.5.8
+ * https://lists.torproject.org/pipermail/tor-announce/2021-May/000219.html
+ * allow Linux sandbox with Glibc 2.33
+ * work with autoconf 2.70+
+ * several other minor features and bugfixes (see announcement)
+
+-------------------------------------------------------------------
+Sat Apr 24 19:07:24 UTC 2021 - Andreas Stieger
+
+- fix packaging warnings related to tor-master service
+
+-------------------------------------------------------------------
+Fri Apr 23 21:22:30 UTC 2021 - Andreas Stieger
+
+- Fix logging issue due to systemd picking up stdout - boo#1181244
+ Continue to log notices to syslog by default.
+- actually build with lzma/zstd +- skip i586 tests (boo#1179331) + +------------------------------------------------------------------- +Tue Mar 16 23:38:53 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.7 + * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html + * Fix 2 denial of service security issues (boo#1183726) + + Disable the dump_desc() function that we used to dump unparseable + information to disk (CVE-2021-28089) + + Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority + (CVE-2021-28090) + * Ship geoip files based on the IPFire Location Database + +------------------------------------------------------------------- +Tue Feb 16 07:49:14 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.6 + * https://lists.torproject.org/pipermail/tor-announce/2021-February/000214.html + * Introduce a new MetricsPort HTTP interface + * Support IPv6 in the torrc Address option + * Add event-tracing library support for USDT and LTTng-UST + * Try to read N of N bytes on a TLS connection +- Drop upstream tor-practracker.patch + +------------------------------------------------------------------- +Fri Feb 5 08:16:39 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.4.7 + * https://blog.torproject.org/node/1990 + * Stop requiring a live consensus for v3 clients and services + * Re-entry into the network is now denied at the Exit level + * Fix undefined behavior on our Keccak library + * Strip '\r' characters when reading text files on Unix platforms + * Handle partial SOCKS5 messages correctly +- Add tor-practracker.patch to fix tests + +------------------------------------------------------------------- +Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann + +- Restrict service permissions with systemd + +------------------------------------------------------------------- +Thu Nov 12 17:02:48 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.6 + * Check channels+circuits on relays more thoroughly + 
(TROVE-2020-005, boo#1178741)
+
+-------------------------------------------------------------------
+Tue Sep 15 14:51:40 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.4.5
+ * Improve guard selection
+ * IPv6 improvements
+
+-------------------------------------------------------------------
+Wed Aug 19 09:49:51 UTC 2020 - Dominique Leuenberger
+
+- Use %{_tmpfilesdir} instead of abusing %{_libexecdir}/tmpfiles.d.
+
+-------------------------------------------------------------------
+Thu Jul 9 17:27:13 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.3.6
+ * Fix a crash due to an out-of-bound memory access (CVE-2020-15572)
+ * Some minor fixes
+
+-------------------------------------------------------------------
+Mon Jun 29 08:57:42 UTC 2020 - Bernhard Wiedemann
+
+- Fix logrotate to not fail when tor is stopped (boo#1164275)
+
+-------------------------------------------------------------------
+Fri May 15 18:58:11 UTC 2020 - Andreas Stieger
+
+- tor 0.4.3.5:
+ * first stable release in the 0.4.3.x series
+ * implement functionality needed for OnionBalance with v3 onion
+ services
+ * significant refactoring of our configuration and controller
+ functionality
+ * Add support for banning a relay's ed25519 keys in the
+ approved-routers file in support for migrating away from RSA
+ * support OR connections through a HAProxy server
+
+-------------------------------------------------------------------
+Wed Mar 18 20:52:20 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.7
+ * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013)
+ * CVE-2020-10593: circuit padding memory leak (boo#1167014)
+ * Directory authorities now signal bandwidth pressure to clients
+ * Avoid excess logging on bug when flushing a buffer to a TLS connection
+
+-------------------------------------------------------------------
+Fri Jan 31 08:32:28 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.6
+ * Correct how we use libseccomp
+ * Fix crash when reloading logging configuration while the
+
experimental sandbox is enabled
+ * Avoid a possible crash when logging an assertion
+ about mismatched magic numbers
+
+-------------------------------------------------------------------
+Tue Jan 7 11:21:02 UTC 2020 - Bernhard Wiedemann
+
+- Update tor.service and add defaults-torrc
+ to work without dropped torctl (boo#1072274)
+- Add tor-master.service to allow handling multiple tor daemons
+
+-------------------------------------------------------------------
+Sat Dec 14 20:35:25 UTC 2019 - Andreas Stieger
+
+- tor 0.4.2.5:
+ * first stable release in the 0.4.2.x series
+ * improves reliability and stability
+ * several stability and correctness improvements for onion services
+ * fixes many smaller bugs present in previous series
+
+-------------------------------------------------------------------
+Tue Dec 10 08:27:14 UTC 2019 - Andreas Stieger
+
+- tor 0.4.1.7:
+ * several bugfixes to improve stability and correctness
+ * fixes for relays relying on AccountingMax
+
+-------------------------------------------------------------------
+Mon Oct 7 13:16:38 UTC 2019 - Martin Pluskal
+
+- Update dependnecnies:
+ * python3 instead of python
+ * add libpcap and seccomp
+- Use more suitable macros for building and systemd dependencies
+
+-------------------------------------------------------------------
+Thu Sep 19 13:02:59 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.6
+ * Tolerate systems (including some Linux installations) where
+ madvise MADV_DONTFORK / MADV_DONTDUMP are available at build-time,
+ but not at run time.
+ * Do not include the deprecated on Linux
+ * Fix the MAPADDRESS controller command to accept one or more arguments
+ * Always retry v2+v3 single onion service intro and rendezvous circuits
+ with a 3-hop path
+ * Use RFC 2397 data URL scheme to embed an image into tor-exit-notice.html
+
+-------------------------------------------------------------------
+Tue Aug 20 15:43:45 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.5
+ * Onion service clients now add padding cells at the start of their
+ INTRODUCE and RENDEZVOUS circuits to make it look like
+ Exit traffic
+ * Add a generic publish-subscribe message-passing subsystem
+ * Controller commands are now parsed using a generalized parsing
+ subsystem
+ * Implement authenticated SENDMEs as detailed in proposal 289
+ * Our node selection algorithm now excludes nodes in linear time
+ * Construct a fast secure pseudorandom number generator for
+ each thread, to use when performance is critical
+ * Consider our directory information to have changed when our list
+ of bridges changes
+ * Do not count previously configured working bridges towards our
+ total of working bridges
+ * When considering upgrading circuits from "waiting for guard" to
+ "open", always ignore circuits that are marked for close
+ * Properly clean up the introduction point map when circuits change
+ purpose
+ * Fix an unreachable bug in which an introduction point could try to
+ send an INTRODUCE_ACK
+ * Clients can now handle unknown status codes from INTRODUCE_ACK
+ cells
+- Remove upstreamed tor-0.3.5.8-no-ssl-version-warning.patch
+- Compile without -Werror to build with LTO (boo#1146548)
+- Add fix-test.patch to workaround a LTO-induced test-failure
+
+-------------------------------------------------------------------
+Fri Jul 26 12:23:05 UTC 2019 - matthias.gerstner@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+-------------------------------------------------------------------
+Mon May 20 12:55:12 UTC 2019 - Christophe Giboudeaux
+
+- Add the missing zlib requirement.
+
+-------------------------------------------------------------------
+Fri May 10 09:46:26 UTC 2019 - Andreas Stieger
+
+- tor 0.4.0.5:
+ * new stable branch, but not a long-term support branch
+ * improvements for power management and bootstrap reporting
+ * preliminary backend support for circuit padding to prevent some
+ kinds of traffic analysis
+ * refactoring for long-term maintainability
+- drop upstreamed tor-0.3.5.8-nonetwork.patch
+
+-------------------------------------------------------------------
+Mon Apr 15 12:24:02 UTC 2019 - Bernhard Wiedemann
+
+- Add tor-0.3.5.8-no-ssl-version-warning.patch (boo#1129411)
+- Update tor.tmpfiles to use /run instead of /var/run
+
+-------------------------------------------------------------------
+Mon Feb 25 15:55:39 UTC 2019 - bwiedemann@suse.com
+
+- Add tor-0.3.5.8-nonetwork.patch to fix test failures
+ without network
+
+-------------------------------------------------------------------
+Fri Feb 22 15:04:30 UTC 2019 - bwiedemann@suse.com
+
+- tor 0.3.5.8:
+ * CVE-2019-8955 prevent attackers from making tor run
+ out of memory and crash
+ * Allow SOCKS5 with empty username+password
+ * Update geoip and geoip6 to the February 5 2019 Maxmind
+ GeoLite2 Country database
+ * Select guards even if the consensus has expired, as long
+ as the consensus is still reasonably live
+
+-------------------------------------------------------------------
+Mon Jan 7 23:16:55 UTC 2019 - astieger@suse.com
+
+- tor 0.3.5.7:
+ * first stable release in 0.3.5.x LTS branch
+ * support client authorization for v3 onion services
+ * cleanups to bootstrap reporting
+ * support for improved bandwidth measurement tools
+ * the default version for newly created onion services is now v3
+
(HiddenServiceVersion option can be used to override)
+ * If stem is used, an update of stem mey be required
+
+-------------------------------------------------------------------
+Mon Jan 7 23:01:18 UTC 2019 - astieger@suse.com
+
+- tor 0.3.4.10:
+ * OpenSSL compatibility fixes
+ * Fixes for relay bugs
+ * update fallback directory list
+
+-------------------------------------------------------------------
+Sat Nov 3 08:45:43 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.9:
+ * Various bug fixes, including a bandwidth management bug that
+ was causing memory exhaustion on relays
+
+-------------------------------------------------------------------
+Mon Sep 10 15:51:17 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.8 (boo#1107847):
+ * improvements for running in low-power and embedded environments
+ * preliminary changes for new bandwidth measurement system
+ * refine anti-denial-of-service code
+
+-------------------------------------------------------------------
+Mon Sep 10 13:52:34 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.10:
+ * various build and compatibility fixes
+ * The control port now exposes the list of HTTPTunnelPorts and
+ ExtOrPorts via GETINFO net/listeners/httptunnel and
+ net/listeners/extor respectively
+ * Authorities no longer vote to make the subprotocol version
+ "LinkAuth=1" a requirement: it is unsupportable with NSS, and
+ hasn't been needed since Tor 0.3.0.1-alpha
+ * When voting for recommended versions, make sure that all of the
+ versions are well-formed and parsable
+ * various minor bug fixes on onion services
+
+-------------------------------------------------------------------
+Sat Jul 14 18:31:57 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.9:
+ * move to a new bridge authority
+ * backport some bug fixes
+- refresh upstream signing keyring
+
+-------------------------------------------------------------------
+Mon Jul 9 19:38:14 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.8:
+ * directory authority memory leak fix
+ * various
minor bug fixes
+
+-------------------------------------------------------------------
+Tue Jun 12 16:59:58 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.7:
+ * Add an IPv6 address for the "dannenberg" directory authority
+ * Improve accuracy of the BUILDTIMEOUT_SET control port event's
+ TIMEOUT_RATE and CLOSE_RATE fields
+ * Only select relays when tor has descriptors that it prefers to
+ use for them, avoiding nonfatal errors later
+
+-------------------------------------------------------------------
+Sun May 27 11:33:54 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.6:
+ * new stable release series
+ * controller support and other improvements for v3 onion services
+ * official support for embedding Tor within other application
+ * Improvements to IPv6 support
+ * Relay option ReducedExitPolicy to configure a reasonable default
+ * Revent DoS via malicious protocol version string (boo#1094283)
+ * Many other other bug fixes and improvements
+
+-------------------------------------------------------------------
+Sat Mar 3 18:39:39 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.10:
+ * CVE-2018-0490: remote crash vulnerability against directory
+ authorities (boo#1083845, TROVE-2018-001)
+ * CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002)
+ * New system for improved resistance to DoS attacks against relays
+ * Various other bug fixes
+
+-------------------------------------------------------------------
+Wed Jan 10 21:33:45 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.9:
+ * new onion service design (v3), not default
+ * new circuit scheduler algorithm for improved performance
+ * directory authority updates
+ * many other updates and improvements
+
+-------------------------------------------------------------------
+Fri Dec 1 20:33:08 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.9 with the following security fixes that prevent some
+ traffic confirmation, DoS and other problems (bsc#1070849):
+ * CVE-2017-8819: Replay-cache ineffective for v2 onion
services
+ * CVE-2017-8820: Remote DoS attack against directory authorities
+ * CVE-2017-8821: An attacker can make Tor ask for a password
+ * CVE-2017-8822: Relays can pick themselves in a circuit path
+ * CVE-2017-8823: Use-after-free in onion service v2
+
+-------------------------------------------------------------------
+Wed Oct 25 15:05:45 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.8:
+ * Add "Bastet" as a ninth directory authority to the default list
+ * The directory authority "Longclaw" has changed its IP address
+ * Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer
+ * Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database
+- drop tor-0.3.1.7-fix-zstd-i586.patch, upstreamed
+
+-------------------------------------------------------------------
+Wed Sep 20 14:44:09 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.7:
+ * Serve and download directory information in more compact
+ formats
+ * New padding padding system to resist netflow-based traffic
+ analysis
+ * Improve protection against identification of tor traffic by ISP
+ via ConnectionPadding option
+ * Reduce the number of long-term connections open between relays
+- add tor-0.3.1.7-fix-zstd-i586.patch to fix 32 bit build with zstd
+
+-------------------------------------------------------------------
+Mon Sep 18 16:38:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.11:
+ * CVE-2017-0380: hidden services with the SafeLogging option
+ disabled could disclose the stack TROVE-2017-008, boo#1059194
+ * Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
+ Country database.
+ * drop tor-0.3.0.7-gcc7-fallthrough.patch, now upstream
+
+-------------------------------------------------------------------
+Thu Aug 3 11:26:00 UTC 2017 - jloehel@suse.com
+
+- tor 0.3.0.10
+ * Fix a typo that had prevented TPROXY-based transparent proxying
+ from working under Linux.
+ * Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems.
+
+-------------------------------------------------------------------
+Fri Jun 30 11:53:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.9:
+ * CVE-2017-0377: Fix path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen
+ exit relay (bsc#1046845)
+ * Don't block bootstrapping when a primary bridge is offline and
+ tor cannot get its descriptor
+ * When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old).
+ * Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Thu Jun 8 18:47:31 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.8 fixing a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure
+ * CVE-2017-0375: remotely triggerable assertion failure when a
+ hidden service handles a malformed BEGIN cell (bsc#1043455)
+ * CVE-2017-0376: remotely triggerable assertion failure caused by
+ receiving a BEGIN_DIR cell on a hidden service rendezvous
+ circuit (bsc#1043456)
+- further bug fixes:
+ * link handshake fixes when changing x509 certificates
+ * Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes
+ * When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that was
+ used on the TLS connection
+ * Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule
+
+-------------------------------------------------------------------
+Wed May 31 10:01:51 UTC 2017 - astieger@suse.com
+
+- fix build with GCC 7: warning-errors on implicit fallthrough
+ add
tor-0.3.0.7-gcc7-fallthrough.patch bsc#1041262
+
+-------------------------------------------------------------------
+Tue May 16 00:26:43 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.7:
+ * Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor
+ relay process to exit. TROVE-2017-002 bsc#1039211
+ * Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+ * Tor no longer refuses to download microdescriptors or
+ descriptors if they are listed as "published in the future"
+ * The getpid() system call is now permitted under the Linux
+ seccomp2 sandbox, to avoid crashing with versions of OpenSSL
+ (and other libraries) that attempt to learn the process's PID
+ by using the syscall rather than the VDSO code
+
+-------------------------------------------------------------------
+Thu Apr 27 06:23:44 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.6:
+ * clients and relays now use Ed25519 keys to authenticate their
+ link connections to relays, rather than the old RSA1024 keys
+ that they used before.
+ * replace the guard selection and replacement algorithm to behave
+ more robustly in the presence of unreliable networks, and to
+ resist guard-capture attacks.
+ * numerous other small features and bugfixes
+ * groundwork for the upcoming hidden-services revamp
+
+-------------------------------------------------------------------
+Wed Mar 1 22:45:42 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.10:
+ * directory authority: During voting, when marking a relay as a
+ probable sybil, do not clear its BadExit flag: sybils can still
+ be bad in other ways too.
+ * IPv6 Exits: Stop rejecting all IPv6 traffic on Exits whose exit
+ policy rejects any IPv6 addresses. Instead, only reject a port
+ over IPv6 if the exit policy rejects that port on more than an
+ IPv6 /16 of addresses.
+ * parsing: Fix an integer underflow bug when comparing malformed
+ Tor versions.
This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through
+ Tor 0.2.9.8, which were built with -ftrapv by default. In other
+ cases it was harmless. Part of TROVE-2017-001 boo#1027539
+ * Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor
+ * Reject version numbers with components that exceed INT32_MAX.
+ * Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+ * The tor-resolve command line tool now rejects hostnames over 255
+ characters in length
+
+-------------------------------------------------------------------
+Tue Jan 24 06:19:19 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.9:
+ * Downgrade the "-ftrapv" option from "always on" to "only on
+ when --enable-expensive-hardening is provided." This hardening
+ option, like others, can turn survivable bugs into crashes --
+ and having it on by default made a (relatively harmless)
+ integer overflow bug into a denial-of-service bug
+ * Fix a client-side onion service reachability bug
+ * Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sun Jan 1 11:43:02 UTC 2017 - tchvatal@suse.com
+
+- Remove conditionals for the sle11 as we won't build there due to
+ openssl requirements.
This reduces the logic in the spec file
+ quite a bit
+
+-------------------------------------------------------------------
+Mon Dec 19 20:40:39 UTC 2016 - astieger@suse.com
+
+- tor 0.2.9.8, the first stable release in the 0.2.9.x series:
+ * make mandatory a number of security features that were formerly
+ optional
+ * support a new shared-randomness protocol that will form the
+ basis for next generation hidden services
+ * single-hop hidden service mode for optimizing .onion services
+ that don't actually want to be hidden,
+ * try harder not to overload the directory authorities with
+ excessive downloads
+ * support a better protocol versioning scheme for improved
+ compatibility with other implementations of the Tor protocol
+ * deprecated options for security: CacheDNS, CacheIPv4DNS,
+ CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache,
+ AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
+ AllowSingleHopExits, ClientDNSRejectInternalAddresses,
+ CloseHSClientCircuitsImmediatelyOnTimeout,
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout,
+ ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
+ UseNTorHandshake, and WarnUnsafeSocks.
+ * *ListenAddress options are now deprecated as unnecessary: the
+ corresponding *Port options should be used instead. The
+ affected options are:
+ ControlListenAddress, DNSListenAddress, DirListenAddress,
+ NATDListenAddress, ORListenAddress, SocksListenAddress,
+ and TransListenAddress.
+
+-------------------------------------------------------------------
+Mon Dec 19 20:29:49 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.12:
+ * CVE-2016-1254: A hostile hidden service could cause tor clients
+ to crash (bsc#1016343)
+ * update fallback directory list
+ * Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Tue Dec 13 06:41:55 UTC 2016 - bwiedemann@suse.com
+
+- recommend torsocks as it is needed by included torify
+
+-------------------------------------------------------------------
+Sun Dec 11 19:40:35 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.11:
+ * Fix compilation with OpenSSL 1.1
+
+-------------------------------------------------------------------
+Fri Dec 2 16:58:06 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.10:
+ * When Tor leaves standby because of a new application request,
+ open circuits as needed to serve that request
+ * Clients now respond to new application stream requests
+ immediately when they arrive, rather than waiting up to one
+ second before starting to handle them
+ * small portability and memory handling issues
+ * Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Wed Oct 19 09:08:12 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.9:
+ * security fix: prevent remote DoS TROVE-2016-10-001 boo#1005292
+ * Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
+ Country database.
+ * Update signing key
+
+-------------------------------------------------------------------
+Sat Sep 24 13:52:20 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.8:
+ * fixes some crash bugs when using bridges
+ * fixes a timing-dependent assertion
+ * removes broken fallbacks from the hard-coded fallback directory
+ list
+ * Updates geoip and geoip6 to the September 6 2016 Maxmind
+ GeoLite2 Country database
+
+-------------------------------------------------------------------
+Wed Aug 24 21:01:13 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.7:
+ * The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest"
+ * Only use the ReachableAddresses option to restrict the first
+ hop in a path.
In earlier versions of 0.2.8.x, it would apply
+ to every hop in the path, with a possible degradation in
+ anonymity for anyone using an uncommon ReachableAddress setting
+
+-------------------------------------------------------------------
+Sat Aug 13 17:44:24 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.6:
+ * improve client bootstrapping performance
+ * improved identity keys for relays (authority side)
+ * numerous bug fixes and performance improvements
+
+-------------------------------------------------------------------
+Mon Mar 21 08:17:17 UTC 2016 - astieger@suse.com
+
+- adjust nologin shell for tor user boo#971872
+
+-------------------------------------------------------------------
+Fri Dec 11 14:41:37 UTC 2015 - mpluskal@suse.com
+
+- Make building more verbose
+- Remove useless conditon for libevent, there is dependency for it
+ anyway
+
+-------------------------------------------------------------------
+Fri Dec 11 13:35:32 UTC 2015 - astieger@suse.com
+
+- skip tests on ports
+
+-------------------------------------------------------------------
+Fri Dec 11 07:43:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.7.6 fixes a major bug in entry guard selection, as well
+ as a minor bug in hidden service reliability.
[boo#958729]
+
+-------------------------------------------------------------------
+Tue Nov 24 20:35:59 UTC 2015 - astieger@suse.com
+
+- 0.2.7.5:
+ * More secure identity key type for relays
+ * Improve cryptography performance
+ * Resolve several longstanding hidden-service performance issues
+ * Improve controller support for hidden services
+- Features removed:
+ * tor-fw-helper is no longer part of thie packaged, it was
+ re-implemented as a separate project
+- Packaging changes:
+ * drop upstreamed patch
+ tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Wed Oct 14 10:59:41 UTC 2015 - astieger@suse.com
+
+- fix Factory build (ignore missing systemd-tmpfiles)
+
+-------------------------------------------------------------------
+Wed Aug 26 20:02:21 UTC 2015 - astieger@suse.com
+
+- Malformed hostnames in socks5 requests were written to the log
+ regardless of SafeLogging option (CWE-532) [boo#943362]
+ add tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Sun Jul 12 20:54:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.10:
+ Significant stability and hidden service client fixes.
+ * Stop refusing to store updated hidden service descriptors on a
+ client.
+ * Stop crashing with an assertion failure when parsing certain
+ kinds of malformed or truncated microdescriptors.
+ * Stop random client-side assertion failures that could occur
+ when connecting to a busy hidden service, or connecting to a
+ hidden service while a NEWNYM is in progress.
+
+-------------------------------------------------------------------
+Thu Jun 11 18:55:44 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.9:
+ Clients using circuit isolation should upgrade;
+ all directory authorities should upgrade.
+ * fixes a regression in the circuit isolation code
+ * increases the requirements for receiving an HSDir flag
+ * addresses some small bugs in the systemd and sandbox code.
+
+-------------------------------------------------------------------
+Sat May 23 18:59:14 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.8:
+ This release fixes a bit of dodgy code in parsing INTRODUCE2 cells,
+ and fixes an authority-side bug in assigning the HSDir flag. All
+ directory authorities should upgrade.
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells.
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+ on a client authorized hidden service.
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country
+ database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Mon Apr 6 18:56:30 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.7
+ This releases fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting
+ hidden services. Hidden services should upgrade as soon as
+ possible. [boo#926097]
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. CVE-2015-2928
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ CVE-2015-2929
+ - Introduction points no longer allow multiple INTRODUCE1 cells
+ to arrive on the same circuit. This should make it more
+ expensive for attackers to overwhelm hidden services with
+ introductions.
+ - Decrease the amount of reattempts that a hidden service
+ performs when its rendezvous circuits fail.
This reduces the
+ computational cost for running a hidden service under heavy
+ load.
+
+-------------------------------------------------------------------
+Sun Mar 29 11:51:09 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.6, the first stable release in the 0.2.6 series:
+ * safety/security improvements
+ * correctness improvements
+ * performance improvements
+ * Client programs can be configured to use more kinds of sockets
+ * AutomapHosts works better
+ * multithreading backend is improved
+ * cell transmission is refactored
+ * test coverage is much higher
+ * more denial-of-service attacks are handled
+ * guard selection is improved to handle long-term guards better
+ * pluggable transports should work a bit better
+ * some annoying hidden service performance bugs addressed
+- new minimal configuration file installed as active configuration
+ allows daemon to be run right after package installation
+- build with systemd notifications where supported
+
+-------------------------------------------------------------------
+Wed Mar 25 08:05:24 UTC 2015 - astieger@suse.com
+
+- add CVE IDs for 0.2.5.11 release
+
+-------------------------------------------------------------------
+Thu Mar 19 21:36:34 UTC 2015 - astieger@suse.com
+
+- tor 0.2.5.11 [boo#923284]:
+ Contains several medium-level security fixes for relays and exit
+ nodes and also updates the list of directory authorities.
+ * Directory authority updates
+ * relay crashes trough assertion (CVE-2015-2688)
+ * exit node crash through assertion under high DNS load
+ (CVE-2015-2689)
+ * do not crash when receiving SIGHUP with the seccomp2 sandbox on
+ * do not crash sh during attempts to call wait4
+ * new "GETINFO bw-event-cache" for controllers
+ * update geoip/geoip6 to the March 3 2015
+ * Avoid crashing on malformed VirtualAddrNetworkIPv[4|6] config
+ * Fix a memory leak when using AutomapHostsOnResolve
+ * Allow directory authorities to fetch more data from one another
+
+-------------------------------------------------------------------
+Fri Jan 23 22:04:27 UTC 2015 - andreas.stieger@gmx.de
+
+- fix build for SLE 12, libminiupnpc-devel not available
+
+-------------------------------------------------------------------
+Fri Oct 24 20:48:14 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.5.10, the first stable release in the 0.2.5 series.
+ * improved denial-of-service resistance for relays
+ * new compiler hardening options
+ * system-call sandbox for hardened installations on Linux
+ (requires seccomp2)
+ * controller protocol has several new features
+ * improvements in resolving IPv6 addresses
+ * relays more CPU-efficient
+- adjust tor-0.2.4.x-logrotate.patch to tor-0.2.5.x-logrotate.patch
+- run unit tests
+
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sat Sep 20 13:05:50 UTC 2014 - andreas.stieger@gmx.de
+
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Mon Aug 18 09:54:00 UTC 2014 - wagner-thomas@gmx.at
+
+- Added config file for firewall
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Fri Jun 6 18:51:36 UTC 2014 - andreas.stieger@gmx.de
+
+- do not own /var/run/tor for pid file, fixing Factory build
+
+-------------------------------------------------------------------
+Sat May 17 23:13:54 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+- Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+- Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+- Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- further minor bug fixes, see ChangeLog
+- fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+
+-------------------------------------------------------------------
+Sat Apr 19 02:54:55 UTC 2014 - mook.moz+com.novell@gmail.com
+
+- Add tor-fw-helper for UPnP port forwarding; not used by default
+
+-------------------------------------------------------------------
+Thu Mar 6 08:02:15 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.21
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+- Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+- Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+
+-------------------------------------------------------------------
+Mon Jan 20 19:46:02 UTC 2014 - andreas.stieger@gmx.de
+
+- redaction of 0.2.4.20 changelog to include bug and CVE references
+
+-------------------------------------------------------------------
+Fri Dec 27 20:55:26 UTC 2013 - andreas.stieger@gmx.de
+
+- tor 0.2.4.20
+ fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+ This release also fixes a logic error that caused Tor clients to build
+ many more preemptive circuits than they actually need.
+- Major bugfixes:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set. The only default builtin PRNG engine uses
+ the Intel RDRAND instruction to replace the entire PRNG, and
+ ignores all attempts to seed it with more entropy. That's
+ cryptographically stupid: the right response to a new alleged
+ entropy source is never to discard all previously used entropy
+ sources. Fixes bug 10402; works around behavior introduced in
+ OpenSSL 1.0.0.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+ This fixes a bug where any circuit that _wasn't_ unusable for new
+ streams would be treated as if it were, causing extra circuits to
+ be launched.
+- Minor bugfixes:
+ - Avoid a crash bug when starting with a corrupted microdescriptor
+ cache file.
+ - If we fail to dump a previously cached microdescriptor to disk, avoid
+ freeing duplicate data later on.
+
+-------------------------------------------------------------------
+Sat Dec 14 17:43:22 UTC 2013 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
+ a new circuit handshake and link encryption that use ECC to provide
+ better security and efficiency; makes relays better manage circuit
+ creation requests; uses "directory guards" to reduce client enumeration
+ risks; makes bridges collect and report statistics about the pluggable
+ transports they support; cleans up and improves our geoip database;
+ gets much closer to IPv6 support for clients, bridges, and relays; makes
+ directory authorities use measured bandwidths rather than advertised
+ ones when computing flags and thresholds; disables client-side DNS
+ caching to reduce tracking risks; and fixes a big bug in bridge
+ reachability testing. This release introduces two new design
+ abstractions in the code: a new "channel" abstraction between circuits
+ and or_connections to allow for implementing alternate relay-to-relay
+ transports, and a new "circuitmux" abstraction storing the queue of
+ circuits for a channel. The release also includes many stability,
+ security, and privacy fixes.
+- full changelog relative to 0.2.3.x and 0.2.4.x RC series:
+ https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes
+
+-------------------------------------------------------------------
+Sat Dec 7 12:04:08 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.18-rc, improves stability, performance, and better
+ handling of edge cases.
+- Major features: + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. +- Major bugfixes: + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. + - Stop trying to bootstrap all our directory information from + only our first guard. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. + +------------------------------------------------------------------- +Sat Oct 5 13:18:55 UTC 2013 - andreas.stieger@gmx.de + +- tor-0.2.4.17-rc +- major features in 0.2.4.x: + - improved client resilience + - support better link encryption with forward secrecy + - new NTor circuit handshake + - change relay queue for circuit create requests from size-based + limit to time-based limit + - many bug fixes and minor features + +------------------------------------------------------------------- +Fri May 24 22:51:24 UTC 2013 - andreas.stieger@gmx.de + +- add systemd support +- verify source tarball signature + +------------------------------------------------------------------- +Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.3.25, the first stable release in the 0.2.3 branch + + significantly reduced directory overhead (via microdescriptors) + + enormous crypto performance improvements for fast relays on new + enough hardware + + new v3 TLS handshake protocol that can better resist + fingerprinting + + support for protocol obfuscation plugins (pluggable transports) + + better scalability for hidden services + + IPv6 support for bridges + + performance improvements + + new "stream isolation" design to isolate different applications + on different circuits + + many stability, security, and privacy fixes + + Complete list of changes enumerated in: + 
https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html + https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2bbf5fd4:/ReleaseNotes + + Tear down the circuit when receiving an unexpected SENDME cell. + [bnc#791374] CVE-2012-5573 +- build using --enable-bufferevents provided by Libevent 2.0.13 + +------------------------------------------------------------------- +Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org + +- Fix useradd invocation: -o is useless without -u and newer + versions of pwdutils/shadowutils fail on this now. + +------------------------------------------------------------------- +Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.39 [bnc#780620] + Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. + CVE-2012-4922 + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. + CVE-2012-4419 + +------------------------------------------------------------------- +Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.38 [bnc#776642] + Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; + fixes a remotely triggerable crash bug; and fixes a timing attack that + could in theory leak path information. + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. + CVE-2012-3517 + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. 
+ CVE-2012-3518
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client would
+ stop iterating through the list of available relays as soon as it
+ had chosen one, thus finishing a little earlier when it picked
+ a router earlier in the list. If an attacker can recover this
+ timing information (nontrivial but not proven to be impossible),
+ they could learn some coarse-grained information about which relays
+ a client was picking (middle nodes in particular are likelier to
+ be affected than exits). The timing attack might be mitigated by
+ other factors, but it's best not to take chances.
+ CVE-2012-3519
+
+-------------------------------------------------------------------
+Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de
+
+- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to
+ fix W: suse-logrotate-user-writable-log-dir in Factory
+
+-------------------------------------------------------------------
+Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.37
+ Changes in version 0.2.2.37 - 2012-06-06
+ Tor 0.2.2.37 introduces a workaround for a critical renegotiation
+ bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
+ currently).
+
+ o Major bugfixes:
+ - Work around a bug in OpenSSL that broke renegotiation with TLS
+ 1.1 and TLS 1.2. Without this workaround, all attempts to speak
+ the v2 Tor connection protocol when both sides were using OpenSSL
+ 1.0.1 would fail. Resolves ticket 6033.
+ - When waiting for a client to renegotiate, don't allow it to add
+ any bytes to the input buffer. This fixes a potential DoS issue.
+ Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
+ - Fix an edge case where if we fetch or publish a hidden service
+ descriptor, we might build a 4-hop circuit and then use that circuit
+ for exiting afterwards -- even if the new last hop doesn't obey our
+ ExitNodes config option.
Fixes bug 5283; bugfix on 0.2.0.10-alpha.
+
+ o Minor bugfixes:
+ - Fix a build warning with Clang 3.1 related to our use of vasprintf.
+ Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
+
+ o Minor features:
+ - Tell GCC and Clang to check for any errors in format strings passed
+ to the tor_v*(print|scan)f functions.
+
+-------------------------------------------------------------------
+Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.36
+
+ Changes in version 0.2.2.36 - 2012-05-24
+ o Directory authority changes:
+ - Change IP address for maatuska (v3 directory authority).
+ - Change IP address for ides (v3 directory authority), and rename
+ it to turtles.
+
+ o Security fixes:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions have a bug (CVE-2011-4576) in which their block cipher
+ padding includes uninitialized data, potentially leaking sensitive
+ information to any peer with whom they make a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
+ to make sure that the bug can't happen.
+ - Never use a bridge or a controller-supplied node as an exit, even
+ if its exit policy allows it. Found by wanoskarnet. Fixes bug
+ 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
+ and 0.2.0.3-alpha (for bridge-purpose descriptors).
+ - Only build circuits if we have a sufficient threshold of the total
+ descriptors that are marked in the consensus with the "Exit"
+ flag. This mitigates an attack proposed by wanoskarnet, in which
+ all of a client's bridges collude to restrict the exit nodes that
+ the client knows about. Fixes bug 5343.
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the controller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
+ 1776. Bugfix on 0.2.2.18-alpha.
+
+ o Minor bugfixes (documentation and log messages):
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
+ - Clarify the behavior of MaxCircuitDirtiness with hidden service
+ circuits. Fixes issue 5259.
+
+ o Minor features:
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the May 1 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+ +------------------------------------------------------------------- +Mon Jan 2 16:51:20 UTC 2012 - andreas.stieger@gmx.de + +- add CVE references in changelog, fixing bug #739133 + +------------------------------------------------------------------- +Fri Dec 16 20:37:05 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.35, which fixes a critical heap-overflow + security issue: CVE-2011-2778 For a full list of changes, see: + https://gitweb.torproject.org/tor.git/blob_plain/release-0.2.2:/ReleaseNotes + +------------------------------------------------------------------ +Mon Dec 12 15:42:09 UTC 2011 - cfarrell@suse.com + +- license update: BSD-3-Clause + SPDX format + +------------------------------------------------------------------- +Sun Dec 11 18:42:57 UTC 2011 - andreas.stieger@gmx.de + +- fix factory warning by removing INSTALL file from docs dir + +------------------------------------------------------------------- +Sun Dec 11 17:11:11 UTC 2011 - andreas.stieger@gmx.de + +- format spec file to include copyright notice + package is based on a former package in SUSE/openSUSE + +------------------------------------------------------------------- +Sun Dec 11 12:37:14 UTC 2011 - andreas.stieger@gmx.de + +- update license from "3-clause BSD" to "BSD3c" + +------------------------------------------------------------------- +Fri Oct 28 19:49:39 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.34 +- fixes CVE-2011-4895 Tor Bridge circuit building information disclosure +- fixes CVE-2011-4894 Tor DirPort information disclosure + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 
2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. 
+ - Directory authorities no longer assign the Guard flag to relays
+ that haven't upgraded to the above "refuse EXTEND requests
+ to client connections" fix. Now directory authorities can
+ protect clients from the CVE-2011-2768 issue even if neither
+ the clients nor the relays have upgraded yet. There's a new
+ "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
+ to let us transition smoothly, else tomorrow there would be no
+ guard relays.
+
+ o Privacy/anonymity fixes (bridge enumeration):
+ - Bridge relays now do their directory fetches inside Tor TLS
+ connections, like all the other clients do, rather than connecting
+ directly to the DirPort like public relays do. Removes another
+ avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
+ - Bridges relays now build circuits for themselves in a more similar
+ way to how clients build them. Removes another avenue for
+ enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
+ when bridges were introduced.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+
+ o Major bugfixes:
+ - Fix a crash bug when changing node restrictions while a DNS lookup
+ is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
+ by "Tey'".
+ - Don't launch a useless circuit after failing to use one of a
+ hidden service's introduction points. Previously, we would
+ launch a new introduction circuit, but not set the hidden service
+ which that circuit was intended to connect to, so it would never
+ actually be used. A different piece of code would then create a
+ new introduction circuit correctly. Bug reported by katmagic and
+ found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
+
+ o Minor bugfixes:
+ - Change an integer overflow check in the OpenBSD_Malloc code so
+ that GCC is less likely to eliminate it as impossible. Patch
+ from Mansour Moufid. Fixes bug 4059.
+ - When a hidden service turns an extra service-side introduction
+ circuit into a general-purpose circuit, free the rend_data and
+ intro_key fields first, so we won't leak memory if the circuit
+ is cannibalized for use as another service-side introduction
+ circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+ - Bridges now skip DNS self-tests, to act a little more stealthily.
+ Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
+ bridges. Patch by "warms0x".
+ - Fix internal bug-checking logic that was supposed to catch
+ failures in digest generation so that it will fail more robustly
+ if we ask for a nonexistent algorithm. Found by Coverity Scan.
+ Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
+ - Report any failure in init_keys() calls launched because our
+ IP address has changed. Spotted by Coverity Scan. Bugfix on
+ 0.1.1.4-alpha; fixes CID 484.
+
+ o Minor bugfixes (log messages and documentation):
+ - Remove a confusing dollar sign from the example fingerprint in the
+ man page, and also make the example fingerprint a valid one. Fixes
+ bug 4309; bugfix on 0.2.1.3-alpha.
+ - The next version of Windows will be called Windows 8, and it has
+ a major version of 6, minor version of 2. Correctly identify that
+ version instead of calling it "Very recent version". Resolves
+ ticket 4153; reported by funkstar.
+ - Downgrade log messages about circuit timeout calibration from
+ "notice" to "info": they don't require or suggest any human
+ intervention. Patch from Tom Lowenthal. Fixes bug 4063;
+ bugfix on 0.2.2.14-alpha.
+
+ o Minor features:
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ Backported from 0.2.3.1-alpha; implements ticket 3951.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
+-------------------------------------------------------------------
+Tue Sep 20 20:58:56 UTC 2011 - andreas.stieger@gmx.de
+
+- update to upstream 0.2.2.33
+
+Changes in version 0.2.2.33 - 2011-09-13
+ Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
+ TLS handshake that makes relays and bridges that run this new version
+ reachable from Iran again.
+
+ o Major bugfixes:
+ - Avoid an assertion failure when reloading a configuration with
+ TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
+ 3923; bugfix on 0.2.2.25-alpha.
+
+ o Minor features (security):
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We think
+ that these attacks are infeasible (requiring the attacker to send
+ on the order of zettabytes of altered cells in a short interval),
+ but we'd rather block them off in case there are any classes of
+ this attack that we missed. Reported by Willem Pinckaers.
+
+ o Minor features:
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Change the default required uptime for a relay to be accepted as
+ a HSDir (hidden service directory) from 24 hours to 25 hours.
+ Improves on 0.2.0.10-alpha; resolves ticket 2649.
+ - Add a VoteOnHidServDirectoriesV2 config option to allow directory
+ authorities to abstain from voting on assignment of the HSDir
+ consensus flag. Related to bug 2649.
+ - Update to the September 6 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (documentation and log messages):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes:
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+
+-------------------------------------------------------------------
+Fri Sep 2 19:55:23 UTC 2011 - andreas.stieger@gmx.de
+
+- updated ot upstream 0.2.2.32
+- removed tor_initscript.patch
+- fixes CVE-2011-4897 Tor Nickname information disclosure
+- fixes CVE-2011-4896 Tor Bridge information disclosure
+
+Changes in version 0.2.2.32 - 2011-08-27
+ The Tor 0.2.2 release series is dedicated to the memory of Andreas
+ Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
+ a founder of the PETS community, a leader in our field, a mentor,
+ and a friend. He left us with these words: "I had the possibility
+ to contribute to this world that is not as it should be. I hope I
+ could help in some areas to make the world a better place, and that
+ I could also encourage other people to be engaged in improving the
+ world. Please, stay engaged. This world needs you, your love, your
+ initiative -- now I cannot be part of that anymore."
+
+ Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
+ ready. More than two years in the making, this release features improved
+ client performance and hidden service reliability, better compatibility
+ for Android, correct behavior for bridges that listen on more than
+ one address, more extensible and flexible directory object handling,
+ better reporting of network statistics, improved code security, and
+ many many other features and bugfixes.
+
+ o Major features (client performance):
+ - When choosing which cells to relay first, relays now favor circuits
+ that have been quiet recently, to provide lower latency for
+ low-volume circuits. By default, relays enable or disable this
+ feature based on a setting in the consensus. They can override
+ this default by using the new "CircuitPriorityHalflife" config
+ option. Design and code by Ian Goldberg, Can Tang, and Chris
+ Alexander.
+ - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients use these weightings to distribute network load + more evenly across these different relay types. The weightings are + in the consensus so we can change them globally in the future. Extra + thanks to "outofwords" for finding some nasty security bugs in + the first implementation of this feature. + + o Major features (client performance, circuit build timeout): + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + - Circuit build timeout constants can be controlled by consensus + parameters. We set good defaults for these parameters based on + experimentation on broadband and simulated high-latency links. + - Circuit build time learning can be disabled via consensus parameter + or by the client via a LearnCircuitBuildTimeout config option. We + also automatically disable circuit build time calculation if either + AuthoritativeDirectory is set, or if we fail to write our state + file. Implements ticket 1296. + + o Major features (relays use their capacity better): + - Set SO_REUSEADDR socket option on all sockets, not just + listeners. This should help busy exit nodes avoid running out of + useable ports just because all the ports have been used in the + near past. Resolves issue 2850. + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved), + so that they can determine their correct estimated bandwidth on + restart. 
Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change would take a while to propagate to them. Resolves issue 1035. + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + + o Major features (relays control their load better): + - Exit relays now try harder to block exit attempts from unknown + relays, to make it harder for people to use them as one-hop proxies + a la tortunnel. Controlled by the refuseunknownexits consensus + parameter (currently enabled), or you can override it on your + relay with the RefuseUnknownExits torrc option. Resolves bug 1751; + based on a variant of proposal 163. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (controllers): + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. 
Now Vidalia bridge operators + can get more accurate and immediate feedback about their + contributions to the network. + - Add an __OwningControllerProcess configuration option and a + TAKEOWNERSHIP control-port command. Now a Tor controller can ensure + that when it exits, Tor will shut down. Implements feature 3049. + + o Major features (directory authorities): + - Directory authorities now create, vote on, and serve multiple + parallel formats of directory data as part of their voting process. + Partially implements Proposal 162: "Publish the consensus in + multiple flavors". + - Directory authorities now agree on and publish small summaries + of router information that clients can use in place of regular + server descriptors. This transition will allow Tor 0.2.3 clients + to use far less bandwidth for downloading information about the + network. Begins the implementation of Proposal 158: "Clients + download consensus + microdescriptors". + - The directory voting system is now extensible to use multiple hash + algorithms for signatures and resource selection. Newer formats + are signed with SHA256, with a possibility for moving to a better + hash algorithm in the future. + - Directory authorities can now vote on arbitary integer values as + part of the consensus process. This is designed to help set + network-wide parameters. Implements proposal 167. + + o Major features and bugfixes (node selection): + - Revise and reconcile the meaning of the ExitNodes, EntryNodes, + ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes + options. Previously, we had been ambiguous in describing what + counted as an "exit" node, and what operations exactly "StrictNodes + 0" would permit. This created confusion when people saw nodes built + through unexpected circuits, and made it hard to tell real bugs from + surprises. Now the intended behavior is: + . 
"Exit", in the context of ExitNodes and ExcludeExitNodes, means + a node that delivers user traffic outside the Tor network. + . "Entry", in the context of EntryNodes, means a node used as the + first hop of a multihop circuit. It doesn't include direct + connections to directory servers. + . "ExcludeNodes" applies to all nodes. + . "StrictNodes" changes the behavior of ExcludeNodes only. When + StrictNodes is set, Tor should avoid all nodes listed in + ExcludeNodes, even when it will make user requests fail. When + StrictNodes is *not* set, then Tor should follow ExcludeNodes + whenever it can, except when it must use an excluded node to + perform self-tests, connect to a hidden service, provide a + hidden service, fulfill a .exit request, upload directory + information, or fetch directory information. + Collectively, the changes to implement the behavior fix bug 1090. + - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes + change during a config reload, mark and discard all our origin + circuits. This fix should address edge cases where we change the + config options and but then choose a circuit that we created before + the change. + - Make EntryNodes config option much more aggressive even when + StrictNodes is not set. Before it would prepend your requested + entrynodes to your list of guard nodes, but feel free to use others + after that. Now it chooses only from your EntryNodes if any of + those are available, and only falls back to others if a) they're + all down and b) StrictNodes is not set. + - Now we refresh your entry guards from EntryNodes at each consensus + fetch -- rather than just at startup and then they slowly rot as + the network changes. + - Add support for the country code "{??}" in torrc options like + ExcludeNodes, to indicate all routers of unknown country. Closes + bug 1094. + - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if + a node is listed in both, it's treated as excluded. 
+ - ExcludeNodes now applies to directory nodes -- as a preference if + StrictNodes is 0, or an absolute requirement if StrictNodes is 1. + Don't exclude all the directory authorities and set StrictNodes to 1 + unless you really want your Tor to break. + - ExcludeNodes and ExcludeExitNodes now override exit enclaving. + - ExcludeExitNodes now overrides .exit requests. + - We don't use bridges listed in ExcludeNodes. + - When StrictNodes is 1: + . We now apply ExcludeNodes to hidden service introduction points + and to rendezvous points selected by hidden service users. This + can make your hidden service less reliable: use it with caution! + . If we have used ExcludeNodes on ourself, do not try relay + reachability self-tests. + . If we have excluded all the directory authorities, we will not + even try to upload our descriptor if we're a relay. + . Do not honor .exit requests to an excluded node. + - When the set of permitted nodes changes, we now remove any mappings + introduced via TrackExitHosts to now-excluded nodes. Bugfix on + 0.1.0.1-rc. + - We never cannibalize a circuit that had excluded nodes on it, even + if StrictNodes is 0. Bugfix on 0.1.0.1-rc. + - Improve log messages related to excluded nodes. + + o Major features (misc): + - Numerous changes, bugfixes, and workarounds from Nathan Freitas + to help Tor build correctly for Android phones. + - The options SocksPort, ControlPort, and so on now all accept a + value "auto" that opens a socket on an OS-selected port. A + new ControlPortWriteToFile option tells Tor to write its + actual control port or ports to a chosen file. If the option + ControlPortFileGroupReadable is set, the file is created as + group-readable. Now users can run two Tor clients on the same + system without needing to manually mess with parameters. Resolves + part of ticket 3076. + - Tor now supports tunneling all of its outgoing connections over + a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy + configuration options. 
Code by Christopher Davis. + + o Code security improvements: + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Enable Address Space Layout Randomization (ASLR) and Data Execution + Prevention (DEP) by default on Windows to make it harder for + attackers to exploit vulnerabilities. Patch from John Brooks. + - New "--enable-gcc-hardening" ./configure flag (off by default) + to turn on gcc compile time hardening options. It ensures + that signed ints have defined behavior (-fwrapv), enables + -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection + with canaries (-fstack-protector-all), turns on ASLR protection if + supported by the kernel (-fPIE, -pie), and adds additional security + related warnings. Verified to work on Mac OS X and Debian Lenny. + - New "--enable-linker-hardening" ./configure flag (off by default) + to turn on ELF specific hardening features (relro, now). This does + not work with Mac OS X or any other non-ELF binary format. + - Always search the Windows system directory for system DLLs, and + nowhere else. Bugfix on 0.1.1.23; fixes bug 1954. + - New DisableAllSwap option. If set to 1, Tor will attempt to lock all + current and future memory pages via mlockall(). On supported + platforms (modern Linux and probably BSD but not Windows or OS X), + this should effectively disable any and all attempts to page out + memory. This option requires that you start your Tor as root -- + if you use DisableAllSwap, please consider using the User option + to properly reduce the privileges of your Tor. + + o Major bugfixes (crashes): + - Fix crash bug on platforms where gmtime and localtime can return + NULL. 
Windows 7 users were running into this one. Fixes part of bug + 2077. Bugfix on all versions of Tor. Found by boboper. + - Introduce minimum/maximum values that clients will believe + from the consensus. Now we'll have a better chance to avoid crashes + or worse when a consensus param has a weird value. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - If we're in the pathological case where there's no exit bandwidth + but there is non-exit bandwidth, or no guard bandwidth but there + is non-guard bandwidth, don't crash during path selection. Bugfix + on 0.2.0.3-alpha. + - Fix a crash bug when trying to initialize the evdns module in + Libevent 2. Bugfix on 0.2.1.16-rc. + + o Major bugfixes (stability): + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - Treat an unset $HOME like an empty $HOME rather than triggering an + assert. Bugfix on 0.0.8pre1; fixes bug 1522. + - More gracefully handle corrupt state files, removing asserts + in favor of saving a backup and resetting state. + - Instead of giving an assertion failure on an internal mismatch + on estimated freelist size, just log a BUG warning and try later. + Mitigates but does not fix bug 1125. + - Fix an assert that got triggered when using the TestingTorNetwork + configuration option and then issuing a GETINFO config-text control + command. Fixes bug 2250; bugfix on 0.2.1.2-alpha. 
+ - If the cached cert file is unparseable, warn but don't exit.
+
+ o Privacy fixes (relays/bridges):
+ - Don't list Windows capabilities in relay descriptors. We never made
+ use of them, and maybe it's a bad idea to publish them. Bugfix
+ on 0.1.1.8-alpha.
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Maintain separate TLS contexts and certificates for incoming and
+ outgoing connections in bridge relays. Previously we would use the
+ same TLS contexts and certs for incoming and outgoing connections.
+ Bugfix on 0.2.0.3-alpha; addresses bug 988.
+ - Maintain separate identity keys for incoming and outgoing TLS
+ contexts in bridge relays. Previously we would use the same
+ identity keys for incoming and outgoing TLS contexts. Bugfix on
+ 0.2.0.3-alpha; addresses the other half of bug 988.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all descriptors". It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+
+ o Privacy fixes (clients):
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Start the process of disabling ".exit" address notation, since it
+ can be used for a variety of esoteric application-level attacks
+ on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
+ on 0.0.9rc5.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Log a notice when we get a new control connection. Now it's easier
+ for security-conscious users to recognize when a local application
+ is knocking on their controller door. Suggested by bug 1196.
+
+ o Privacy fixes (newnym):
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Major bugfixes (relay bandwidth accounting):
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a bug in bandwidth accounting that could make us use twice
+ the intended bandwidth when our interval start changes due to
+ daylight saving time. Now we tolerate skew in stored vs computed
+ interval starts: if the start of the period changes by no more than
+ 50% of the period's duration, we remember bytes that we transferred
+ in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
+
+ o Major bugfixes (bridges):
+ - Bridges now use "reject *:*" as their default exit policy. Bugfix
+ on 0.2.0.3-alpha. Fixes bug 1113.
+ - If you configure your bridge with a known identity fingerprint,
+ and the bridge authority is unreachable (as it is in at least
+ one country now), fall back to directly requesting the descriptor
+ from the bridge. Finishes the feature started in 0.2.0.10-alpha;
+ closes bug 1138.
+ - Fix a bug where bridge users who configure the non-canonical
+ address of a bridge automatically switch to its canonical
+ address. If a bridge listens at more than one address, it
+ should be able to advertise those addresses independently and
+ any non-blocked addresses should continue to work. Bugfix on Tor
+ 0.2.0.3-alpha. Fixes bug 2510.
+ - If you configure Tor to use bridge A, and then quit and
+ configure Tor to use bridge B instead (or if you change Tor
+ to use bridge B via the controller), it would happily continue
+ to use bridge A if it's still reachable. While this behavior is
+ a feature if your goal is connectivity, in some scenarios it's a
+ dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
+ - When the controller configures a new bridge, don't wait 10 to 60
+ seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
+
+ o Major bugfixes (directory authorities):
+ - Many relays have been falling out of the consensus lately because
+ not enough authorities know about their descriptor for them to get
+ a majority of votes. When we deprecated the v2 directory protocol,
+ we got rid of the only way that v3 authorities can hear from each
+ other about other descriptors. Now authorities examine every v3
+ vote for new descriptors, and fetch them from that authority. Bugfix
+ on 0.2.1.23.
+ - Authorities could be tricked into giving out the Exit flag to relays
+ that didn't allow exiting to any ports. This bug could screw
+ with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
+ 1238. Bug discovered by Martin Kowalczyk.
+ - If all authorities restart at once right before a consensus vote,
+ nobody will vote about "Running", and clients will get a consensus
+ with no usable relays. Instead, authorities refuse to build a
+ consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
+
+ o Major bugfixes (stream-level fairness):
+ - When receiving a circuit-level SENDME for a blocked circuit, try
+ to package cells fairly from all the streams that had previously
+ been blocked on that circuit. Previously, we had started with the
+ oldest stream, and allowed each stream to potentially exhaust
+ the circuit's package window. This gave older streams on any
+ given circuit priority over newer ones. Fixes bug 1937. Detected
+ originally by Camilo Viecco. This bug was introduced before the
+ first Tor release, in svn commit r152: it is the new winner of
+ the longest-lived bug prize.
+ - Fix a stream fairness bug that would cause newer streams on a given
+ circuit to get preference when reading bytes from the origin or
+ destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
+ introduced before the first Tor release, in svn revision r152.
+ - When the exit relay got a circuit-level sendme cell, it started
+ reading on the exit streams, even if had 500 cells queued in the
+ circuit queue already, so the circuit queue just grew and grew in
+ some cases. We fix this by not re-enabling reading on receipt of a
+ sendme cell when the cell queue is blocked. Fixes bug 1653. Bugfix
+ on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
+ "yetonetime".
+ - Newly created streams were allowed to read cells onto circuits,
+ even if the circuit's cell queue was blocked and waiting to drain.
+ This created potential unfairness, as older streams would be
+ blocked, but newer streams would gladly fill the queue completely.
+ We add code to detect this situation and prevent any stream from
+ getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
+ fixes bug 1298.
+
+ o Major bugfixes (hidden services):
+ - Apply circuit timeouts to opened hidden-service-related circuits
+ based on the correct start time. Previously, we would apply the
+ circuit build timeout based on time since the circuit's creation;
+ it was supposed to be applied based on time since the circuit
+ entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
+ - Improve hidden service robustness: When we find that we have
+ extended a hidden service's introduction circuit to a relay not
+ listed as an introduction point in the HS descriptor we currently
+ have, retry with an introduction point from the current
+ descriptor. Previously we would just give up. Fixes bugs 1024 and
+ 1930; bugfix on 0.2.0.10-alpha.
+ - Directory authorities now use data collected from their own
+ uptime observations when choosing whether to assign the HSDir flag
+ to relays, instead of trusting the uptime value the relay reports in
+ its descriptor. This change helps prevent an attack where a small
+ set of nodes with frequently-changing identity keys can blackhole
+ a hidden service. (Only authorities need upgrade; others will be
+ fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
+ - Stop assigning the HSDir flag to relays that disable their
+ DirPort (and thus will refuse to answer directory requests). This
+ fix should dramatically improve the reachability of hidden services:
+ hidden services and hidden service clients pick six HSDir relays
+ to store and retrieve the hidden service descriptor, and currently
+ about half of the HSDir relays will refuse to work. Bugfix on
+ 0.2.0.10-alpha; fixes part of bug 1693.
+
+ o Major bugfixes (misc):
+ - Clients now stop trying to use an exit node associated with a given
+ destination by TrackHostExits if they fail to reach that exit node.
+ Fixes bug 2999. Bugfix on 0.2.0.20-rc.
+ - Fix a regression that caused Tor to rebind its ports if it receives
+ SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+
+ o Minor features (relays):
+ - Ensure that no empty [dirreq-](read|write)-history lines are added
+ to an extrainfo document. Implements ticket 2497.
+ - When bandwidth accounting is enabled, be more generous with how
+ much bandwidth we'll use up before entering "soft hibernation".
+ Previously, we'd refuse new connections and circuits once we'd
+ used up 95% of our allotment. Now, we use up 95% of our allotment,
+ AND make sure that we have no more than 500MB (or 3 hours of
+ expected traffic, whichever is lower) remaining before we enter
+ soft hibernation.
+ - Relays now log the reason for publishing a new relay descriptor,
+ so we have a better chance of hunting down instances of bug 1810.
+ Resolves ticket 3252.
+ - Log a little more clearly about the times at which we're no longer
+ accepting new connections (e.g. due to hibernating). Resolves
+ bug 2181.
+ - When AllowSingleHopExits is set, print a warning to explain to the
+ relay operator why most clients are avoiding her relay.
+ - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+
+ o Minor features (network statistics):
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
+ "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
+ improvements: 1) stats are written to disk exactly every 24 hours;
+ 2) estimated shares of v2 and v3 requests are determined as mean
+ values, not at the end of a measurement period; 3) unresolved
+ requests are listed with country code '??'; 4) directories also
+ measure download times.
+ - Exit nodes that set "ExitPortStatistics 1" write statistics on the
+ number of exit streams and transferred bytes per port to disk every
+ 24 hours.
+ - Relays that set "CellStatistics 1" write statistics on how long
+ cells spend in their circuit queues to disk every 24 hours.
+ - Entry nodes that set "EntryStatistics 1" write statistics on the
+ rough number and origins of connecting clients to disk every 24
+ hours.
+ - Relays that write any of the above statistics to disk and set
+ "ExtraInfoStatistics 1" include the past 24 hours of statistics in
+ their extra-info documents. Implements proposal 166.
+
+ o Minor features (GeoIP and statistics):
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Relays report the number of bytes spent on answering directory
+ requests in extra-info descriptors similar to {read,write}-history.
+ Implements enhancement 1790.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
+ when we switch from being a public relay to a bridge. Otherwise
+ there will still be clients that see the relay in their consensus,
+ and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
+ bug 932.
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor features (clients):
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - If we've configured EntryNodes and our network goes away and/or all
+ our entrynodes get marked down, optimistically retry them all when
+ a new socks application request appears. Fixes bug 1882.
+ - Always perform router selections using weighted relay bandwidth,
+ even if we don't need a high capacity circuit at the time. Non-fast
+ circuits now only differ from fast ones in that they can use relays
+ not marked with the Fast flag. This "feature" could turn out to
+ be a horrible bug; we should investigate more before it goes into
+ a stable release.
+ - When we run out of directory information such that we can't build
+ circuits, but then get enough that we can build circuits, log when
+ we actually construct a circuit, so the user has a better chance of
+ knowing what's going on. Fixes bug 1362.
+ - Log SSL state transitions at debug level during handshake, and
+ include SSL states in error messages. This may help debug future
+ SSL handshake issues.
+
+ o Minor features (directory authorities):
+ - When a router changes IP address or port, authorities now launch
+ a new reachability test for it. Implements ticket 1899.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Directory authorities now do an immediate reachability check as soon
+ as they hear about a new relay. This change should slightly reduce
+ the time between setting up a relay and getting listed as running
+ in the consensus. It should also improve the time between setting
+ up a bridge and seeing use by bridge users.
+ - Directory authorities no longer launch a TLS connection to every
+ relay as they startup. Now that we have 2k+ descriptors cached,
+ the resulting network hiccup is becoming a burden. Besides,
+ authorities already avoid voting about Running for the first half
+ hour of their uptime.
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote, so we can track failures better.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+
+ o Minor features (hidden services):
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Make hidden services work better in private Tor networks by not
+ requiring any uptime to join the hidden service descriptor
+ DHT. Implements ticket 2088.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Minor features (controller interface):
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Have the controller interface give a more useful message than
+ "Internal Error" in response to failed GETINFO requests.
+ - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
+ event, to give information on the current rate of circuit timeouts
+ over our stored history.
+ - The 'EXTENDCIRCUIT' control port command can now be used with
+ a circ id of 0 and no path. This feature will cause Tor to build
+ a new 'fast' general purpose circuit using its own path selection
+ algorithms.
+ - Added a BUILDTIMEOUT_SET controller event to describe changes
+ to the circuit build timeout.
+ - New controller command "getinfo config-text". It returns the
+ contents that Tor would write if you send it a SAVECONF command,
+ so the controller can write the file to disk itself.
+
+ o Minor features (controller protocol):
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets. Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
+ not. This would lead to a cookie that is still not group readable.
+ Closes bug 1843. Suggested by katmagic.
+ - Future-proof the controller protocol a bit by ignoring keyword
+ arguments we do not recognize.
+
+ o Minor features (more useful logging):
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Rate-limit the "your application is giving Tor only an IP address"
+ warning. Addresses bug 2000; bugfix on 0.0.8pre2.
+ - Rate-limit "Failed to hand off onionskin" warnings.
+ - When logging a rate-limited warning, we now mention how many messages
+ got suppressed since the last warning.
+ - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
+ 2 no signature, 4 required" messages about consensus signatures
+ easier to read, and make sure they get logged at the same severity
+ as the messages explaining which keys are which. Fixes bug 1290.
+ - Don't warn when we have a consensus that we can't verify because
+ of missing certificates, unless those certificates are ones
+ that we have been trying and failing to download. Fixes bug 1145.
+
+ o Minor features (log domains):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+ - Add a new "Handshake" log domain for activities that happen
+ during the TLS handshake.
+
+ o Minor features (build process):
+ - Make compilation with clang possible when using
+ "--enable-gcc-warnings" by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Resolves
+ ticket 2696.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+ - Add support for statically linking zlib by specifying
+ "--enable-static-zlib", to go with our support for statically
+ linking openssl and libevent. Resolves bug 1358.
+ - Instead of adding the svn revision to the Tor version string, report
+ the git commit (when we're building from a git checkout).
+ - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
+ system headers.
+ - New --digests command-line switch to output the digests of the
+ source files Tor was built with.
+ - Generate our manpage and HTML documentation using Asciidoc. This
+ change should make it easier to maintain the documentation, and
+ produce nicer HTML. The build process fails if asciidoc cannot
+ be found and building with asciidoc isn't disabled (via the
+ "--disable-asciidoc" argument to ./configure. Skipping the manpage
+ speeds up the build considerably.
+
+ o Minor features (options / torrc):
+ - Warn when the same option is provided more than once in a torrc
+ file, on the command line, or in a single SETCONF statement, and
+ the option is one that only accepts a single line. Closes bug 1384.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Add new "perconnbwrate" and "perconnbwburst" consensus params to
+ do individual connection-level rate limiting of clients. The torrc
+ config options with the same names trump the consensus params, if
+ both are present. Replaces the old "bwconnrate" and "bwconnburst"
+ consensus params which were broken from 0.2.2.7-alpha through
+ 0.2.2.14-alpha. Closes bug 1947.
+ - New config option "WarnUnsafeSocks 0" disables the warning that
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
+ - New config option "CircuitStreamTimeout" to override our internal
+ timeout schedule for how many seconds until we detach a stream from
+ a circuit and try a new circuit. If your network is particularly
+ slow, you might want to set this to a number like 60.
+ - New options for SafeLogging to allow scrubbing only log messages
+ generated while acting as a relay. Specify "SafeLogging relay" if
+ you want to ensure that only messages known to originate from
+ client use of the Tor process will be logged unsafely.
+ - Time and memory units in the configuration file can now be set to
+ fractional units. For example, "2.5 GB" is now a valid value for
+ AccountingMax.
+ - Support line continuations in the torrc config file. If a line
+ ends with a single backslash character, the newline is ignored, and
+ the configuration value is treated as continuing on the next line.
+ Resolves bug 1929.
+
+ o Minor features (unit tests):
+ - Revise our unit tests to use the "tinytest" framework, so we
+ can run tests in their own processes, have smarter setup/teardown
+ code, and so on. The unit test code has moved to its own
+ subdirectory, and has been split into multiple modules.
+ - Add a unit test for cross-platform directory-listing code.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch
+ by Gisle Vanem.
+
+ o Minor features (misc):
+ - The "torify" script now uses torsocks where available.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Certain Tor clients (such as those behind check.torproject.org) may
+ want to fetch the consensus in an extra early manner. To enable this
+ a user may now set FetchDirInfoExtraEarly to 1. This also depends on
+ setting FetchDirInfoEarly to 1. Previous behavior will stay the same
+ as only certain clients who must have this information sooner should
+ set this option.
+ - Expand homedirs passed to tor-checkkey. This should silence a
+ coverity complaint about passing a user-supplied string into
+ open() without checking it.
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Minor bugfixes (relays):
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - Publish a router descriptor even if generating an extra-info
+ descriptor fails. Previously we would not publish a router
+ descriptor without an extra-info descriptor; this can cause fast
+ exit relays collecting exit-port statistics to drop from the
+ consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
+ - When we're trying to guess whether we know our IP address as
+ a relay, we would log various ways that we failed to guess
+ our address, but never log that we ended up guessing it
+ successfully. Now add a log line to help confused and anxious
+ relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
+ - For bandwidth accounting, calculate our expected bandwidth rate
+ based on the time during which we were active and not in
+ soft-hibernation during the last interval. Previously, we were
+ also considering the time spent in soft-hibernation. If this
+ was a long time, we would wind up underestimating our bandwidth
+ by a lot, and skewing our wakeup time towards the start of the
+ accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
+ - Demote a confusing TLS warning that relay operators might get when
+ someone tries to talk to their ORPort. It is not the operator's
+ fault, nor can they do anything about it. Fixes bug 1364; bugfix
+ on 0.2.0.14-alpha.
+ - Change "Application request when we're believed to be offline."
+ notice to "Application request when we haven't used client
+ functionality lately.", to clarify that it's not an error. Bugfix
+ on 0.0.9.3; fixes bug 1222.
+
+ o Minor bugfixes (bridges):
+ - When a client starts or stops using bridges, never use a circuit
+ that was built before the configuration change. This behavior could
+ put at risk a user who uses bridges to ensure that her traffic
+ only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
+ bug 3200.
+ - Do not reset the bridge descriptor download status every time we
+ re-parse our configuration or get a configuration change. Fixes
+ bug 3019; bugfix on 0.2.0.3-alpha.
+ - Users couldn't configure a regular relay to be their bridge. It
+ didn't work because when Tor fetched the bridge descriptor, it found
+ that it already had it, and didn't realize that the purpose of the
+ descriptor had changed. Now we replace routers with a purpose other
+ than bridge with bridge descriptors when fetching them. Bugfix on
+ 0.1.1.9-alpha. Fixes bug 1776.
+ - In the special case where you configure a public exit relay as your
+ bridge, Tor would be willing to use that exit relay as the last
+ hop in your circuit as well. Now we fail that circuit instead.
+ Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
+
+ o Minor bugfixes (clients):
+ - We now ask the other side of a stream (the client or the exit)
+ for more data on that stream when the amount of queued data on
+ that stream dips low enough. Previously, we wouldn't ask the
+ other side for more data until either it sent us more data (which
+ it wasn't supposed to do if it had exhausted its window!) or we
+ had completely flushed all our queued data. This flow control fix
+ should improve throughput. Fixes bug 2756; bugfix on the earliest
+ released versions of Tor (svn commit r152).
+ - When a client finds that an origin circuit has run out of 16-bit
+ stream IDs, we now mark it as unusable for new streams. Previously,
+ we would try to close the entire circuit. Bugfix on 0.0.6.
+ - Make it explicit that we don't cannibalize one-hop circuits. This
+ happens in the wild, but doesn't turn out to be a problem because
+ we fortunately don't use those circuits. Many thanks to outofwords
+ for the initial analysis and to swissknife who confirmed that
+ two-hop circuits are actually created.
+ - Resolve an edge case in path weighting that could make us misweight
+ our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
+ - Make the DNSPort option work with libevent 2.x. Don't alter the
+ behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
+
+ o Minor bugfixes (directory authorities):
+ - Make directory authorities more accurate at recording when
+ relays that have failed several reachability tests became
+ unreachable, so we can provide more accuracy at assigning Stable,
+ Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
+ - Directory authorities are now more robust to hops back in time
+ when calculating router stability. Previously, if a run of uptime
+ or downtime appeared to be negative, the calculation could give
+ incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
+ bug 1035.
+ - Directory authorities will now attempt to download consensuses
+ if their own efforts to make a live consensus have failed. This
+ change means authorities that restart will fetch a valid
+ consensus, and it means authorities that didn't agree with the
+ current consensus will still fetch and serve it if it has enough
+ signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
+ - Never vote for a server as "Running" if we have a descriptor for
+ it claiming to be hibernating, and that descriptor was published
+ more recently than our last contact with the server. Bugfix on
+ 0.2.0.3-alpha; fixes bug 911.
+ - Directory authorities no longer change their opinion of, or vote on,
+ whether a router is Running, unless they have themselves been
+ online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
+ Fixes bug 1023.
+
+ o Minor bugfixes (hidden services):
+ - Log malformed requests for rendezvous descriptors as protocol
+ warnings, not warnings. Also, use a more informative log message
+ in case someone sees it at log level warning without prior
+ info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
+ - Accept hidden service descriptors if we think we might be a hidden
+ service directory, regardless of what our consensus says. This
+ helps robustness, since clients and hidden services can sometimes
+ have a more up-to-date view of the network consensus than we do,
+ and if they think that the directory authorities list us a HSDir,
+ we might actually be one. Related to bug 2732; bugfix on
+ 0.2.0.10-alpha.
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Clients and hidden services now use HSDir-flagged relays for hidden
+ service descriptor downloads and uploads even if the relays have no
+ DirPort set and the client has disabled TunnelDirConns. This will
+ eventually allow us to give the HSDir flag to relays with no
+ DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
+ - Only limit the lengths of single HS descriptors, even when multiple
+ HS descriptors are published to an HSDir relay in a single POST
+ operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
+
+ o Minor bugfixes (controllers):
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Send a SUCCEEDED stream event to the controller when a reverse
+ resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
+ discovered by katmagic.
+ - Remove a trailing asterisk from "exit-policy/default" in the
+ output of the control port command "GETINFO info/names". Bugfix
+ on 0.1.2.5-alpha.
+ - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
+ 2917. Bugfix on 0.1.1.1-alpha.
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - When a controller changes TrackHostExits, remove mappings for
+ hosts that should no longer have their exits tracked. Bugfix on
+ 0.1.0.1-rc.
+ - When a controller changes VirtualAddrNetwork, remove any mappings
+ for hosts that were automapped to the old network. Bugfix on
+ 0.1.1.19-rc.
+ - When a controller changes one of the AutomapHosts* options, remove
+ any mappings for hosts that should no longer be automapped. Bugfix
+ on 0.2.0.1-alpha.
+ - Fix an off-by-one error in calculating some controller command
+ argument lengths. Fortunately, this mistake is harmless since
+ the controller code does redundant NUL termination too. Found by
+ boboper. Bugfix on 0.1.1.1-alpha.
+ - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
+ would return "551 Internal error" rather than "552 Unrecognized key
+ ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
+ - Don't spam the controller with events when we have no file
+ descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
+ for log messages was already solved from bug 748.)
+ - Emit a GUARD DROPPED controller event for a case we missed.
+ - Ensure DNS requests launched by "RESOLVE" commands from the
+ controller respect the __LeaveStreamsUnattached setconf options. The
+ same goes for requests launched via DNSPort or transparent
+ proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
+
+ o Minor bugfixes (config options):
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Change the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2752. Fix by Michael Yakubovich.
+ - Complain if PublishServerDescriptor is given multiple arguments that
+ include 0 or 1. This configuration will be rejected in the future.
+ Bugfix on 0.2.0.1-alpha; closes bug 1107.
+ - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
+ Bugfix on 0.2.0.13-alpha; closes bug 928.
+
+ o Minor bugfixes (log subsystem fixes):
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+ - Be more consistent in our treatment of file system paths. "~" should
+ get expanded to the user's home directory in the Log config option.
+ Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
+ feature for the -f and --DataDirectory options.
+
+ o Minor bugfixes (memory management):
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+ - Save a couple bytes in memory allocation every time we escape
+ certain characters in a string. Patch from Florian Zumbiehl.
+
+ o Minor bugfixes (protocol correctness):
+ - When checking for 1024-bit keys, check for 1024 bits, not 128
+ bytes. This allows Tor to correctly discard keys of length 1017
+ through 1023. Bugfix on 0.0.9pre5.
+ - Require that introduction point keys and onion handshake keys
+ have a public exponent of 65537. Starts to fix bug 3207; bugfix
+ on 0.2.0.10-alpha.
+ - Handle SOCKS messages longer than 128 bytes long correctly, rather
+ than waiting forever for them to finish. Fixes bug 2330; bugfix
+ on 0.2.0.16-alpha. Found by doorss.
+ - Never relay a cell for a circuit we have already destroyed.
+ Between marking a circuit as closeable and finally closing it,
+ it may have been possible for a few queued cells to get relayed,
+ even though they would have been immediately dropped by the next
+ OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
+ - Never queue a cell for a circuit that's already been marked
+ for close.
+ - Fix a spec conformance issue: the network-status-version token
+ must be the first token in a v3 consensus or vote. Discovered by
+ "parakeep". Bugfix on 0.2.0.3-alpha.
+ - A networkstatus vote must contain exactly one signature. Spec
+ conformance issue. Bugfix on 0.2.0.3-alpha.
+ - When asked about a DNS record type we don't support via a
+ client DNSPort, reply with NOTIMPL rather than an empty
+ reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
+ - Make more fields in the controller protocol case-insensitive, since
+ control-spec.txt said they were.
+
+ o Minor bugfixes (log messages):
+ - Fix a log message that said "bits" while displaying a value in
+ bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
+ 0.2.0.1-alpha.
+ - Downgrade "no current certificates known for authority" message from
+ Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
+ - Correctly describe errors that occur when generating a TLS object.
+ Previously we would attribute them to a failure while generating a
+ TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
+ bug 1994.
+ - Fix an instance where a Tor directory mirror might accidentally
+ log the IP address of a misbehaving Tor client. Bugfix on
+ 0.1.0.1-rc.
+ - Stop logging at severity 'warn' when some other Tor client tries
+ to establish a circuit with us using weak DH keys. It's a protocol
+ violation, but that doesn't mean ordinary users need to hear about
+ it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
+ - If your relay can't keep up with the number of incoming create
+ cells, it would log one warning per failure into your logs. Limit
+ warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
+
+ o Minor bugfixes (build fixes):
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Fix warnings that newer versions of autoconf produce during
+ ./autogen.sh. These warnings appear to be harmless in our case,
+ but they were extremely verbose. Fixes bug 2020.
+ - Squash a compile warning on OpenBSD. Reported by Tas; fixes
+ bug 1848.
+
+ o Minor bugfixes (portability):
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - Use a wide type to hold sockets when built for 64-bit Windows.
+ Fixes bug 3270.
+ - Fix an issue that prevented static linking of libevent on
+ some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
+ where we introduced the "--with-static-libevent" configure option.
+ - Fix a bug with our locking implementation on Windows that couldn't
+ correctly detect when a file was already locked. Fixes bug 2504,
+ bugfix on 0.2.1.6-alpha.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled.
+ - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
+ Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
+ "piebeer".
+
+ o Minor bugfixes (code correctness):
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Make connection_printf_to_buf()'s behaviour sane.
Its callers
+ expect it to emit a CRLF iff the format string ends with CRLF;
+ it actually emitted a CRLF iff (a) the format string ended with
+ CRLF or (b) the resulting string was over 1023 characters long or
+ (c) the format string did not end with CRLF *and* the resulting
+ string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
+ fixes part of bug 3407.
+ - Make send_control_event_impl()'s behaviour sane. Its callers
+ expect it to always emit a CRLF at the end of the string; it
+ might have emitted extra control characters as well. Bugfix on
+ 0.1.1.9-alpha; fixes another part of bug 3407.
+ - Make crypto_rand_int() check the value of its input correctly.
+ Previously, it accepted values up to UINT_MAX, but could return a
+ negative number if given a value above INT_MAX+1. Found by George
+ Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
+ - Fix a potential null-pointer dereference while computing a
+ consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ clang's analyzer.
+ - If we fail to compute the identity digest of a v3 legacy keypair,
+ warn, and don't use a buffer-full of junk instead. Bugfix on
+ 0.2.1.1-alpha; fixes bug 3106.
+ - Resolve an untriggerable issue in smartlist_string_num_isin(),
+ where if the function had ever in the future been used to check
+ for the presence of a too-large number, it would have given an
+ incorrect result. (Fortunately, we only used it for 16-bit
+ values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
+ - Be more careful about reporting the correct error from a failed
+ connect() system call. Under some circumstances, it was possible to
+ look at an incorrect value for errno when sending the end reason.
+ Bugfix on 0.1.0.1-rc.
+ - Correctly handle an "impossible" overflow cases in connection byte
+ counting, where we write or read more than 4GB on an edge connection
+ in a single second. Bugfix on 0.1.2.8-beta.
+ - Avoid a double mark-for-free warning when failing to attach a
+ transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
+ bug 2279.
+ - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
+ found by "cypherpunks". This bug was introduced before the first
+ Tor release, in svn commit r110.
+ - Fix a bug in bandwidth history state parsing that could have been
+ triggered if a future version of Tor ever changed the timing
+ granularity at which bandwidth history is measured. Bugfix on
+ Tor 0.1.1.11-alpha.
+ - Add assertions to check for overflow in arguments to
+ base32_encode() and base32_decode(); fix a signed-unsigned
+ comparison there too. These bugs are not actually reachable in Tor,
+ but it's good to prevent future errors too. Found by doorss.
+ - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
+ "memcpyfail".
+ - Set target port in get_interface_address6() correctly. Bugfix
+ on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
+ - Fix an impossible-to-actually-trigger buffer overflow in relay
+ descriptor generation. Bugfix on 0.1.0.15.
+ - Fix numerous small code-flaws found by Coverity Scan Rung 3.
+
+ o Minor bugfixes (code improvements):
+ - After we free an internal connection structure, overwrite it
+ with a different memory value than we use for overwriting a freed
+ internal circuit structure. Should help with debugging. Suggested
+ by bug 1055.
+ - If OpenSSL fails to make a duplicate of a private or public key, log
+ an error message and try to exit cleanly. May help with debugging
+ if bug 1209 ever remanifests.
+ - Some options used different conventions for uppercasing of acronyms
+ when comparing manpage and source. Fix those in favor of the
+ manpage, as it makes sense to capitalize acronyms.
+ - Take a first step towards making or.h smaller by splitting out
+ function definitions for all source files in src/or/. Leave
+ structures and defines in or.h for now.
+ - Remove a few dead assignments during router parsing. Found by
+ coverity.
+ - Don't use 1-bit wide signed bit fields. Found by coverity.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - The memarea code now uses a sentinel value at the end of each area
+ to make sure nothing writes beyond the end of an area. This might
+ help debug some conceivable causes of bug 930.
+ - Always treat failure to allocate an RSA key as an unrecoverable
+ allocation error.
+ - Add some more defensive programming for architectures that can't
+ handle unaligned integer accesses. We don't know of any actual bugs
+ right now, but that's the best time to fix them. Fixes bug 1943.
+
+ o Minor bugfixes (misc):
+ - Fix a rare bug in rend_fn unit tests: we would fail a test when
+ a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
+ on 0.2.0.10-alpha; fixes bug 1808.
+ - Where available, use Libevent 2.0's periodic timers so that our
+ once-per-second cleanup code gets called even more closely to
+ once per second than it would otherwise. Fixes bug 943.
+ - Ignore OutboundBindAddress when connecting to localhost.
+ Connections to localhost need to come _from_ localhost, or else
+ local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
+ refuse to listen.
+ - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
+ too.
+ - If any of the v3 certs we download are unparseable, we should
+ actually notice the failure so we don't retry indefinitely. Bugfix
+ on 0.2.0.x; reported by "rotator".
+ - When Tor fails to parse a descriptor of any kind, dump it to disk.
+ Might help diagnosing bug 1051.
+ - Make our 'torify' script more portable; if we have only one of
+ 'torsocks' or 'tsocks' installed, don't complain to the user;
+ and explain our warning about tsocks better.
+ - Fix some urls in the exit notice file and make it XHTML1.1 strict
+ compliant. Based on a patch from Christian Kujau.
+
+ o Documentation changes:
+ - Modernize the doxygen configuration file slightly. Fixes bug 2707.
+ - Resolve all doxygen warnings except those for missing documentation.
+ Fixes bug 2705.
+ - Add doxygen documentation for more functions, fields, and types.
+ - Convert the HACKING file to asciidoc, and add a few new sections
+ to it, explaining how we use Git, how we make changelogs, and
+ what should go in a patch.
+ - Document the default socks host and port (127.0.0.1:9050) for
+ tor-resolve.
+ - Removed some unnecessary files from the source distribution. The
+ AUTHORS file has now been merged into the people page on the
+ website. The roadmaps and design doc can now be found in the
+ projects directory in svn.
+
+ o Deprecated and removed features (config):
+ - Remove the torrc.complete file. It hasn't been kept up to date
+ and users will have better luck checking out the manpage.
+ - Remove the HSAuthorityRecordStats option that version 0 hidden
+ service authorities could use to track statistics of overall v0
+ hidden service usage.
+ - Remove the obsolete "NoPublish" option; it has been flagged
+ as obsolete and has produced a warning since 0.1.1.18-rc.
+ - Caches no longer download and serve v2 networkstatus documents
+ unless FetchV2Networkstatus flag is set: these documents haven't
+ haven't been used by clients or relays since 0.2.0.x. Resolves
+ bug 3022.
+
+ o Deprecated and removed features (controller):
+ - The controller no longer accepts the old obsolete "addr-mappings/"
+ or "unregistered-servers-" GETINFO values.
+ - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
+ always on; using them is necessary for correct forward-compatible
+ controllers.
+
+ o Deprecated and removed features (misc):
+ - Hidden services no longer publish version 0 descriptors, and clients
+ do not request or use version 0 descriptors. However, the old hidden
+ service authorities still accept and serve version 0 descriptors
+ when contacted by older hidden services/clients.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Remove everything related to building the expert bundle for OS X.
+ It has confused many users, doesn't work right on OS X 10.6,
+ and is hard to get rid of once installed. Resolves bug 1274.
+ - Remove support for .noconnect style addresses. Nobody was using
+ them, and they provided another avenue for detecting Tor users
+ via application-level web tricks.
+ - When we fixed bug 1038 we had to put in a restriction not to send
+ RELAY_EARLY cells on rend circuits. This was necessary as long
+ as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
+ active. Now remove this obsolete check. Resolves bug 2081.
+ - Remove workaround code to handle directory responses from servers
+ that had bug 539 (they would send HTTP status 503 responses _and_
+ send a body too). Since only server versions before
+ 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
+ keep the workaround in place.
+ - Remove the old 'fuzzy time' logic. It was supposed to be used for
+ handling calculations where we have a known amount of clock skew and
+ an allowed amount of unknown skew. But we only used it in three
+ places, and we never adjusted the known/unknown skew values. This is
+ still something we might want to do someday, but if we do, we'll
+ want to do it differently.
+ - Remove the "--enable-iphone" option to ./configure. According to
+ reports from Marco Bonetti, Tor builds fine without any special
+ tweaking on recent iPhone SDK versions.
+
+-------------------------------------------------------------------
+Mon Feb 28 21:29:12 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstram 0.2.1.30
+
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line.
This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+-------------------------------------------------------------------
+Wed Feb 16 21:13:00 UTC 2011 - andreas.stieger@gmx.de
+
+- fix bug #671821 - /var/run/tor might not exist
+
+-------------------------------------------------------------------
+Mon Jan 17 19:47:20 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.29
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+-------------------------------------------------------------------
+Mon Dec 20 21:24:19 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.28
+ - Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ - Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ - Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+-------------------------------------------------------------------
+Fri Nov 26 17:12:40 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.27
+
+-------------------------------------------------------------------
+Fri Aug 6 03:53:35 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- %ghost the pid file so /var/run can be mounted tmpfs
+- require logrotate
+
+-------------------------------------------------------------------
+Sat May 29 17:50:51 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.26
+
+-------------------------------------------------------------------
+Sun Mar 28 17:00:30 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.25
+
+-------------------------------------------------------------------
+Mon Mar 1 20:49:13 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.24)
+
+-------------------------------------------------------------------
+Fri Jan 29 13:34:55 UTC 2010 - puzel@novell.com
+
+- remove debug_package macro to make it build
+
+-------------------------------------------------------------------
+Sun Jan 24 22:21:51
UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.22)
+
diff --git a/tor.keyring b/tor.keyring
new file mode 100644
index 0000000..581cf6d
--- /dev/null
+++ b/tor.keyring
@@ -0,0 +1,686 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh +As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs +Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS +wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX +gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut +vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG +w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO +1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 +eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu +wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj +h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 +eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b 
+eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa +RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 +D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA +gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 +AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 +AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl +ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc +6SM3xZaaxQI= +=GZkh +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBFfinwwBEADNzG/Q6YTrH7oSfUERhopwCWWn/gsprtnUFK+O4enXPXQlisGt +OVNbc5GWoZibNPowjORN+kADB+ce+VBmVeh+4ZeJDjpsc+WXuVajDc0wNwG3I36m +8uNRPLMftBcxS1zUsMpwaqff5sDoqlBTwrvfLpHT0W1ecJX8Ew10zim58DzwQisR +Uv1rsGiyH/dFzs8m3jPdNjDZyyzGQK62hwp6Y/m11PiMYgGrvAa1ofjfkGRVxUgo +UUG8JG/AhGvMnHJjV923A7I8MspOm4H76wlEQLesPHJ5WPSBXTZ5jVgdWdp50fPR +JZOUT6gwkYF59SeZOcSFecdyuSb0W68/klD5PX0G8qQ5ko9beNm7Rs2aJKvY1MHU +n5rb00aulQFaYLFJ7LOTDqYDUkKYp7n4hw1X1yXO1MUYyk9J9WNO/Uo2psKXcBsd +ZjdEWj1dWHOhwswygndL7RxK/17psmod055S0uYkjA74J2eRSmPZ7ErIfUh85rQw +DZyYKh7B6AGjcpA1YyrAh6BgyJncP9x21dmip0ENrfg5rpcfHpTrOF8To8fpo4/y +vUL8kCxCCPJtkJiuXkGhV3oZsj2tWGvAclYqO7xe84vks+GgjG9Ydfga8JrvPMDz +YLX7aTDnZRiU2Z+FvtABMjmmPjAHj3hMx/o25Na4bQ7wBAPEUiESsnh1HwARAQAB +zSNOaWNrIE1hdGhld3NvbiA8bmlja21AYWx1bS5taXQuZWR1PsLBgQQTAQgAKwIb +AQIeAQIXgAIZAQULCQgHAgYVCgkICwIFFgMCAQAFAl97G2UFCRD+fdkACgkQ/kMA +nEYHsfsg8g//ToPK4HDWDmHOLcFKi2v33Q/aTA5TsfQb1pwHvAUepABf+bjwqu5o +/2K3HFqhn7HVl7vgpqFcAjf1u9H7Jh+R7buawoWQIxi5cWW0GIuX9gutzgVyP/36 +y6rrQnZwcY+vIvi7fmRx0VVd+bZMOsd5/XJQ2wkLDw/6ppRWIPY5Pg97M3+CD26r +MonWcghRkCO9g0PwAxmqYHZCxcJp5aEURLOzh8NtDllxsoaZK4H974tWtWk04BWH +koApQPFg0YYn3cTftAIanmgtuKARW5nAIzPnCS2576DjKyUbAis19nYRgv+CtMZQ +ohkyNEeDowf7UgFTI+AkbUBjxwKP71U7ZW+qynRYT125jTtTGOOkX5BQjx2Qg/sO 
+Vs7Ukyezw1GFWmka4ijpHRssvEdK1mKZLqH8OsMG6XE1xIDOIRnsNJzR0c4u3IGO +C3+TAQaokn1E45CcFwb39n6keFLVEIa+XnYDil5QC6w+16TMvK38q6dS5QnE04OS +errSuYfX4IFslhkaLXd7uAAb7qrSQzD//jmmiKjgyFuRnSHO/nlv7fsvpCtFNNX5 +stthayhtmKxvBSlyTgArcNiP0oQKVE3LO8y2qARGY1eOBMMC0ml0W053A/cfQOAa ++2UqQlvCQf/Qben24Bh4tKyW6The2k4aNSIN9tyIUAIASfgOtoye6J/CwYEEEwEI +ACsCGwECHgECF4ACGQEFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5ngBQkHf2HUAAoJ +EP5DAJxGB7H7XPMQAJ6EXm4DaB1IlCrH+5U+QYXwwrKiBR+mHPBWuiEBSUbY4nOY +V+jK0647jljluyPXL7EUHli5RqajCvqZPfheAuRxNLlyznhJeLjdt/qBbTEgtOvo +QwsmmDwEogiStE/FrNypgGCqH6NLAEvHANn9UBDRsi/J6ccPDieIuxlQa5ksQCsR +zXTp19+39XWkeStIaaHx0w/x78IyAQHFZlxDI88/ZmUXfI2FWkOnp5dWcJhYJPGf +/E4n/aBbKZ6cB5OxEAX3uAt2fz625RuoFR9R03BjW1L8RJwKEa5fiBf8sG69dxmn +RWqebG5H4MhCemG9Pv1CGqK/bAiyIK6j2Dpj7K7F6j/0CePr7K0MrGjHOvT01bnt +ZI0jnNWGWS9M18M3mfdHM4Lof8kA8S/KIJ6gFAi0N5W8OVtzUx20IA1G2cRcrTYc +zyOpENDKOz26CRIi8SyJWmfR8N0HE5YlouT+xL09Vyo4i2Jck12t59DnKvCnsNLM +XuudDOALTGqyzK2t7njMblLWq/xL0A3DmcI4auX2OuxTyVm5UJkUk+2UT2GtzXne +2NIi07k8+5/xP84v/nWiNaaCFuPySfy1xmTYERt3EXgCs5r+qOCl2L4jzfe3EEsJ +NPKy8KWSitUjcc9VoOiZ48LDBEbY8LDDFliYkvwTyHK5fNjqLlNE8Jj4yX49wsGB +BBMBCAArAhsBAh4BAheABQkFo6E9AhkBBQJX5WLXBQsJCAcCBhUKCQgLAgUWAwIB +AAAKCRD+QwCcRgex+87WD/wP/UW4QljFB74PmDKY9c0uXmpbH3M9fyuLxSVofdYP +CU21mwjCwiWLBVhBGiMEJ9KtSQYFcK0mbcWG9dB2vvCyfgvbaGZPs0gczYpSo84V +64a5VX5uDujQQqWgZYVLal462M0A40mMRNxLrOzMMeSxZUtFjsvqygLjpTwuYJWf +dE24A/TAUUEX611eHzniQtRegfTGZwD5A6HA+WmSLRIgcPXfHNTwq75nHhLgFari +qRjzmfJfVkQjHhDC8tBp+NHkUv1b1me6b+POBnwYvOoH+tlKw4HLN5j1eXC/7H8L +xyC6XOQyq4uSMrVXIcLFVo4T6uG+yuboUknV97QogWCKuGUtl8zFF52EfZmUa1jx +kpF9F6OywY0K3tAYc/qXODQuWjmCPl3gk3CPK5B2P7QT6nhc+wCfwLQasMZxJv/m +7s/7jcyyAW2+EUi0Oo1m75XWH9/3s3TbZeFfFT6FsX4obNIWauBwr5cWRaeG0qoA +kIOysY57v9aKzc0bQaqJLspWiWMLs2CWXH4GGZf7glGeVgK/VY7pICGroT5PWhcQ +OmUJ8rx+Sj7fQ5UNtczA9mEFtCuFfZ9IXVs8kOaSTnCtH9NeeEwy/iFB8cgIEysx +T7T1n+IpT3mPjvVTGK1fu/EVhjk5VCgU4B0eCNsL4tSWXy41fRFA0auy/0o99G0T +7cLBfwQTAQgAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJX4qXJBQkF 
+o6E9AAoJEP5DAJxGB7H7TnAQAJs/XQk5Wx5Db/vMztwR3oRMPvG4NVHnA38fit8g +IWSMsB8AWJyMY1P/cFkJRpnQo/fF83Z/XinP0pKTEQ97+UIqvtndSTLUFacMirGh +yx025aTag+OLhyIe4xq19ZZEy3+YNq9nOGMIivWxGyvWUVjQYVwk2AAtFsC1FZtZ +4pVtte4Yd/Vq4nOTfmO+eejVmCvOHKr3xHET2+psiVS23j3aBJIShikPbmxRg+l+ +VbE7RLjk90Mv3PnGhqVfgnEEoYQZ/kppE7fnFb6pHgP4zBVRCoYVP3qCLv8WzoyZ +s/snYItAgGIHHv6OLDKn5SSSnmJho3+z6/PfCUBbLbz64vF0Itj8+6mwGlenMp2p +tPc8mvkEnvfHa11emmJVnFVJTKY9qkrft/kabb7AezPE7TgFuN0tTfoSsW00qNuL +QiRubdqknQ20C3ILCUiqPef7WajwlkQbe5KJE1f2HK6P3FhcveGkB5eG537/0BO6 +gH/Mv1Czu+sebDOcXwPeNPqNEFAqUmXxh5UFznQqETFej6DPP0HkMUlGnZi3o5g6 +jrUnMnzG6GLBYDmLAm26x1m7YMqLI23bxDLuBjIDZmLmcn2kYA/MbJhbWg9mnmis +0YK/5nXbbsZ8GtNhLP70T/mRW3c3loyTYtX2mtsmaGq64Uw2XlwQEtdZrpiQNnR8 +ExrHzSROaWNrIE1hdGhld3NvbiA8bmlja21AZnJlZWhhdmVuLm5ldD7CwX4EEwEI +ACgCGwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJfextxBQkQ/n3ZAAoJEP5D +AJxGB7H7eBwP/R3OpDnx7JtFOq22z0jcLjPLwmP+QqgOlIvSiqj66SplpEhPHcgf +4DgBu02RwE8ONAMo6McFvUH4tvI2NH3X8WET32APLe8/2cxhtZpH86gdnwTu1xGM +XQxz5sRppIhOtoowGWh+/e/t9owALOm/+IsHnxbX4ddIN6goB/mrlepRVRUODBnE +0K9oZG7VnnrB73Ip0+hqaDVmiGdOn7LSggl7ip7VZ5hUHXwvHg3dUknKapucMXFC +aqdelvYFt3NYQ2ZROAsAVLdi4k2dY9/WGNCgFHbdSGurJ19yGwttv57t+GUsG3OX +HEIMq52dkM4LOnbdVR2miV/jhFQ7J6i+mjZ5tYJiwrX9uFSOSzHbjWVCq5tlj1OH +s18s0zDO523p2YWS2LWaiDpThnRU092iGsNJZHaJmzA0T+7Ti/uaqqY9CjshYSBd +i0XUQ1LowzWDfBsVjV/u+BN80FYoszJzTAmiJW3GOrxbkhdb4nYptPKmY4YSSlLf +fOQ0y9Y+eUYMGe23xhejsYITS6THOunWmb/jlgK12Rd8AyrZVtD64szxAYqSXJ9r +x/k16KIl1z7JzJIRzBIrdHe8HTtuy9zs/oQgICPMrotKF6TCjHkH7prZFcCF09Ij +Rcc8ihpZ/C991HS4X4pN1MdQMuEIWVIAjxKh++gMYYzMjXUqBsjXjuBhwsF+BBMB +CAAoAhsBAh4BAheABQsJCAcCBhUKCQgLAgUWAwIBAAUCW5+Z8AUJB39h1AAKCRD+ +QwCcRgex+8yID/9lIunYmqatd4mTaiaAJIUHMjFh7d7J+3pXwOV2bpg/eBpFlonI +OC/8xnj+2CiKVusjF9WXoakOQUyXizPD7+fnUDzgQjmXxQTO3TCiXhSRdDdrcYcw +Z3Y+0rkK66QOv66S+NQGonG1qOJPjV8XSpLnuWb7bdk5qlaGquJIeoVQQpMZB9qe +0iwxgKeegJuOCRTQnPI7hoCpJX9+PowWR53JMi/Tks76B7XP/KF2TLR226oD3S/t +4Jup7LU5xP/IDCKWf641ZOoNdrCRc84nxeXcChjcX2eGNuBaceplLRQD3+ONZ9QE 
+HuQkbLfCQzs/NQTXxrB5NwBaBblJkNEY1i7GXeURGFE4ChD5eb6ba7m/uE7UOZ+F +wB0OpgUHIRlHrD/maVsd17mIsNo6WNRypXuzAlNNOVFgtnwVOpfm/OURzkLXeFjx +An4mJ/ca9SBYxtj9EYSp4OM1FjLNbm95Z1cQ7nxwQA98ZEa1yAr/TY6Z1Zpe8nHy +evsBLBWNPObW7nUjmfvIYzP7/xJTimwkagLGgSi+0R01HlHk1TlIYd5KyOFdXLui +4eEK5WFppqSCq4U2j8vaRwNKfUFryYOihBvpcZblRSl6+kuatcYF+m6tUQ0Pi5p5 +jO/nORRm9a8ertRSaxshcsavjrXpe7ZJ+yCCIe15MHVBSA/g687Wo8qJFMLBfgQT +AQgAKAIbAQUJBaOhPQIeAQIXgAUCV+Vi4QULCQgHAgYVCgkICwIFFgMCAQAACgkQ +/kMAnEYHsftQVBAAvOPy7R+ucWt6SSg3bw7CUtJozxujfNKpIb9xWJ6rhNWCPbyk +kAyWnHuWLxaRiADX+aTBLoGgNNJHBc5rYgcXgFaE26O2/QEEXV/0vJrPcmzR1t6M +0f4J9BTmoc+zLcgIYwPJl5HfyTPy+zZ/zorJ2CP5h6oaCYioyXVOEIhtO9pX/xRy +DI9CtFV0CuYrisPTr9CU09zwa4DQSvXcWSL1xyvijuMKE2tDvoYectdD+z7hZZAW +R7x7VktlS4WnbbTOMtrQ/EEQljLeoLz8gm0wwvSkRBnA01sBhFp+MWaw0slPBrBu +Nkmm3MygWDK+IU+JHTFr2E+6tSnEnAkZmQgLG3S+D8wUo3fY4iUnE0vxP4wvcx7f +/1ckzUsnOE1n4zOQTGefA89tFKOza8BG5/1BVhIUVztfXkKdeES9d4ynh6EKHOD1 +5a296IU7BKf1dAJgOchgktwKWbRQ8mKKpyExCYygno1EqBw1Wvv5UIvewPodAEJl +1zPHt4XKR/+bVhJQGeDsBoc3+tzqcDxyUOv22Euf85yvVhq9DXIAUQ8STY2xh/7S +YGIwf3WZp/3ry6HR40+LmUe6KXAAQSQQXOAZPAgC87j2mzMDTeQZ7bJ9wBQ6j7QR +/ebzs/6cHKeroNEbcoW6QhOwSnX01CU0REQdq9tCwYOcQ5lmjt8zNv6cB/XCwX8E +EwEIACkFAlfiphkCGwEFCQWjoT0HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRD+QwCcRgex+xRCEACwAh/qUAj3EYe1XvMU+whr2h9HyW7qeIqHDqQc/LEt5UeI +XSqfoJV23nQSu3C3MT0mJR4UF2C0qOGOLNZVpsxOIE/dDpg0/8xABCNCrxJF3y+2 +DTUoVtujoftAYCP19MaIml05C+LDeoM1d4CmDbokYtm/KBbLnyc82nYaQHrlljRT +8mLAEia8ye9IR16gTPn3PGT5dn+0yWiZ+95BIKhJdVKCY4wMr46RiEi81+3LWDBl +Ariv+Ojg6hCoQPwC4kUR1tisxyWo4mnaOEkHM2fnFWcqxXqK3NHhHUk56A9EbfOw +4mxbntg4I9d9UuW+B8N/Po5y10RExGqyOQWxeGOpPQrJsb77iHA/3I94/0o3yVuR +PDMSftTVWgiaHqSJ212hITMZZU7eYuxbnOFd2dIgzU2Nt1a/h9putFoJOj37Rz3Y +5blIX36DChBOtwHwChYx39V0OETRnX7036RfkRK1+4DX6Ipz/e2dXmzrsReUbvys +vxPz11NVefjic11EINm737K5iamul3VO0MNZb2+PQDJsG33eF7EYhKIJdFrldaWP +A6Qz7ER/CnEPHMwGS/ccVzcH8KOa6VymZhUMjsyd7BHoMtiNZGZM45d3AjgANEOm +7XM/CQ7IA8ODo2h5eGRQBoYDEPPqE0jBuTtNi+5E/6sD8oxRKbc0EnblVFhD/M0l 
+TmljayBNYXRoZXdzb24gPG5pY2ttQHRvcnByb2plY3Qub3JnPsLBfgQTAQgAKAIb +AQIeAQIXgAULCQgHAgYVCgkICwIFFgMCAQAFAl97G3AFCRD+fdkACgkQ/kMAnEYH +sfshpw//eju0iMvlXvsTbib8b4Y2Q84m5TBPEmkKh94hi2KQA27b89WhGRG2gFFz +E7PsrtM0RbV9IvG2KHMvUK7zQsHqW9ang6UHeCBNpxWYMkzjH+nI8tyE0fMYaVpN +TlcC1/daZ15BDddwLPMayxq9fofpzP54t3Oehw3lg4oUMKkx4QSaDaK6x/v5yrc2 +QTYXxtJsojP2/RsQh9mGzoDESAvSbgj8oFjllcrTk8rEFkioiCLy/6DJ1uQ0xmuc +V1bfok3cU4C3PvfuqTJIP4VRhxt4+AH98FNfx+20DAjW/o8/rcZwmFdtbewAqLmk +ADMflmGQ9+oal6vn+b/TUbn1zuuuw2jOyqvVL0Bxg9KSDzPU5TrLIU5eAMwRwCSA +eIsRrHGUdx/HCJYG0MnvdhpoHSZMNsdFCeVmlOCfYN4jJy3iAOI9PUJn+R/MF606 +S89Mkwf0tRElY1b9wSUlIcp9OKzP7g732sB1KfHeI9W7LXRsXqTRca1pbCvc1Fda +JQCfFGXguLEZpMthG2xfkPal0LhqZ1riZOysisoPYCZCXG1Aq7FNrLdRrIqeqSdU +xkwFSTI+MCJwvdMUNnpZx5tQDI4kwQcWOINehkaAJgaJQJmhJpJCav2HzzNV6Ynv +/xN4I8e+euvWm8ipJigIHJF4CyVo1FVruiTtwvNdCJmzS8kgxDDCwX4EEwEIACgC +GwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5nwBQkHf2HUAAoJEP5DAJxG +B7H7jjEP/0PVTL9eI1otZ9EGV4Wxv6fcX7gXJO1VZsRFWosae1neZjIjQ91dCzIk ++m+EnW7uNzubhxE6T3orMiITzM+UmQJE26+bOWT1cbKYkAUyjSck1S2DOITRP4iS +pu9DCM6XtU0kuClpKY6NmOYJaqPwfVTOah8IFKh6sWIJtzhiQf3s+hufOD+wWS7f +PIdo4qOHLggQYhQ8pG2PsiqJjSArpCqzfyG4SMMqOlDFgFxkx127qAqje3QlAu38 +gji5j3UVuBhb5s0eA4+HtVKcUpHWH6JMT8RALWM4eF0t0qUWYk6X63ScXr/J5gv4 +SGcrDv4ksCnE5Cr2gR2SUmYxhPfofBCx+3pPzExpEb4+qSe+S62pf+weKQU8XrAq +tP5LxIh6bG8ugE6Cs+J1kmQPEYjkONT8v3iRT0SfkNWRhyrYlQFPYA1F2E47FRpE +jdDnzIsez+HLDysmtdXsB0p/+1rDrriY8yJttXE9U8BSgTpukYifY+5c2c4vQWit +NlJyAY9sTPX1+KqnvMztYNZyFdcJifiY6tY990o3pabAlcwOgrayMFSMd/JrtEyD +jDk5M9dK1G9p0N9bkf92FfOP3SBo+9ScmF5A68jyFHrLQ8AXSuQF02s8WhNymgmV +Y1VugS6MsL+RGh8gTxCxaCBvExiMilmJPtrVTg4N7IzQYnYMeOidwsF+BBMBCAAo +AhsBBQkFo6E9Ah4BAheABQJX5WLhBQsJCAcCBhUKCQgLAgUWAwIBAAAKCRD+QwCc +Rgex+zFTEAC1GgGgpEJ4SFyREO4We3sgLadFJH5W0+f2xgYZKJsJHF6VgKcOcLYS ++xnb4T/XPSjoXgfTATj3lTKLJ5vwurx3LLjsUBYNE9kZOxd1dEUTMu2sN7ACd1s5 +dlasztgChRLO0K1GD2/dJcfvFF6xC6OJ7VtLuqp8Rlooui3/wRA6RLvk5hkFDjje +l/t2UHa9inYq96d7YpSlEF2It6p44kp73g+57ZaGwTHDlMvxpj1RZLCQ0ijEnajz 
+BxlDLJ6jRkYcRtG0enhQvvPYii3rXhKo5hK/XuBtNDysTR0ZXdPQMbHtsve4dxXC +Lg/0/Gm78tA27XVJIo6zgR7/qPJ8Is7/7wTNlh9VXnp0NE3SjKtIOxMdTJyoxVgy +06WJ41x0c6Wtt/AzUEOeMWRa5GLatci+KU8Szhn4Gddi9bdemtLPvzQyH0DFcU+5 +/IV36V/2rbWHr3zyAmM6t41YBzNKJNIVP6EbUiNwnfDUjii7QcphVPuYbk7F3wmB +UunQ6LYcbpYcTEaVMlrjDMwTbJnkDS3YFpn/vncn2GTDsaMUcGAf8REkUs/SB7mW +TTHn4R1/A8Ut6KJkqiMlwtonhyhsDRfkCplYePSs0TUlAopbr+Qm41ZYquw0myTb +3mVp9EgAwR3D9xGvgYkPyUvgCLbla3MxUkUn/16KWY7PzHvFfL/iEMLBfwQTAQgA +KQUCV+KmBwIbAQUJBaOhPQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEP5D +AJxGB7H7xCEQAKH/X147T2z1QX5G4iYh3+LhbtqMVSGt64fhjmmTbX39D46+Aqrp +U9Jc44O6C/Qj3dMsIlGeoiqSyA7y7P1ICK2SW+T61z77VBLY7l6+taR4Tnr4hiNq +9ZSx4MPcgXpIxN60IpMVc7H3maNrX1+3r3B++LvC+kLl24b2jdIcBI+d0nsNDqS9 +m2m+vnLE+Wy6YdaF1TPGIVz9EidX09/kHNPGNp2Dk9S+5AdrQHjfqls/XXPIYWAX +J/A3Fx2lgpAqvRA+YMCD9cesPMf7IWCs19P/75venoT0clE1Lo3ghvigjMDaC18A +VK6GL3nos+qxl3x0aNNGrNveGMSUfoYE3lzjupTsIEDBwO5Y+uz48IAlPQuFDdwk +3q8FlhaBaTGsJ8z8iA/reeqiFmmH69kOOG8eAoR/UVZaVJU1zd0Zd7NmUADXLRuL +j+SNvf9nq670gZ8Hu6cAF5/9ilBL7bRO9EQ/J+uG1EldRARz4bXc32MEz4K+iLyI +krXVFkU7xOYIVm7EO5mTwkIDmqaOwtzXYVD8LP859a6u1vzkpgcBrNhWZXLcPLs9 +mUp273cByfMV/P78JwhlsdvXXcWd7Us6EfLtM6z8ZrXoVJtf1jG+7OylmttrGZ6X +patCUcnkYXhNZTw527bh+nKLOdGqOPY4Md6KZp9dFxjK+a3RTovA1QQhzSJOaWNr +IE1hdGhld3NvbiA8bmlja21Ad2FuZ2FmdS5uZXQ+wsF+BBMBCAAoAhsBAh4BAheA +BQsJCAcCBhUKCQgLAgUWAwIBAAUCX3sbcAUJEP592QAKCRD+QwCcRgex+1VqD/9Y +ksvGVLhmqk5GGk25NIepvq4upKPEt3oePZK/Bj9xNTMpUvmNa0+n6lERa9/bcdoE +er8PRiTKbOAijR5rgySN2gEpjJSDTcql4q5C5RQoO11OqcC6gEBk93BGZ2Ur2PpN +chxAmNH+hkVsmZVIbCVoYFXz2uNeT/q+0CJPzUGZYA8FadPdUeZ2lwa1lz7I9h2g +NQID+IrqV8MEpgTD207ERjdB0C8zua7J/DbnlfZN4zbjsaL/y8RCJkk3yG1YG2EC +DF5Q8bivkcYlSSTqrMo9WAiJLK7m03qKLfyKH5M9DM1kBCqppYPKEANB44vk++0G +EyYQL2gjICkXO5XrxJAVkBm/RzKVFAMvRx0SBqCG2NiywspTiVrXRGEe+0KQkkHI +8bPPVcrLGHE+x19W6s8YWHTRJj8F1xJOBy37PW+o9OpX5cfmJosNRh4zVZFPnuS+ +ytC1QNL9DxUBxgKy1UCKrlb5WTb6sQh03xDEU25uoOB9UmITk3Wd9MoqR0F59EZ5 +cqN8TKdfSup94mI6ecDRPOw9akZ1LNFpbiJ5E5EAiATCd4SEh5PxBDt7YK6/38Ik 
+4l8IoPinDSyJCVesJNRbWNIdwjpX31pplzK0GDE+1JLfHZJnVVD9X8edQQpwPIeU +bMN1XFd8kQs+xwCg6QQrtjRmLjjNDf/dnbmxSWoo68LBfgQTAQgAKAIbAQIeAQIX +gAULCQgHAgYVCgkICwIFFgMCAQAFAlufmfAFCQd/YdQACgkQ/kMAnEYHsfvYBhAA +xgEY8oNLZhC+0Ent53yUvs/dNN1+YcE/jmBKBflewwxTTSXOkervnMa1QLu4Xegr +/ttlGqjA5EakH5PtrQWfAb3u4B4NBrAGxN/WirL598RwwKEGo4PecNh7ADy40skq +OHNJQbEcaJ8ZAqFF/t+3C6CjVDuO36lHqDXEYytw/2XjY4CBtRF0lyTE5lRyI+DO +cWD9m7M2BZU61Vx/aK5OI5UaCqWtYWXl36gBJdV7APY+MA183Ly9EywCZFPb/il2 +RdmiM19ycENrIuDF1ZAqpFats3hZR4MW8WTS3BTGste/yBjjaS10bp5HiqVlZot3 +TT28OmeWqwjFaXC3mVE943/322Mslz1QFV4e1/S1umqIf0wIVu3jDSKeZ0bagdk5 +SK8yNWhZ2ClbtR2vSPLdA128hjaNfaxDYiXMOLFEy2FvZk3rUtNWbA5Mji2qhiIh +cm2jCkOGg5hKSfA3anEQfKXcEi8OTzEnLmvyEw0MNZgPBUUciJjgis7CWAlTn30c +6plwxJRhBE4tEvY5VzWNOMeTRhx1Sf7qp8vKMc2FnjZJUBI8xFe3vZ1qSFAKfuga ++SJM1+PbxQQM6N2q/hlJALW4WUpjvtvEQsWYYoDbBgWtsTtNaLYbetcS4EaA3lr+ +elwOTLiYcsPNaKD4ZAsDR8qiAzABJ3W5aGEV1VvF+7PCwX4EEwEIACgCGwEFCQWj +oT0CHgECF4AFAlflYuEFCwkIBwIGFQoJCAsCBRYDAgEAAAoJEP5DAJxGB7H7RCoQ +ALDD2Tu7CeSRsGiNRgJE1QNEvvoISDpr2LncgOwumsJg9gvLeOY5fve0AyVbyW/j +KkElOGbfGC5HO3JAX8s+uqJLoEF1TmYr/ldBRFDb9YsyYz2saBlnUWvWwcDI5HCH +fw8BRPw2MhGkB2nt+hQdEteKkaeHIjvkScFzqonsiq2IQknsbhmyDZj9coaxoCK1 +JL2xX8pDl24i8alhgDTu3rQJxppqBBixZ3tSXhsp2WSF2bSrjb97A6XxSfUrVqGs +FWqeCXDE53QSzAEYmFFpuL1kvi1jOXlr9CeTc4XGBP7HttPWU8bgnhA36HzW/MGd +hpJ6L7GVoACKhEsB5GTKEzobwONalHg60ufRNk+dIZMr7C2eEpjBKLYzgevAmbd9 +k0uOicbVqA24cNWjvNzuRxJGxCA9XQSt9FAhpiNcdvoeSXgxc8sZp3+0EUuyjYTn +ahLIk5KjvRRTkILeq1HAffomGvd2PfiT3Iq7vKGHhh5n4cXBMXi5DpAB36hKIC/U +LcGH9khKTlBxfeNntHMm+/mNqwrdKeAfC8MO0rBWXZdWZs4rwElPcoVtVxPY/CCr +J1vJqfnufc0ZUB8WguLoPxqPLC+ja7Pg/ALRQI1cbJnZD5hteAJ/dq2mZ4vS01Py +ztuwCKYTKIdj6yoMgnIYxmh9xty4FSSzodtHM3c0x5sZwsF/BBMBCAApBQJX4qYv +AhsBBQkFo6E9BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/kMAnEYHsfsc +9w//XpLL93sf0hNPz281ql/zSVo8P3oLmYxzmJfiEAMKOLX9UivWD+oJR2iBTo0p +nhuP+/4a0IB08dIvTE0Y3DJNsx738F3CSP7ZHF5EFaIXEcyaCv4lncVELHBMiTCx +mA2Law011830pwug0jOUyv4T9+CElUhm4XT3k0CFxXtOMgQ0KA0IplxszhFOL7Vq 
+T4Qqokgdymjo7mLKLvXqKqs9XbZ9A+RYeKi/HwDqBfzhLC1ur9p5VmcA9PLJvQvY +B4S0RIM0utaVMP5vD6BRpmlQk+WkeJbzbZQFEJKzdOGVdQnSX/Y8qtdGTYwUDq9o +ZCEdrEraP/6uAzCccI6lkGoTSnQ+FUufOV0c6NZvmiaA9GkIwfq+O5M8Vhf67krA +rR8Avw5y8TmEsr9Sg7AgmW8rMDuNFF2ol+D2r5VJZgo48kICo1V6BSDN4pdY4sI1 +xrzha8fkQ2bXUvPDukEHs7JAXToK/f3GwMtwqWzmR5b5EO1Pytx9DK60I0ohjosk +8O/F/9cY+kkEXQ1hyu4FKhLia7HmJbdaKsaQSyqcVBUvkDm3MExl+fSx6S6F07kr +z9k4017irw8kOvpnV33dbXK+gzs7qFYY64Jn6tJMnYxTkyGqHDvPrCFVbUvIBQ5e ++Q/bghHJmzNJO/8ruvi0Enp6pioY/0bzr9TVtWCg0KNZPFnOwU0EV+U4tgEQAJx1 +gKVZwjJoFhF7TJ3VAJJ7JfwkGlxXOF+3TR7hhdmV3WwI019Cx4cUV21P7zVLYqt0 +jb+iPAK3aSFjTrCQZwUgvfM+s+G4byS6i6fbM9X6M8HKGuTqTRIKGaFjZlJ/ubBn +H/CyYpFD33WtEMJv1wBaz4EM3q1ROLsNAujCEzWD8PabG7atQKINnp2zXzpKO1Aw +gLYPJPrbKFJz4usYpdN8ULSnJSzIxqMoiJATRVnilnYCpcJeQnc2V3bH/ftEm2tK +SMRZuRefPggiMZZn5uEmTlBdyHMGFK+huqP51rw1EcvIi8Bxy65YoTjQDvrPuKtA +6pOQNK5XETfzWlnwBa1tG5QxhIg+AqEJFJ9AH1h/jPfy9ZGeE4PW/PJDa8Xnet6u +dhIqcyKrXNlyc+Cu/uLcTS/2LB7BgEouKKwbYpXv0LcZlkkkUb8biFLKW4bIx9+8 +YcZdAWUZQGvB/jOcxq1YR5Ke1jd6efPb7BTTAM/DL2dInwEEJkS5S+ecuuKWHnV+ +0iMzxzUUkCehEQ4apXejTRwbWe+H9eN1a1MKPGgTZrc98hhrVb+hST0Pl12fcY94 +botnk2Va1kzeAURYnlbwWADtbCtNB/inUIjOMxK8F0oIsu/i+lC/q+4x0V0wA5lM +sowWj1Q5A/sh+Mah8/v7Qh2LGkjGOH3xVbE6L76rABEBAAHCwWUEGAEIAA8CGwwF +Al97G8IFCRD75IwACgkQ/kMAnEYHsfs/+g/9HfQdh6DLeYXPUvTDEUYVUHlkZw61 +SjHPQy4SMMBTz7rALeBuxYpR7KTzLaCdtjiHBGGSgsEmQto/GLdT4Vt25zpx2uxK +/tOq041PYRRcZ/aK67M/N2CDmcsCzi9sm6HsOKJkZIwVIiQ10UZ1YT8FEdC8/Kzw +nxgmtG/iG2852dDS7Ar55GIuYjEob6emTbM8Z5L21vPvJRpxuvsqEiMMA/Oyi9jw +xhDVCHL+a7pWSR5hZuyvJE4W5zU3loZrLg7kezzbdhWcEENLPiLdw6mexhUeXgT5 +nnUwcLe6eFc6VHUUO2Q0vXF2mCHdQLOCGpykL0DWxxth07o0OSqTKIAeDwsh5YO3 +dYJ6V5UYVu84xBe5UF5RZ5XDWYyNbifrLiVtb50OBWLekwau/d2VqrlmWJaGrLJ8 +B9mxWN8zcWozZtQNDVSo8GU3L8LYY9Sb2nBxOAXRVCyuPwyeQcHamvuWokaUniav +gEcEEXP2RLlPdJOF6QV0i2mXc5AFq/CfylZOtRZ5WHvASqvtT5rulQ/oZ67v/0WI +LTDYXh34D8ukEU40WNT4cL0XHcXMLhZJ1AQUOn294aG1b2z3N0DrGx5/Mcscz5qT +O2tfvbM16jbttrFfjuGGvuTBnEtSaJMhVVmtdFg9MsMAwHMp8zBE/aSNDF5qmNai 
+o5TEFXO5W+BS3l/CwWUEGAEIAA8CGwwFAlufmjkFCQd8yIMACgkQ/kMAnEYHsfth +VQ//T2F0tYl9k4zW/IOR//GGHVHGuzESjjvyAAisBZZf+4fFCrHGgzb3XGmD96UH +8C6PB9ttSP6knWYJa4ohuX50iJusrvGlyAmOyTYfX4DfXdrPeMtvutSXCk8A0nR3 +lfpeGkhXDCt/MTuhKvQOrqupsbVbzZHOLdlGz+y3k2790dMMEUdCk7EXONfMyaOU +jI233n/MLhMHFVlOjPStU3+552i/yCKFctAwznxjhHO6rQbgJvEwQsXa2c9JnEtK +LSoj1j8IDICo75WWoMgbc9F+eNV1l8cya9FVWcJ4kfI/6adxj4ZKEMMl4FHPb3ct +9aasqll/cTnC2JEcnholP2ZvKa6asaprJb3Se0nesOJcsqwsq4Ylc4vjh5DDMCpU +Hqjgg4MP2u3WuL8nOOKdzgDpYOjitoGi19giFF0QRFDbtqZxo68LF4xo2069HYs6 +R++ZaAvcaKeB8WgM+QRhP/i67vLpYLeIKk4H9wOSKudIg3URCjTMdSPVJjmeJvq4 +ZfMM2In+CkrYGMJMW9Miaj1+KDEHRTGr6vOw8UkUD/x7O2pbFOfIaAPWNCLsJ9qK ++5N0yvY9FzVaKi0UwEc7KP7HA3HFRSM2VZLdVjqOPPIbxvcGNqU1WjpQxKc69ong +VvBF9RLjGsIqXbq3yygz0XosW6VC5mhRuIMcfa5FGltkGDrCwWUEGAEIAA8FAlfl +OLYCGwwFCQPCZwAACgkQ/kMAnEYHsfua7Q//ezGNpIkXijjXeS8HqxvP6yyAxWTD +I2cjynC8xqg170U7lmcYbvWsbAk0ml2TKkjPpORKPa6ywLBAKED6zUraqBEiEehw +aQiaJbPzxd7E9TWkapxXaNLuJnETbjdZgzAVSTcOcylLqeUJrIWfcDc3BVumi/Bu +dyuR2KWi42OwNHLV4L5K3rDng+whzGk49jrf3tpCXy1npBGYRDqgeRzzJnQS5K2f +XnFsBifbRn8PwtLKGGO6RYp7XWZTLP8+ZwfELVTulDox/OV7xSLRZUtF4woQrG+J +S9G2FOh6mES3ihuRUSjBRQZcKf9kEKqqcrpqPwtoPHIrmygz6eDz0Ea5idbFCGCv +AEARwTrmZe5dTzBAB3X/oobyQPex/QOV3OPIPw+HSY/ficyGHimizIB/x0QEN4L7 +GL8DZSLO4m9TEa7+Y4+XIBqa3Y5yXqUy52jCGt5QD7r1mu6fIuxyW2vffOk4H2jI +5SD/I1J3tipNgOFbjx/pQWjk2kZVoLKg60fcL8Q24TSm569vyj2r1+xFkKSWO8pX +1njIExUTePEUcWEcT7AdxrrPAf2WUxYPGGMTRfrcUw4+SKLzDqgFGC4nIi9y1flj +ZXEZBeG80R3GnU3hyeUwwdn344V+rMT/8k3He3nDEL+vIfEeubAV8Jz3hzou4SD1 +o2/lCOmP+XwQDODOwU0EV+U3SwEQAON6g9gDGhFIqHJNGBfkDAd7XzJ/dasMIqji +Orpjgnr90THlM5HXfuaWCVV+Yt1kAsI4woT8w7nAvNs/5v8Bq7aYQgseMMsdlHnN +CczVyoynxAwTJ3tDME53Kz4sLsu5NVCQ9uZ9Z/GcJHA8ARObJ2GROagFExPOIeri +GDyYFWDOgCmIjBz9VUT1PN2DOWpTAPjn30k4ZpWeN/hnf9V+WkOMbUaJFefCsIU5 +ExFhVCZn3J66M+YumclIlnyxEZgLs+xM/El471rX3bHm0z85XOj/wX73zIKpws3p +ucIFNO8PXIFGja5RzQVNM9nhpK6xOvelaHzDsX4sb5ILs2Y4x8bZYnU099sO1VGC +hfn+Y0ZQupdLUPnshi5dXTyzBTiYuBuKPihGUgm/awsMmAdSRB8vqZATDnvayjRw 
+6j0g1AfWDJBPVqUDY5XrztJkWifx6RF3CWCdSmrbcRrVVyoWTBx3alsIvTAUhZKE +4aISvzy5doMRVyMEbhqHEhbfRGt+toNEHmPdxIDLI7V6+CZ1EwwXNQIwK5MNWLrv +1QQexrqzVVdcxuQz/P91gLDxoCoBi8HBGsA/HL+GVd5oW1U1o8U3mm1SvLSeg+MF +WmiSpSOGpS9adKPwRyGy+giGRnCWJH2dcncSfB9S3XOimhqhNy3Eb98ttgl2AgaU +DO8M6Gu/ABEBAAHCw4QEGAEIAA8CGwIFAl97G6cFCRD75dwCKcFdIAQZAQgABgUC +V+U3SwAKCRBq/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzl +sRmE+ST/bOaMpJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/ +yS+8ubp3Nv9HwD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/ +3bsQ6PhflHTFhpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX4 +37h70ne47IkJEO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1 +Nakzq9bnlqnw2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dt +yZxpPn/0jvS8yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8/ +/63ifzOAqKlnxQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuC +mSiJvig03iTsy/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xn +TzJYTy+sUEV56K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYl +cHKAv6ldLCuv8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc9 +0OX47wkQ/kMAnEYHsftCNBAAvHC4X+z1yIZ9d1kiEEbBrfYT6K+E5m8i6trhDJ/M +3BxQPcV5Zl8JqvHfc8eciSnp5aFpbpNpSMNGMWjvqDxYCI8/OkbWuulcXW7zTMaZ +8h+RdRie7havjBGfMrCYBwQX2BHwrXjhobEwnCfOX2VsIt0i/J/xpREQ21KvSvxk +hlWQGa5YXOjUdD951kZuw61HXajDQFsZzpL/RMX/n+qOfj3YUb5J7/55As4Ysett +vAW3tKzosCxCKcKuAJ3Z4frKF0X374FOfUmp/ncKOXtsXcLVYugVhHmuhTwy7wNN +3LCk+43ED3ZgxR0V7sykPUytkLKTECkWsCQohPBN6P5gaV1yY2OnXQGXm6qOy/Wc +uGmRfSG8btsnOSGbpgfHI7TK78ALSkvDr/mgEEsF9kgxaA0sWsUJsWayh/7LK/A3 +qQZp8JVU3wAuKdoatV7t3EznOdeg786ahx5lJ6FjzB290YvgX4Oynpal+agnhfxl +f9YpCZsOh46K6zy9Mr9JtqzNp2IfYGWoEAazsgc+w8RUmToHiz+D7z4IHJdH+iNH +slUfSf1sSAWBEQWxd8I1r+R0zX3Va+Tuk/qJYO05EyLnVbaOAVPjLvP8SNO0Fn0E +oGeAtZ2x6pbCaDWIknjDU6l3cwu+Uns11rSkY2cVV4eKVD2POqLyGejDmKC8fSFc +lLXCw4QEGAEIAA8CGwIFAlufmicFCQd8ydwCKcFdIAQZAQgABgUCV+U3SwAKCRBq +/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzlsRmE+ST/bOaM +pJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/yS+8ubp3Nv9H 
+wD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/3bsQ6PhflHTF +hpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX437h70ne47IkJ +EO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1Nakzq9bnlqnw +2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dtyZxpPn/0jvS8 +yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8//63ifzOAqKln +xQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuCmSiJvig03iTs +y/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xnTzJYTy+sUEV5 +6K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYlcHKAv6ldLCuv +8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc90OX47wkQ/kMA +nEYHsfuDKQ/9Fpoq75+xgkbQno3vLC2aNJqHwk0LzEINgqSNVYPob+/dBf1u3lN5 +HHNKH1opin4EEknRulSWhU3C9oMy4MjN6rFqhS65M2f8jfG3qXHAUKDf4gL3ZHeP +qWEHVkE/Z5X/M3gZA87DgmskLuxWFyWoT7DFWkTb4TtJRdVs3R/zI+g52uM7UUV8 +QjG/ox9w7VdUXIn9Mg5TehBTqZCBsWx2lM1SOzK2R7Ax/IukppOb205RmqOKxZh8 +gj29StTlRoJy0RE6typfSrhyaTithX3gWKfkCm+LGzEwWtZoRstCRmEeD30Glnko +BXFMVKAvEXIGCdVyaugQYVMy5RXlQllg/3Qo2aoKhwCWUjVnJIDT8csrcYKgA+As +R+0RqXCSHDeJWhoeiUOnm/ZGa6g9z5f8t6z67jY/iXXSCw+jv1U9znYj0vuQIBWg +FbFC2C0xI9HBZIUgakeyUxnG3WRkChUV76ZG9EMuTfFaGanWG9MWzb6sX1oWVNru +PEvxdRlFhkr8M98kAQHKcBgVmK1eCwvBt+4DvJxVRCT5DADLL1pM3ZSb5e8ibkOY +a066rFPA6VBNxDkYOYBw2e2itzljh6M+Q9URIocFytK5PQsCxuTHqAK/Y50Oypgf +tw2aq3/J1W+QDO7Xmyu23GJGFZ1oCF0Wm6RlU7d9lHxclFwR2cptw8fCw4QEGAEI +AA8FAlflN0sCGwIFCQPCZwACKQkQ/kMAnEYHsfvBXSAEGQEIAAYFAlflN0sACgkQ +av7m1J6StgH/kBAArl34ZZgE7o1xwuaDKaOk1llKTSZPK9/erHSc5bEZhPkk/2zm +jKSbggrn1F1SbqV+ktF7qFldyssRdm9ESDcwKo4wcONpMnKALwK6/8kvvLm6dzb/ +R8A+1gVhiBj8kuTCw4+Isi/R16J1QObU96UEFwWkncm2IQ5+D3DiP927EOj4X5R0 +xYabkaeAYXHi+sIUFIBqqFxjvXabLwo4gldY6q2TrfWZob1dx8MF+N+4e9J3uOyJ +CRDuDrWH5VuKrj7u+r0fiKQVSJFVVDwkD4qYJxJZRldUp+WYctMRtTWpM6vW55ap +8NsiJdKxW2uudw5taEvayeVkXGcHM9e2ArAlSSzRPlT8PxDfuctXbcmcaT5/9I70 +vMj7YYTsNO+WVXQctpNrr//+XBD0dngPuL2RKZkQ+cj9gfBiqk0/P/+t4n8zgKip +Z8UPNNGUFfXwz/Z3WlxzyQgRydytZ8xKD7XoYBdM+6wq3fjPXaBrgpkoib4oNN4k +7Mv3FSkxfgZzgg5HOZDJVPMzLDpo4s2N5OlVKuK1vbB+9FuZSwPsZ08yWE8vrFBF 
+eeiuG6hX/018pu5lVvcWN9wYRUdj+LbyPVV3ffZT3W7yVioPXiZGJXBygL+pXSwr +r/M93+DhunnGY2SNba+vepVDDdyRXjCVMxyXv+1FctmPgMUdEl2HPdDl+O+waxAA +g7ZuiuuRAi70Q6aZFLlG259cyCmTmgwsbUAjFKtqTP5g9URgh1A0JZfS5/MYschS +fj8qBYsdChdP9VX/d0U9/LCc4sXL24XLnpTw7C9MeelndtXdxBxnPLUTby3ZQ19h +ZPc3l4XC52ej35iTG/lr2jQcBHI05fwBiUCuWn7hGiKk2TfUtUpFkcvXObrB2/CC +28Mg1d3NpYu79OY6raQoUGe34aVDdjbTDnx1nxARBfhJwfceid+j/Z6V3JKO0C1T +vKgJvBhc84kRKGT5/PVJR4dnXsYzdgWTDXVw2CUHKVS4taHoBuUAoTGOeu7M0WU1 +yMoYWsRQ2auMjxwP4w9sc7hTJt+Oj6o5vW1sBB47PHnl3lDWLt/iG+QL94N3aZXZ +1b4yeTzHi+AZYR9hs3kFpL9dq0WgS72j2BmcSkHdgdXRv5offNHyFNEMjxqB2+w1 +32xMCtNT4zWah0VJOsfFiAYPUZhDgCY155ULwJXJ+PTHyv2O983xJVmZhsRU+/Z5 +MoDtXDDeuCfL31nnKt42sRa1Ce+tHjJEoukT3Ng7GjV1lyuwZ3YX1UpN9BcM8aWr +KRUP30TqqjdlZLIMGoVv/z9rxYlSsLbn+P7nqaX8Vq8ZeoEh8iaQa+IB7NgXvoIg +cP4OP2yasPh/GwyuLN/DcnsMJjv+76tjXryzEH0ffZY= +=GKc2 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36 +Comment: David Goulet +Comment: David Goulet +Comment: David Goulet + +xsBNBE3KySMBCADOeaVfjDRP3kb2YaDyZbEjPKXkIJivkBbEt9E5abcuipmIA8o6 +W+eYbnRDUZr0u/a6NjEhG35yNFRWpFpi4Gby9+0xjNvGjFj+hTjROFsph3ljGFKp +yYfJQejlFEjlub/7ehNdVrwJz5WnIpNz1UnoC7/rry6HzBtKIcXbEpLTnGAoqAmY +d78cv5h+9B5WzN48/63qIns5ZkzAZIQio3Y+n8B80NXDOiTh+9cFPfAk4xBVPIYk +8dDpCGeHA8E7htJsAkgn4A3wsxEwwKVf4AD5+E622BWYabFyCWetpNIBDsRAm2Di +s7LtxC7SRWd/e/91axtQ5u1bHFliVkRRbn9VABEBAAHNIERhdmlkIEdvdWxldCA8 +ZGdvdWxldEBldjBrZS5uZXQ+wsCTBBMBCAA9AhsDAh4BAheABAsECQoEFQgJCgMW +AQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6Goq +EfSNNiH0CACJCNbyooaIGDEJ6sNkwrwh9DZZFs+qyafJqz7KXd3d2MXcnlgAw6O2 +DYCAy6hlKNaANWQSFeYTjsoIWf7wC8fFnaWJscPx6+ZE8beUlQMiyzk0KQg8ie7x +Bfnl9Lmh4cnH+4b5A+A3GO8JrWf+gNAi182WJzq62SX7gK7EUT3H9oS3FSbhwYLS +Yf7WQMWpWJ6dS7PbUr78J8XiJDvm6GvEMMC34/aZTeRdhntNOu1B2tybA4BwxbuI +KMa8nneqd/lgXXTA3nFRbO6V/PiFcjoABNEUgqTDpgKypcl9GZ15D/sINX6wuIFf +519Qq1PWtmBZ9xPNHyzXt3wfA/88ticywsCTBBMBCAA9AhsDAh4BAheABAsECQoE 
+FQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG92uQUJFIXhFgAK +CRBC6GoqEfSNNqLIB/9tFtZYDxWmpCBgokXkrJbTEhnYnxGJ+PzvFdswy+vPaf1+ +JsEnzqZS72bZYRfFyJXs5H3Q5pyIEt+/AIGJmafWXJNBkDiyx1+ZsXyqLlbXfWer +rzEIX6r2sPytAZ6OWDzbMnOlodEmJXVIWfVubXlkiSKFRQbORsqVzThcQ99yUGxD +8kGYGvWtTwZCJ3YgHHYecAOzwIEAKQjP7FnGqkFiV0aknJ1s7bHpU4MCu5nC53hw +oBWXtrNQD5h9woQCUco3yz/17tIPsbsLnlOIsywpy2WtQMUMr5UdEvkYFcVbYMQv +x0ZlebtPQ0P9n6lq/cna3kuDA7DshqIrRGIZDgzlwsCTBBMBCAA9AhsDAh4BAheA +BAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJ +EsGSKwAKCRBC6GoqEfSNNkARB/wMw153/mlVTcDFokfxlDtEuzDKx6GO3DMMJE3s +sPk81OtfT6gQsfdzI092AbAjzurNwGuEj52xJhJeQ0JnVn+YhsCohuQvmIRNBzDt +sK3U/93VNWMdSEIPFQZ4B589sZ2qtjpnHK1gEVqw+jImypYRP7FrQ7zWi6DEkC7T +uLTAToTRBeXKWoMAiT9F+kEmH45chYll+450/mSWdoyK3vAUw4GSFOeX2AoG5ka/ +2eLtuzTb3gWZriAkYAtmdgLFVeKjkCy9mQ2G6mSRvBfkJcWT8V3Mp2IkDl4PzeOi +SFUrm60ZuoR1pi+F6KE2IorFtKv272GNc4ys2HeqRqBpqIZHwsCTBBMBCAA9AhsD +Ah4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUC +XMnawwUJEOBFIAAKCRBC6GoqEfSNNpeMB/9zAaVEcZPk+emYqeSDjaOnANAJLBYs +LCCfB23rdQkcfNzYbtsOvvRehxB1Mg9PNN4e3K/l6ZMFCauBGt6jOWiMkojAdDMS +p7vOXwrhQ66whpJjn6pIOjv2p/Z9VME1/e039z6DDCH/Oy/G8pEldIQZkzzP9YgL +ytoMBjEs6bFt7zDS5G90HHkugCUVK9WNLMKhrCbgLa0QVNTeHHFffJWo5jhCkZJ4 +Dw8x8ukbOIzsNWGYtUT1vdKTZCDYASaWEC+2duxJiWL5qcR7m7oGb2Ohcvq432Hl +c4gBVS/HCLmSw9Vn7s7C8aJicUn6e4RQhSXajYeyU9MZfoz+7ecaCTogwsCTBBMB +CAA9AhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNgUCWuifjQUJDv8J6gAKCRBC6GoqEfSNNsvsCADILBT0LK0qjHxjM0YU+AK8 +OEcp1xaf32jPOyE3eZyro5QgVqAmsUM59Vk3R+cgrcfdwEOB78j6H1qJerCIA9he +RFpyLglJqmTFWdFMnYlAg9IInyIgPko6fK8X3E2DktyXNhUsfLWrKktjxNwU4tC5 +IIDboLDI6BjNMVtgcMyJRq1AB2iFBNydR1GQr8waF0ODaZLWeSB+QAkWCwLjIxLh +4mT22TVyGNFXhE988caesVlmDGgSiOviAZC3uCH0HI9aNAraE9hWUVkIp0nQEX1H +28if19LLlEfj6zJJVn1PhW0bggq5UQDEto+MIuq8YAuxvour3H9B6EESlJ3ncnyf +wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNvT2B/0fsSkMvEIF60Tg 
+lEQC4Qs9MYAtBMyf9F1nF+UxIipPpSfobbjIcImbPzcmrAAlege5u0/oTSpYP4r3 +EVMoN2VOyy2afxLiOyPCHporyOzW0KUoi+rEq84FrxwtBL6mPjeEnzuYTRfG+DSJ +eo2uDOS/q28+MwPCJ7ZiLKH9zEODbqS7rUGVijakHShYszStYNSLV50835OfZ4vX +2Uawf3FP65UUKjbY9tbTeljjWXME7ZOkx3b2zEm9Ngbshsy9U2YWkjAYOXtAMA3k +EWPwP/zQBNtK7BHwjZ74uXBo06X+LmakMYZNL8sRjlL0O3FkMKuMKt+axsRs4SCZ +aJYkPw25wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlcw7j4F +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNieACACCAn02 +e6w3AHy6npq89Yce5UuT2GSkjQwCYYUQpO+PsGPzM/RfPd6s3XquvDqC9+v1NvuT +T5ziI7HtfGZ1II3h6AsCMngZgYRN6T3lUoUKPS1lDYBtFS59iat6aFW4cVLUJSK2 +wQpP2yefcRAmxxPXfP6rKn2zeMGcsiuPUaXcsGgMa5vkqGoLunVF68yPlpv4al9r +GDK7PWq14yS7PW6sgQ6es7uXQ6eClr7oSv41V+EQkmFxNOpOlYO2iPl3CfigXs+v +zagvmV1qxSUAQwGjem22WnXY86x/nWp6hL9OxjAI4wTqOsbCda+R4uDhv+uDoq8B +229CYmKcoIUgui1cwsCSBBMBAgAmAhsDBQkJZgGAAh4BAheABAsECQoEFQgJCgMW +AQIFAk3K5V4CGQEAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNrTe +B/jgxz5vAPTQzxWCIpThmtbv8y7Aykmwy6A7oJUaoI2fnlXj00SFbLhhwHYI/vj0 +nXTH7RqwNKG62QJWCyKdtUsI1IcItkAx+hXOrW2Is1JY+WKe8CTFtlGk27x6hjKE +6w181a8QU+2KO6fdu6MKHE4k8QAzjSgbxx3IHSw+DMbOuePQc9KZCGHZTWdcrqer +7mr9Q+9hjTqIm89V6DG2forCoLaFS5CYBdouxMjLegKNL2ozwYuA6jTpwaVrurNe +z1w+38Q+9olH8suCM0VbFWFM9/BIC1Q/SohjE80FT9nThAfwqFTy6JdzaMjbcKKM +Rtsf+uz4nyU8KGfptA48yEHCwJUEEwECACgFAk3KySMCGwMFCQlmAYAGCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhq +KhH0jTY9MQgAo1nJFw25PSHDJKFfF91qIcO6y3eX3Gaag2DYu8nAMg7otmcZZjC5 +mn3r9l7jx/9A0zn4Ld112e2QsUk7VYI+ywiyhnXszPh8iRoLapyFUJUDpuW3cjhk +vBS//9qUXM++vxdzw1RaVEaMYIqD0jG/HYSIMvhMo5GLG8SeVoLDybEBK3s8S7ya +YahbgQQ0xDrArtNaWWWAE4UXpMCz7cf6MhZS7lfOfcgrrTMXNX5MWubpu5OcA42o +yR0aE3//OuAgmuQNcZ1RoRGMqGqKgjMyXXQ0f/3TrctdY9fLRqUkB8ZEj2d/4KN+ +gyPyYalMjPaWXeHmwBwE0VkEWHP7S7YJZM0hRGF2aWQgR291bGV0IDxkZ291bGV0 +QHJpc2V1cC5uZXQ+wsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA +FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmJO2/kFCRZlRlYACgkQQuhqKhH0jTYV +Owf/c5KA0BLCJ8V+zFTkQLSEKD/RfCkuRdC1fpNH2fuXZ6W1BKBRxFmVi4+lD+ij 
+4BbNTkWhifAGE+Xe4llnTRZZMlV+7A0/m98jsjS1P9QoLj+VwkEbNQ6k9ZoZM+rf +qHut3uTYp699rlE2HWsjQLjMgNyKfbipi+x9ZF2mVG1fbco43YiHFSL3S5WBn7vO +iHCkXNgmHpA8grJE2ecUEZWFWKqz3SJADCkMKoulOFhLtDPeWh5bJBfqBD5tyrzX +R1u/zz1AXo0fP1QF1dRWQCcrvfnLoP7PsECUUM1TuBw/yyE35/1Z0nyR81f9Bab3 +t3cH1e6wEdZfzeMIEiTQoz4qusLAlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJgb3a9BQkUheEWAAoJEELo +aioR9I02gugH/2+Zunp8kHXoaAFtOP9yWyhxO6Ei5IQfFE/tq371rWlVe2Jg8vSB +2IIqWr6+wmCQmfT0fT+zkHKEGlIl51Q9uwvux8ADoXheFt3DeCqCE99OQpbGaEo+ +j6NRfipCQUN7SWHZgLefph8qLZhTIdvfrXt0m+w/fZ/rpOZnxJL6JJKpEaJeI1/Z +Onf7Hulep5S85La4ElHh34n0QtceciCQUbprv6D7/KWfHz6CELIPbF86mM7Ff+Es +Ki3f6c0+oIA9cnp3D9ij/Qg16GFB0NwJ1tJykMXfFRGxoKMWQK4lJEUbn9hvshNa +4ALRPs3GtnsYvM/tzbVW7Grfm7ayti8pVRnCwJQEEwEIAD4CGwMFCwkIBwMFFQoJ +CAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJEsGS +KwAKCRBC6GoqEfSNNpRpB/48OeRBe9C5nscmwZKo+dbsj61+njkQj1A5vSKTadez +V5h5hX5lpm2hiUryklFAoTGZ49HltYpZGrzDyvL3RPT7BnCiK6uCYnqzyemk+1J4 +ZZ1rUALqjV+8KHtgS72bjBjGPDKK3d/+KK/FLg/iLkKl+5U8t9gk79aXT7xzSzb+ +PfSVi4VOpDi8gmIAcd+agvw5dUK/vI7gpXOgs91CfwbB/C3FJluFprxa8RsAurUw +qUfDbz8PkpTYbMzv84fm2j5H/2mQ+xcm19swG0/BaiWT1EBR91Q74xm4/0W3CJi9 +2tJKPXwRI1ZDfMH4iujLr5Yex22fmFFuF9Y7at1lbG1UwsCUBBMBCAA+AhsDBQsJ +CAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlzJ +2scFCRDgRSAACgkQQuhqKhH0jTbxLggAmCQx2GentBz6PWZkRj48Y+KfVfr3SAxP +q8nCsdzwHHRM+vjxD+iAo9FbGojVRs9nfLSjmhDyEwfI3f9ypLZaIPBiAwdLzDol +4U0EdyVU7fgfVglSUwPJz+eNhvvUiJp/9u/s4hM0TE/LNtA/uNcKoaqAWQIPiEsd +2FebX8RVqs+pH/0TQO8RYv3R48wCQOOsj7kvkq/3s5ceA9SaZ7vsJ9ooiZhvbkk0 +INsdJWtQcJTYoiBE0DOYhkBX78u07Z1Zk5RUr+4LzI/FpQtlGLyeJ9eFOiyhk7nx +0dzPxZnKWoWLTzse1p/5hf0WQ9OTMdt50ru1RxmnruQgkK+MdGwQ+8LAlAQTAQgA +PgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJa6J+OBQkO/wnqAAoJEELoaioR9I02KJwH/j7WC8qbiWW0lm/QmGtj1seZ +VeEkoEf3hYsyYi+sGq/rp3AkeOI+gr/P1G8Is1pTRuhzqLfzzt+NjLGKiaD0Iurh +5KkToSjwn+Y4aC7qRb4Fa3L3rvNixwNmpgJ/+F1Q7R+Ef+6kCEigICEW4xjYWJDl 
+61yCgnQdzMYwUOrI303hwWQb6aDRRkFp1J+V/D/pO9iA6deBwm0Lk2IinjeNuBDv +4LQN2Fc9GdvRi1cG2xSjpk6q0Xo00Lz6PIwZr645x8LQqnQI4vyBdrJllTght5+z +eY8VPgOtQ3K5UY8QuvQWZKY5bFc+PjRrajHFWYV8Mu9+KZMYSQBbanmSLU7F28TC +wJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNsGPB/906Acyx+JhbcYf +cD/y1tvVB77LWf3MPn2JChTvkk8hL2keKdDPdPmkSOuJww3/cE5Sm8c/fBUudAXJ +Tt8pIJGc5vygFjlUbuO4PjtFNSOf7rkNdHTRyFrfAqFc4hF1aN0Ej1mSQSIV1VJJ +mpGQrQJfrBswUG8va2PqLWxIFy0z+Bo1uWwPPBveES9dIiqJKUsmM+aVyN+6wDuU +RBmNYPFdUfWRIpgRepgFotSMqokrSh5pPDHwjKDcnkDcSGQRmQl0C+6fEwjGjwwj +zDOPjvldfNH817FnHotovAY/TrezMAPQbyjh1dJJbR3/mUj82g2VZKR9YuUHo24/ +B9Udi+vkwsCUBBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJXMO5B +BQkLR1iWACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZP/gf+ORBE +lFFMYSbbxHIS6NP+AcHqQaPRFTJ5Eths+FAdTh2XVgy8YWZxUC5/pwQzLtEWkxcA +1Ppw4sWCLh+pKQUDj4x6W+ET4U4Ysoar0jpNYslgkJvpwWwkhHDGVNeRE/EYbEHj +Yyb1ej7FDYkioqw8KI/UykGom5KHE0GnYPfaXyhia1FPVvXN+iSRjCDiIR+bARNW +R1RHjRqpPKmGa0J4eKsgOfEa2BIghdnfWgUKBWSMDD6S0t3xoUsDQnibVIRTjBi6 +Pygeuizbi2+n7AzinFNdvWQ8o6cDOFl8tpJ+HrIs2Uan4DPImjMg0ibsZ9eWgoj6 +8sRxPidaR9EiOT5g8cLAlAQTAQgAJwUCUhFFVwIbAwUJCWYBgAULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgAAhCRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02 +MJQH/iLM7BLfXDeG41XOumR37ungugUzqmwLoN6jpKCUo68+qjP9hQdM/Uc8g15N +b2BFQrRzXRg5peOkXgPLIwoxy7j0auoqnjdXr7vpQPq1FzSslv9Cf9sjG7hTbbY+ +EXHrwZWFn2LoN1+OdtrKJdgm0+0k4VyRkQxRgPCdre9dvq9oqPKQ2pf271115s8D +wEvRmosAS/Z3uqinVsuEZjw1pU3u0fVKmqGZ9AuWg03arnFrJM+W5d9cc/6XxQNp +OEza9/CaudJ2ygy/MeujboglwIDO7sviNdJ4836qVXV66VLqt5zpQ3I3Fbjr7B/s +BOl3K3TEftMvlLmxIfj/CkHA/bvNJURhdmlkIEdvdWxldCA8ZGdvdWxldEB0b3Jw +cm9qZWN0Lm9yZz7CwJQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AW +IQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6GoqEfSNNkWd +CACRF1LvZ24YvmFLLvM46Z0gPNVagtrjTRDLx/GkV0LnlOVCrcdW3cf/e5SEYuRP +Oz5rpEPlWMVAjjP5wkERxFgPBSRxAm/lKkPC63J2Qa5qDp75cJa2vcF5iQsVecG3 +8NzgrXlTNfpTOjas1jQKjOgh8do/6k96T2diMhYWGQvAehbkLPhrL69mVTywqrtY 
+UPXQJGP9BxPtHI+uO2umeJJyJbPitqVb3m+dofJFUeE8f6xO7ZHvrkvnbWpyfKm0 +QTzHz5aLjv/YSvxtSoVAxqRsuKsU5u6KA4xI3I8HZ+YPrCBeiXfwvME5WAwa0qKv +N6HDIrbBw66J19JUUQ+WvkfHwsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEA +Ah4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmBvdr4FCRSF4RYACgkQQuhq +KhH0jTZSsggAw0Lw9DaQ85h//Hb5pPOrMg0ktSXxhMRj7d2zlwsg1OD2ezlAnkIV +GcDoe7ok6r+zoBu7isG+WJ53C7i7T8mTQxNMJDmbzGdXMm7ZzmL5cj00EhBili7U +jpsMR/4D0NCcFez67CHe3WEl5DqNNgZFmfzD4kiLGRtptIz/hHjndeDjUHSjIPYA +0+Dg8ri4plkPDg+cT3IvP3NivgwDDhfst+ExLITCPBQh+ucVv2Z5dkNzKBmdkb1J +shi20zi74ii+w3XC7xHzk2RRmu3VMzO1QbHaEXhDvjf94vsGwPe/wLmGH5fI5D0x +ypQ954GsfS3lsbV+RomHS8964oLV8VaGp8LAlAQTAQgAPgIbAwULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJeqyfOBQkSwZIr +AAoJEELoaioR9I02mWcIAKD/d3KKK6Tlnw3ezvreOw5/Z91WtyA/z72N6yByUj76 +wyw85gZb6FpXS+Igek/zQ0ARXM6keKRCng8UpvbRbPm7in9en5KSWeXEVRc33Xva +TuxCihHZZdr5osJDkLgDq5iKKfAHW6l6ToXT6SfaFUx3F30/DvIoiskP5Mjf8jga +DPW5ePgDe9McNUeeu/T5afxVebATxRYbGaiBgOmhL0azJV/g2ytx6vHrXjOxyYsZ +lXvj8WSUVG9E1tKRmNkO+vezXjitEYRT8vv5RH8rYpzJ1ZSfoHArXzIv1oeJCtrA +ztGclXvNk7FrBN6CMGJrDeWJI3ioW49ORkxKtrW57SvCwJQEEwEIAD4CGwMFCwkI +BwMFFQoJCAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXMna +xwUJEOBFIAAKCRBC6GoqEfSNNuDdCAC1xCEFnjFOYrQTZYAwJECie7Ra/QSx9bmj +LD9eZt4QGayDdxHkYCLgxkzo/OErmlkq8weKqG+MjR7/l/2y7cVca6C2zYcrvszC +ynX5iNxJSxkAYcLxSkk6Kv1AbPty3nwN3WcCFhazK6S2hheZzEscWjfBlVGzEFXb +LcgkRpaiJgqcW7X6n3wMYg2DyGsPMkcHDN0tz6yQiOqq/bBKM6GshMA3/V+pYz+E +EeApE53/Nsofr5T249vf6Wd3t5MzOJB9D09G1iIQ7lfUBVS+E26dGSOH9cMkiZRy +FMOTGgDxjw2AjLQLltoEIAMPq8HKy/SaXWsZ10u68QsOx0yRuZCOwsCUBBMBCAA+ +AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0 +jTYFAlron44FCQ7/CeoACgkQQuhqKhH0jTZBYggAmcHPO+w13XMMs3vr2cpW3hM2 +seRXfPlI6PfQk0/VQjCsakvCP1c95agL5DUmIK/KDdXImOYQSnkjXCffMt7PKf4i +X7NOizsOfbmnxIgIO6dOcJs9Jsa2KCUZLr+aP4so1P3PpNPMmQsNeKCeksY/fj7O +F2wfNpZCVdU8K4swtdbIjjT3v/7LBwUsufGu3WNE66vnMowD/Qkn6IMR6m6gYPly +S/pjGh7uLnf+Le3YL5eQyzlY1Bqo2uuR+nWrqerNRb+RSNf0Ipuo+dUnqf+WC3pd 
+t9K7pNFsV++5p7aXD8WUlRvFfNNAzWEtNUGSIjgMDG+QXlE1XQF4OPFm1swRMcLA +lAQTAQgAJwIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAUCWQdlJAUJDR3PgQAh +CRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02isoIAMgZORLPCB6AG8AQ +6IHeSPYkyeb+zUjLZpLusbwRbuouzaQgt8TXj5CQQTonHGe/n77xBYa6dywOGyVx +LPDpywGal+fWbqj/rDPzBtWaRr9h6qhLkV9I7r1rT177y/PVhJuGKOBBs/FXgagh +bCaAHXaUETKcQnqb5LBrcuWSe+B5IXueFLVUQgA+zM2y4vVEV+7ltnKGauMVHC0k +6r/bxZAGcTcRjUsPdIgRSLLxPFyWS8EbFF5KjyoDIO1Ib+gJM61TKRVT3gJnvjyt +OB4yJWB3ePKk2GjHvKtrhro5U5ge6i+ldbiZh3swTy127ycngiADu+orYFK12awI +CxD1UjrCwJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlcw7kEF +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNux4CACDqeH/ +YxTWSqmb1PjfF4CYtjqx7ObCb6AsSR9RcJ3Fp0DREpsto+MsOiOAD5benHnbud+c +MUrJNdozDHzByEn/jmETRVsbqWUp9eK5/3vtDkei6hFM9nmc5vYPJ9PSzCK4+rmf +m4HQOCtj2tLxgZLGZ9DSlxUV33UbB3xr5WilPuJ6D3tiOJKwJdHdwHXjfFGG96Gn +ILpkOroyiUA0gQbRbFOjgqxB/h0vX/qlvmsvM9L/XTXPz+rrnUg6UuP46S40lvWz +Lj0Zrs2ixDhoqYo5WG57n747D12vRD/UCKxLql6/d9IfvevmbBKKrprVICoSt1lE +ocXwE8DnquN5w5f9wsCUBBMBCAAnBQJTCejfAhsDBQkJZgGABQsJCAcDBRUKCQgL +BRYDAgEAAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTb1 +lwf+NXiMBqn6XydizQnNy2lO+bMVr4HhwsDznqcV9HHBzUnCtnR3kAVqD+tC5DKD +zimCtqhvys8xPNjzWIl0xzhNMHlls2D9lkACDQU4oywOm8tE05IXrF1Q6Zlf3PdJ +C+jhO4EGrTehHYoTZPwC6RQYZtTCl4UqPMxO2aSEU4R99BAw4mKpRTEGKXIZJBDJ +6kXWbg0ahx0DKFg0EB37z8NvJnN2cbI+5kdmt8ZRiqZg7W0GsY31a1W4EchX7K2g +P/ZN/VNBjGyJ01IdhxEUzM84XF82KWGKsfHH3diqxDZiQZH08kf3HJS8PHN8OnUd +v/uLEeg3uLyQUUTrRXhoZSrZgs7BTQRSL5QtARAAtVN7/CeTT7uJsUzQf/2a+fq1 +IVQWN3JPTZjDNQeSB/V8W0R83QH32awj1uvSljCtCKbtTrDj0foz+CBRHe4aJgm2 +iAzMxKY1SxJ+SBTVyAYVQ+orzIvzqi2URzAfTII/mmvFdZEuS67hkbHXFnTLlXj9 +m3SdWRpCIQlwLCFERvMdr+sPQ07HcUDpoASPgo6P2cJgidaxBgfasUTvru3dxeid +jRbv5defzcdsBqk1eAZ/G/YFOQUiGig60/G2SOlBR7HVmD/iVkSun6j18vPKpqr0 +VJ3sHGUO+KhJrc35QQ7C0ezYtOg6fhaO8PzOcMovnk/P0DGkl1Y3uG4d+h3IDVBA +1fTaX/joVSBVtddLiNkOwgKxw6OH+jjq/irXl6X/0LqNW/FdgK23fEsA0mv4vrUR +0ulDtsPagk3np7DgS5J/v+npGARoeLoj5QjyK4+/1RjMXq+DYW3piADJLW55xH4y 
+6M+OYpu9svQ60vr2Ae+3pNL7q/mppdixc/isXbOsjtoGSb5QUUOXbzhDWX960Jby +jZUn9Iao+eZRV11tMbMI4pWuL8JEWj8qpcnIyJhYi2hSf7TVq/Zw+PvEXkEAnpq3 +EMyN4Su9I1ZWoxyTiwZVMdOn6TEnkdfxB9aTd5vYvR9L+t5SpmXLBMXQygbg9xR1 +Gbh5EHVlhAobb0uSkYsAEQEAAcLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULo +aioR9I02BQJiTtxDBQkSAHuWAAoJEELoaioR9I024lwH/1UtASIiEoZKhuVkv55b +jo3w422w3wwJTC5kooG1TOWmtHOo/JJ1rFxcIpkY6ftnC+p6YhEbxxk/3XAZtUNR +sJ9Zqemhp331AGq/44g/OYAZkQiNyNhjftj6JafvgU1Zauzi7w0xqhLMKBMDV09v +cbPeo+axUj7cvibHxYUUC2RWqkBxegXpa+Cq4YKpEEbXh510mwK11sUyxcPxsrkZ +hr97KdgY8RedpPDAxnQBGU7dIMDc3xVIX1uXXZpY+SyJb7QAMGTW+9jDPwDUeUYa +nV+eRwLotrkvSgKJ9GQ2F3Am0axV8iqob7unvbKYTtQcIR2P9X52sT0Pytt44W2K +xH3CwHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG922wUJECEW +LgAKCRBC6GoqEfSNNir6CAC70rZbHWguzP4O7paEaS18CNJ6fDyvoq96j3sh/oYN +WE5l3tFPqTtKYwgn33bMoArNgV8i0zdNXem36VIGh2A/fLwvg8aneY+XAvt500QL +IqHWp8WalE5RkaHrnYhHuTTzwztuus/lSQPQnl72W9HMoZJ7mvUtk9VMbybD56Fx +mo5zru4kMJ0Qk3fYYUYk9hge5im3Sk8SeX3UnmJsmZpt7xj6eFvAuO2CoSJb53e1 +LV+exrV9A+cM83T2I20/Zk1A5rX6WaehttHG6sTVpgg+JMKj0HeOYrooPB803WH4 +RM04wziYFvCmDtPF5qmOvErqZtjaYa9wskkoXUAsgwGRwsB8BBgBCAAmAhsMFiEE +t0QX7d8irJ+ekPSRQuhqKhH0jTYFAl6rJ9kFCQ5cxywACgkQQuhqKhH0jTYAbggA +irnoh4NbeEgSwEIrFJ+lAOcA3KXya5MHnq47Y3L0Ezc/wz19NbMYsEYWn3x26w+R +p4VVd2KiARJN19Lf/AZ0pS05nVuTPPIsqBgS/sczO5NyCpPAlcrkNq9nOi4TEeF6 +X+4BWTcRGKSRKEEwumqfppGMkYmVwhvq5xktMTi1HOQkdiGeZ0KV3BKkRIOZJkrq +vhZiyKEW4PMylC2ByWsWMK5NAI2ljRxp1eUcJb5DTqld7fl4iZkjP1UGe3X6qoXt +CkGtnXy+SdlwIpqL0Ianen8frjwNsO3H4hFZJE17AfEFvINoeDHGpsDJSitS5KsT ++6P4Y3nuClPSpsEPEDSlLMLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJdWqePBQkNDEbiAAoJEELoaioR9I023UUH/RYw9CZga6hljJHBaAac+sOM +M4FfKkVHmokwYvd4Po2mRFy4wLkfgAp2pv2Z5lb9gILpiy9ORLscdBaQAa+xlbK6 +SUC/XaIEN8LqRP13noQGWQbqZ61hP5wludNi4tpfqM0Oj/GLDw5EE7gGDb10TmpP +MLwc4yun73Hgq8f9FerNZdkA8zvIrD3Bd09PDrm/oAt9KxGCHoVHxFp75An5LDs7 +fY6HZaSru9CoFqjYrOEDSqt/lSm6ZsOsqYbvaesG9zBnuINoY6lOTP9jWtURrGwq +gucakBg7Fg+tln1QyjzG1u7pLacDBGPqgAZCdz2OduL6G0tvpBEgq0ppg9DnqcHC 
+wHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXVg00QUJDQnUJAAK +CRBC6GoqEfSNNsHrB/9h7uqHGB07U9lX6V64iKFQbNjarWJKPyRZ8hbh3/Enh3QF +zmqZOgHfRU0nD4WLlaQT95tRyAvc6E54q8ALZqePPfDzJxxPd6/ywJ4+oojOjibN +MbO9mpLbMeSYgmnC98YQaGJ2MxPepBOpOLkwtFH07b/SU/QzK2/T+astNr62Wgvy +LbZ8wQZRmwfL2YF6xB5HptVD/+Xg8iSF5qHRAmqrk0ORqcf6NO+3JqSQ/okN67I1 +HVktxEAymaTDUp7Pi/b1WSPpBQL1WCheWdAkkruO3rGadqNON1Cq8mBPLlIR6Alo +7W3vl1QQ+EyxHH5EgENvqEgb3XGIdp2woXDmCZgBwsB8BBgBCAAmAhsMFiEEt0QX +7d8irJ+ekPSRQuhqKhH0jTYFAlt24EEFCQsof5QACgkQQuhqKhH0jTaMMAf/TFUG +cMSDu5a1ytd+5pjSGkEn3QxcwiNXv4s7L1VkCbcwqKejYXWFrnaFkzXROuY97LmL +ejRxnV/v+YKtJLxCrdG5bwr9zgqXUFvyOfKfC5Iy44dZGmrnUuT0jpSlA44VvXcN +LEFpEx56BUVhsZFUIuuWeyFELryLe4FSHH0S4VdNICMl/PUI5B+cIDC8NrGv5DYC +cy/OyOvkUqkxW09FSTv0tVUDVydDeWzan4STcnGf7IxiGkb+1XiDKqRSZrjp57RH +CIF8SpbBUxRsRXQc8zKZ8TP74xzXYVT1tLM60H4DqhvFxL4aZqYwSuMeOClNAoh9 +pBEm3t5EcZau6pAo1sLAfAQYAQgADwIbDAUCWYiUYwUJCToztgAhCRBC6GoqEfSN +NhYhBLdEF+3fIqyfnpD0kULoaioR9I02Kw4H/2DsLDtA7Gwfr9bKE6jDzfYKqnPt +97s8X+cKUYa2HIyAMA4tPAjbi2De3/ZSAOBYXNfe49qpmTvg+DNj+dGVKI0lLj/n +/ngK87SDTVAPi3zOPDOmnOs3J3fQj5f6fMOoqYRR7p3BNa7GcDiq/bJ1nkyMh0o+ +N50LzNMevq0KbVAQAXtYOYMWkS49lnT1gV9ZFITSiDAUK8S8vani84mcVxxrjwhc +d+Oy+k4rdnTGpZTayQOXZUS9u6AkSgUlNl6nyR6Vkn+AUi2E3SLUm6XE+aQKlBUq +jZlGSPWuQPQCeduGrdk0OvHuUt9ANhdEhopZLZuMKemOL1fjquaasp4IhGbCwHwE +GAEIAA8CGwwFAle4becFCQdqDTMAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC +6GoqEfSNNmBiB/wOjADNaQrDal06MfWPm2QZNAzytpAi2o48ZRBVueVsjpjMTGJH +I5pPQNjBClQptcaCuoBYubzKB4Ud9bOFqF2cs6Fb61RI9SguKU61LNF0wFAfFIDL +78vvlLWTfWk3sUyTSCz5Ll7Awi1L1P1tbTYrkF+WNCRAvUyUMGWXVfttSFTlWLV8 +LydP3+P1FYSllcRDowvU08hed6AajJfC2b7ECe9LW6IPJ3nLMihimQ3QffbJPmIl +KHm44PhZkEcDoNtk35bvUascINZOwFVLE5TtPmOJfSIgltO7Eip8IluZyhVFL5E/ +WmWGlB10JhHaZtleSgH0N+JWeKvllA450AwHwsB8BBgBCAAPAhsMBQJV8q6rBQkF +pE3sACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZRKgf+PhNUR0er ++HWhlya6pUJISzPQvlUKCBksilDE9xNlH7sN+xxUT1l1Ktc8BrlCE8mJna6DTu1F +S5BWcIZp/2zU7R5ndVqqZa537X3wXZbIBOddCWYTI1WsC762Ihk9BcJhTVKizrPU 
+b4rdYQk4REao8hVL93K+k815e5sobg6YkL+q7ctTK0SO/8hiVWqw4nWDV6brXAEZ +F63cLc5RLlhtjgqPk32m1zcva0blLi9d6/BrJEjjJCL8EYZhS3zX6zZ89hNvt2zv +5+QjwdmxRIT02e2YlLCIwAIJfAuGq6vZdk9xr07nAexTZ4OMZUPudzxXda8qKgdE +7JA38ftiLarCwsLAfAQYAQgADwIbDAUCVBDTxAUJA8JzDAAhCRBC6GoqEfSNNhYh +BLdEF+3fIqyfnpD0kULoaioR9I02CdkH/RfqMPmyHREzTe+YZQfell4+cDHGdrOP +kBYeDV6PDkG2ykuVlrBpT/MVO3MPm+UQ3z3QnlQ8PPArfcypvin8D+wZwKEyDuOc +1i7oiVCZPu6FcA5D29mTINp7ftw9KmR2IfxwPd0afGUM8rUE3gKdVnCzniIS8tpQ +0LxkK+Vxaa3lvQcGogvMiJUAHcb7hR25/nNjzAtZPm0swq5fED+1IFyUYjN4bGZc +33N/UtiTNbems2C0474nXHkexNJUN/Ra533OGZwetlcOlWNEqxJSysIS5ZfDh3dD +RpKjqG2RAAMS2lJEVRfKhbPO1fa2eJVVpLJYexeZh+Fl5TfFmqx6BhvCwHwEGAEI +AA8FAlIvlC0CGwwFCQHhM4AAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNlpRCAC4i/XcrcoBB0hVIPAu7E29n3m29jEvMg+06RulbLDI2D9zyt9kKBCZ +dcjzYVMzUxEDTbpcfiYls23/bDhR32JyFaSvs18Sb9F6AmwJy0TOaeoPToIsQN3r +uTbUdSIJzsusjrafWS4gKQRhP4AmRXWQzXU0XmVy8cOfur3HcRH1frkOKS+d1EMu +chpI5F39TsH3/RTg31gEBB+xtwAbTbwz5tWYBQvq4N8uItNDiStY6j1Ncl54/l+0 +1TeiArIjryi8g5nr46uGYbC/YGn2ACx5VwpvEOuO0mCf+cwQPj5S5Ra30mNGT915 +4b2lP+U/hRBR8ex6Khur6wN5T8mww6jdzsNNBE3K2S4QEADWHqS7zXq3mbnK6VRS +AtAYQkQWSuPqrlXWZNFMdxVi4Lglj4T+UQXsbCn9rsgISlRWCdxmDOJ7eOjj1zo2 +OA0UPnenZOXOB2n8LvhzrIPp9jq7x10qDTDcakXIjvfYqWco6VawbmLjwP25rDJx +u1uoZRQNeCCxQp6aDBrq7AmWrUwd0WfZ5eGOKUrZkg4Sk1EayExwhAz/1Hwvieyz +neWfdRDYzikgLZCxUcL6O6PKHSXg8qQFnd6Br+aJv34FaE9QOzNx1fev3SDDS/Hj +47twkZKu8u0B/pViDvwLcYEieVbHrGwlehvqLAn7jEe+uc+oDpJiMNZDDVW7LWF/ +PoQ5qTxQFeoU9DuQZxSGna1zGcHO4MJCBf5ENiRlhirncWEGsEAQXoGqvP4Gn3hz +7CSjk4eanQjyisrlA5aM0w1eIxVOJxsIjNFV8ewf081aLCqjxD8n5XdY5mnHj/g3 +CNXQ5JEa4mB3WUqXLXC8at9IVxPNpRX5oTT5GtkKGNgPVTqveDcgNc82DBFbxmju +PfkDtyvoHOq1Lu8PGxRN+/l2xhZKoL62qux69GYNQmsLV6WSf9DryOk7ATbbWsHB +oD0DzmfylhFpGzTjlEmNV1uOfms4sCF58WoD7uRUwNs2kelnVcgKqVjTm/72855n +9S9SWSCeDEVw6BCjQp0/md8L1wAECw/8DqIYY8LEtZGEnBSauejVnv8WTM7F/QJD +cslXtj9ocQefxNSQq+EdgJUrUOITowwd/ZtthJlROckJwuAgqSguhv0tXD/iba6i +nAv7WByVTTXcOjAiTn3icz4HJVByDmECxmk6s1TvxD9UpbsaNSsmuK/RvkVL0IlL 
+jpNkJx6mlTlls1JcUsCUifmkwbDUeeps+u2mMVpbjDPCJWeMtv16ckrA0v/ooxeX +B9HgAnWCKXHoCGPII8EEQuKZ58KYaPez8kRTLPqxZC+jhU51R5aT3OluB8iyKdii +i8STKry1morREksjqzkewnycS8fyAAbq2k/LKYHgEjVtSPemAP7DIY60Vsl3Df0U +07j0h4c2BPUkV1fMC9Okmx8Oy5YpDlm9BOrB6I8XHy7ZDYpHDfHb0uIpjwX5J664 +/RtsBaFnb/0LRBr7MkGd4eSoHQwydWNNXakrtepOeOoNxBVmmxSly000wzxGS3xO +Pfuy4s5HEDScuITOzc5R3+oCwOl0pfji+zLnaHVQdiaRep+PAVlzuckyvvQTVa3o +ub65NlPQc7qanIHqE8aQ2Lgjiq2VQI/S0V5QhGn/pX2FP4Oxs4eU29nY/Hgq/j5u +ZOljrL7pp1hwgQtPkE8/EmUQ9oFTYhT+SxpikC9UalAo5IVSqci3662K9YB2sn89 +YTgmVVXCi1HCwHwEGAECAA8FAk3K2S4CGwwFCQlmAYAAIQkQQuhqKhH0jTYWIQS3 +RBft3yKsn56Q9JFC6GoqEfSNNp1pB/9OZoK4Zj8fi6Ruu7q0+tCOm9k3tvQ0FZsm +3QKPLhcilFy0QBabnZ71ih0AzKxPVoKrtHBENZ1hQ58B4lv+zE8LQf4F0gO9ybcD +vlwpTtAlX8il4kONIHeJQmJ1KHi3vKxIM3+i+Igdm5eDyTY2IFTMAjDshMWl0CJK +oPzwZYRZlXoogfrTWrMUPnvz7a7IUb0Kza2GQdq5fQXRiuAImSn9lY8GOLdiLovg +afIrzAaylpgDShiAV9qKm2BfJEpHm9AzuubNPY5tQX3hwlUE7I/DY/nY8LEra2kF +fMhrtPimujMIu32gmJvJe/nHS/z5d4YdUC4H/SDsYqPNRfpacaLP +=T3bO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tor.service b/tor.service new file mode 100644 index 0000000..d40972a --- /dev/null +++ b/tor.service 
@@ -0,0 +1,53 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+#User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor --hush
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor --hush
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=/run/tor
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug @clock @reboot @swap
+UMask=77
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.spec b/tor.spec
new file mode 100644
index 0000000..33d2df1
--- /dev/null
+++ b/tor.spec
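Review bot: `NotifyAccess=all` in the `[Service]` section of tor.service accepts readiness and watchdog notifications from every process in the unit's control group, so any helper process tor spawns could keep `WatchdogSec=1m` satisfied on the daemon's behalf; `NotifyAccess=main` limits this to the daemon itself, assuming tor sends its notifications from the main process. In the hardening block, `PermissionsStartOnly=yes` has no effect while `#User=tor` stays commented out, and the option is deprecated in current systemd, so it can be dropped. Because the unit starts as root and relies on `--user tor` for the privilege drop, a comment above `CapabilityBoundingSet=` would help the next maintainer, for example `# started as root; tor drops to the tor user itself (--user tor), so setuid/setgid must stay in the bounding set`, together with a word on why `CAP_DAC_READ_SEARCH` is kept.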
@@ -0,0 +1,172 @@ +# +# spec file for package tor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2024 Andreas Stieger +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define toruser %{name} +%define torgroup %{name} +%define home_dir %{_localstatedir}/lib/empty +Name: tor +Version: 0.4.8.14 +Release: 0 +Summary: Anonymizing overlay network for TCP (The onion router) +License: BSD-3-Clause +URL: https://www.torproject.org/ +Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz +# https://support.torproject.org/little-t-tor/verify-little-t-tor/ +Source2: tor.keyring +Source3: tor.service +Source4: tor.tmpfiles +Source5: defaults-torrc +Source6: tor-master.service +Source100: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum +Source101: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum.asc +Patch0: tor-0.2.5.x-logrotate.patch +Patch1: fix-test.patch +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: pkgconfig >= 0.9.0 +BuildRequires: pwdutils +BuildRequires: python3-base +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libevent) >= 2.0.10 +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libseccomp) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libzstd) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(zlib) +Requires: logrotate +Requires(post): %fillup_prereq +Recommends: 
torsocks +Provides: group(%{torgroup}) +Provides: user(%{toruser}) +%systemd_ordering +BuildRequires: libscrypt-devel + +%description +Tor is a connection-based low-latency anonymous communication system. + +This package provides the "tor" program, which serves as both a client and +a relay node. Scripts will automatically create a "%{toruser}" user and +a "%{torgroup}" group, and set tor up to run as a daemon when the system +is rebooted. + +Applications connect to the local Tor proxy using the SOCKS +protocol. The tor client chooses a path through a set of relays, in +which each relay knows its predecessor and successor, but no +others. Traffic flowing down the circuit is unwrapped by a symmetric +key at each relay, which reveals the downstream relay. + +Warnings: Tor does no protocol cleaning. That means there is a danger +that application protocols and associated programs can be induced to +reveal information about the initiator. Tor depends on Privoxy or +similar protocol cleaners to solve this problem. This is alpha code, +and is even more likely than released code to have anonymity-spoiling +bugs. The present network is small -- this further reduces the +strength of the anonymity provided. Tor is not presently suitable +for high-stakes anonymity. 
+ +%prep +( cd $(dirname %{SOURCE0}) && echo "$(cat %{SOURCE100} | cut -d' ' -f1) tor-%{version}.tar.gz" | sha256sum --check ) +%autosetup -p1 + +%build +%configure \ + --disable-silent-rules \ + --with-tor-user=%{toruser} \ + --with-tor-group=%{torgroup} \ + --enable-systemd \ + --enable-lzma \ + --enable-zstd \ + --enable-unittests \ + --enable-gcc-warnings-advisory \ + --docdir=%{_docdir}/%{name} +%make_build + +%install +%make_install + +# missing dirs +install -d -m 700 \ + %{buildroot}%{_localstatedir}/lib/%{name} \ + %{buildroot}%{_localstatedir}/tmp/%{name} + +install -d -m 755 \ + %{buildroot}%{_localstatedir}/log/%{name} \ + %{buildroot}/%{_sbindir} + +install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service +install -m 644 -D %{SOURCE6} %{buildroot}/%{_unitdir}/%{name}-master.service +install -m 644 %{SOURCE5} %{buildroot}%{_datadir}/tor/defaults-torrc +install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +ln -s -f service %{buildroot}%{_sbindir}/rc%{name} +ln -s -f service %{buildroot}%{_sbindir}/rc%{name}-master + +# sample config files +install -p -m 644 -D src/config/torrc.{sample,minimal} %{buildroot}/%{_sysconfdir}/%{name} +install -p -m 644 src/config/torrc.minimal %{buildroot}/%{_sysconfdir}/%{name}/torrc + +# logrotate conf +sed -i -e "s|_tor|tor|g" contrib/operator-tools/tor.logrotate +install -D -m 644 contrib/operator-tools/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} + +%check +%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586 +%make_build check || ( + find -type f -name test-suite.log -print -exec cat {} + + exit 42 +) +%endif + +%pre +getent group %{torgroup} >/dev/null || groupadd -r %{torgroup} +getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/nologin -c "User for %{name}" %{toruser} +%service_add_pre tor.service tor-master.service + +%post +%fillup_only +%service_add_post tor.service tor-master.service 
+systemd-tmpfiles --create %{_tmpfilesdir}/tor.conf || : + +%preun +%service_del_preun tor.service tor-master.service + +%postun +%service_del_postun tor.service tor-master.service + +%files +%license LICENSE +%doc README* ChangeLog doc/HACKING doc/man/*.html +%{_mandir}/man*/* +%{_bindir}/* +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/geoip* +%{_datadir}/%{name}/defaults-torrc +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} +%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc +%config %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc.* +%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} +%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-master.service +%{_tmpfilesdir}/%{name}.conf +%{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-master + +%changelog diff --git a/tor.tmpfiles b/tor.tmpfiles new file mode 100644 index 0000000..adfce77 --- /dev/null +++ b/tor.tmpfiles @@ -0,0 +1 @@ +D /run/tor 0755 tor tor - -- 2.51.1 From 38f6549f1bec898e88a0fac643ab41d341117951c09d320c109d2d475be02dc3 Mon Sep 17 00:00:00 2001 
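Review bot: The `%prep` step in tor.spec runs `sha256sum --check` against the digest taken from `Source100`, but nothing in the visible spec verifies `Source100` itself against its detached signature `Source101` with the keys in `Source2`, so the check catches a corrupted download and not a tarball replaced together with its checksum file. Unless the build service validates the signature outside the spec, `%prep` should first verify `%{SOURCE101}` over `%{SOURCE100}` using the keyring `%{SOURCE2}`, fail the build on a bad signature, and only then compare the digest. Separately, `%check` is skipped on every architecture listed in `%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586`, and a comment naming the reason for each exclusion would make it clear when the list can shrink. The `%description` also still says "This is alpha code" and "The present network is small", which does not match a stable 0.4.8.x release.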
From: Marcus Meissner Date: Tue, 22 Apr 2025 09:51:57 +0000 Subject: [PATCH 3/6] tor 0.4.8.16 OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=281 --- .gitattributes | 23 + .gitignore | 1 + defaults-torrc | 11 + fix-test.patch | 21 + tor-0.2.5.x-logrotate.patch | 29 + tor-0.4.8.12.tar.gz | 3 + tor-0.4.8.12.tar.gz.sha256sum | 1 + tor-0.4.8.12.tar.gz.sha256sum.asc | 18 + tor-0.4.8.13.tar.gz | 3 + tor-0.4.8.13.tar.gz.sha256sum | 1 + tor-0.4.8.13.tar.gz.sha256sum.asc | 18 + tor-0.4.8.14.tar.gz | 3 + tor-0.4.8.14.tar.gz.sha256sum | 1 + tor-0.4.8.14.tar.gz.sha256sum.asc | 18 + tor-0.4.8.16.tar.gz | 3 + tor-0.4.8.16.tar.gz.sha256sum | 1 + tor-0.4.8.16.tar.gz.sha256sum.asc | 18 + tor-master.service | 16 + tor.changes | 3194 +++++++++++++++++++++++++++++ tor.keyring | 686 +++++++ tor.service | 53 + tor.spec | 172 ++ tor.tmpfiles | 1 + 23 files changed, 4295 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 defaults-torrc create mode 100644 fix-test.patch create mode 100644 tor-0.2.5.x-logrotate.patch create mode 100644 tor-0.4.8.12.tar.gz create mode 100644 tor-0.4.8.12.tar.gz.sha256sum create mode 100644 tor-0.4.8.12.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.13.tar.gz create mode 100644 tor-0.4.8.13.tar.gz.sha256sum create mode 100644 tor-0.4.8.13.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.14.tar.gz create mode 100644 tor-0.4.8.14.tar.gz.sha256sum create mode 100644 tor-0.4.8.14.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.16.tar.gz create mode 100644 tor-0.4.8.16.tar.gz.sha256sum create mode 100644 tor-0.4.8.16.tar.gz.sha256sum.asc create mode 100644 tor-master.service create mode 100644 tor.changes create mode 100644 tor.keyring create mode 100644 tor.service create mode 100644 tor.spec create mode 100644 tor.tmpfiles diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/defaults-torrc b/defaults-torrc
new file mode 100644
index 0000000..bf7923e
--- /dev/null
+++ b/defaults-torrc
@@ -0,0 +1,11 @@
+DataDirectory /var/lib/tor
+PidFile /var/run/tor/tor.pid
+Log notice syslog
+ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
+ControlSocketsGroupWritable 1
+SocksPort unix:/var/run/tor/socks WorldWritable
+SocksPort 9050
+
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+CookieAuthFile /var/run/tor/control.authcookie
diff --git a/fix-test.patch b/fix-test.patch
new file mode 100644
index 0000000..9eedcfd
--- /dev/null
+++ b/fix-test.patch
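Review bot: defaults-torrc ships without a single comment, yet `ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck` combined with `CookieAuthFileGroupReadable 1` means every account in the socket's group (presumably `tor`) can authenticate to the control interface and reconfigure the daemon, and `SocksPort unix:/var/run/tor/socks WorldWritable` opens the proxy to all local users. These are package-wide defaults, so the access model should be written down next to them, for example `# control socket and auth cookie are accessible to the tor group; add only trusted accounts to it` above `ControlSocket` and `# SOCKS socket is usable by every local user` above the unix `SocksPort`. `RelaxDirModeCheck` is presumably needed because tor.tmpfiles creates `/run/tor` with mode 0755; a comment saying so would keep a later cleanup from removing it or from tightening the directory without checking the sockets.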
@@ -0,0 +1,21 @@ +commit 0384f5b3efbb041e2bc0080a6b6259e1b96815af +Author: Bernhard M. Wiedemann +Date: Wed Aug 21 11:36:05 2019 +0200 + + Workaround a LTO-induced test-failure + + https://bugzilla.opensuse.org/show_bug.cgi?id=1146548#c3 + +diff --git a/src/test/bt_test.py b/src/test/bt_test.py +index f9ca79efd..07026164a 100755 +--- a/src/test/bt_test.py ++++ b/src/test/bt_test.py +@@ -30,7 +30,7 @@ def matches(lines, funcs): + else: + return True + +-FUNCNAMES = "crash oh_what a_tangled_web we_weave main".split() ++FUNCNAMES = "oh_what a_tangled_web we_weave main".split() + + LINES = sys.stdin.readlines() + diff --git a/tor-0.2.5.x-logrotate.patch b/tor-0.2.5.x-logrotate.patch new file mode 100644 index 0000000..c08d015 --- /dev/null +++ b/tor-0.2.5.x-logrotate.patch @@ -0,0 +1,29 @@ +From: Andreas Stieger +Subject: openSUSE specific logrotate fixes +Date: Sun, 18 May 2014 00:10:32 +0100 +Upstream: no +References: + +* add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir +* use "service tor" instead of "/etc/init.d/tor" to reload after logrotate + to fix logrotate on systemd-only setups without init script (by seife) + +--- + contrib/operator-tools/tor.logrotate.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in +=================================================================== +--- tor-0.2.5.10.orig/contrib/operator-tools/tor.logrotate.in 2014-06-27 22:45:19.000000000 +0100 ++++ tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in 2014-10-24 20:22:54.000000000 +0100 +@@ -7,8 +7,9 @@ + notifempty + # you may need to change the username/groupname below + create 0640 _tor _tor ++ su _tor _tor + sharedscripts + postrotate +- /etc/init.d/tor reload > /dev/null ++ /usr/bin/systemctl try-reload-or-restart tor + endscript + } diff --git a/tor-0.4.8.12.tar.gz b/tor-0.4.8.12.tar.gz new file mode 100644 index 0000000..5f65915 --- /dev/null +++ b/tor-0.4.8.12.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 +size 9687430 diff --git a/tor-0.4.8.12.tar.gz.sha256sum b/tor-0.4.8.12.tar.gz.sha256sum new file mode 100644 index 0000000..644490a --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum @@ -0,0 +1 @@ +ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 tor-0.4.8.12.tar.gz diff --git a/tor-0.4.8.12.tar.gz.sha256sum.asc b/tor-0.4.8.12.tar.gz.sha256sum.asc new file mode 100644 index 0000000..8a0263c --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmZhuq0ACgkQQuhqKhH0 +jTYZXAf+J26VUvM2M1DsjeUAMOZPEtNsQ0voIN9jeXFHUt7p3tqa2aBe8gJ5IREC +MtFK6MJLjJEHf6javbwoZuXXQ+xepJftPdJ9AR2bGlTConWE0VNVvfigawFHyKZn +Sdt6JyB2AesWl0HLIZnOXeSLy8JA12s/HPWtt8Fsf94drZwQsSl+WQGHr787JugF +aYmNRR4L+y46xL5HXbJ8KTc/UKPNlT+1vvwoAisofOQywrIJZGFsKpaowNiW9RWi +MXUdjmPjKJZ8vn+FQG0ZOmahUWMOMYIt6fWmkttI5KF6HajtGNTG4A+A5+QMBoif +N/VyJsISI2beHBAgAgPNGsXAa0FsIA== +=2gNt +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZmHEggAKCRC+agUxwYqR +eVRoAP0SI+tzoCS06Pf1EJ0Mvea/ACIDZ5+XCaf9U0urRciMhgEA4BjvVG7I2cD8 +vGcxbkRtg4h9vZTr8rhdtSczdo3KYAY= +=C9WI +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.13.tar.gz b/tor-0.4.8.13.tar.gz new file mode 100644 index 0000000..582dde4 --- /dev/null +++ b/tor-0.4.8.13.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 +size 9912610 diff --git a/tor-0.4.8.13.tar.gz.sha256sum b/tor-0.4.8.13.tar.gz.sha256sum new file mode 100644 index 0000000..0a3a86a --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum @@ -0,0 +1 @@ +9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 tor-0.4.8.13.tar.gz 
diff --git a/tor-0.4.8.13.tar.gz.sha256sum.asc b/tor-0.4.8.13.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e0fec9 --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmcaXcgACgkQQuhqKhH0 +jTY76wgAwOXmC2L3o594jJTXXAooZRkdQL/wAk4o6iNKFHmwiyIz/MGVTcrQBQSN +Hv3dQUhe3G3Z42M7GnJlEkFDA9Z6iBprkg0y9cD7nbmqC9nkB1zMdrUXdXOgMulG +sybEgzRFqTLVQmJzA4/tcGcjU+AXCqG13z1ScHOZP3Ev8S6yPntfax42hnFewAoW +OLSaYU68PGZ88uO2lAe65Hr/detdfJeWsG0rKK6jtCkej49qijiERemKZKCMTpYc +iW8DGA0n/O1p+qOHF4e0Du7lzhP1CckI5HeWZS2wgtqDKol1Kw86zugPfYWyh/V+ +WWEofhVb2OZOHed1qL9OeutDfdNtcg== +=NXg7 +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZxpelAAKCRC+agUxwYqR +eV+2AP99m5nYfq/z1P7SYUpW1ddreizjFqlaQvJ1QhbZbpqc+AD+LxmvhDxM7+6S +8vyZWFHZYQ8ehhMftF70qM6o9NpQHgs= +=4Hya +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.14.tar.gz b/tor-0.4.8.14.tar.gz new file mode 100644 index 0000000..94d8d65 --- /dev/null +++ b/tor-0.4.8.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 +size 9965322 diff --git a/tor-0.4.8.14.tar.gz.sha256sum b/tor-0.4.8.14.tar.gz.sha256sum new file mode 100644 index 0000000..12b1c1b --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum @@ -0,0 +1 @@ +5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 tor-0.4.8.14.tar.gz diff --git a/tor-0.4.8.14.tar.gz.sha256sum.asc b/tor-0.4.8.14.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e1b75d --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmejd6AACgkQQuhqKhH0 +jTY6yQf+K0xq5gMonH60H7/JXbwSjlbOEJ6+np3iBY781MtYfwS0LdcirgLx4JGK +6+UFq87sIKnobyNGap5OhU4Wao+id6jJRo8gaM18ogkSTbdqK0iDILbtz2rL5ghF +Y2MLMmHHW0oSCQdO6N0dqMqKATXs0lFyVWbO9i4nR2wJnldk837JSl9USpP0pMUx +YL9DPN38y2QAbnSx0cRfoHH72gpDCAlxkW4pG1BYvVswaNzsY3xHeCb7ibiw3hm4 +9UyTgLC13HEedb66vok+rGzH7PilpX2rGxuhhTFSwRy5G+tv8BT6eBDSO5yuOFNT ++uRdGGW7VMo4jVbpnsLi84zPPAZsNg== +=OLaG +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZ6N4XwAKCRC+agUxwYqR +ea5DAQDr6kp7EtlHvgdBRmO/LlK93shDnM0lWsriBh3EHjse7wD/dJYEaHgCEPja +R1UKjD+dijMe3/ogEcoCAGQHk+Ak1wE= +=5r4b +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.16.tar.gz b/tor-0.4.8.16.tar.gz new file mode 100644 index 0000000..cf954de --- /dev/null +++ b/tor-0.4.8.16.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6540dd377a120fb8e7d27530aa3b7ff72a0fa5b4f670fe1d64c987c1cfd390cb +size 9930424 diff --git a/tor-0.4.8.16.tar.gz.sha256sum b/tor-0.4.8.16.tar.gz.sha256sum new file mode 100644 index 0000000..0ede6e2 --- /dev/null +++ b/tor-0.4.8.16.tar.gz.sha256sum @@ -0,0 +1 @@ +6540dd377a120fb8e7d27530aa3b7ff72a0fa5b4f670fe1d64c987c1cfd390cb tor-0.4.8.16.tar.gz diff --git a/tor-0.4.8.16.tar.gz.sha256sum.asc b/tor-0.4.8.16.tar.gz.sha256sum.asc new file mode 100644 index 0000000..36b4ab0 --- /dev/null +++ b/tor-0.4.8.16.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmfhekEACgkQQuhqKhH0 +jTa2BAf/YsuzMshcoLnnF6HbL3FcrSTkJjXQMh1Hy9f2ZRC15zC+pQuI0AZopWoS +3k2men7offxk7MELIVsIyZSdbNPexcOH53NHYQBXRrrHDEvJtjAHAW+QwSeJ6vEG +FaSxB+raEmtmIKgHbHWR1uYiyuHOs7Zzsl4jMZWyP0623SNi57Vc89ZKh3zDcu95 +0Pz9KNPw8QzGfDV7/RpgSXxF+PBRq7FFjJgc+CoTkQGy7cbhw3hl7DjSm76F/Tuj +k3v/dF8yJWGPQIZqenGbpun2IcO0+DX6kdLmDJoYtlzhvnO2dwQ/8t/nRW/KcyPI +7ZtGlXhr+jeNm+8zV4zsSMu4FyvjKA== +=yrh/ +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZ+F9AAAKCRC+agUxwYqR +ea0eAP9AaASX6sf8IMTfA3oKL/UskFCPQpluCA0UrdeU07jN1QEAwn0za8bnTAti +iWERNqC4BvHrQybEbSxkwk3bbGABmgc= +=Wyz1 +-----END PGP SIGNATURE----- diff --git a/tor-master.service b/tor-master.service new file mode 100644 index 0000000..1426f4f --- /dev/null +++ b/tor-master.service @@ -0,0 +1,16 @@ +# Use tor-master.service to restart/reload/stop the main tor.service and +# all instances of tor@.service that are running. +# +# systemd targets cannot be reloaded so this is a service instead. + +[Unit] +Description=Anonymizing overlay network for TCP (multi-instance master) + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true +ExecReload=/bin/true + +[Install] +WantedBy=multi-user.target diff --git a/tor.changes b/tor.changes new file mode 100644 index 0000000..c909676 --- /dev/null +++ b/tor.changes 
@@ -0,0 +1,3194 @@ +------------------------------------------------------------------- +Mon Apr 21 16:20:45 UTC 2025 - Andreas Stieger + +- tor 0.4.8.16 + * fix typo in a directory authority rule file + * fix a sandbox issue for bandwidth authority and a conflux issue + on the control port + * client fix about relay flag usage + +------------------------------------------------------------------- +Wed Feb 5 18:26:41 UTC 2025 - Bernhard Wiedemann + +- tor 0.4.8.14 + * bugfix for onion service directory cache + * test-network now unconditionally includes IPv6 + * Regenerate fallback directories 2025-02-05 + * Update the geoip files to 2025-02-05 + * Fix a pointer free + +------------------------------------------------------------------- +Fri Dec 27 21:55:57 UTC 2024 - Andreas Stieger + +- tor 0.4.8.13 + * Conflux related client circuit building performance bugfix + * Fix minor memory leaks + * Add STATUS TYPE=version handler for Pluggable Transport + +------------------------------------------------------------------- +Tue Jun 11 10:05:46 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.12 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Thu Apr 11 06:50:01 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.11 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Wed Feb 14 15:50:14 UTC 2024 - Martin Pluskal + +- Enables scrypt support unconditionally + +------------------------------------------------------------------- +Mon Feb 5 09:01:39 UTC 2024 - Andreas Stieger + +- fix users/groups with rpm 4.19 + +------------------------------------------------------------------- +Fri Dec 8 21:51:16 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.10: + * (TROVE-2023-007, exit) (boo#1217918) + - fix a a UAF and NULL 
pointer dereference crash on Exit relays + +------------------------------------------------------------------- +Thu Nov 9 14:29:00 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.9: + * (onion service, TROVE-2023-006): + - Fix a possible hard assert on a NULL pointer + * (guard usage): + - When Tor excluded a guard due to temporary circuit restrictions, + it considered *additional* primary guards for potential usage by + that circuit. + +------------------------------------------------------------------- +Fri Nov 3 20:51:01 UTC 2023 - Andreas Stieger + +- tor 0.4.8.8: + * Mitigate an issue when Tor compiled with OpenSSL can crash during + handshake with a remote relay. (TROVE-2023-004, boo#1216873) + * Regenerate fallback directories generated on November 03, 2023. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/11/03 + * directory authority: Look at the network parameter + "maxunmeasuredbw" with the correct spelling + * vanguards addon support: Count the conflux linked cell as + valid when it is successfully processed. This will quiet a + spurious warn in the vanguards addon + +------------------------------------------------------------------- +Mon Sep 25 20:15:52 UTC 2023 - Andreas Stieger + +- tor 0.4.8.7: + * Fix an issue that prevented us from pre-building more conflux + sets after existing sets had been used + +------------------------------------------------------------------- +Tue Sep 19 16:52:36 UTC 2023 - Andreas Stieger + +- tor 0.4.8.6: + * onion service: Fix a reliability issue where services were + expiring their introduction points every consensus update. 
+ This caused connectivity issues for clients caching the old + descriptor and intro points + * Log the input and output buffer sizes when we detect a potential + compression bomb + * Disable multiple BUG warnings of a missing relay identity key when + starting an instance of Tor compiled without relay support + * When reporting a pseudo-networkstatus as a bridge authority, or + answering "ns/purpose/*" controller requests, include accurate + published-on dates from our list of router descriptors + * Use less frightening language and lower the log-level of our + run-time ABI compatibility check message in our Zstd + compression subsystem + +------------------------------------------------------------------- +Wed Aug 30 18:50:03 UTC 2023 - Andreas Stieger + +- tor 0.4.8.5: + * bugfixes creating log BUG stacktrace + +------------------------------------------------------------------- +Sun Aug 27 15:23:43 UTC 2023 - Andreas Stieger + +- tor 0.4.8.4: + * Extend DoS protection to partially opened channels and known + relays + * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks + against hidden services. 
Disabled by default, enable via + "HiddenServicePoW" in torrc + * Implement conflux traffic splitting + * Directory authorities and relays now interact properly with + directory authorities if they change addresses + +------------------------------------------------------------------- +Sun Jul 30 07:33:04 UTC 2023 - Andreas Stieger + +- tor 0.4.7.14: + * bugfix affecting vanguards (onion service), and minor fixes + +------------------------------------------------------------------- +Fri Mar 10 08:27:57 UTC 2023 - Martin Pluskal + +- Enable support for scrypt() + +------------------------------------------------------------------- +Fri Jan 13 06:29:25 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.7.13: + * fix SafeSocks option to avoid DNS leaks (boo#1207110, TROVE-2022-002) + * improve congestion control + * fix relay channel handling + +------------------------------------------------------------------- +Tue Dec 6 21:10:57 UTC 2022 - Andreas Stieger + +- tor 0.4.7.12: + * new key for moria1 + * new metrics are exported on the MetricsPort for the congestion + control subsystem + +------------------------------------------------------------------- +Thu Nov 10 19:14:54 UTC 2022 - Andreas Stieger + +- tor 0.4.7.11: + * Improve security of DNS cache by randomly clipping the TTL + value (boo#1205307, TROVE-2021-009) + * Improved defenses against network-wide DoS, multiple counters + and metrics added to MetricsPorts + * Apply circuit creation anti-DoS defenses if the outbound + circuit max cell queue size is reached too many times. This + introduces two new consensus parameters to control the queue + size limit and number of times allowed to go over that limit. + * Directory authority updates + * IPFire database and geoip updates + * Bump the maximum amount of CPU that can be used from 16 to 128. + The NumCPUs torrc option overrides this hardcoded maximum. 
+ * onion service: set a higher circuit build timeout for opened + client rendezvous circuit to avoid timeouts and retry load + * Make the service retry a rendezvous if the circuit is being + repurposed for measurements + +------------------------------------------------------------------- +Fri Aug 12 15:52:53 UTC 2022 - Andreas Stieger + +- tor 0.4.7.10 + * IPFire location database did not have proper ARIN network + allocations - affected circuit path selection and relay metrics + +------------------------------------------------------------------- +Thu Aug 11 16:39:24 UTC 2022 - Andreas Stieger + +- tor 0.4.7.9 (boo#1202336) + * major fixes aimed at reducing memory pressure on relays + * prevent a possible side-channel + * major bugfix related to congestion control + * major bugfix related to Vanguard L2 layer node selection + +------------------------------------------------------------------- +Thu Jun 16 17:08:53 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.7.8 + * Fix a scenario where RTT estimation can become wedged, seriously + degrading congestion control performance on all circuits. This + impacts clients, onion services, and relays, and can be triggered + remotely by a malicious endpoint. + (TROVE-2022-001, CVE-2022-33903, boo#1200672) + * Regenerate fallback directories generated on June 17, 2022. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/06/17. 
+ * Allow the rseq system call in the sandbox + * logging bug fixes + +------------------------------------------------------------------- +Wed Apr 27 18:29:58 UTC 2022 - Andreas Stieger + +- tor 0.4.7.7 + * New feature: Congestion control to improve traffic speed and + stability on the network once a majority of Exit nodes upgrade + boo#1198949 + * Directory authorities: improved handling of "MiddleOnly" relays + * Improved mitigation against guard discovery attacks on clients + and short-lived services + * Improve observed performance under DNS load + * Improve handling of overload state + * end-of-life relays running version 0.4.2.x, 0.4.3.x, + 0.4.4.x and 0.4.5 alphas/rc, 0.3.5.x are now rejected + * Onion service v2 addresses are no longer recognized + +------------------------------------------------------------------- +Sun Feb 6 01:10:07 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.6.10 + * minor bugfixes and features + * https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.6/ReleaseNotes + +------------------------------------------------------------------- +Fri Dec 17 18:54:05 UTC 2021 - Andreas Stieger + +- tor 0.4.6.9: + * remove the DNS timeout metric from the overload general signal + * regenerate fallback directories generated on December 15, 2021 + * Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/12/15 + * Reject IPv6-only DirPort + +------------------------------------------------------------------- +Sat Nov 13 11:02:55 UTC 2021 - Andreas Stieger + +- tor 0.4.6.8: + * Improving reporting of general overload state for DNS timeout + errors by relays + * Regenerate fallback directories for October 2021 + * Bug fixes for onion services + * CVE-2021-22929: do not log v2 onion services access attempt + warnings on disk excessively (TROVE-2021-008, boo#1192658) + +------------------------------------------------------------------- +Tue Aug 24 09:11:38 UTC 2021 - Jan Engelhardt + +- Reduce boilerplate generated by 
%service_*. + +------------------------------------------------------------------- +Tue Aug 17 18:52:40 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.6.7: + * Fix a DoS via a remotely triggerable assertion failure + (boo#1189489, TROVE-2021-007, CVE-2021-38385) + +------------------------------------------------------------------- +Tue Jul 6 07:13:19 UTC 2021 - Bernhard Wiedemann + +- Add missing service_add_pre tor-master.service + +------------------------------------------------------------------- +Thu Jul 1 11:13:23 UTC 2021 - Andreas Stieger + +- tor 0.4.6.6: + * Fix a compilation error with gcc 7, drop tor-0.4.6.5-gcc7.patch + * Enable the deterministic RNG for unit tests that covers the + address set bloomfilter-based API's + +------------------------------------------------------------------- +Wed Jun 16 20:32:43 UTC 2021 - Andreas Stieger + +- tor 0.4.6.5 + * Add controller support for creating v3 onion services with + client auth + * When voting on a relay with a Sybil-like appearance, add the + Sybil flag when clearing out the other flags. 
This lets a relay + operator know why their relay hasn't been included in the + consensus + * Relays now report how overloaded they are + * Add a new DoS subsystem to control the rate of client + connections for relays + * Relays now publish statistics about v3 onions services + * Improve circuit timeout algorithm for client performance +- add tor-0.4.6.5-gcc7.patch to fix build with gcc7 + +------------------------------------------------------------------- +Mon Jun 14 18:06:34 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.9 + * Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322) + * Detect more failure conditions from the OpenSSL RNG code (boo#1187323) + * Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549, boo#1187324) + * Fix an out-of-bounds memory access in v3 onion service descriptor parsing (CVE-2021-34550, boo#1187325) + +------------------------------------------------------------------- +Tue May 11 01:54:10 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.8 + * https://lists.torproject.org/pipermail/tor-announce/2021-May/000219.html + * allow Linux sandbox with Glibc 2.33 + * work with autoconf 2.70+ + * several other minor features and bugfixes (see announcement) + +------------------------------------------------------------------- +Sat Apr 24 19:07:24 UTC 2021 - Andreas Stieger + +- fix packaging warnings related to tor-master service + +------------------------------------------------------------------- +Fri Apr 23 21:22:30 UTC 2021 - Andreas Stieger + +- Fix logging issue due to systemd picking up stdout - boo#1181244 + Continue to log notices to syslog by default. 
+- actually build with lzma/zstd +- skip i586 tests (boo#1179331) + +------------------------------------------------------------------- +Tue Mar 16 23:38:53 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.7 + * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html + * Fix 2 denial of service security issues (boo#1183726) + + Disable the dump_desc() function that we used to dump unparseable + information to disk (CVE-2021-28089) + + Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority + (CVE-2021-28090) + * Ship geoip files based on the IPFire Location Database + +------------------------------------------------------------------- +Tue Feb 16 07:49:14 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.6 + * https://lists.torproject.org/pipermail/tor-announce/2021-February/000214.html + * Introduce a new MetricsPort HTTP interface + * Support IPv6 in the torrc Address option + * Add event-tracing library support for USDT and LTTng-UST + * Try to read N of N bytes on a TLS connection +- Drop upstream tor-practracker.patch + +------------------------------------------------------------------- +Fri Feb 5 08:16:39 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.4.7 + * https://blog.torproject.org/node/1990 + * Stop requiring a live consensus for v3 clients and services + * Re-entry into the network is now denied at the Exit level + * Fix undefined behavior on our Keccak library + * Strip '\r' characters when reading text files on Unix platforms + * Handle partial SOCKS5 messages correctly +- Add tor-practracker.patch to fix tests + +------------------------------------------------------------------- +Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann + +- Restrict service permissions with systemd + +------------------------------------------------------------------- +Thu Nov 12 17:02:48 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.6 + * Check channels+circuits on relays more thoroughly + 
(TROVE-2020-005, boo#1178741)
+
+-------------------------------------------------------------------
+Tue Sep 15 14:51:40 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.4.5
+ * Improve guard selection
+ * IPv6 improvements
+
+-------------------------------------------------------------------
+Wed Aug 19 09:49:51 UTC 2020 - Dominique Leuenberger
+
+- Use %{_tmpfilesdir} instead of abusing %{_libexecdir}/tmpfiles.d.
+
+-------------------------------------------------------------------
+Thu Jul 9 17:27:13 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.3.6
+ * Fix a crash due to an out-of-bound memory access (CVE-2020-15572)
+ * Some minor fixes
+
+-------------------------------------------------------------------
+Mon Jun 29 08:57:42 UTC 2020 - Bernhard Wiedemann
+
+- Fix logrotate to not fail when tor is stopped (boo#1164275)
+
+-------------------------------------------------------------------
+Fri May 15 18:58:11 UTC 2020 - Andreas Stieger
+
+- tor 0.4.3.5:
+ * first stable release in the 0.4.3.x series
+ * implement functionality needed for OnionBalance with v3 onion
+ services
+ * significant refactoring of our configuration and controller
+ functionality
+ * Add support for banning a relay's ed25519 keys in the
+ approved-routers file in support for migrating away from RSA
+ * support OR connections through a HAProxy server
+
+-------------------------------------------------------------------
+Wed Mar 18 20:52:20 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.7
+ * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013)
+ * CVE-2020-10593: circuit padding memory leak (boo#1167014)
+ * Directory authorities now signal bandwidth pressure to clients
+ * Avoid excess logging on bug when flushing a buffer to a TLS connection
+
+-------------------------------------------------------------------
+Fri Jan 31 08:32:28 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.6
+ * Correct how we use libseccomp
+ * Fix crash when reloading logging configuration while the +
experimental sandbox is enabled
+ * Avoid a possible crash when logging an assertion
+ about mismatched magic numbers
+
+-------------------------------------------------------------------
+Tue Jan 7 11:21:02 UTC 2020 - Bernhard Wiedemann
+
+- Update tor.service and add defaults-torrc
+ to work without dropped torctl (boo#1072274)
+- Add tor-master.service to allow handling multiple tor daemons
+
+-------------------------------------------------------------------
+Sat Dec 14 20:35:25 UTC 2019 - Andreas Stieger
+
+- tor 0.4.2.5:
+ * first stable release in the 0.4.2.x series
+ * improves reliability and stability
+ * several stability and correctness improvements for onion services
+ * fixes many smaller bugs present in previous series
+
+-------------------------------------------------------------------
+Tue Dec 10 08:27:14 UTC 2019 - Andreas Stieger
+
+- tor 0.4.1.7:
+ * several bugfixes to improve stability and correctness
+ * fixes for relays relying on AccountingMax
+
+-------------------------------------------------------------------
+Mon Oct 7 13:16:38 UTC 2019 - Martin Pluskal
+
+- Update dependnecnies:
+ * python3 instead of python
+ * add libpcap and seccomp
+- Use more suitable macros for building and systemd dependencies
+
+-------------------------------------------------------------------
+Thu Sep 19 13:02:59 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.6
+ * Tolerate systems (including some Linux installations) where
+ madvise MADV_DONTFORK / MADV_DONTDUMP are available at build-time,
+ but not at run time.
+ * Do not include the deprecated on Linux
+ * Fix the MAPADDRESS controller command to accept one or more arguments
+ * Always retry v2+v3 single onion service intro and rendezvous circuits
+ with a 3-hop path
+ * Use RFC 2397 data URL scheme to embed an image into tor-exit-notice.html
+
+-------------------------------------------------------------------
+Tue Aug 20 15:43:45 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.5
+ * Onion service clients now add padding cells at the start of their
+ INTRODUCE and RENDEZVOUS circuits to make it look like
+ Exit traffic
+ * Add a generic publish-subscribe message-passing subsystem
+ * Controller commands are now parsed using a generalized parsing
+ subsystem
+ * Implement authenticated SENDMEs as detailed in proposal 289
+ * Our node selection algorithm now excludes nodes in linear time
+ * Construct a fast secure pseudorandom number generator for
+ each thread, to use when performance is critical
+ * Consider our directory information to have changed when our list
+ of bridges changes
+ * Do not count previously configured working bridges towards our
+ total of working bridges
+ * When considering upgrading circuits from "waiting for guard" to
+ "open", always ignore circuits that are marked for close
+ * Properly clean up the introduction point map when circuits change
+ purpose
+ * Fix an unreachable bug in which an introduction point could try to
+ send an INTRODUCE_ACK
+ * Clients can now handle unknown status codes from INTRODUCE_ACK
+ cells
+- Remove upstreamed tor-0.3.5.8-no-ssl-version-warning.patch
+- Compile without -Werror to build with LTO (boo#1146548)
+- Add fix-test.patch to workaround a LTO-induced test-failure
+
+-------------------------------------------------------------------
+Fri Jul 26 12:23:05 UTC 2019 - matthias.gerstner@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+ + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Mon May 20 12:55:12 UTC 2019 - Christophe Giboudeaux + +- Add the missing zlib requirement. + +------------------------------------------------------------------- +Fri May 10 09:46:26 UTC 2019 - Andreas Stieger + +- tor 0.4.0.5: + * new stable branch, but not a long-term support branch + * improvements for power management and bootstrap reporting + * preliminary backend support for circuit padding to prevent some + kinds of traffic analysis + * refactoring for long-term maintainability +- drop upstreamed tor-0.3.5.8-nonetwork.patch + +------------------------------------------------------------------- +Mon Apr 15 12:24:02 UTC 2019 - Bernhard Wiedemann + +- Add tor-0.3.5.8-no-ssl-version-warning.patch (boo#1129411) +- Update tor.tmpfiles to use /run instead of /var/run + +------------------------------------------------------------------- +Mon Feb 25 15:55:39 UTC 2019 - bwiedemann@suse.com + +- Add tor-0.3.5.8-nonetwork.patch to fix test failures + without network + +------------------------------------------------------------------- +Fri Feb 22 15:04:30 UTC 2019 - bwiedemann@suse.com + +- tor 0.3.5.8: + * CVE-2019-8955 prevent attackers from making tor run + out of memory and crash + * Allow SOCKS5 with empty username+password + * Update geoip and geoip6 to the February 5 2019 Maxmind + GeoLite2 Country database + * Select guards even if the consensus has expired, as long + as the consensus is still reasonably live + +------------------------------------------------------------------- +Mon Jan 7 23:16:55 UTC 2019 - astieger@suse.com + +- tor 0.3.5.7: + * first stable release in 0.3.5.x LTS branch + * support client authorization for v3 onion services + * cleanups to bootstrap reporting + * support for improved bandwidth measurement tools + * the default version for newly created onion services is now v3 + 
(HiddenServiceVersion option can be used to override)
+ * If stem is used, an update of stem mey be required
+
+-------------------------------------------------------------------
+Mon Jan 7 23:01:18 UTC 2019 - astieger@suse.com
+
+- tor 0.3.4.10:
+ * OpenSSL compatibility fixes
+ * Fixes for relay bugs
+ * update fallback directory list
+
+-------------------------------------------------------------------
+Sat Nov 3 08:45:43 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.9:
+ * Various bug fixes, including a bandwidth management bug that
+ was causing memory exhaustion on relays
+
+-------------------------------------------------------------------
+Mon Sep 10 15:51:17 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.8 (boo#1107847):
+ * improvements for running in low-power and embedded environments
+ * preliminary changes for new bandwidth measurement system
+ * refine anti-denial-of-service code
+
+-------------------------------------------------------------------
+Mon Sep 10 13:52:34 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.10:
+ * various build and compatibility fixes
+ * The control port now exposes the list of HTTPTunnelPorts and
+ ExtOrPorts via GETINFO net/listeners/httptunnel and
+ net/listeners/extor respectively
+ * Authorities no longer vote to make the subprotocol version
+ "LinkAuth=1" a requirement: it is unsupportable with NSS, and
+ hasn't been needed since Tor 0.3.0.1-alpha
+ * When voting for recommended versions, make sure that all of the
+ versions are well-formed and parsable
+ * various minor bug fixes on onion services
+
+-------------------------------------------------------------------
+Sat Jul 14 18:31:57 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.9:
+ * move to a new bridge authority
+ * backport some bug fixes
+- refresh upstream signing keyring
+
+-------------------------------------------------------------------
+Mon Jul 9 19:38:14 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.8:
+ * directory authority memory leak fix
+ * various
minor bug fixes
+
+-------------------------------------------------------------------
+Tue Jun 12 16:59:58 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.7:
+ * Add an IPv6 address for the "dannenberg" directory authority
+ * Improve accuracy of the BUILDTIMEOUT_SET control port event's
+ TIMEOUT_RATE and CLOSE_RATE fields
+ * Only select relays when tor has descriptors that it prefers to
+ use for them, avoiding nonfatal errors later
+
+-------------------------------------------------------------------
+Sun May 27 11:33:54 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.6:
+ * new stable release series
+ * controller support and other improvements for v3 onion services
+ * official support for embedding Tor within other application
+ * Improvements to IPv6 support
+ * Relay option ReducedExitPolicy to configure a reasonable default
+ * Revent DoS via malicious protocol version string (boo#1094283)
+ * Many other other bug fixes and improvements
+
+-------------------------------------------------------------------
+Sat Mar 3 18:39:39 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.10:
+ * CVE-2018-0490: remote crash vulnerability against directory
+ authorities (boo#1083845, TROVE-2018-001)
+ * CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002)
+ * New system for improved resistance to DoS attacks against relays
+ * Various other bug fixes
+
+-------------------------------------------------------------------
+Wed Jan 10 21:33:45 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.9:
+ * new onion service design (v3), not default
+ * new circuit scheduler algorithm for improved performance
+ * directory authority updates
+ * many other updates and improvements
+
+-------------------------------------------------------------------
+Fri Dec 1 20:33:08 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.9 with the following security fixes that prevent some
+ traffic confirmation, DoS and other problems (bsc#1070849):
+ * CVE-2017-8819: Replay-cache ineffective for v2 onion
services
+ * CVE-2017-8820: Remote DoS attack against directory authorities
+ * CVE-2017-8821: An attacker can make Tor ask for a password
+ * CVE-2017-8822: Relays can pick themselves in a circuit path
+ * CVE-2017-8823: Use-after-free in onion service v2
+
+-------------------------------------------------------------------
+Wed Oct 25 15:05:45 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.8:
+ * Add "Bastet" as a ninth directory authority to the default list
+ * The directory authority "Longclaw" has changed its IP address
+ * Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer
+ * Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database
+- drop tor-0.3.1.7-fix-zstd-i586.patch, upstreamed
+
+-------------------------------------------------------------------
+Wed Sep 20 14:44:09 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.7:
+ * Serve and download directory information in more compact
+ formats
+ * New padding padding system to resist netflow-based traffic
+ analysis
+ * Improve protection against identification of tor traffic by ISP
+ via ConnectionPadding option
+ * Reduce the number of long-term connections open between relays
+- add tor-0.3.1.7-fix-zstd-i586.patch to fix 32 bit build with zstd
+
+-------------------------------------------------------------------
+Mon Sep 18 16:38:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.11:
+ * CVE-2017-0380: hidden services with the SafeLogging option
+ disabled could disclose the stack TROVE-2017-008, boo#1059194
+ * Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
+ Country database.
+ * drop tor-0.3.0.7-gcc7-fallthrough.patch, now upstream
+
+-------------------------------------------------------------------
+Thu Aug 3 11:26:00 UTC 2017 - jloehel@suse.com
+
+- tor 0.3.0.10
+ * Fix a typo that had prevented TPROXY-based transparent proxying
+ from working under Linux.
+ * Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems.
+
+-------------------------------------------------------------------
+Fri Jun 30 11:53:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.9:
+ * CVE-2017-0377: Fix path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen
+ exit relay (bsc#1046845)
+ * Don't block bootstrapping when a primary bridge is offline and
+ tor cannot get its descriptor
+ * When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old).
+ * Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Thu Jun 8 18:47:31 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.8 fixing a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure
+ * CVE-2017-0375: remotely triggerable assertion failure when a
+ hidden service handles a malformed BEGIN cell (bsc#1043455)
+ * CVE-2017-0376: remotely triggerable assertion failure caused by
+ receiving a BEGIN_DIR cell on a hidden service rendezvous
+ circuit (bsc#1043456)
+- further bug fixes:
+ * link handshake fixes when changing x509 certificates
+ * Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes
+ * When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that was
+ used on the TLS connection
+ * Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule
+
+-------------------------------------------------------------------
+Wed May 31 10:01:51 UTC 2017 - astieger@suse.com
+
+- fix build with GCC 7: warning-errors on implicit fallthrough
+ add
tor-0.3.0.7-gcc7-fallthrough.patch bsc#1041262
+
+-------------------------------------------------------------------
+Tue May 16 00:26:43 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.7:
+ * Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor
+ relay process to exit. TROVE-2017-002 bsc#1039211
+ * Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+ * Tor no longer refuses to download microdescriptors or
+ descriptors if they are listed as "published in the future"
+ * The getpid() system call is now permitted under the Linux
+ seccomp2 sandbox, to avoid crashing with versions of OpenSSL
+ (and other libraries) that attempt to learn the process's PID
+ by using the syscall rather than the VDSO code
+
+-------------------------------------------------------------------
+Thu Apr 27 06:23:44 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.6:
+ * clients and relays now use Ed25519 keys to authenticate their
+ link connections to relays, rather than the old RSA1024 keys
+ that they used before.
+ * replace the guard selection and replacement algorithm to behave
+ more robustly in the presence of unreliable networks, and to
+ resist guard-capture attacks.
+ * numerous other small features and bugfixes
+ * groundwork for the upcoming hidden-services revamp
+
+-------------------------------------------------------------------
+Wed Mar 1 22:45:42 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.10:
+ * directory authority: During voting, when marking a relay as a
+ probable sybil, do not clear its BadExit flag: sybils can still
+ be bad in other ways too.
+ * IPv6 Exits: Stop rejecting all IPv6 traffic on Exits whose exit
+ policy rejects any IPv6 addresses. Instead, only reject a port
+ over IPv6 if the exit policy rejects that port on more than an
+ IPv6 /16 of addresses.
+ * parsing: Fix an integer underflow bug when comparing malformed
+ Tor versions.
This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through
+ Tor 0.2.9.8, which were built with -ftrapv by default. In other
+ cases it was harmless. Part of TROVE-2017-001 boo#1027539
+ * Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor
+ * Reject version numbers with components that exceed INT32_MAX.
+ * Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+ * The tor-resolve command line tool now rejects hostnames over 255
+ characters in length
+
+-------------------------------------------------------------------
+Tue Jan 24 06:19:19 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.9:
+ * Downgrade the "-ftrapv" option from "always on" to "only on
+ when --enable-expensive-hardening is provided." This hardening
+ option, like others, can turn survivable bugs into crashes --
+ and having it on by default made a (relatively harmless)
+ integer overflow bug into a denial-of-service bug
+ * Fix a client-side onion service reachability bug
+ * Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sun Jan 1 11:43:02 UTC 2017 - tchvatal@suse.com
+
+- Remove conditionals for the sle11 as we won't build there due to
+ openssl requirements.
This reduces the logic in the spec file
+ quite a bit
+
+-------------------------------------------------------------------
+Mon Dec 19 20:40:39 UTC 2016 - astieger@suse.com
+
+- tor 0.2.9.8, the first stable release in the 0.2.9.x series:
+ * make mandatory a number of security features that were formerly
+ optional
+ * support a new shared-randomness protocol that will form the
+ basis for next generation hidden services
+ * single-hop hidden service mode for optimizing .onion services
+ that don't actually want to be hidden,
+ * try harder not to overload the directory authorities with
+ excessive downloads
+ * support a better protocol versioning scheme for improved
+ compatibility with other implementations of the Tor protocol
+ * deprecated options for security: CacheDNS, CacheIPv4DNS,
+ CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache,
+ AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
+ AllowSingleHopExits, ClientDNSRejectInternalAddresses,
+ CloseHSClientCircuitsImmediatelyOnTimeout,
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout,
+ ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
+ UseNTorHandshake, and WarnUnsafeSocks.
+ * *ListenAddress options are now deprecated as unnecessary: the
+ corresponding *Port options should be used instead. The
+ affected options are:
+ ControlListenAddress, DNSListenAddress, DirListenAddress,
+ NATDListenAddress, ORListenAddress, SocksListenAddress,
+ and TransListenAddress.
+
+-------------------------------------------------------------------
+Mon Dec 19 20:29:49 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.12:
+ * CVE-2016-1254: A hostile hidden service could cause tor clients
+ to crash (bsc#1016343)
+ * update fallback directory list
+ * Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Tue Dec 13 06:41:55 UTC 2016 - bwiedemann@suse.com
+
+- recommend torsocks as it is needed by included torify
+
+-------------------------------------------------------------------
+Sun Dec 11 19:40:35 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.11:
+ * Fix compilation with OpenSSL 1.1
+
+-------------------------------------------------------------------
+Fri Dec 2 16:58:06 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.10:
+ * When Tor leaves standby because of a new application request,
+ open circuits as needed to serve that request
+ * Clients now respond to new application stream requests
+ immediately when they arrive, rather than waiting up to one
+ second before starting to handle them
+ * small portability and memory handling issues
+ * Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Wed Oct 19 09:08:12 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.9:
+ * security fix: prevent remote DoS TROVE-2016-10-001 boo#1005292
+ * Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
+ Country database.
+ * Update signing key
+
+-------------------------------------------------------------------
+Sat Sep 24 13:52:20 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.8:
+ * fixes some crash bugs when using bridges
+ * fixes a timing-dependent assertion
+ * removes broken fallbacks from the hard-coded fallback directory
+ list
+ * Updates geoip and geoip6 to the September 6 2016 Maxmind
+ GeoLite2 Country database
+
+-------------------------------------------------------------------
+Wed Aug 24 21:01:13 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.7:
+ * The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest"
+ * Only use the ReachableAddresses option to restrict the first
+ hop in a path.
In earlier versions of 0.2.8.x, it would apply
+ to every hop in the path, with a possible degradation in
+ anonymity for anyone using an uncommon ReachableAddress setting
+
+-------------------------------------------------------------------
+Sat Aug 13 17:44:24 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.6:
+ * improve client bootstrapping performance
+ * improved identity keys for relays (authority side)
+ * numerous bug fixes and performance improvements
+
+-------------------------------------------------------------------
+Mon Mar 21 08:17:17 UTC 2016 - astieger@suse.com
+
+- adjust nologin shell for tor user boo#971872
+
+-------------------------------------------------------------------
+Fri Dec 11 14:41:37 UTC 2015 - mpluskal@suse.com
+
+- Make building more verbose
+- Remove useless conditon for libevent, there is dependency for it
+ anyway
+
+-------------------------------------------------------------------
+Fri Dec 11 13:35:32 UTC 2015 - astieger@suse.com
+
+- skip tests on ports
+
+-------------------------------------------------------------------
+Fri Dec 11 07:43:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.7.6 fixes a major bug in entry guard selection, as well
+ as a minor bug in hidden service reliability.
[boo#958729]
+
+-------------------------------------------------------------------
+Tue Nov 24 20:35:59 UTC 2015 - astieger@suse.com
+
+- 0.2.7.5:
+ * More secure identity key type for relays
+ * Improve cryptography performance
+ * Resolve several longstanding hidden-service performance issues
+ * Improve controller support for hidden services
+- Features removed:
+ * tor-fw-helper is no longer part of thie packaged, it was
+ re-implemented as a separate project
+- Packaging changes:
+ * drop upstreamed patch
+ tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Wed Oct 14 10:59:41 UTC 2015 - astieger@suse.com
+
+- fix Factory build (ignore missing systemd-tmpfiles)
+
+-------------------------------------------------------------------
+Wed Aug 26 20:02:21 UTC 2015 - astieger@suse.com
+
+- Malformed hostnames in socks5 requests were written to the log
+ regardless of SafeLogging option (CWE-532) [boo#943362]
+ add tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Sun Jul 12 20:54:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.10:
+ Significant stability and hidden service client fixes.
+ * Stop refusing to store updated hidden service descriptors on a
+ client.
+ * Stop crashing with an assertion failure when parsing certain
+ kinds of malformed or truncated microdescriptors.
+ * Stop random client-side assertion failures that could occur
+ when connecting to a busy hidden service, or connecting to a
+ hidden service while a NEWNYM is in progress.
+
+-------------------------------------------------------------------
+Thu Jun 11 18:55:44 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.9:
+ Clients using circuit isolation should upgrade;
+ all directory authorities should upgrade.
+ * fixes a regression in the circuit isolation code
+ * increases the requirements for receiving an HSDir flag
+ * addresses some small bugs in the systemd and sandbox code.
+
+-------------------------------------------------------------------
+Sat May 23 18:59:14 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.8:
+ This release fixes a bit of dodgy code in parsing INTRODUCE2 cells,
+ and fixes an authority-side bug in assigning the HSDir flag. All
+ directory authorities should upgrade.
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells.
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+ on a client authorized hidden service.
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country
+ database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Mon Apr 6 18:56:30 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.7
+ This releases fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting
+ hidden services. Hidden services should upgrade as soon as
+ possible. [boo#926097]
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. CVE-2015-2928
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ CVE-2015-2929
+ - Introduction points no longer allow multiple INTRODUCE1 cells
+ to arrive on the same circuit. This should make it more
+ expensive for attackers to overwhelm hidden services with
+ introductions.
+ - Decrease the amount of reattempts that a hidden service
+ performs when its rendezvous circuits fail.
This reduces the
+ computational cost for running a hidden service under heavy
+ load.
+
+-------------------------------------------------------------------
+Sun Mar 29 11:51:09 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.6, the first stable release in the 0.2.6 series:
+ * safety/security improvements
+ * correctness improvements
+ * performance improvements
+ * Client programs can be configured to use more kinds of sockets
+ * AutomapHosts works better
+ * multithreading backend is improved
+ * cell transmission is refactored
+ * test coverage is much higher
+ * more denial-of-service attacks are handled
+ * guard selection is improved to handle long-term guards better
+ * pluggable transports should work a bit better
+ * some annoying hidden service performance bugs addressed
+- new minimal configuration file installed as active configuration
+ allows daemon to be run right after package installation
+- build with systemd notifications where supported
+
+-------------------------------------------------------------------
+Wed Mar 25 08:05:24 UTC 2015 - astieger@suse.com
+
+- add CVE IDs for 0.2.5.11 release
+
+-------------------------------------------------------------------
+Thu Mar 19 21:36:34 UTC 2015 - astieger@suse.com
+
+- tor 0.2.5.11 [boo#923284]:
+ Contains several medium-level security fixes for relays and exit
+ nodes and also updates the list of directory authorities.
+ * Directory authority updates
+ * relay crashes trough assertion (CVE-2015-2688)
+ * exit node crash through assertion under high DNS load
+ (CVE-2015-2689)
+ * do not crash when receiving SIGHUP with the seccomp2 sandbox on
+ * do not crash sh during attempts to call wait4
+ * new "GETINFO bw-event-cache" for controllers
+ * update geoip/geoip6 to the March 3 2015
+ * Avoid crashing on malformed VirtualAddrNetworkIPv[4|6] config
+ * Fix a memory leak when using AutomapHostsOnResolve
+ * Allow directory authorities to fetch more data from one another
+
+-------------------------------------------------------------------
+Fri Jan 23 22:04:27 UTC 2015 - andreas.stieger@gmx.de
+
+- fix build for SLE 12, libminiupnpc-devel not available
+
+-------------------------------------------------------------------
+Fri Oct 24 20:48:14 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.5.10, the first stable release in the 0.2.5 series.
+ * improved denial-of-service resistance for relays
+ * new compiler hardening options
+ * system-call sandbox for hardened installations on Linux
+ (requires seccomp2)
+ * controller protocol has several new features
+ * improvements in resolving IPv6 addresses
+ * relays more CPU-efficient
+- adjust tor-0.2.4.x-logrotate.patch to tor-0.2.5.x-logrotate.patch
+- run unit tests
+
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sat Sep 20 13:05:50 UTC 2014 - andreas.stieger@gmx.de
+
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Mon Aug 18 09:54:00 UTC 2014 - wagner-thomas@gmx.at
+
+- Added config file for firewall
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Fri Jun 6 18:51:36 UTC 2014 - andreas.stieger@gmx.de
+
+- do not own /var/run/tor for pid file, fixing Factory build
+
+-------------------------------------------------------------------
+Sat May 17 23:13:54 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+- Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+- Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+- Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- further minor bug fixes, see ChangeLog
+- fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+
+-------------------------------------------------------------------
+Sat Apr 19 02:54:55 UTC 2014 - mook.moz+com.novell@gmail.com
+
+- Add tor-fw-helper for UPnP port forwarding; not used by default
+
+-------------------------------------------------------------------
+Thu Mar 6 08:02:15 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.21
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+- Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+- Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+
+-------------------------------------------------------------------
+Mon Jan 20 19:46:02 UTC 2014 - andreas.stieger@gmx.de
+
+- redaction of 0.2.4.20 changelog to include bug and CVE references
+
+-------------------------------------------------------------------
+Fri Dec 27 20:55:26 UTC 2013 - andreas.stieger@gmx.de
+
+- tor 0.2.4.20
+ fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+ This release also fixes a logic error that caused Tor clients to build
+ many more preemptive circuits than they actually need.
+- Major bugfixes:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set. The only default builtin PRNG engine uses
+ the Intel RDRAND instruction to replace the entire PRNG, and
+ ignores all attempts to seed it with more entropy. That's
+ cryptographically stupid: the right response to a new alleged
+ entropy source is never to discard all previously used entropy
+ sources. Fixes bug 10402; works around behavior introduced in
+ OpenSSL 1.0.0.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+ This fixes a bug where any circuit that _wasn't_ unusable for new
+ streams would be treated as if it were, causing extra circuits to
+ be launched.
+- Minor bugfixes:
+ - Avoid a crash bug when starting with a corrupted microdescriptor
+ cache file.
+ - If we fail to dump a previously cached microdescriptor to disk, avoid
+ freeing duplicate data later on.
+
+-------------------------------------------------------------------
+Sat Dec 14 17:43:22 UTC 2013 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
+ a new circuit handshake and link encryption that use ECC to provide
+ better security and efficiency; makes relays better manage circuit
+ creation requests; uses "directory guards" to reduce client enumeration
+ risks; makes bridges collect and report statistics about the pluggable
+ transports they support; cleans up and improves our geoip database;
+ gets much closer to IPv6 support for clients, bridges, and relays; makes
+ directory authorities use measured bandwidths rather than advertised
+ ones when computing flags and thresholds; disables client-side DNS
+ caching to reduce tracking risks; and fixes a big bug in bridge
+ reachability testing. This release introduces two new design
+ abstractions in the code: a new "channel" abstraction between circuits
+ and or_connections to allow for implementing alternate relay-to-relay
+ transports, and a new "circuitmux" abstraction storing the queue of
+ circuits for a channel. The release also includes many stability,
+ security, and privacy fixes.
+- full changelog relative to 0.2.3.x and 0.2.4.x RC series:
+ https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes
+
+-------------------------------------------------------------------
+Sat Dec 7 12:04:08 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.18-rc, improves stability, performance, and better
+ handling of edge cases.
+- Major features: + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. +- Major bugfixes: + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. + - Stop trying to bootstrap all our directory information from + only our first guard. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. + +------------------------------------------------------------------- +Sat Oct 5 13:18:55 UTC 2013 - andreas.stieger@gmx.de + +- tor-0.2.4.17-rc +- major features in 0.2.4.x: + - improved client resilience + - support better link encryption with forward secrecy + - new NTor circuit handshake + - change relay queue for circuit create requests from size-based + limit to time-based limit + - many bug fixes and minor features + +------------------------------------------------------------------- +Fri May 24 22:51:24 UTC 2013 - andreas.stieger@gmx.de + +- add systemd support +- verify source tarball signature + +------------------------------------------------------------------- +Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.3.25, the first stable release in the 0.2.3 branch + + significantly reduced directory overhead (via microdescriptors) + + enormous crypto performance improvements for fast relays on new + enough hardware + + new v3 TLS handshake protocol that can better resist + fingerprinting + + support for protocol obfuscation plugins (pluggable transports) + + better scalability for hidden services + + IPv6 support for bridges + + performance improvements + + new "stream isolation" design to isolate different applications + on different circuits + + many stability, security, and privacy fixes + + Complete list of changes enumerated in: + 
https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html + https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2bbf5fd4:/ReleaseNotes + + Tear down the circuit when receiving an unexpected SENDME cell. + [bnc#791374] CVE-2012-5573 +- build using --enable-bufferevents provided by Libevent 2.0.13 + +------------------------------------------------------------------- +Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org + +- Fix useradd invocation: -o is useless without -u and newer + versions of pwdutils/shadowutils fail on this now. + +------------------------------------------------------------------- +Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.39 [bnc#780620] + Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. + CVE-2012-4922 + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. + CVE-2012-4419 + +------------------------------------------------------------------- +Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.38 [bnc#776642] + Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; + fixes a remotely triggerable crash bug; and fixes a timing attack that + could in theory leak path information. + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. + CVE-2012-3517 + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. 
+ CVE-2012-3518 + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors, but it's best not to take chances. + CVE-2012-3519 + +------------------------------------------------------------------- +Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de + +- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to + fix W: suse-logrotate-user-writable-log-dir in Factory + +------------------------------------------------------------------- +Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.37 + Changes in version 0.2.2.37 - 2012-06-06 + Tor 0.2.2.37 introduces a workaround for a critical renegotiation + bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself + currently). + + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with TLS + 1.1 and TLS 1.2. Without this workaround, all attempts to speak + the v2 Tor connection protocol when both sides were using OpenSSL + 1.0.1 would fail. Resolves ticket 6033. + - When waiting for a client to renegotiate, don't allow it to add + any bytes to the input buffer. This fixes a potential DoS issue. + Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. + - Fix an edge case where if we fetch or publish a hidden service + descriptor, we might build a 4-hop circuit and then use that circuit + for exiting afterwards -- even if the new last hop doesn't obey our + ExitNodes config option. 
Fixes bug 5283; bugfix on 0.2.0.10-alpha. + + o Minor bugfixes: + - Fix a build warning with Clang 3.1 related to our use of vasprintf. + Fixes bug 5969. Bugfix on 0.2.2.11-alpha. + + o Minor features: + - Tell GCC and Clang to check for any errors in format strings passed + to the tor_v*(print|scan)f functions. + +------------------------------------------------------------------- +Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.36 + + Changes in version 0.2.2.36 - 2012-05-24 + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. 
+ - Provide controllers with a safer way to implement the cookie + authentication mechanism. With the old method, if another locally + running program could convince a controller that it was the Tor + process, then that program could trick the controller into telling + it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE" + authentication method uses a challenge-response approach to prevent + this attack. Fixes bug 5185; implements proposal 193. + + o Major bugfixes: + - Avoid logging uninitialized data when unable to decode a hidden + service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha. + - Avoid a client-side assertion failure when receiving an INTRODUCE2 + cell on a general purpose circuit. Fixes bug 5644; bugfix on + 0.2.1.6-alpha. + - Fix builds when the path to sed, openssl, or sha1sum contains + spaces, which is pretty common on Windows. Fixes bug 5065; bugfix + on 0.2.2.1-alpha. + - Correct our replacements for the timeradd() and timersub() functions + on platforms that lack them (for example, Windows). The timersub() + function is used when expiring circuits, while timeradd() is + currently unused. Bug report and patch by Vektor. Fixes bug 4778; + bugfix on 0.2.2.24-alpha. + - Fix the SOCKET_OK test that we use to tell when socket + creation fails so that it works on Win64. Fixes part of bug 4533; + bugfix on 0.2.2.29-beta. Bug found by wanoskarnet. + + o Minor bugfixes: + - Reject out-of-range times like 23:59:61 in parse_rfc1123_time(). + Fixes bug 5346; bugfix on 0.0.8pre3. + - Make our number-parsing functions always treat too-large values + as an error, even when those values exceed the width of the + underlying type. Previously, if the caller provided these + functions with minima or maxima set to the extreme values of the + underlying integer type, these functions would return those + values on overflow rather than treating overflow as an error. + Fixes part of bug 5786; bugfix on 0.0.9. 
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an + existing (old) server descriptor, make sure to remove that + server descriptor from the old_routers list. Fix related to bug + 1776. Bugfix on 0.2.2.18-alpha. + + o Minor bugfixes (documentation and log messages): + - Fix a typo in a log message in rend_service_rendezvous_has_opened(). + Fixes bug 4856; bugfix on Tor 0.0.6. + - Update "ClientOnly" man page entry to explain that there isn't + really any point to messing with it. Resolves ticket 5005. + - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays + directory authority option (introduced in Tor 0.2.2.34). + - Downgrade the "We're missing a certificate" message from notice + to info: people kept mistaking it for a real problem, whereas it + is seldom the problem even when we are failing to bootstrap. Fixes + bug 5067; bugfix on 0.2.0.10-alpha. + - Correctly spell "connect" in a log message on failure to create a + controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta. + - Clarify the behavior of MaxCircuitDirtiness with hidden service + circuits. Fixes issue 5259. + + o Minor features: + - Directory authorities now reject versions of Tor older than + 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha + inclusive. These versions accounted for only a small fraction of + the Tor network, and have numerous known security issues. Resolves + issue 4788. + - Update to the May 1 2012 Maxmind GeoLite Country database. + + - Feature removal: + - When sending or relaying a RELAY_EARLY cell, we used to convert + it to a RELAY cell if the connection was using the v1 link + protocol. This was a workaround for older versions of Tor, which + didn't handle RELAY_EARLY cells properly. Now that all supported + versions can handle RELAY_EARLY cells, and now that we're enforcing + the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule, + remove this workaround. Addresses bug 4786. 
+ +------------------------------------------------------------------- +Mon Jan 2 16:51:20 UTC 2012 - andreas.stieger@gmx.de + +- add CVE references in changelog, fixing bug #739133 + +------------------------------------------------------------------- +Fri Dec 16 20:37:05 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.35, which fixes a critical heap-overflow + security issue: CVE-2011-2778 For a full list of changes, see: + https://gitweb.torproject.org/tor.git/blob_plain/release-0.2.2:/ReleaseNotes + +------------------------------------------------------------------ +Mon Dec 12 15:42:09 UTC 2011 - cfarrell@suse.com + +- license update: BSD-3-Clause + SPDX format + +------------------------------------------------------------------- +Sun Dec 11 18:42:57 UTC 2011 - andreas.stieger@gmx.de + +- fix factory warning by removing INSTALL file from docs dir + +------------------------------------------------------------------- +Sun Dec 11 17:11:11 UTC 2011 - andreas.stieger@gmx.de + +- format spec file to include copyright notice + package is based on a former package in SUSE/openSUSE + +------------------------------------------------------------------- +Sun Dec 11 12:37:14 UTC 2011 - andreas.stieger@gmx.de + +- update license from "3-clause BSD" to "BSD3c" + +------------------------------------------------------------------- +Fri Oct 28 19:49:39 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.34 +- fixes CVE-2011-4895 Tor Bridge circuit building information disclosure +- fixes CVE-2011-4894 Tor DirPort information disclosure + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 
2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. 
+ - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. 
+ + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. 
+ - Update to the October 4 2011 Maxmind GeoLite Country database. + + +------------------------------------------------------------------- +Tue Sep 20 20:58:56 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.33 + +Changes in version 0.2.2.33 - 2011-09-13 + Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's + TLS handshake that makes relays and bridges that run this new version + reachable from Iran again. + + o Major bugfixes: + - Avoid an assertion failure when reloading a configuration with + TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug + 3923; bugfix on 0.2.2.25-alpha. + + o Minor features (security): + - Check for replays of the public-key encrypted portion of an + INTRODUCE1 cell, in addition to the current check for replays of + the g^x value. This prevents a possible class of active attacks + by an attacker who controls both an introduction point and a + rendezvous point, and who uses the malleability of AES-CTR to + alter the encrypted g^x portion of the INTRODUCE1 cell. We think + that these attacks are infeasible (requiring the attacker to send + on the order of zettabytes of altered cells in a short interval), + but we'd rather block them off in case there are any classes of + this attack that we missed. Reported by Willem Pinckaers. + + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Change the default required uptime for a relay to be accepted as + a HSDir (hidden service directory) from 24 hours to 25 hours. + Improves on 0.2.0.10-alpha; resolves ticket 2649. + - Add a VoteOnHidServDirectoriesV2 config option to allow directory + authorities to abstain from voting on assignment of the HSDir + consensus flag. Related to bug 2649. + - Update to the September 6 2011 Maxmind GeoLite Country database. 
+
+ o Minor bugfixes (documentation and log messages):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes:
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+
+-------------------------------------------------------------------
+Fri Sep 2 19:55:23 UTC 2011 - andreas.stieger@gmx.de
+
+- updated ot upstream 0.2.2.32
+- removed tor_initscript.patch
+- fixes CVE-2011-4897 Tor Nickname information disclosure
+- fixes CVE-2011-4896 Tor Bridge information disclosure
+
+Changes in version 0.2.2.32 - 2011-08-27
+ The Tor 0.2.2 release series is dedicated to the memory of Andreas
+ Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
+ a founder of the PETS community, a leader in our field, a mentor,
+ and a friend. He left us with these words: "I had the possibility
+ to contribute to this world that is not as it should be. I hope I
+ could help in some areas to make the world a better place, and that
+ I could also encourage other people to be engaged in improving the
+ world. Please, stay engaged. This world needs you, your love, your
+ initiative -- now I cannot be part of that anymore."
+
+ Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
+ ready. More than two years in the making, this release features improved
+ client performance and hidden service reliability, better compatibility
+ for Android, correct behavior for bridges that listen on more than
+ one address, more extensible and flexible directory object handling,
+ better reporting of network statistics, improved code security, and
+ many many other features and bugfixes.
+
+ o Major features (client performance):
+ - When choosing which cells to relay first, relays now favor circuits
+ that have been quiet recently, to provide lower latency for
+ low-volume circuits. By default, relays enable or disable this
+ feature based on a setting in the consensus. They can override
+ this default by using the new "CircuitPriorityHalflife" config
+ option. Design and code by Ian Goldberg, Can Tang, and Chris
+ Alexander.
+ - Directory authorities now compute consensus weightings that instruct
+ clients how to weight relays flagged as Guard, Exit, Guard+Exit,
+ and no flag. Clients use these weightings to distribute network load
+ more evenly across these different relay types. The weightings are
+ in the consensus so we can change them globally in the future. Extra
+ thanks to "outofwords" for finding some nasty security bugs in
+ the first implementation of this feature.
+
+ o Major features (client performance, circuit build timeout):
+ - Tor now tracks how long it takes to build client-side circuits
+ over time, and adapts its timeout to local network performance.
+ Since a circuit that takes a long time to build will also provide
+ bad performance, we get significant latency improvements by
+ discarding the slowest 20% of circuits. Specifically, Tor creates
+ circuits more aggressively than usual until it has enough data
+ points for a good timeout estimate. Implements proposal 151.
+ - Circuit build timeout constants can be controlled by consensus
+ parameters. We set good defaults for these parameters based on
+ experimentation on broadband and simulated high-latency links.
+ - Circuit build time learning can be disabled via consensus parameter
+ or by the client via a LearnCircuitBuildTimeout config option. We
+ also automatically disable circuit build time calculation if either
+ AuthoritativeDirectory is set, or if we fail to write our state
+ file. Implements ticket 1296.
+
+ o Major features (relays use their capacity better):
+ - Set SO_REUSEADDR socket option on all sockets, not just
+ listeners. This should help busy exit nodes avoid running out of
+ useable ports just because all the ports have been used in the
+ near past. Resolves issue 2850.
+ - Relays now save observed peak bandwidth throughput rates to their
+ state file (along with total usage, which was already saved),
+ so that they can determine their correct estimated bandwidth on
+ restart.
Resolves bug 1863, where Tor relays would reset their
+ estimated bandwidth to 0 after restarting.
+ - Lower the maximum weighted-fractional-uptime cutoff to 98%. This
+ should give us approximately 40-50% more Guard-flagged nodes,
+ improving the anonymity the Tor network can provide and also
+ decreasing the dropoff in throughput that relays experience when
+ they first get the Guard flag.
+ - Directory authorities now take changes in router IP address and
+ ORPort into account when determining router stability. Previously,
+ if a router changed its IP or ORPort, the authorities would not
+ treat it as having any downtime for the purposes of stability
+ calculation, whereas clients would experience downtime since the
+ change would take a while to propagate to them. Resolves issue 1035.
+ - New AccelName and AccelDir options add support for dynamic OpenSSL
+ hardware crypto acceleration engines.
+
+ o Major features (relays control their load better):
+ - Exit relays now try harder to block exit attempts from unknown
+ relays, to make it harder for people to use them as one-hop proxies
+ a la tortunnel. Controlled by the refuseunknownexits consensus
+ parameter (currently enabled), or you can override it on your
+ relay with the RefuseUnknownExits torrc option. Resolves bug 1751;
+ based on a variant of proposal 163.
+ - Add separate per-conn write limiting to go with the per-conn read
+ limiting. We added a global write limit in Tor 0.1.2.5-alpha,
+ but never per-conn write limits.
+ - New consensus params "bwconnrate" and "bwconnburst" to let us
+ rate-limit client connections as they enter the network. It's
+ controlled in the consensus so we can turn it on and off for
+ experiments. It's starting out off. Based on proposal 163.
+
+ o Major features (controllers):
+ - Export GeoIP information on bridge usage to controllers even if we
+ have not yet been running for 24 hours.
Now Vidalia bridge operators
+ can get more accurate and immediate feedback about their
+ contributions to the network.
+ - Add an __OwningControllerProcess configuration option and a
+ TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
+ that when it exits, Tor will shut down. Implements feature 3049.
+
+ o Major features (directory authorities):
+ - Directory authorities now create, vote on, and serve multiple
+ parallel formats of directory data as part of their voting process.
+ Partially implements Proposal 162: "Publish the consensus in
+ multiple flavors".
+ - Directory authorities now agree on and publish small summaries
+ of router information that clients can use in place of regular
+ server descriptors. This transition will allow Tor 0.2.3 clients
+ to use far less bandwidth for downloading information about the
+ network. Begins the implementation of Proposal 158: "Clients
+ download consensus + microdescriptors".
+ - The directory voting system is now extensible to use multiple hash
+ algorithms for signatures and resource selection. Newer formats
+ are signed with SHA256, with a possibility for moving to a better
+ hash algorithm in the future.
+ - Directory authorities can now vote on arbitary integer values as
+ part of the consensus process. This is designed to help set
+ network-wide parameters. Implements proposal 167.
+
+ o Major features and bugfixes (node selection):
+ - Revise and reconcile the meaning of the ExitNodes, EntryNodes,
+ ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes
+ options. Previously, we had been ambiguous in describing what
+ counted as an "exit" node, and what operations exactly "StrictNodes
+ 0" would permit. This created confusion when people saw nodes built
+ through unexpected circuits, and made it hard to tell real bugs from
+ surprises. Now the intended behavior is:
+ .
"Exit", in the context of ExitNodes and ExcludeExitNodes, means
+ a node that delivers user traffic outside the Tor network.
+ . "Entry", in the context of EntryNodes, means a node used as the
+ first hop of a multihop circuit. It doesn't include direct
+ connections to directory servers.
+ . "ExcludeNodes" applies to all nodes.
+ . "StrictNodes" changes the behavior of ExcludeNodes only. When
+ StrictNodes is set, Tor should avoid all nodes listed in
+ ExcludeNodes, even when it will make user requests fail. When
+ StrictNodes is *not* set, then Tor should follow ExcludeNodes
+ whenever it can, except when it must use an excluded node to
+ perform self-tests, connect to a hidden service, provide a
+ hidden service, fulfill a .exit request, upload directory
+ information, or fetch directory information.
+ Collectively, the changes to implement the behavior fix bug 1090.
+ - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
+ change during a config reload, mark and discard all our origin
+ circuits. This fix should address edge cases where we change the
+ config options and but then choose a circuit that we created before
+ the change.
+ - Make EntryNodes config option much more aggressive even when
+ StrictNodes is not set. Before it would prepend your requested
+ entrynodes to your list of guard nodes, but feel free to use others
+ after that. Now it chooses only from your EntryNodes if any of
+ those are available, and only falls back to others if a) they're
+ all down and b) StrictNodes is not set.
+ - Now we refresh your entry guards from EntryNodes at each consensus
+ fetch -- rather than just at startup and then they slowly rot as
+ the network changes.
+ - Add support for the country code "{??}" in torrc options like
+ ExcludeNodes, to indicate all routers of unknown country. Closes
+ bug 1094.
+ - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
+ a node is listed in both, it's treated as excluded.
+ - ExcludeNodes now applies to directory nodes -- as a preference if
+ StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
+ Don't exclude all the directory authorities and set StrictNodes to 1
+ unless you really want your Tor to break.
+ - ExcludeNodes and ExcludeExitNodes now override exit enclaving.
+ - ExcludeExitNodes now overrides .exit requests.
+ - We don't use bridges listed in ExcludeNodes.
+ - When StrictNodes is 1:
+ . We now apply ExcludeNodes to hidden service introduction points
+ and to rendezvous points selected by hidden service users. This
+ can make your hidden service less reliable: use it with caution!
+ . If we have used ExcludeNodes on ourself, do not try relay
+ reachability self-tests.
+ . If we have excluded all the directory authorities, we will not
+ even try to upload our descriptor if we're a relay.
+ . Do not honor .exit requests to an excluded node.
+ - When the set of permitted nodes changes, we now remove any mappings
+ introduced via TrackExitHosts to now-excluded nodes. Bugfix on
+ 0.1.0.1-rc.
+ - We never cannibalize a circuit that had excluded nodes on it, even
+ if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
+ - Improve log messages related to excluded nodes.
+
+ o Major features (misc):
+ - Numerous changes, bugfixes, and workarounds from Nathan Freitas
+ to help Tor build correctly for Android phones.
+ - The options SocksPort, ControlPort, and so on now all accept a
+ value "auto" that opens a socket on an OS-selected port. A
+ new ControlPortWriteToFile option tells Tor to write its
+ actual control port or ports to a chosen file. If the option
+ ControlPortFileGroupReadable is set, the file is created as
+ group-readable. Now users can run two Tor clients on the same
+ system without needing to manually mess with parameters. Resolves
+ part of ticket 3076.
+ - Tor now supports tunneling all of its outgoing connections over
+ a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
+ configuration options.
Code by Christopher Davis.
+
+ o Code security improvements:
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Enable Address Space Layout Randomization (ASLR) and Data Execution
+ Prevention (DEP) by default on Windows to make it harder for
+ attackers to exploit vulnerabilities. Patch from John Brooks.
+ - New "--enable-gcc-hardening" ./configure flag (off by default)
+ to turn on gcc compile time hardening options. It ensures
+ that signed ints have defined behavior (-fwrapv), enables
+ -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
+ with canaries (-fstack-protector-all), turns on ASLR protection if
+ supported by the kernel (-fPIE, -pie), and adds additional security
+ related warnings. Verified to work on Mac OS X and Debian Lenny.
+ - New "--enable-linker-hardening" ./configure flag (off by default)
+ to turn on ELF specific hardening features (relro, now). This does
+ not work with Mac OS X or any other non-ELF binary format.
+ - Always search the Windows system directory for system DLLs, and
+ nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
+ - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
+ current and future memory pages via mlockall(). On supported
+ platforms (modern Linux and probably BSD but not Windows or OS X),
+ this should effectively disable any and all attempts to page out
+ memory. This option requires that you start your Tor as root --
+ if you use DisableAllSwap, please consider using the User option
+ to properly reduce the privileges of your Tor.
+
+ o Major bugfixes (crashes):
+ - Fix crash bug on platforms where gmtime and localtime can return
+ NULL.
Windows 7 users were running into this one. Fixes part of bug
+ 2077. Bugfix on all versions of Tor. Found by boboper.
+ - Introduce minimum/maximum values that clients will believe
+ from the consensus. Now we'll have a better chance to avoid crashes
+ or worse when a consensus param has a weird value.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - If we're in the pathological case where there's no exit bandwidth
+ but there is non-exit bandwidth, or no guard bandwidth but there
+ is non-guard bandwidth, don't crash during path selection. Bugfix
+ on 0.2.0.3-alpha.
+ - Fix a crash bug when trying to initialize the evdns module in
+ Libevent 2. Bugfix on 0.2.1.16-rc.
+
+ o Major bugfixes (stability):
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - Treat an unset $HOME like an empty $HOME rather than triggering an
+ assert. Bugfix on 0.0.8pre1; fixes bug 1522.
+ - More gracefully handle corrupt state files, removing asserts
+ in favor of saving a backup and resetting state.
+ - Instead of giving an assertion failure on an internal mismatch
+ on estimated freelist size, just log a BUG warning and try later.
+ Mitigates but does not fix bug 1125.
+ - Fix an assert that got triggered when using the TestingTorNetwork
+ configuration option and then issuing a GETINFO config-text control
+ command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
+ - If the cached cert file is unparseable, warn but don't exit.
+
+ o Privacy fixes (relays/bridges):
+ - Don't list Windows capabilities in relay descriptors. We never made
+ use of them, and maybe it's a bad idea to publish them. Bugfix
+ on 0.1.1.8-alpha.
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Maintain separate TLS contexts and certificates for incoming and
+ outgoing connections in bridge relays. Previously we would use the
+ same TLS contexts and certs for incoming and outgoing connections.
+ Bugfix on 0.2.0.3-alpha; addresses bug 988.
+ - Maintain separate identity keys for incoming and outgoing TLS
+ contexts in bridge relays. Previously we would use the same
+ identity keys for incoming and outgoing TLS contexts. Bugfix on
+ 0.2.0.3-alpha; addresses the other half of bug 988.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all descriptors". It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+
+ o Privacy fixes (clients):
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Start the process of disabling ".exit" address notation, since it
+ can be used for a variety of esoteric application-level attacks
+ on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
+ on 0.0.9rc5.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Log a notice when we get a new control connection. Now it's easier
+ for security-conscious users to recognize when a local application
+ is knocking on their controller door. Suggested by bug 1196.
+
+ o Privacy fixes (newnym):
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Major bugfixes (relay bandwidth accounting):
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a bug in bandwidth accounting that could make us use twice
+ the intended bandwidth when our interval start changes due to
+ daylight saving time. Now we tolerate skew in stored vs computed
+ interval starts: if the start of the period changes by no more than
+ 50% of the period's duration, we remember bytes that we transferred
+ in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
+
+ o Major bugfixes (bridges):
+ - Bridges now use "reject *:*" as their default exit policy. Bugfix
+ on 0.2.0.3-alpha. Fixes bug 1113.
+ - If you configure your bridge with a known identity fingerprint,
+ and the bridge authority is unreachable (as it is in at least
+ one country now), fall back to directly requesting the descriptor
+ from the bridge. Finishes the feature started in 0.2.0.10-alpha;
+ closes bug 1138.
+ - Fix a bug where bridge users who configure the non-canonical
+ address of a bridge automatically switch to its canonical
+ address. If a bridge listens at more than one address, it
+ should be able to advertise those addresses independently and
+ any non-blocked addresses should continue to work. Bugfix on Tor
+ 0.2.0.3-alpha. Fixes bug 2510.
+ - If you configure Tor to use bridge A, and then quit and
+ configure Tor to use bridge B instead (or if you change Tor
+ to use bridge B via the controller), it would happily continue
+ to use bridge A if it's still reachable. While this behavior is
+ a feature if your goal is connectivity, in some scenarios it's a
+ dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
+ - When the controller configures a new bridge, don't wait 10 to 60
+ seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
+
+ o Major bugfixes (directory authorities):
+ - Many relays have been falling out of the consensus lately because
+ not enough authorities know about their descriptor for them to get
+ a majority of votes.
When we deprecated the v2 directory protocol,
+ we got rid of the only way that v3 authorities can hear from each
+ other about other descriptors. Now authorities examine every v3
+ vote for new descriptors, and fetch them from that authority. Bugfix
+ on 0.2.1.23.
+ - Authorities could be tricked into giving out the Exit flag to relays
+ that didn't allow exiting to any ports. This bug could screw
+ with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
+ 1238. Bug discovered by Martin Kowalczyk.
+ - If all authorities restart at once right before a consensus vote,
+ nobody will vote about "Running", and clients will get a consensus
+ with no usable relays. Instead, authorities refuse to build a
+ consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
+
+ o Major bugfixes (stream-level fairness):
+ - When receiving a circuit-level SENDME for a blocked circuit, try
+ to package cells fairly from all the streams that had previously
+ been blocked on that circuit. Previously, we had started with the
+ oldest stream, and allowed each stream to potentially exhaust
+ the circuit's package window. This gave older streams on any
+ given circuit priority over newer ones. Fixes bug 1937. Detected
+ originally by Camilo Viecco. This bug was introduced before the
+ first Tor release, in svn commit r152: it is the new winner of
+ the longest-lived bug prize.
+ - Fix a stream fairness bug that would cause newer streams on a given
+ circuit to get preference when reading bytes from the origin or
+ destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
+ introduced before the first Tor release, in svn revision r152.
+ - When the exit relay got a circuit-level sendme cell, it started
+ reading on the exit streams, even if had 500 cells queued in the
+ circuit queue already, so the circuit queue just grew and grew in
+ some cases. We fix this by not re-enabling reading on receipt of a
+ sendme cell when the cell queue is blocked. Fixes bug 1653.
Bugfix
+ on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
+ "yetonetime".
+ - Newly created streams were allowed to read cells onto circuits,
+ even if the circuit's cell queue was blocked and waiting to drain.
+ This created potential unfairness, as older streams would be
+ blocked, but newer streams would gladly fill the queue completely.
+ We add code to detect this situation and prevent any stream from
+ getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
+ fixes bug 1298.
+
+ o Major bugfixes (hidden services):
+ - Apply circuit timeouts to opened hidden-service-related circuits
+ based on the correct start time. Previously, we would apply the
+ circuit build timeout based on time since the circuit's creation;
+ it was supposed to be applied based on time since the circuit
+ entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
+ - Improve hidden service robustness: When we find that we have
+ extended a hidden service's introduction circuit to a relay not
+ listed as an introduction point in the HS descriptor we currently
+ have, retry with an introduction point from the current
+ descriptor. Previously we would just give up. Fixes bugs 1024 and
+ 1930; bugfix on 0.2.0.10-alpha.
+ - Directory authorities now use data collected from their own
+ uptime observations when choosing whether to assign the HSDir flag
+ to relays, instead of trusting the uptime value the relay reports in
+ its descriptor. This change helps prevent an attack where a small
+ set of nodes with frequently-changing identity keys can blackhole
+ a hidden service. (Only authorities need upgrade; others will be
+ fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
+ - Stop assigning the HSDir flag to relays that disable their
+ DirPort (and thus will refuse to answer directory requests).
This
+ fix should dramatically improve the reachability of hidden services:
+ hidden services and hidden service clients pick six HSDir relays
+ to store and retrieve the hidden service descriptor, and currently
+ about half of the HSDir relays will refuse to work. Bugfix on
+ 0.2.0.10-alpha; fixes part of bug 1693.
+
+ o Major bugfixes (misc):
+ - Clients now stop trying to use an exit node associated with a given
+ destination by TrackHostExits if they fail to reach that exit node.
+ Fixes bug 2999. Bugfix on 0.2.0.20-rc.
+ - Fix a regression that caused Tor to rebind its ports if it receives
+ SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+
+ o Minor features (relays):
+ - Ensure that no empty [dirreq-](read|write)-history lines are added
+ to an extrainfo document. Implements ticket 2497.
+ - When bandwidth accounting is enabled, be more generous with how
+ much bandwidth we'll use up before entering "soft hibernation".
+ Previously, we'd refuse new connections and circuits once we'd
+ used up 95% of our allotment. Now, we use up 95% of our allotment,
+ AND make sure that we have no more than 500MB (or 3 hours of
+ expected traffic, whichever is lower) remaining before we enter
+ soft hibernation.
+ - Relays now log the reason for publishing a new relay descriptor,
+ so we have a better chance of hunting down instances of bug 1810.
+ Resolves ticket 3252.
+ - Log a little more clearly about the times at which we're no longer
+ accepting new connections (e.g. due to hibernating). Resolves
+ bug 2181.
+ - When AllowSingleHopExits is set, print a warning to explain to the
+ relay operator why most clients are avoiding her relay.
+ - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+
+ o Minor features (network statistics):
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
+ "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
+ improvements: 1) stats are written to disk exactly every 24 hours;
+ 2) estimated shares of v2 and v3 requests are determined as mean
+ values, not at the end of a measurement period; 3) unresolved
+ requests are listed with country code '??'; 4) directories also
+ measure download times.
+ - Exit nodes that set "ExitPortStatistics 1" write statistics on the
+ number of exit streams and transferred bytes per port to disk every
+ 24 hours.
+ - Relays that set "CellStatistics 1" write statistics on how long
+ cells spend in their circuit queues to disk every 24 hours.
+ - Entry nodes that set "EntryStatistics 1" write statistics on the
+ rough number and origins of connecting clients to disk every 24
+ hours.
+ - Relays that write any of the above statistics to disk and set
+ "ExtraInfoStatistics 1" include the past 24 hours of statistics in
+ their extra-info documents. Implements proposal 166.
+
+ o Minor features (GeoIP and statistics):
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Relays report the number of bytes spent on answering directory
+ requests in extra-info descriptors similar to {read,write}-history.
+ Implements enhancement 1790.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
+ when we switch from being a public relay to a bridge. Otherwise
+ there will still be clients that see the relay in their consensus,
+ and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
+ bug 932.
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor features (clients):
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - If we've configured EntryNodes and our network goes away and/or all
+ our entrynodes get marked down, optimistically retry them all when
+ a new socks application request appears. Fixes bug 1882.
+ - Always perform router selections using weighted relay bandwidth,
+ even if we don't need a high capacity circuit at the time. Non-fast
+ circuits now only differ from fast ones in that they can use relays
+ not marked with the Fast flag. This "feature" could turn out to
+ be a horrible bug; we should investigate more before it goes into
+ a stable release.
+ - When we run out of directory information such that we can't build
+ circuits, but then get enough that we can build circuits, log when
+ we actually construct a circuit, so the user has a better chance of
+ knowing what's going on. Fixes bug 1362.
+ - Log SSL state transitions at debug level during handshake, and
+ include SSL states in error messages. This may help debug future
+ SSL handshake issues.
+
+ o Minor features (directory authorities):
+ - When a router changes IP address or port, authorities now launch
+ a new reachability test for it. Implements ticket 1899.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Directory authorities now do an immediate reachability check as soon
+ as they hear about a new relay. This change should slightly reduce
+ the time between setting up a relay and getting listed as running
+ in the consensus. It should also improve the time between setting
+ up a bridge and seeing use by bridge users.
+ - Directory authorities no longer launch a TLS connection to every
+ relay as they startup. Now that we have 2k+ descriptors cached,
+ the resulting network hiccup is becoming a burden. Besides,
+ authorities already avoid voting about Running for the first half
+ hour of their uptime.
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote, so we can track failures better.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+
+ o Minor features (hidden services):
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Make hidden services work better in private Tor networks by not
+ requiring any uptime to join the hidden service descriptor
+ DHT. Implements ticket 2088.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Minor features (controller interface):
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Have the controller interface give a more useful message than
+ "Internal Error" in response to failed GETINFO requests.
+ - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
+ event, to give information on the current rate of circuit timeouts
+ over our stored history.
+ - The 'EXTENDCIRCUIT' control port command can now be used with
+ a circ id of 0 and no path. This feature will cause Tor to build
+ a new 'fast' general purpose circuit using its own path selection
+ algorithms.
+ - Added a BUILDTIMEOUT_SET controller event to describe changes
+ to the circuit build timeout.
+ - New controller command "getinfo config-text". It returns the
+ contents that Tor would write if you send it a SAVECONF command,
+ so the controller can write the file to disk itself.
+
+ o Minor features (controller protocol):
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets. Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
+ not. This would lead to a cookie that is still not group readable.
+ Closes bug 1843. Suggested by katmagic.
+ - Future-proof the controller protocol a bit by ignoring keyword
+ arguments we do not recognize.
+
+ o Minor features (more useful logging):
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Rate-limit the "your application is giving Tor only an IP address"
+ warning. Addresses bug 2000; bugfix on 0.0.8pre2.
+ - Rate-limit "Failed to hand off onionskin" warnings.
+ - When logging a rate-limited warning, we now mention how many messages
+ got suppressed since the last warning.
+ - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
+ 2 no signature, 4 required" messages about consensus signatures
+ easier to read, and make sure they get logged at the same severity
+ as the messages explaining which keys are which. Fixes bug 1290.
+ - Don't warn when we have a consensus that we can't verify because
+ of missing certificates, unless those certificates are ones
+ that we have been trying and failing to download. Fixes bug 1145.
+
+ o Minor features (log domains):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+ - Add a new "Handshake" log domain for activities that happen
+ during the TLS handshake.
+
+ o Minor features (build process):
+ - Make compilation with clang possible when using
+ "--enable-gcc-warnings" by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Resolves
+ ticket 2696.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+ - Add support for statically linking zlib by specifying
+ "--enable-static-zlib", to go with our support for statically
+ linking openssl and libevent. Resolves bug 1358.
+ - Instead of adding the svn revision to the Tor version string, report
+ the git commit (when we're building from a git checkout).
+ - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
+ system headers.
+ - New --digests command-line switch to output the digests of the
+ source files Tor was built with.
+ - Generate our manpage and HTML documentation using Asciidoc. This
+ change should make it easier to maintain the documentation, and
+ produce nicer HTML. The build process fails if asciidoc cannot
+ be found and building with asciidoc isn't disabled (via the
+ "--disable-asciidoc" argument to ./configure. Skipping the manpage
+ speeds up the build considerably.
+
+ o Minor features (options / torrc):
+ - Warn when the same option is provided more than once in a torrc
+ file, on the command line, or in a single SETCONF statement, and
+ the option is one that only accepts a single line. Closes bug 1384.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Add new "perconnbwrate" and "perconnbwburst" consensus params to
+ do individual connection-level rate limiting of clients. The torrc
+ config options with the same names trump the consensus params, if
+ both are present. Replaces the old "bwconnrate" and "bwconnburst"
+ consensus params which were broken from 0.2.2.7-alpha through
+ 0.2.2.14-alpha. Closes bug 1947.
+ - New config option "WarnUnsafeSocks 0" disables the warning that
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
+ - New config option "CircuitStreamTimeout" to override our internal
+ timeout schedule for how many seconds until we detach a stream from
+ a circuit and try a new circuit. If your network is particularly
+ slow, you might want to set this to a number like 60.
+ - New options for SafeLogging to allow scrubbing only log messages
+ generated while acting as a relay. Specify "SafeLogging relay" if
+ you want to ensure that only messages known to originate from
+ client use of the Tor process will be logged unsafely.
+ - Time and memory units in the configuration file can now be set to
+ fractional units. For example, "2.5 GB" is now a valid value for
+ AccountingMax.
+ - Support line continuations in the torrc config file. If a line
+ ends with a single backslash character, the newline is ignored, and
+ the configuration value is treated as continuing on the next line.
+ Resolves bug 1929.
+
+ o Minor features (unit tests):
+ - Revise our unit tests to use the "tinytest" framework, so we
+ can run tests in their own processes, have smarter setup/teardown
+ code, and so on. The unit test code has moved to its own
+ subdirectory, and has been split into multiple modules.
+ - Add a unit test for cross-platform directory-listing code.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch
+ by Gisle Vanem.
+
+ o Minor features (misc):
+ - The "torify" script now uses torsocks where available.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Certain Tor clients (such as those behind check.torproject.org) may
+ want to fetch the consensus in an extra early manner. To enable this
+ a user may now set FetchDirInfoExtraEarly to 1. This also depends on
+ setting FetchDirInfoEarly to 1. Previous behavior will stay the same
+ as only certain clients who must have this information sooner should
+ set this option.
+ - Expand homedirs passed to tor-checkkey. This should silence a
+ coverity complaint about passing a user-supplied string into
+ open() without checking it.
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Minor bugfixes (relays):
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - Publish a router descriptor even if generating an extra-info
+ descriptor fails. Previously we would not publish a router
+ descriptor without an extra-info descriptor; this can cause fast
+ exit relays collecting exit-port statistics to drop from the
+ consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
+ - When we're trying to guess whether we know our IP address as
+ a relay, we would log various ways that we failed to guess
+ our address, but never log that we ended up guessing it
+ successfully. Now add a log line to help confused and anxious
+ relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
+ - For bandwidth accounting, calculate our expected bandwidth rate
+ based on the time during which we were active and not in
+ soft-hibernation during the last interval. Previously, we were
+ also considering the time spent in soft-hibernation. If this
+ was a long time, we would wind up underestimating our bandwidth
+ by a lot, and skewing our wakeup time towards the start of the
+ accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
+ - Demote a confusing TLS warning that relay operators might get when
+ someone tries to talk to their ORPort. It is not the operator's
+ fault, nor can they do anything about it. Fixes bug 1364; bugfix
+ on 0.2.0.14-alpha.
+ - Change "Application request when we're believed to be offline."
+ notice to "Application request when we haven't used client
+ functionality lately.", to clarify that it's not an error. Bugfix
+ on 0.0.9.3; fixes bug 1222.
+
+ o Minor bugfixes (bridges):
+ - When a client starts or stops using bridges, never use a circuit
+ that was built before the configuration change. This behavior could
+ put at risk a user who uses bridges to ensure that her traffic
+ only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
+ bug 3200.
+ - Do not reset the bridge descriptor download status every time we
+ re-parse our configuration or get a configuration change. Fixes
+ bug 3019; bugfix on 0.2.0.3-alpha.
+ - Users couldn't configure a regular relay to be their bridge. It
+ didn't work because when Tor fetched the bridge descriptor, it found
+ that it already had it, and didn't realize that the purpose of the
+ descriptor had changed. Now we replace routers with a purpose other
+ than bridge with bridge descriptors when fetching them. Bugfix on
+ 0.1.1.9-alpha. Fixes bug 1776.
+ - In the special case where you configure a public exit relay as your
+ bridge, Tor would be willing to use that exit relay as the last
+ hop in your circuit as well. Now we fail that circuit instead.
+ Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
+
+ o Minor bugfixes (clients):
+ - We now ask the other side of a stream (the client or the exit)
+ for more data on that stream when the amount of queued data on
+ that stream dips low enough. Previously, we wouldn't ask the
+ other side for more data until either it sent us more data (which
+ it wasn't supposed to do if it had exhausted its window!) or we
+ had completely flushed all our queued data. This flow control fix
+ should improve throughput. Fixes bug 2756; bugfix on the earliest
+ released versions of Tor (svn commit r152).
+ - When a client finds that an origin circuit has run out of 16-bit
+ stream IDs, we now mark it as unusable for new streams. Previously,
+ we would try to close the entire circuit. Bugfix on 0.0.6.
+ - Make it explicit that we don't cannibalize one-hop circuits. This
+ happens in the wild, but doesn't turn out to be a problem because
+ we fortunately don't use those circuits. Many thanks to outofwords
+ for the initial analysis and to swissknife who confirmed that
+ two-hop circuits are actually created.
+ - Resolve an edge case in path weighting that could make us misweight
+ our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
+ - Make the DNSPort option work with libevent 2.x. Don't alter the
+ behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
+
+ o Minor bugfixes (directory authorities):
+ - Make directory authorities more accurate at recording when
+ relays that have failed several reachability tests became
+ unreachable, so we can provide more accuracy at assigning Stable,
+ Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
+ - Directory authorities are now more robust to hops back in time
+ when calculating router stability. Previously, if a run of uptime
+ or downtime appeared to be negative, the calculation could give
+ incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
+ bug 1035.
+ - Directory authorities will now attempt to download consensuses
+ if their own efforts to make a live consensus have failed. This
+ change means authorities that restart will fetch a valid
+ consensus, and it means authorities that didn't agree with the
+ current consensus will still fetch and serve it if it has enough
+ signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
+ - Never vote for a server as "Running" if we have a descriptor for
+ it claiming to be hibernating, and that descriptor was published
+ more recently than our last contact with the server. Bugfix on
+ 0.2.0.3-alpha; fixes bug 911.
+ - Directory authorities no longer change their opinion of, or vote on,
+ whether a router is Running, unless they have themselves been
+ online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
+ Fixes bug 1023.
+
+ o Minor bugfixes (hidden services):
+ - Log malformed requests for rendezvous descriptors as protocol
+ warnings, not warnings. Also, use a more informative log message
+ in case someone sees it at log level warning without prior
+ info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
+ - Accept hidden service descriptors if we think we might be a hidden
+ service directory, regardless of what our consensus says. This
+ helps robustness, since clients and hidden services can sometimes
+ have a more up-to-date view of the network consensus than we do,
+ and if they think that the directory authorities list us a HSDir,
+ we might actually be one. Related to bug 2732; bugfix on
+ 0.2.0.10-alpha.
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Clients and hidden services now use HSDir-flagged relays for hidden
+ service descriptor downloads and uploads even if the relays have no
+ DirPort set and the client has disabled TunnelDirConns. This will
+ eventually allow us to give the HSDir flag to relays with no
+ DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
+ - Only limit the lengths of single HS descriptors, even when multiple
+ HS descriptors are published to an HSDir relay in a single POST
+ operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
+
+ o Minor bugfixes (controllers):
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Send a SUCCEEDED stream event to the controller when a reverse
+ resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
+ discovered by katmagic.
+ - Remove a trailing asterisk from "exit-policy/default" in the
+ output of the control port command "GETINFO info/names". Bugfix
+ on 0.1.2.5-alpha.
+ - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
+ 2917. Bugfix on 0.1.1.1-alpha.
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - When a controller changes TrackHostExits, remove mappings for
+ hosts that should no longer have their exits tracked. Bugfix on
+ 0.1.0.1-rc.
+ - When a controller changes VirtualAddrNetwork, remove any mappings
+ for hosts that were automapped to the old network. Bugfix on
+ 0.1.1.19-rc.
+ - When a controller changes one of the AutomapHosts* options, remove
+ any mappings for hosts that should no longer be automapped. Bugfix
+ on 0.2.0.1-alpha.
+ - Fix an off-by-one error in calculating some controller command
+ argument lengths. Fortunately, this mistake is harmless since
+ the controller code does redundant NUL termination too. Found by
+ boboper. Bugfix on 0.1.1.1-alpha.
+ - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
+ would return "551 Internal error" rather than "552 Unrecognized key
+ ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
+ - Don't spam the controller with events when we have no file
+ descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
+ for log messages was already solved from bug 748.)
+ - Emit a GUARD DROPPED controller event for a case we missed.
+ - Ensure DNS requests launched by "RESOLVE" commands from the
+ controller respect the __LeaveStreamsUnattached setconf options. The
+ same goes for requests launched via DNSPort or transparent
+ proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
+
+ o Minor bugfixes (config options):
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Change the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2752. Fix by Michael Yakubovich.
+ - Complain if PublishServerDescriptor is given multiple arguments that
+ include 0 or 1. This configuration will be rejected in the future.
+ Bugfix on 0.2.0.1-alpha; closes bug 1107.
+ - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
+ Bugfix on 0.2.0.13-alpha; closes bug 928.
+
+ o Minor bugfixes (log subsystem fixes):
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+ - Be more consistent in our treatment of file system paths. "~" should
+ get expanded to the user's home directory in the Log config option.
+ Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
+ feature for the -f and --DataDirectory options.
+
+ o Minor bugfixes (memory management):
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+ - Save a couple bytes in memory allocation every time we escape
+ certain characters in a string. Patch from Florian Zumbiehl.
+
+ o Minor bugfixes (protocol correctness):
+ - When checking for 1024-bit keys, check for 1024 bits, not 128
+ bytes. This allows Tor to correctly discard keys of length 1017
+ through 1023. Bugfix on 0.0.9pre5.
+ - Require that introduction point keys and onion handshake keys
+ have a public exponent of 65537. Starts to fix bug 3207; bugfix
+ on 0.2.0.10-alpha.
+ - Handle SOCKS messages longer than 128 bytes long correctly, rather
+ than waiting forever for them to finish. Fixes bug 2330; bugfix
+ on 0.2.0.16-alpha. Found by doorss.
+ - Never relay a cell for a circuit we have already destroyed.
+ Between marking a circuit as closeable and finally closing it,
+ it may have been possible for a few queued cells to get relayed,
+ even though they would have been immediately dropped by the next
+ OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
+ - Never queue a cell for a circuit that's already been marked
+ for close.
+ - Fix a spec conformance issue: the network-status-version token
+ must be the first token in a v3 consensus or vote. Discovered by
+ "parakeep". Bugfix on 0.2.0.3-alpha.
+ - A networkstatus vote must contain exactly one signature. Spec
+ conformance issue. Bugfix on 0.2.0.3-alpha.
+ - When asked about a DNS record type we don't support via a
+ client DNSPort, reply with NOTIMPL rather than an empty
+ reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
+ - Make more fields in the controller protocol case-insensitive, since
+ control-spec.txt said they were.
+
+ o Minor bugfixes (log messages):
+ - Fix a log message that said "bits" while displaying a value in
+ bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
+ 0.2.0.1-alpha.
+ - Downgrade "no current certificates known for authority" message from
+ Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
+ - Correctly describe errors that occur when generating a TLS object.
+ Previously we would attribute them to a failure while generating a
+ TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
+ bug 1994.
+ - Fix an instance where a Tor directory mirror might accidentally
+ log the IP address of a misbehaving Tor client. Bugfix on
+ 0.1.0.1-rc.
+ - Stop logging at severity 'warn' when some other Tor client tries
+ to establish a circuit with us using weak DH keys. It's a protocol
+ violation, but that doesn't mean ordinary users need to hear about
+ it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
+ - If your relay can't keep up with the number of incoming create
+ cells, it would log one warning per failure into your logs. Limit
+ warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
+
+ o Minor bugfixes (build fixes):
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Fix warnings that newer versions of autoconf produce during
+ ./autogen.sh. These warnings appear to be harmless in our case,
+ but they were extremely verbose. Fixes bug 2020.
+ - Squash a compile warning on OpenBSD. Reported by Tas; fixes
+ bug 1848.
+
+ o Minor bugfixes (portability):
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - Use a wide type to hold sockets when built for 64-bit Windows.
+ Fixes bug 3270.
+ - Fix an issue that prevented static linking of libevent on
+ some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
+ where we introduced the "--with-static-libevent" configure option.
+ - Fix a bug with our locking implementation on Windows that couldn't
+ correctly detect when a file was already locked. Fixes bug 2504,
+ bugfix on 0.2.1.6-alpha.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled.
+ - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
+ Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
+ "piebeer".
+
+ o Minor bugfixes (code correctness):
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Make connection_printf_to_buf()'s behaviour sane. Its callers
+ expect it to emit a CRLF iff the format string ends with CRLF;
+ it actually emitted a CRLF iff (a) the format string ended with
+ CRLF or (b) the resulting string was over 1023 characters long or
+ (c) the format string did not end with CRLF *and* the resulting
+ string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
+ fixes part of bug 3407.
+ - Make send_control_event_impl()'s behaviour sane. Its callers
+ expect it to always emit a CRLF at the end of the string; it
+ might have emitted extra control characters as well. Bugfix on
+ 0.1.1.9-alpha; fixes another part of bug 3407.
+ - Make crypto_rand_int() check the value of its input correctly.
+ Previously, it accepted values up to UINT_MAX, but could return a
+ negative number if given a value above INT_MAX+1. Found by George
+ Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
+ - Fix a potential null-pointer dereference while computing a
+ consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ clang's analyzer.
+ - If we fail to compute the identity digest of a v3 legacy keypair,
+ warn, and don't use a buffer-full of junk instead. Bugfix on
+ 0.2.1.1-alpha; fixes bug 3106.
+ - Resolve an untriggerable issue in smartlist_string_num_isin(),
+ where if the function had ever in the future been used to check
+ for the presence of a too-large number, it would have given an
+ incorrect result. (Fortunately, we only used it for 16-bit
+ values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
+ - Be more careful about reporting the correct error from a failed
+ connect() system call. Under some circumstances, it was possible to
+ look at an incorrect value for errno when sending the end reason.
+ Bugfix on 0.1.0.1-rc.
+ - Correctly handle an "impossible" overflow cases in connection byte
+ counting, where we write or read more than 4GB on an edge connection
+ in a single second. Bugfix on 0.1.2.8-beta.
+ - Avoid a double mark-for-free warning when failing to attach a
+ transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
+ bug 2279.
+ - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
+ found by "cypherpunks". This bug was introduced before the first
+ Tor release, in svn commit r110.
+ - Fix a bug in bandwidth history state parsing that could have been
+ triggered if a future version of Tor ever changed the timing
+ granularity at which bandwidth history is measured. Bugfix on
+ Tor 0.1.1.11-alpha.
+ - Add assertions to check for overflow in arguments to
+ base32_encode() and base32_decode(); fix a signed-unsigned
+ comparison there too. These bugs are not actually reachable in Tor,
+ but it's good to prevent future errors too. Found by doorss.
+ - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
+ "memcpyfail".
+ - Set target port in get_interface_address6() correctly. Bugfix
+ on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
+ - Fix an impossible-to-actually-trigger buffer overflow in relay
+ descriptor generation. Bugfix on 0.1.0.15.
+ - Fix numerous small code-flaws found by Coverity Scan Rung 3.
+
+ o Minor bugfixes (code improvements):
+ - After we free an internal connection structure, overwrite it
+ with a different memory value than we use for overwriting a freed
+ internal circuit structure. Should help with debugging. Suggested
+ by bug 1055.
+ - If OpenSSL fails to make a duplicate of a private or public key, log
+ an error message and try to exit cleanly. May help with debugging
+ if bug 1209 ever remanifests.
+ - Some options used different conventions for uppercasing of acronyms
+ when comparing manpage and source. Fix those in favor of the
+ manpage, as it makes sense to capitalize acronyms.
+ - Take a first step towards making or.h smaller by splitting out
+ function definitions for all source files in src/or/. Leave
+ structures and defines in or.h for now.
+ - Remove a few dead assignments during router parsing. Found by
+ coverity.
+ - Don't use 1-bit wide signed bit fields. Found by coverity.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - The memarea code now uses a sentinel value at the end of each area
+ to make sure nothing writes beyond the end of an area. This might
+ help debug some conceivable causes of bug 930.
+ - Always treat failure to allocate an RSA key as an unrecoverable
+ allocation error.
+ - Add some more defensive programming for architectures that can't
+ handle unaligned integer accesses. We don't know of any actual bugs
+ right now, but that's the best time to fix them. Fixes bug 1943.
+
+ o Minor bugfixes (misc):
+ - Fix a rare bug in rend_fn unit tests: we would fail a test when
+ a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
+ on 0.2.0.10-alpha; fixes bug 1808.
+ - Where available, use Libevent 2.0's periodic timers so that our
+ once-per-second cleanup code gets called even more closely to
+ once per second than it would otherwise. Fixes bug 943.
+ - Ignore OutboundBindAddress when connecting to localhost.
+ Connections to localhost need to come _from_ localhost, or else
+ local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
+ refuse to listen.
+ - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
+ too.
+ - If any of the v3 certs we download are unparseable, we should
+ actually notice the failure so we don't retry indefinitely. Bugfix
+ on 0.2.0.x; reported by "rotator".
+ - When Tor fails to parse a descriptor of any kind, dump it to disk.
+ Might help diagnosing bug 1051.
+ - Make our 'torify' script more portable; if we have only one of
+ 'torsocks' or 'tsocks' installed, don't complain to the user;
+ and explain our warning about tsocks better.
+ - Fix some urls in the exit notice file and make it XHTML1.1 strict
+ compliant. Based on a patch from Christian Kujau.
+
+ o Documentation changes:
+ - Modernize the doxygen configuration file slightly. Fixes bug 2707.
+ - Resolve all doxygen warnings except those for missing documentation.
+ Fixes bug 2705.
+ - Add doxygen documentation for more functions, fields, and types.
+ - Convert the HACKING file to asciidoc, and add a few new sections
+ to it, explaining how we use Git, how we make changelogs, and
+ what should go in a patch.
+ - Document the default socks host and port (127.0.0.1:9050) for
+ tor-resolve.
+ - Removed some unnecessary files from the source distribution. The
+ AUTHORS file has now been merged into the people page on the
+ website. The roadmaps and design doc can now be found in the
+ projects directory in svn.
+
+ o Deprecated and removed features (config):
+ - Remove the torrc.complete file. It hasn't been kept up to date
+ and users will have better luck checking out the manpage.
+ - Remove the HSAuthorityRecordStats option that version 0 hidden
+ service authorities could use to track statistics of overall v0
+ hidden service usage.
+ - Remove the obsolete "NoPublish" option; it has been flagged
+ as obsolete and has produced a warning since 0.1.1.18-rc.
+ - Caches no longer download and serve v2 networkstatus documents
+ unless FetchV2Networkstatus flag is set: these documents haven't
+ haven't been used by clients or relays since 0.2.0.x. Resolves
+ bug 3022.
+
+ o Deprecated and removed features (controller):
+ - The controller no longer accepts the old obsolete "addr-mappings/"
+ or "unregistered-servers-" GETINFO values.
+ - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
+ always on; using them is necessary for correct forward-compatible
+ controllers.
+
+ o Deprecated and removed features (misc):
+ - Hidden services no longer publish version 0 descriptors, and clients
+ do not request or use version 0 descriptors. However, the old hidden
+ service authorities still accept and serve version 0 descriptors
+ when contacted by older hidden services/clients.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Remove everything related to building the expert bundle for OS X.
+ It has confused many users, doesn't work right on OS X 10.6,
+ and is hard to get rid of once installed. Resolves bug 1274.
+ - Remove support for .noconnect style addresses. Nobody was using
+ them, and they provided another avenue for detecting Tor users
+ via application-level web tricks.
+ - When we fixed bug 1038 we had to put in a restriction not to send
+ RELAY_EARLY cells on rend circuits. This was necessary as long
+ as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
+ active. Now remove this obsolete check. Resolves bug 2081.
+ - Remove workaround code to handle directory responses from servers
+ that had bug 539 (they would send HTTP status 503 responses _and_
+ send a body too). Since only server versions before
+ 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
+ keep the workaround in place.
+ - Remove the old 'fuzzy time' logic. It was supposed to be used for
+ handling calculations where we have a known amount of clock skew and
+ an allowed amount of unknown skew. But we only used it in three
+ places, and we never adjusted the known/unknown skew values. This is
+ still something we might want to do someday, but if we do, we'll
+ want to do it differently.
+ - Remove the "--enable-iphone" option to ./configure. According to
+ reports from Marco Bonetti, Tor builds fine without any special
+ tweaking on recent iPhone SDK versions.
+
+-------------------------------------------------------------------
+Mon Feb 28 21:29:12 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstram 0.2.1.30
+
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line.
This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+-------------------------------------------------------------------
+Wed Feb 16 21:13:00 UTC 2011 - andreas.stieger@gmx.de
+
+- fix bug #671821 - /var/run/tor might not exist
+
+-------------------------------------------------------------------
+Mon Jan 17 19:47:20 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.29
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+-------------------------------------------------------------------
+Mon Dec 20 21:24:19 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.28
+ - Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ - Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ - Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+-------------------------------------------------------------------
+Fri Nov 26 17:12:40 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.27
+
+-------------------------------------------------------------------
+Fri Aug 6 03:53:35 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- %ghost the pid file so /var/run can be mounted tmpfs
+- require logrotate
+
+-------------------------------------------------------------------
+Sat May 29 17:50:51 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.26
+
+-------------------------------------------------------------------
+Sun Mar 28 17:00:30 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.25
+
+-------------------------------------------------------------------
+Mon Mar 1 20:49:13 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.24)
+
+-------------------------------------------------------------------
+Fri Jan 29 13:34:55 UTC 2010 - puzel@novell.com
+
+- remove debug_package macro to make it build
+
+-------------------------------------------------------------------
+Sun Jan 24 22:21:51
UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.22)
+
diff --git a/tor.keyring b/tor.keyring
new file mode 100644
index 0000000..581cf6d
--- /dev/null
+++ b/tor.keyring
@@ -0,0 +1,686 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh +As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs +Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS +wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX +gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut +vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG +w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO +1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 +eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu +wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj +h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 +eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b 
+eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa +RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 +D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA +gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 +AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 +AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl +ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc +6SM3xZaaxQI= +=GZkh +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBFfinwwBEADNzG/Q6YTrH7oSfUERhopwCWWn/gsprtnUFK+O4enXPXQlisGt +OVNbc5GWoZibNPowjORN+kADB+ce+VBmVeh+4ZeJDjpsc+WXuVajDc0wNwG3I36m +8uNRPLMftBcxS1zUsMpwaqff5sDoqlBTwrvfLpHT0W1ecJX8Ew10zim58DzwQisR +Uv1rsGiyH/dFzs8m3jPdNjDZyyzGQK62hwp6Y/m11PiMYgGrvAa1ofjfkGRVxUgo +UUG8JG/AhGvMnHJjV923A7I8MspOm4H76wlEQLesPHJ5WPSBXTZ5jVgdWdp50fPR +JZOUT6gwkYF59SeZOcSFecdyuSb0W68/klD5PX0G8qQ5ko9beNm7Rs2aJKvY1MHU +n5rb00aulQFaYLFJ7LOTDqYDUkKYp7n4hw1X1yXO1MUYyk9J9WNO/Uo2psKXcBsd +ZjdEWj1dWHOhwswygndL7RxK/17psmod055S0uYkjA74J2eRSmPZ7ErIfUh85rQw +DZyYKh7B6AGjcpA1YyrAh6BgyJncP9x21dmip0ENrfg5rpcfHpTrOF8To8fpo4/y +vUL8kCxCCPJtkJiuXkGhV3oZsj2tWGvAclYqO7xe84vks+GgjG9Ydfga8JrvPMDz +YLX7aTDnZRiU2Z+FvtABMjmmPjAHj3hMx/o25Na4bQ7wBAPEUiESsnh1HwARAQAB +zSNOaWNrIE1hdGhld3NvbiA8bmlja21AYWx1bS5taXQuZWR1PsLBgQQTAQgAKwIb +AQIeAQIXgAIZAQULCQgHAgYVCgkICwIFFgMCAQAFAl97G2UFCRD+fdkACgkQ/kMA +nEYHsfsg8g//ToPK4HDWDmHOLcFKi2v33Q/aTA5TsfQb1pwHvAUepABf+bjwqu5o +/2K3HFqhn7HVl7vgpqFcAjf1u9H7Jh+R7buawoWQIxi5cWW0GIuX9gutzgVyP/36 +y6rrQnZwcY+vIvi7fmRx0VVd+bZMOsd5/XJQ2wkLDw/6ppRWIPY5Pg97M3+CD26r +MonWcghRkCO9g0PwAxmqYHZCxcJp5aEURLOzh8NtDllxsoaZK4H974tWtWk04BWH +koApQPFg0YYn3cTftAIanmgtuKARW5nAIzPnCS2576DjKyUbAis19nYRgv+CtMZQ +ohkyNEeDowf7UgFTI+AkbUBjxwKP71U7ZW+qynRYT125jTtTGOOkX5BQjx2Qg/sO 
+Vs7Ukyezw1GFWmka4ijpHRssvEdK1mKZLqH8OsMG6XE1xIDOIRnsNJzR0c4u3IGO +C3+TAQaokn1E45CcFwb39n6keFLVEIa+XnYDil5QC6w+16TMvK38q6dS5QnE04OS +errSuYfX4IFslhkaLXd7uAAb7qrSQzD//jmmiKjgyFuRnSHO/nlv7fsvpCtFNNX5 +stthayhtmKxvBSlyTgArcNiP0oQKVE3LO8y2qARGY1eOBMMC0ml0W053A/cfQOAa ++2UqQlvCQf/Qben24Bh4tKyW6The2k4aNSIN9tyIUAIASfgOtoye6J/CwYEEEwEI +ACsCGwECHgECF4ACGQEFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5ngBQkHf2HUAAoJ +EP5DAJxGB7H7XPMQAJ6EXm4DaB1IlCrH+5U+QYXwwrKiBR+mHPBWuiEBSUbY4nOY +V+jK0647jljluyPXL7EUHli5RqajCvqZPfheAuRxNLlyznhJeLjdt/qBbTEgtOvo +QwsmmDwEogiStE/FrNypgGCqH6NLAEvHANn9UBDRsi/J6ccPDieIuxlQa5ksQCsR +zXTp19+39XWkeStIaaHx0w/x78IyAQHFZlxDI88/ZmUXfI2FWkOnp5dWcJhYJPGf +/E4n/aBbKZ6cB5OxEAX3uAt2fz625RuoFR9R03BjW1L8RJwKEa5fiBf8sG69dxmn +RWqebG5H4MhCemG9Pv1CGqK/bAiyIK6j2Dpj7K7F6j/0CePr7K0MrGjHOvT01bnt +ZI0jnNWGWS9M18M3mfdHM4Lof8kA8S/KIJ6gFAi0N5W8OVtzUx20IA1G2cRcrTYc +zyOpENDKOz26CRIi8SyJWmfR8N0HE5YlouT+xL09Vyo4i2Jck12t59DnKvCnsNLM +XuudDOALTGqyzK2t7njMblLWq/xL0A3DmcI4auX2OuxTyVm5UJkUk+2UT2GtzXne +2NIi07k8+5/xP84v/nWiNaaCFuPySfy1xmTYERt3EXgCs5r+qOCl2L4jzfe3EEsJ +NPKy8KWSitUjcc9VoOiZ48LDBEbY8LDDFliYkvwTyHK5fNjqLlNE8Jj4yX49wsGB +BBMBCAArAhsBAh4BAheABQkFo6E9AhkBBQJX5WLXBQsJCAcCBhUKCQgLAgUWAwIB +AAAKCRD+QwCcRgex+87WD/wP/UW4QljFB74PmDKY9c0uXmpbH3M9fyuLxSVofdYP +CU21mwjCwiWLBVhBGiMEJ9KtSQYFcK0mbcWG9dB2vvCyfgvbaGZPs0gczYpSo84V +64a5VX5uDujQQqWgZYVLal462M0A40mMRNxLrOzMMeSxZUtFjsvqygLjpTwuYJWf +dE24A/TAUUEX611eHzniQtRegfTGZwD5A6HA+WmSLRIgcPXfHNTwq75nHhLgFari +qRjzmfJfVkQjHhDC8tBp+NHkUv1b1me6b+POBnwYvOoH+tlKw4HLN5j1eXC/7H8L +xyC6XOQyq4uSMrVXIcLFVo4T6uG+yuboUknV97QogWCKuGUtl8zFF52EfZmUa1jx +kpF9F6OywY0K3tAYc/qXODQuWjmCPl3gk3CPK5B2P7QT6nhc+wCfwLQasMZxJv/m +7s/7jcyyAW2+EUi0Oo1m75XWH9/3s3TbZeFfFT6FsX4obNIWauBwr5cWRaeG0qoA +kIOysY57v9aKzc0bQaqJLspWiWMLs2CWXH4GGZf7glGeVgK/VY7pICGroT5PWhcQ +OmUJ8rx+Sj7fQ5UNtczA9mEFtCuFfZ9IXVs8kOaSTnCtH9NeeEwy/iFB8cgIEysx +T7T1n+IpT3mPjvVTGK1fu/EVhjk5VCgU4B0eCNsL4tSWXy41fRFA0auy/0o99G0T +7cLBfwQTAQgAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJX4qXJBQkF 
+o6E9AAoJEP5DAJxGB7H7TnAQAJs/XQk5Wx5Db/vMztwR3oRMPvG4NVHnA38fit8g +IWSMsB8AWJyMY1P/cFkJRpnQo/fF83Z/XinP0pKTEQ97+UIqvtndSTLUFacMirGh +yx025aTag+OLhyIe4xq19ZZEy3+YNq9nOGMIivWxGyvWUVjQYVwk2AAtFsC1FZtZ +4pVtte4Yd/Vq4nOTfmO+eejVmCvOHKr3xHET2+psiVS23j3aBJIShikPbmxRg+l+ +VbE7RLjk90Mv3PnGhqVfgnEEoYQZ/kppE7fnFb6pHgP4zBVRCoYVP3qCLv8WzoyZ +s/snYItAgGIHHv6OLDKn5SSSnmJho3+z6/PfCUBbLbz64vF0Itj8+6mwGlenMp2p +tPc8mvkEnvfHa11emmJVnFVJTKY9qkrft/kabb7AezPE7TgFuN0tTfoSsW00qNuL +QiRubdqknQ20C3ILCUiqPef7WajwlkQbe5KJE1f2HK6P3FhcveGkB5eG537/0BO6 +gH/Mv1Czu+sebDOcXwPeNPqNEFAqUmXxh5UFznQqETFej6DPP0HkMUlGnZi3o5g6 +jrUnMnzG6GLBYDmLAm26x1m7YMqLI23bxDLuBjIDZmLmcn2kYA/MbJhbWg9mnmis +0YK/5nXbbsZ8GtNhLP70T/mRW3c3loyTYtX2mtsmaGq64Uw2XlwQEtdZrpiQNnR8 +ExrHzSROaWNrIE1hdGhld3NvbiA8bmlja21AZnJlZWhhdmVuLm5ldD7CwX4EEwEI +ACgCGwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJfextxBQkQ/n3ZAAoJEP5D +AJxGB7H7eBwP/R3OpDnx7JtFOq22z0jcLjPLwmP+QqgOlIvSiqj66SplpEhPHcgf +4DgBu02RwE8ONAMo6McFvUH4tvI2NH3X8WET32APLe8/2cxhtZpH86gdnwTu1xGM +XQxz5sRppIhOtoowGWh+/e/t9owALOm/+IsHnxbX4ddIN6goB/mrlepRVRUODBnE +0K9oZG7VnnrB73Ip0+hqaDVmiGdOn7LSggl7ip7VZ5hUHXwvHg3dUknKapucMXFC +aqdelvYFt3NYQ2ZROAsAVLdi4k2dY9/WGNCgFHbdSGurJ19yGwttv57t+GUsG3OX +HEIMq52dkM4LOnbdVR2miV/jhFQ7J6i+mjZ5tYJiwrX9uFSOSzHbjWVCq5tlj1OH +s18s0zDO523p2YWS2LWaiDpThnRU092iGsNJZHaJmzA0T+7Ti/uaqqY9CjshYSBd +i0XUQ1LowzWDfBsVjV/u+BN80FYoszJzTAmiJW3GOrxbkhdb4nYptPKmY4YSSlLf +fOQ0y9Y+eUYMGe23xhejsYITS6THOunWmb/jlgK12Rd8AyrZVtD64szxAYqSXJ9r +x/k16KIl1z7JzJIRzBIrdHe8HTtuy9zs/oQgICPMrotKF6TCjHkH7prZFcCF09Ij +Rcc8ihpZ/C991HS4X4pN1MdQMuEIWVIAjxKh++gMYYzMjXUqBsjXjuBhwsF+BBMB +CAAoAhsBAh4BAheABQsJCAcCBhUKCQgLAgUWAwIBAAUCW5+Z8AUJB39h1AAKCRD+ +QwCcRgex+8yID/9lIunYmqatd4mTaiaAJIUHMjFh7d7J+3pXwOV2bpg/eBpFlonI +OC/8xnj+2CiKVusjF9WXoakOQUyXizPD7+fnUDzgQjmXxQTO3TCiXhSRdDdrcYcw +Z3Y+0rkK66QOv66S+NQGonG1qOJPjV8XSpLnuWb7bdk5qlaGquJIeoVQQpMZB9qe +0iwxgKeegJuOCRTQnPI7hoCpJX9+PowWR53JMi/Tks76B7XP/KF2TLR226oD3S/t +4Jup7LU5xP/IDCKWf641ZOoNdrCRc84nxeXcChjcX2eGNuBaceplLRQD3+ONZ9QE 
+HuQkbLfCQzs/NQTXxrB5NwBaBblJkNEY1i7GXeURGFE4ChD5eb6ba7m/uE7UOZ+F +wB0OpgUHIRlHrD/maVsd17mIsNo6WNRypXuzAlNNOVFgtnwVOpfm/OURzkLXeFjx +An4mJ/ca9SBYxtj9EYSp4OM1FjLNbm95Z1cQ7nxwQA98ZEa1yAr/TY6Z1Zpe8nHy +evsBLBWNPObW7nUjmfvIYzP7/xJTimwkagLGgSi+0R01HlHk1TlIYd5KyOFdXLui +4eEK5WFppqSCq4U2j8vaRwNKfUFryYOihBvpcZblRSl6+kuatcYF+m6tUQ0Pi5p5 +jO/nORRm9a8ertRSaxshcsavjrXpe7ZJ+yCCIe15MHVBSA/g687Wo8qJFMLBfgQT +AQgAKAIbAQUJBaOhPQIeAQIXgAUCV+Vi4QULCQgHAgYVCgkICwIFFgMCAQAACgkQ +/kMAnEYHsftQVBAAvOPy7R+ucWt6SSg3bw7CUtJozxujfNKpIb9xWJ6rhNWCPbyk +kAyWnHuWLxaRiADX+aTBLoGgNNJHBc5rYgcXgFaE26O2/QEEXV/0vJrPcmzR1t6M +0f4J9BTmoc+zLcgIYwPJl5HfyTPy+zZ/zorJ2CP5h6oaCYioyXVOEIhtO9pX/xRy +DI9CtFV0CuYrisPTr9CU09zwa4DQSvXcWSL1xyvijuMKE2tDvoYectdD+z7hZZAW +R7x7VktlS4WnbbTOMtrQ/EEQljLeoLz8gm0wwvSkRBnA01sBhFp+MWaw0slPBrBu +Nkmm3MygWDK+IU+JHTFr2E+6tSnEnAkZmQgLG3S+D8wUo3fY4iUnE0vxP4wvcx7f +/1ckzUsnOE1n4zOQTGefA89tFKOza8BG5/1BVhIUVztfXkKdeES9d4ynh6EKHOD1 +5a296IU7BKf1dAJgOchgktwKWbRQ8mKKpyExCYygno1EqBw1Wvv5UIvewPodAEJl +1zPHt4XKR/+bVhJQGeDsBoc3+tzqcDxyUOv22Euf85yvVhq9DXIAUQ8STY2xh/7S +YGIwf3WZp/3ry6HR40+LmUe6KXAAQSQQXOAZPAgC87j2mzMDTeQZ7bJ9wBQ6j7QR +/ebzs/6cHKeroNEbcoW6QhOwSnX01CU0REQdq9tCwYOcQ5lmjt8zNv6cB/XCwX8E +EwEIACkFAlfiphkCGwEFCQWjoT0HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRD+QwCcRgex+xRCEACwAh/qUAj3EYe1XvMU+whr2h9HyW7qeIqHDqQc/LEt5UeI +XSqfoJV23nQSu3C3MT0mJR4UF2C0qOGOLNZVpsxOIE/dDpg0/8xABCNCrxJF3y+2 +DTUoVtujoftAYCP19MaIml05C+LDeoM1d4CmDbokYtm/KBbLnyc82nYaQHrlljRT +8mLAEia8ye9IR16gTPn3PGT5dn+0yWiZ+95BIKhJdVKCY4wMr46RiEi81+3LWDBl +Ariv+Ojg6hCoQPwC4kUR1tisxyWo4mnaOEkHM2fnFWcqxXqK3NHhHUk56A9EbfOw +4mxbntg4I9d9UuW+B8N/Po5y10RExGqyOQWxeGOpPQrJsb77iHA/3I94/0o3yVuR +PDMSftTVWgiaHqSJ212hITMZZU7eYuxbnOFd2dIgzU2Nt1a/h9putFoJOj37Rz3Y +5blIX36DChBOtwHwChYx39V0OETRnX7036RfkRK1+4DX6Ipz/e2dXmzrsReUbvys +vxPz11NVefjic11EINm737K5iamul3VO0MNZb2+PQDJsG33eF7EYhKIJdFrldaWP +A6Qz7ER/CnEPHMwGS/ccVzcH8KOa6VymZhUMjsyd7BHoMtiNZGZM45d3AjgANEOm +7XM/CQ7IA8ODo2h5eGRQBoYDEPPqE0jBuTtNi+5E/6sD8oxRKbc0EnblVFhD/M0l 
+TmljayBNYXRoZXdzb24gPG5pY2ttQHRvcnByb2plY3Qub3JnPsLBfgQTAQgAKAIb +AQIeAQIXgAULCQgHAgYVCgkICwIFFgMCAQAFAl97G3AFCRD+fdkACgkQ/kMAnEYH +sfshpw//eju0iMvlXvsTbib8b4Y2Q84m5TBPEmkKh94hi2KQA27b89WhGRG2gFFz +E7PsrtM0RbV9IvG2KHMvUK7zQsHqW9ang6UHeCBNpxWYMkzjH+nI8tyE0fMYaVpN +TlcC1/daZ15BDddwLPMayxq9fofpzP54t3Oehw3lg4oUMKkx4QSaDaK6x/v5yrc2 +QTYXxtJsojP2/RsQh9mGzoDESAvSbgj8oFjllcrTk8rEFkioiCLy/6DJ1uQ0xmuc +V1bfok3cU4C3PvfuqTJIP4VRhxt4+AH98FNfx+20DAjW/o8/rcZwmFdtbewAqLmk +ADMflmGQ9+oal6vn+b/TUbn1zuuuw2jOyqvVL0Bxg9KSDzPU5TrLIU5eAMwRwCSA +eIsRrHGUdx/HCJYG0MnvdhpoHSZMNsdFCeVmlOCfYN4jJy3iAOI9PUJn+R/MF606 +S89Mkwf0tRElY1b9wSUlIcp9OKzP7g732sB1KfHeI9W7LXRsXqTRca1pbCvc1Fda +JQCfFGXguLEZpMthG2xfkPal0LhqZ1riZOysisoPYCZCXG1Aq7FNrLdRrIqeqSdU +xkwFSTI+MCJwvdMUNnpZx5tQDI4kwQcWOINehkaAJgaJQJmhJpJCav2HzzNV6Ynv +/xN4I8e+euvWm8ipJigIHJF4CyVo1FVruiTtwvNdCJmzS8kgxDDCwX4EEwEIACgC +GwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5nwBQkHf2HUAAoJEP5DAJxG +B7H7jjEP/0PVTL9eI1otZ9EGV4Wxv6fcX7gXJO1VZsRFWosae1neZjIjQ91dCzIk ++m+EnW7uNzubhxE6T3orMiITzM+UmQJE26+bOWT1cbKYkAUyjSck1S2DOITRP4iS +pu9DCM6XtU0kuClpKY6NmOYJaqPwfVTOah8IFKh6sWIJtzhiQf3s+hufOD+wWS7f +PIdo4qOHLggQYhQ8pG2PsiqJjSArpCqzfyG4SMMqOlDFgFxkx127qAqje3QlAu38 +gji5j3UVuBhb5s0eA4+HtVKcUpHWH6JMT8RALWM4eF0t0qUWYk6X63ScXr/J5gv4 +SGcrDv4ksCnE5Cr2gR2SUmYxhPfofBCx+3pPzExpEb4+qSe+S62pf+weKQU8XrAq +tP5LxIh6bG8ugE6Cs+J1kmQPEYjkONT8v3iRT0SfkNWRhyrYlQFPYA1F2E47FRpE +jdDnzIsez+HLDysmtdXsB0p/+1rDrriY8yJttXE9U8BSgTpukYifY+5c2c4vQWit +NlJyAY9sTPX1+KqnvMztYNZyFdcJifiY6tY990o3pabAlcwOgrayMFSMd/JrtEyD +jDk5M9dK1G9p0N9bkf92FfOP3SBo+9ScmF5A68jyFHrLQ8AXSuQF02s8WhNymgmV +Y1VugS6MsL+RGh8gTxCxaCBvExiMilmJPtrVTg4N7IzQYnYMeOidwsF+BBMBCAAo +AhsBBQkFo6E9Ah4BAheABQJX5WLhBQsJCAcCBhUKCQgLAgUWAwIBAAAKCRD+QwCc +Rgex+zFTEAC1GgGgpEJ4SFyREO4We3sgLadFJH5W0+f2xgYZKJsJHF6VgKcOcLYS ++xnb4T/XPSjoXgfTATj3lTKLJ5vwurx3LLjsUBYNE9kZOxd1dEUTMu2sN7ACd1s5 +dlasztgChRLO0K1GD2/dJcfvFF6xC6OJ7VtLuqp8Rlooui3/wRA6RLvk5hkFDjje +l/t2UHa9inYq96d7YpSlEF2It6p44kp73g+57ZaGwTHDlMvxpj1RZLCQ0ijEnajz 
+BxlDLJ6jRkYcRtG0enhQvvPYii3rXhKo5hK/XuBtNDysTR0ZXdPQMbHtsve4dxXC +Lg/0/Gm78tA27XVJIo6zgR7/qPJ8Is7/7wTNlh9VXnp0NE3SjKtIOxMdTJyoxVgy +06WJ41x0c6Wtt/AzUEOeMWRa5GLatci+KU8Szhn4Gddi9bdemtLPvzQyH0DFcU+5 +/IV36V/2rbWHr3zyAmM6t41YBzNKJNIVP6EbUiNwnfDUjii7QcphVPuYbk7F3wmB +UunQ6LYcbpYcTEaVMlrjDMwTbJnkDS3YFpn/vncn2GTDsaMUcGAf8REkUs/SB7mW +TTHn4R1/A8Ut6KJkqiMlwtonhyhsDRfkCplYePSs0TUlAopbr+Qm41ZYquw0myTb +3mVp9EgAwR3D9xGvgYkPyUvgCLbla3MxUkUn/16KWY7PzHvFfL/iEMLBfwQTAQgA +KQUCV+KmBwIbAQUJBaOhPQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEP5D +AJxGB7H7xCEQAKH/X147T2z1QX5G4iYh3+LhbtqMVSGt64fhjmmTbX39D46+Aqrp +U9Jc44O6C/Qj3dMsIlGeoiqSyA7y7P1ICK2SW+T61z77VBLY7l6+taR4Tnr4hiNq +9ZSx4MPcgXpIxN60IpMVc7H3maNrX1+3r3B++LvC+kLl24b2jdIcBI+d0nsNDqS9 +m2m+vnLE+Wy6YdaF1TPGIVz9EidX09/kHNPGNp2Dk9S+5AdrQHjfqls/XXPIYWAX +J/A3Fx2lgpAqvRA+YMCD9cesPMf7IWCs19P/75venoT0clE1Lo3ghvigjMDaC18A +VK6GL3nos+qxl3x0aNNGrNveGMSUfoYE3lzjupTsIEDBwO5Y+uz48IAlPQuFDdwk +3q8FlhaBaTGsJ8z8iA/reeqiFmmH69kOOG8eAoR/UVZaVJU1zd0Zd7NmUADXLRuL +j+SNvf9nq670gZ8Hu6cAF5/9ilBL7bRO9EQ/J+uG1EldRARz4bXc32MEz4K+iLyI +krXVFkU7xOYIVm7EO5mTwkIDmqaOwtzXYVD8LP859a6u1vzkpgcBrNhWZXLcPLs9 +mUp273cByfMV/P78JwhlsdvXXcWd7Us6EfLtM6z8ZrXoVJtf1jG+7OylmttrGZ6X +patCUcnkYXhNZTw527bh+nKLOdGqOPY4Md6KZp9dFxjK+a3RTovA1QQhzSJOaWNr +IE1hdGhld3NvbiA8bmlja21Ad2FuZ2FmdS5uZXQ+wsF+BBMBCAAoAhsBAh4BAheA +BQsJCAcCBhUKCQgLAgUWAwIBAAUCX3sbcAUJEP592QAKCRD+QwCcRgex+1VqD/9Y +ksvGVLhmqk5GGk25NIepvq4upKPEt3oePZK/Bj9xNTMpUvmNa0+n6lERa9/bcdoE +er8PRiTKbOAijR5rgySN2gEpjJSDTcql4q5C5RQoO11OqcC6gEBk93BGZ2Ur2PpN +chxAmNH+hkVsmZVIbCVoYFXz2uNeT/q+0CJPzUGZYA8FadPdUeZ2lwa1lz7I9h2g +NQID+IrqV8MEpgTD207ERjdB0C8zua7J/DbnlfZN4zbjsaL/y8RCJkk3yG1YG2EC +DF5Q8bivkcYlSSTqrMo9WAiJLK7m03qKLfyKH5M9DM1kBCqppYPKEANB44vk++0G +EyYQL2gjICkXO5XrxJAVkBm/RzKVFAMvRx0SBqCG2NiywspTiVrXRGEe+0KQkkHI +8bPPVcrLGHE+x19W6s8YWHTRJj8F1xJOBy37PW+o9OpX5cfmJosNRh4zVZFPnuS+ +ytC1QNL9DxUBxgKy1UCKrlb5WTb6sQh03xDEU25uoOB9UmITk3Wd9MoqR0F59EZ5 +cqN8TKdfSup94mI6ecDRPOw9akZ1LNFpbiJ5E5EAiATCd4SEh5PxBDt7YK6/38Ik 
+4l8IoPinDSyJCVesJNRbWNIdwjpX31pplzK0GDE+1JLfHZJnVVD9X8edQQpwPIeU +bMN1XFd8kQs+xwCg6QQrtjRmLjjNDf/dnbmxSWoo68LBfgQTAQgAKAIbAQIeAQIX +gAULCQgHAgYVCgkICwIFFgMCAQAFAlufmfAFCQd/YdQACgkQ/kMAnEYHsfvYBhAA +xgEY8oNLZhC+0Ent53yUvs/dNN1+YcE/jmBKBflewwxTTSXOkervnMa1QLu4Xegr +/ttlGqjA5EakH5PtrQWfAb3u4B4NBrAGxN/WirL598RwwKEGo4PecNh7ADy40skq +OHNJQbEcaJ8ZAqFF/t+3C6CjVDuO36lHqDXEYytw/2XjY4CBtRF0lyTE5lRyI+DO +cWD9m7M2BZU61Vx/aK5OI5UaCqWtYWXl36gBJdV7APY+MA183Ly9EywCZFPb/il2 +RdmiM19ycENrIuDF1ZAqpFats3hZR4MW8WTS3BTGste/yBjjaS10bp5HiqVlZot3 +TT28OmeWqwjFaXC3mVE943/322Mslz1QFV4e1/S1umqIf0wIVu3jDSKeZ0bagdk5 +SK8yNWhZ2ClbtR2vSPLdA128hjaNfaxDYiXMOLFEy2FvZk3rUtNWbA5Mji2qhiIh +cm2jCkOGg5hKSfA3anEQfKXcEi8OTzEnLmvyEw0MNZgPBUUciJjgis7CWAlTn30c +6plwxJRhBE4tEvY5VzWNOMeTRhx1Sf7qp8vKMc2FnjZJUBI8xFe3vZ1qSFAKfuga ++SJM1+PbxQQM6N2q/hlJALW4WUpjvtvEQsWYYoDbBgWtsTtNaLYbetcS4EaA3lr+ +elwOTLiYcsPNaKD4ZAsDR8qiAzABJ3W5aGEV1VvF+7PCwX4EEwEIACgCGwEFCQWj +oT0CHgECF4AFAlflYuEFCwkIBwIGFQoJCAsCBRYDAgEAAAoJEP5DAJxGB7H7RCoQ +ALDD2Tu7CeSRsGiNRgJE1QNEvvoISDpr2LncgOwumsJg9gvLeOY5fve0AyVbyW/j +KkElOGbfGC5HO3JAX8s+uqJLoEF1TmYr/ldBRFDb9YsyYz2saBlnUWvWwcDI5HCH +fw8BRPw2MhGkB2nt+hQdEteKkaeHIjvkScFzqonsiq2IQknsbhmyDZj9coaxoCK1 +JL2xX8pDl24i8alhgDTu3rQJxppqBBixZ3tSXhsp2WSF2bSrjb97A6XxSfUrVqGs +FWqeCXDE53QSzAEYmFFpuL1kvi1jOXlr9CeTc4XGBP7HttPWU8bgnhA36HzW/MGd +hpJ6L7GVoACKhEsB5GTKEzobwONalHg60ufRNk+dIZMr7C2eEpjBKLYzgevAmbd9 +k0uOicbVqA24cNWjvNzuRxJGxCA9XQSt9FAhpiNcdvoeSXgxc8sZp3+0EUuyjYTn +ahLIk5KjvRRTkILeq1HAffomGvd2PfiT3Iq7vKGHhh5n4cXBMXi5DpAB36hKIC/U +LcGH9khKTlBxfeNntHMm+/mNqwrdKeAfC8MO0rBWXZdWZs4rwElPcoVtVxPY/CCr +J1vJqfnufc0ZUB8WguLoPxqPLC+ja7Pg/ALRQI1cbJnZD5hteAJ/dq2mZ4vS01Py +ztuwCKYTKIdj6yoMgnIYxmh9xty4FSSzodtHM3c0x5sZwsF/BBMBCAApBQJX4qYv +AhsBBQkFo6E9BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/kMAnEYHsfsc +9w//XpLL93sf0hNPz281ql/zSVo8P3oLmYxzmJfiEAMKOLX9UivWD+oJR2iBTo0p +nhuP+/4a0IB08dIvTE0Y3DJNsx738F3CSP7ZHF5EFaIXEcyaCv4lncVELHBMiTCx +mA2Law011830pwug0jOUyv4T9+CElUhm4XT3k0CFxXtOMgQ0KA0IplxszhFOL7Vq 
+T4Qqokgdymjo7mLKLvXqKqs9XbZ9A+RYeKi/HwDqBfzhLC1ur9p5VmcA9PLJvQvY +B4S0RIM0utaVMP5vD6BRpmlQk+WkeJbzbZQFEJKzdOGVdQnSX/Y8qtdGTYwUDq9o +ZCEdrEraP/6uAzCccI6lkGoTSnQ+FUufOV0c6NZvmiaA9GkIwfq+O5M8Vhf67krA +rR8Avw5y8TmEsr9Sg7AgmW8rMDuNFF2ol+D2r5VJZgo48kICo1V6BSDN4pdY4sI1 +xrzha8fkQ2bXUvPDukEHs7JAXToK/f3GwMtwqWzmR5b5EO1Pytx9DK60I0ohjosk +8O/F/9cY+kkEXQ1hyu4FKhLia7HmJbdaKsaQSyqcVBUvkDm3MExl+fSx6S6F07kr +z9k4017irw8kOvpnV33dbXK+gzs7qFYY64Jn6tJMnYxTkyGqHDvPrCFVbUvIBQ5e ++Q/bghHJmzNJO/8ruvi0Enp6pioY/0bzr9TVtWCg0KNZPFnOwU0EV+U4tgEQAJx1 +gKVZwjJoFhF7TJ3VAJJ7JfwkGlxXOF+3TR7hhdmV3WwI019Cx4cUV21P7zVLYqt0 +jb+iPAK3aSFjTrCQZwUgvfM+s+G4byS6i6fbM9X6M8HKGuTqTRIKGaFjZlJ/ubBn +H/CyYpFD33WtEMJv1wBaz4EM3q1ROLsNAujCEzWD8PabG7atQKINnp2zXzpKO1Aw +gLYPJPrbKFJz4usYpdN8ULSnJSzIxqMoiJATRVnilnYCpcJeQnc2V3bH/ftEm2tK +SMRZuRefPggiMZZn5uEmTlBdyHMGFK+huqP51rw1EcvIi8Bxy65YoTjQDvrPuKtA +6pOQNK5XETfzWlnwBa1tG5QxhIg+AqEJFJ9AH1h/jPfy9ZGeE4PW/PJDa8Xnet6u +dhIqcyKrXNlyc+Cu/uLcTS/2LB7BgEouKKwbYpXv0LcZlkkkUb8biFLKW4bIx9+8 +YcZdAWUZQGvB/jOcxq1YR5Ke1jd6efPb7BTTAM/DL2dInwEEJkS5S+ecuuKWHnV+ +0iMzxzUUkCehEQ4apXejTRwbWe+H9eN1a1MKPGgTZrc98hhrVb+hST0Pl12fcY94 +botnk2Va1kzeAURYnlbwWADtbCtNB/inUIjOMxK8F0oIsu/i+lC/q+4x0V0wA5lM +sowWj1Q5A/sh+Mah8/v7Qh2LGkjGOH3xVbE6L76rABEBAAHCwWUEGAEIAA8CGwwF +Al97G8IFCRD75IwACgkQ/kMAnEYHsfs/+g/9HfQdh6DLeYXPUvTDEUYVUHlkZw61 +SjHPQy4SMMBTz7rALeBuxYpR7KTzLaCdtjiHBGGSgsEmQto/GLdT4Vt25zpx2uxK +/tOq041PYRRcZ/aK67M/N2CDmcsCzi9sm6HsOKJkZIwVIiQ10UZ1YT8FEdC8/Kzw +nxgmtG/iG2852dDS7Ar55GIuYjEob6emTbM8Z5L21vPvJRpxuvsqEiMMA/Oyi9jw +xhDVCHL+a7pWSR5hZuyvJE4W5zU3loZrLg7kezzbdhWcEENLPiLdw6mexhUeXgT5 +nnUwcLe6eFc6VHUUO2Q0vXF2mCHdQLOCGpykL0DWxxth07o0OSqTKIAeDwsh5YO3 +dYJ6V5UYVu84xBe5UF5RZ5XDWYyNbifrLiVtb50OBWLekwau/d2VqrlmWJaGrLJ8 +B9mxWN8zcWozZtQNDVSo8GU3L8LYY9Sb2nBxOAXRVCyuPwyeQcHamvuWokaUniav +gEcEEXP2RLlPdJOF6QV0i2mXc5AFq/CfylZOtRZ5WHvASqvtT5rulQ/oZ67v/0WI +LTDYXh34D8ukEU40WNT4cL0XHcXMLhZJ1AQUOn294aG1b2z3N0DrGx5/Mcscz5qT +O2tfvbM16jbttrFfjuGGvuTBnEtSaJMhVVmtdFg9MsMAwHMp8zBE/aSNDF5qmNai 
+o5TEFXO5W+BS3l/CwWUEGAEIAA8CGwwFAlufmjkFCQd8yIMACgkQ/kMAnEYHsfth +VQ//T2F0tYl9k4zW/IOR//GGHVHGuzESjjvyAAisBZZf+4fFCrHGgzb3XGmD96UH +8C6PB9ttSP6knWYJa4ohuX50iJusrvGlyAmOyTYfX4DfXdrPeMtvutSXCk8A0nR3 +lfpeGkhXDCt/MTuhKvQOrqupsbVbzZHOLdlGz+y3k2790dMMEUdCk7EXONfMyaOU +jI233n/MLhMHFVlOjPStU3+552i/yCKFctAwznxjhHO6rQbgJvEwQsXa2c9JnEtK +LSoj1j8IDICo75WWoMgbc9F+eNV1l8cya9FVWcJ4kfI/6adxj4ZKEMMl4FHPb3ct +9aasqll/cTnC2JEcnholP2ZvKa6asaprJb3Se0nesOJcsqwsq4Ylc4vjh5DDMCpU +Hqjgg4MP2u3WuL8nOOKdzgDpYOjitoGi19giFF0QRFDbtqZxo68LF4xo2069HYs6 +R++ZaAvcaKeB8WgM+QRhP/i67vLpYLeIKk4H9wOSKudIg3URCjTMdSPVJjmeJvq4 +ZfMM2In+CkrYGMJMW9Miaj1+KDEHRTGr6vOw8UkUD/x7O2pbFOfIaAPWNCLsJ9qK ++5N0yvY9FzVaKi0UwEc7KP7HA3HFRSM2VZLdVjqOPPIbxvcGNqU1WjpQxKc69ong +VvBF9RLjGsIqXbq3yygz0XosW6VC5mhRuIMcfa5FGltkGDrCwWUEGAEIAA8FAlfl +OLYCGwwFCQPCZwAACgkQ/kMAnEYHsfua7Q//ezGNpIkXijjXeS8HqxvP6yyAxWTD +I2cjynC8xqg170U7lmcYbvWsbAk0ml2TKkjPpORKPa6ywLBAKED6zUraqBEiEehw +aQiaJbPzxd7E9TWkapxXaNLuJnETbjdZgzAVSTcOcylLqeUJrIWfcDc3BVumi/Bu +dyuR2KWi42OwNHLV4L5K3rDng+whzGk49jrf3tpCXy1npBGYRDqgeRzzJnQS5K2f +XnFsBifbRn8PwtLKGGO6RYp7XWZTLP8+ZwfELVTulDox/OV7xSLRZUtF4woQrG+J +S9G2FOh6mES3ihuRUSjBRQZcKf9kEKqqcrpqPwtoPHIrmygz6eDz0Ea5idbFCGCv +AEARwTrmZe5dTzBAB3X/oobyQPex/QOV3OPIPw+HSY/ficyGHimizIB/x0QEN4L7 +GL8DZSLO4m9TEa7+Y4+XIBqa3Y5yXqUy52jCGt5QD7r1mu6fIuxyW2vffOk4H2jI +5SD/I1J3tipNgOFbjx/pQWjk2kZVoLKg60fcL8Q24TSm569vyj2r1+xFkKSWO8pX +1njIExUTePEUcWEcT7AdxrrPAf2WUxYPGGMTRfrcUw4+SKLzDqgFGC4nIi9y1flj +ZXEZBeG80R3GnU3hyeUwwdn344V+rMT/8k3He3nDEL+vIfEeubAV8Jz3hzou4SD1 +o2/lCOmP+XwQDODOwU0EV+U3SwEQAON6g9gDGhFIqHJNGBfkDAd7XzJ/dasMIqji +Orpjgnr90THlM5HXfuaWCVV+Yt1kAsI4woT8w7nAvNs/5v8Bq7aYQgseMMsdlHnN +CczVyoynxAwTJ3tDME53Kz4sLsu5NVCQ9uZ9Z/GcJHA8ARObJ2GROagFExPOIeri +GDyYFWDOgCmIjBz9VUT1PN2DOWpTAPjn30k4ZpWeN/hnf9V+WkOMbUaJFefCsIU5 +ExFhVCZn3J66M+YumclIlnyxEZgLs+xM/El471rX3bHm0z85XOj/wX73zIKpws3p +ucIFNO8PXIFGja5RzQVNM9nhpK6xOvelaHzDsX4sb5ILs2Y4x8bZYnU099sO1VGC +hfn+Y0ZQupdLUPnshi5dXTyzBTiYuBuKPihGUgm/awsMmAdSRB8vqZATDnvayjRw 
+6j0g1AfWDJBPVqUDY5XrztJkWifx6RF3CWCdSmrbcRrVVyoWTBx3alsIvTAUhZKE +4aISvzy5doMRVyMEbhqHEhbfRGt+toNEHmPdxIDLI7V6+CZ1EwwXNQIwK5MNWLrv +1QQexrqzVVdcxuQz/P91gLDxoCoBi8HBGsA/HL+GVd5oW1U1o8U3mm1SvLSeg+MF +WmiSpSOGpS9adKPwRyGy+giGRnCWJH2dcncSfB9S3XOimhqhNy3Eb98ttgl2AgaU +DO8M6Gu/ABEBAAHCw4QEGAEIAA8CGwIFAl97G6cFCRD75dwCKcFdIAQZAQgABgUC +V+U3SwAKCRBq/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzl +sRmE+ST/bOaMpJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/ +yS+8ubp3Nv9HwD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/ +3bsQ6PhflHTFhpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX4 +37h70ne47IkJEO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1 +Nakzq9bnlqnw2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dt +yZxpPn/0jvS8yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8/ +/63ifzOAqKlnxQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuC +mSiJvig03iTsy/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xn +TzJYTy+sUEV56K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYl +cHKAv6ldLCuv8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc9 +0OX47wkQ/kMAnEYHsftCNBAAvHC4X+z1yIZ9d1kiEEbBrfYT6K+E5m8i6trhDJ/M +3BxQPcV5Zl8JqvHfc8eciSnp5aFpbpNpSMNGMWjvqDxYCI8/OkbWuulcXW7zTMaZ +8h+RdRie7havjBGfMrCYBwQX2BHwrXjhobEwnCfOX2VsIt0i/J/xpREQ21KvSvxk +hlWQGa5YXOjUdD951kZuw61HXajDQFsZzpL/RMX/n+qOfj3YUb5J7/55As4Ysett +vAW3tKzosCxCKcKuAJ3Z4frKF0X374FOfUmp/ncKOXtsXcLVYugVhHmuhTwy7wNN +3LCk+43ED3ZgxR0V7sykPUytkLKTECkWsCQohPBN6P5gaV1yY2OnXQGXm6qOy/Wc +uGmRfSG8btsnOSGbpgfHI7TK78ALSkvDr/mgEEsF9kgxaA0sWsUJsWayh/7LK/A3 +qQZp8JVU3wAuKdoatV7t3EznOdeg786ahx5lJ6FjzB290YvgX4Oynpal+agnhfxl +f9YpCZsOh46K6zy9Mr9JtqzNp2IfYGWoEAazsgc+w8RUmToHiz+D7z4IHJdH+iNH +slUfSf1sSAWBEQWxd8I1r+R0zX3Va+Tuk/qJYO05EyLnVbaOAVPjLvP8SNO0Fn0E +oGeAtZ2x6pbCaDWIknjDU6l3cwu+Uns11rSkY2cVV4eKVD2POqLyGejDmKC8fSFc +lLXCw4QEGAEIAA8CGwIFAlufmicFCQd8ydwCKcFdIAQZAQgABgUCV+U3SwAKCRBq +/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzlsRmE+ST/bOaM +pJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/yS+8ubp3Nv9H 
+wD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/3bsQ6PhflHTF +hpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX437h70ne47IkJ +EO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1Nakzq9bnlqnw +2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dtyZxpPn/0jvS8 +yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8//63ifzOAqKln +xQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuCmSiJvig03iTs +y/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xnTzJYTy+sUEV5 +6K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYlcHKAv6ldLCuv +8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc90OX47wkQ/kMA +nEYHsfuDKQ/9Fpoq75+xgkbQno3vLC2aNJqHwk0LzEINgqSNVYPob+/dBf1u3lN5 +HHNKH1opin4EEknRulSWhU3C9oMy4MjN6rFqhS65M2f8jfG3qXHAUKDf4gL3ZHeP +qWEHVkE/Z5X/M3gZA87DgmskLuxWFyWoT7DFWkTb4TtJRdVs3R/zI+g52uM7UUV8 +QjG/ox9w7VdUXIn9Mg5TehBTqZCBsWx2lM1SOzK2R7Ax/IukppOb205RmqOKxZh8 +gj29StTlRoJy0RE6typfSrhyaTithX3gWKfkCm+LGzEwWtZoRstCRmEeD30Glnko +BXFMVKAvEXIGCdVyaugQYVMy5RXlQllg/3Qo2aoKhwCWUjVnJIDT8csrcYKgA+As +R+0RqXCSHDeJWhoeiUOnm/ZGa6g9z5f8t6z67jY/iXXSCw+jv1U9znYj0vuQIBWg +FbFC2C0xI9HBZIUgakeyUxnG3WRkChUV76ZG9EMuTfFaGanWG9MWzb6sX1oWVNru +PEvxdRlFhkr8M98kAQHKcBgVmK1eCwvBt+4DvJxVRCT5DADLL1pM3ZSb5e8ibkOY +a066rFPA6VBNxDkYOYBw2e2itzljh6M+Q9URIocFytK5PQsCxuTHqAK/Y50Oypgf +tw2aq3/J1W+QDO7Xmyu23GJGFZ1oCF0Wm6RlU7d9lHxclFwR2cptw8fCw4QEGAEI +AA8FAlflN0sCGwIFCQPCZwACKQkQ/kMAnEYHsfvBXSAEGQEIAAYFAlflN0sACgkQ +av7m1J6StgH/kBAArl34ZZgE7o1xwuaDKaOk1llKTSZPK9/erHSc5bEZhPkk/2zm +jKSbggrn1F1SbqV+ktF7qFldyssRdm9ESDcwKo4wcONpMnKALwK6/8kvvLm6dzb/ +R8A+1gVhiBj8kuTCw4+Isi/R16J1QObU96UEFwWkncm2IQ5+D3DiP927EOj4X5R0 +xYabkaeAYXHi+sIUFIBqqFxjvXabLwo4gldY6q2TrfWZob1dx8MF+N+4e9J3uOyJ +CRDuDrWH5VuKrj7u+r0fiKQVSJFVVDwkD4qYJxJZRldUp+WYctMRtTWpM6vW55ap +8NsiJdKxW2uudw5taEvayeVkXGcHM9e2ArAlSSzRPlT8PxDfuctXbcmcaT5/9I70 +vMj7YYTsNO+WVXQctpNrr//+XBD0dngPuL2RKZkQ+cj9gfBiqk0/P/+t4n8zgKip +Z8UPNNGUFfXwz/Z3WlxzyQgRydytZ8xKD7XoYBdM+6wq3fjPXaBrgpkoib4oNN4k +7Mv3FSkxfgZzgg5HOZDJVPMzLDpo4s2N5OlVKuK1vbB+9FuZSwPsZ08yWE8vrFBF 
+eeiuG6hX/018pu5lVvcWN9wYRUdj+LbyPVV3ffZT3W7yVioPXiZGJXBygL+pXSwr +r/M93+DhunnGY2SNba+vepVDDdyRXjCVMxyXv+1FctmPgMUdEl2HPdDl+O+waxAA +g7ZuiuuRAi70Q6aZFLlG259cyCmTmgwsbUAjFKtqTP5g9URgh1A0JZfS5/MYschS +fj8qBYsdChdP9VX/d0U9/LCc4sXL24XLnpTw7C9MeelndtXdxBxnPLUTby3ZQ19h +ZPc3l4XC52ej35iTG/lr2jQcBHI05fwBiUCuWn7hGiKk2TfUtUpFkcvXObrB2/CC +28Mg1d3NpYu79OY6raQoUGe34aVDdjbTDnx1nxARBfhJwfceid+j/Z6V3JKO0C1T +vKgJvBhc84kRKGT5/PVJR4dnXsYzdgWTDXVw2CUHKVS4taHoBuUAoTGOeu7M0WU1 +yMoYWsRQ2auMjxwP4w9sc7hTJt+Oj6o5vW1sBB47PHnl3lDWLt/iG+QL94N3aZXZ +1b4yeTzHi+AZYR9hs3kFpL9dq0WgS72j2BmcSkHdgdXRv5offNHyFNEMjxqB2+w1 +32xMCtNT4zWah0VJOsfFiAYPUZhDgCY155ULwJXJ+PTHyv2O983xJVmZhsRU+/Z5 +MoDtXDDeuCfL31nnKt42sRa1Ce+tHjJEoukT3Ng7GjV1lyuwZ3YX1UpN9BcM8aWr +KRUP30TqqjdlZLIMGoVv/z9rxYlSsLbn+P7nqaX8Vq8ZeoEh8iaQa+IB7NgXvoIg +cP4OP2yasPh/GwyuLN/DcnsMJjv+76tjXryzEH0ffZY= +=GKc2 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36 +Comment: David Goulet +Comment: David Goulet +Comment: David Goulet + +xsBNBE3KySMBCADOeaVfjDRP3kb2YaDyZbEjPKXkIJivkBbEt9E5abcuipmIA8o6 +W+eYbnRDUZr0u/a6NjEhG35yNFRWpFpi4Gby9+0xjNvGjFj+hTjROFsph3ljGFKp +yYfJQejlFEjlub/7ehNdVrwJz5WnIpNz1UnoC7/rry6HzBtKIcXbEpLTnGAoqAmY +d78cv5h+9B5WzN48/63qIns5ZkzAZIQio3Y+n8B80NXDOiTh+9cFPfAk4xBVPIYk +8dDpCGeHA8E7htJsAkgn4A3wsxEwwKVf4AD5+E622BWYabFyCWetpNIBDsRAm2Di +s7LtxC7SRWd/e/91axtQ5u1bHFliVkRRbn9VABEBAAHNIERhdmlkIEdvdWxldCA8 +ZGdvdWxldEBldjBrZS5uZXQ+wsCTBBMBCAA9AhsDAh4BAheABAsECQoEFQgJCgMW +AQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6Goq +EfSNNiH0CACJCNbyooaIGDEJ6sNkwrwh9DZZFs+qyafJqz7KXd3d2MXcnlgAw6O2 +DYCAy6hlKNaANWQSFeYTjsoIWf7wC8fFnaWJscPx6+ZE8beUlQMiyzk0KQg8ie7x +Bfnl9Lmh4cnH+4b5A+A3GO8JrWf+gNAi182WJzq62SX7gK7EUT3H9oS3FSbhwYLS +Yf7WQMWpWJ6dS7PbUr78J8XiJDvm6GvEMMC34/aZTeRdhntNOu1B2tybA4BwxbuI +KMa8nneqd/lgXXTA3nFRbO6V/PiFcjoABNEUgqTDpgKypcl9GZ15D/sINX6wuIFf +519Qq1PWtmBZ9xPNHyzXt3wfA/88ticywsCTBBMBCAA9AhsDAh4BAheABAsECQoE 
+FQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG92uQUJFIXhFgAK +CRBC6GoqEfSNNqLIB/9tFtZYDxWmpCBgokXkrJbTEhnYnxGJ+PzvFdswy+vPaf1+ +JsEnzqZS72bZYRfFyJXs5H3Q5pyIEt+/AIGJmafWXJNBkDiyx1+ZsXyqLlbXfWer +rzEIX6r2sPytAZ6OWDzbMnOlodEmJXVIWfVubXlkiSKFRQbORsqVzThcQ99yUGxD +8kGYGvWtTwZCJ3YgHHYecAOzwIEAKQjP7FnGqkFiV0aknJ1s7bHpU4MCu5nC53hw +oBWXtrNQD5h9woQCUco3yz/17tIPsbsLnlOIsywpy2WtQMUMr5UdEvkYFcVbYMQv +x0ZlebtPQ0P9n6lq/cna3kuDA7DshqIrRGIZDgzlwsCTBBMBCAA9AhsDAh4BAheA +BAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJ +EsGSKwAKCRBC6GoqEfSNNkARB/wMw153/mlVTcDFokfxlDtEuzDKx6GO3DMMJE3s +sPk81OtfT6gQsfdzI092AbAjzurNwGuEj52xJhJeQ0JnVn+YhsCohuQvmIRNBzDt +sK3U/93VNWMdSEIPFQZ4B589sZ2qtjpnHK1gEVqw+jImypYRP7FrQ7zWi6DEkC7T +uLTAToTRBeXKWoMAiT9F+kEmH45chYll+450/mSWdoyK3vAUw4GSFOeX2AoG5ka/ +2eLtuzTb3gWZriAkYAtmdgLFVeKjkCy9mQ2G6mSRvBfkJcWT8V3Mp2IkDl4PzeOi +SFUrm60ZuoR1pi+F6KE2IorFtKv272GNc4ys2HeqRqBpqIZHwsCTBBMBCAA9AhsD +Ah4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUC +XMnawwUJEOBFIAAKCRBC6GoqEfSNNpeMB/9zAaVEcZPk+emYqeSDjaOnANAJLBYs +LCCfB23rdQkcfNzYbtsOvvRehxB1Mg9PNN4e3K/l6ZMFCauBGt6jOWiMkojAdDMS +p7vOXwrhQ66whpJjn6pIOjv2p/Z9VME1/e039z6DDCH/Oy/G8pEldIQZkzzP9YgL +ytoMBjEs6bFt7zDS5G90HHkugCUVK9WNLMKhrCbgLa0QVNTeHHFffJWo5jhCkZJ4 +Dw8x8ukbOIzsNWGYtUT1vdKTZCDYASaWEC+2duxJiWL5qcR7m7oGb2Ohcvq432Hl +c4gBVS/HCLmSw9Vn7s7C8aJicUn6e4RQhSXajYeyU9MZfoz+7ecaCTogwsCTBBMB +CAA9AhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNgUCWuifjQUJDv8J6gAKCRBC6GoqEfSNNsvsCADILBT0LK0qjHxjM0YU+AK8 +OEcp1xaf32jPOyE3eZyro5QgVqAmsUM59Vk3R+cgrcfdwEOB78j6H1qJerCIA9he +RFpyLglJqmTFWdFMnYlAg9IInyIgPko6fK8X3E2DktyXNhUsfLWrKktjxNwU4tC5 +IIDboLDI6BjNMVtgcMyJRq1AB2iFBNydR1GQr8waF0ODaZLWeSB+QAkWCwLjIxLh +4mT22TVyGNFXhE988caesVlmDGgSiOviAZC3uCH0HI9aNAraE9hWUVkIp0nQEX1H +28if19LLlEfj6zJJVn1PhW0bggq5UQDEto+MIuq8YAuxvour3H9B6EESlJ3ncnyf +wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNvT2B/0fsSkMvEIF60Tg 
+lEQC4Qs9MYAtBMyf9F1nF+UxIipPpSfobbjIcImbPzcmrAAlege5u0/oTSpYP4r3 +EVMoN2VOyy2afxLiOyPCHporyOzW0KUoi+rEq84FrxwtBL6mPjeEnzuYTRfG+DSJ +eo2uDOS/q28+MwPCJ7ZiLKH9zEODbqS7rUGVijakHShYszStYNSLV50835OfZ4vX +2Uawf3FP65UUKjbY9tbTeljjWXME7ZOkx3b2zEm9Ngbshsy9U2YWkjAYOXtAMA3k +EWPwP/zQBNtK7BHwjZ74uXBo06X+LmakMYZNL8sRjlL0O3FkMKuMKt+axsRs4SCZ +aJYkPw25wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlcw7j4F +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNieACACCAn02 +e6w3AHy6npq89Yce5UuT2GSkjQwCYYUQpO+PsGPzM/RfPd6s3XquvDqC9+v1NvuT +T5ziI7HtfGZ1II3h6AsCMngZgYRN6T3lUoUKPS1lDYBtFS59iat6aFW4cVLUJSK2 +wQpP2yefcRAmxxPXfP6rKn2zeMGcsiuPUaXcsGgMa5vkqGoLunVF68yPlpv4al9r +GDK7PWq14yS7PW6sgQ6es7uXQ6eClr7oSv41V+EQkmFxNOpOlYO2iPl3CfigXs+v +zagvmV1qxSUAQwGjem22WnXY86x/nWp6hL9OxjAI4wTqOsbCda+R4uDhv+uDoq8B +229CYmKcoIUgui1cwsCSBBMBAgAmAhsDBQkJZgGAAh4BAheABAsECQoEFQgJCgMW +AQIFAk3K5V4CGQEAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNrTe +B/jgxz5vAPTQzxWCIpThmtbv8y7Aykmwy6A7oJUaoI2fnlXj00SFbLhhwHYI/vj0 +nXTH7RqwNKG62QJWCyKdtUsI1IcItkAx+hXOrW2Is1JY+WKe8CTFtlGk27x6hjKE +6w181a8QU+2KO6fdu6MKHE4k8QAzjSgbxx3IHSw+DMbOuePQc9KZCGHZTWdcrqer +7mr9Q+9hjTqIm89V6DG2forCoLaFS5CYBdouxMjLegKNL2ozwYuA6jTpwaVrurNe +z1w+38Q+9olH8suCM0VbFWFM9/BIC1Q/SohjE80FT9nThAfwqFTy6JdzaMjbcKKM +Rtsf+uz4nyU8KGfptA48yEHCwJUEEwECACgFAk3KySMCGwMFCQlmAYAGCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhq +KhH0jTY9MQgAo1nJFw25PSHDJKFfF91qIcO6y3eX3Gaag2DYu8nAMg7otmcZZjC5 +mn3r9l7jx/9A0zn4Ld112e2QsUk7VYI+ywiyhnXszPh8iRoLapyFUJUDpuW3cjhk +vBS//9qUXM++vxdzw1RaVEaMYIqD0jG/HYSIMvhMo5GLG8SeVoLDybEBK3s8S7ya +YahbgQQ0xDrArtNaWWWAE4UXpMCz7cf6MhZS7lfOfcgrrTMXNX5MWubpu5OcA42o +yR0aE3//OuAgmuQNcZ1RoRGMqGqKgjMyXXQ0f/3TrctdY9fLRqUkB8ZEj2d/4KN+ +gyPyYalMjPaWXeHmwBwE0VkEWHP7S7YJZM0hRGF2aWQgR291bGV0IDxkZ291bGV0 +QHJpc2V1cC5uZXQ+wsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA +FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmJO2/kFCRZlRlYACgkQQuhqKhH0jTYV +Owf/c5KA0BLCJ8V+zFTkQLSEKD/RfCkuRdC1fpNH2fuXZ6W1BKBRxFmVi4+lD+ij 
+4BbNTkWhifAGE+Xe4llnTRZZMlV+7A0/m98jsjS1P9QoLj+VwkEbNQ6k9ZoZM+rf +qHut3uTYp699rlE2HWsjQLjMgNyKfbipi+x9ZF2mVG1fbco43YiHFSL3S5WBn7vO +iHCkXNgmHpA8grJE2ecUEZWFWKqz3SJADCkMKoulOFhLtDPeWh5bJBfqBD5tyrzX +R1u/zz1AXo0fP1QF1dRWQCcrvfnLoP7PsECUUM1TuBw/yyE35/1Z0nyR81f9Bab3 +t3cH1e6wEdZfzeMIEiTQoz4qusLAlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJgb3a9BQkUheEWAAoJEELo +aioR9I02gugH/2+Zunp8kHXoaAFtOP9yWyhxO6Ei5IQfFE/tq371rWlVe2Jg8vSB +2IIqWr6+wmCQmfT0fT+zkHKEGlIl51Q9uwvux8ADoXheFt3DeCqCE99OQpbGaEo+ +j6NRfipCQUN7SWHZgLefph8qLZhTIdvfrXt0m+w/fZ/rpOZnxJL6JJKpEaJeI1/Z +Onf7Hulep5S85La4ElHh34n0QtceciCQUbprv6D7/KWfHz6CELIPbF86mM7Ff+Es +Ki3f6c0+oIA9cnp3D9ij/Qg16GFB0NwJ1tJykMXfFRGxoKMWQK4lJEUbn9hvshNa +4ALRPs3GtnsYvM/tzbVW7Grfm7ayti8pVRnCwJQEEwEIAD4CGwMFCwkIBwMFFQoJ +CAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJEsGS +KwAKCRBC6GoqEfSNNpRpB/48OeRBe9C5nscmwZKo+dbsj61+njkQj1A5vSKTadez +V5h5hX5lpm2hiUryklFAoTGZ49HltYpZGrzDyvL3RPT7BnCiK6uCYnqzyemk+1J4 +ZZ1rUALqjV+8KHtgS72bjBjGPDKK3d/+KK/FLg/iLkKl+5U8t9gk79aXT7xzSzb+ +PfSVi4VOpDi8gmIAcd+agvw5dUK/vI7gpXOgs91CfwbB/C3FJluFprxa8RsAurUw +qUfDbz8PkpTYbMzv84fm2j5H/2mQ+xcm19swG0/BaiWT1EBR91Q74xm4/0W3CJi9 +2tJKPXwRI1ZDfMH4iujLr5Yex22fmFFuF9Y7at1lbG1UwsCUBBMBCAA+AhsDBQsJ +CAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlzJ +2scFCRDgRSAACgkQQuhqKhH0jTbxLggAmCQx2GentBz6PWZkRj48Y+KfVfr3SAxP +q8nCsdzwHHRM+vjxD+iAo9FbGojVRs9nfLSjmhDyEwfI3f9ypLZaIPBiAwdLzDol +4U0EdyVU7fgfVglSUwPJz+eNhvvUiJp/9u/s4hM0TE/LNtA/uNcKoaqAWQIPiEsd +2FebX8RVqs+pH/0TQO8RYv3R48wCQOOsj7kvkq/3s5ceA9SaZ7vsJ9ooiZhvbkk0 +INsdJWtQcJTYoiBE0DOYhkBX78u07Z1Zk5RUr+4LzI/FpQtlGLyeJ9eFOiyhk7nx +0dzPxZnKWoWLTzse1p/5hf0WQ9OTMdt50ru1RxmnruQgkK+MdGwQ+8LAlAQTAQgA +PgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJa6J+OBQkO/wnqAAoJEELoaioR9I02KJwH/j7WC8qbiWW0lm/QmGtj1seZ +VeEkoEf3hYsyYi+sGq/rp3AkeOI+gr/P1G8Is1pTRuhzqLfzzt+NjLGKiaD0Iurh +5KkToSjwn+Y4aC7qRb4Fa3L3rvNixwNmpgJ/+F1Q7R+Ef+6kCEigICEW4xjYWJDl 
+61yCgnQdzMYwUOrI303hwWQb6aDRRkFp1J+V/D/pO9iA6deBwm0Lk2IinjeNuBDv +4LQN2Fc9GdvRi1cG2xSjpk6q0Xo00Lz6PIwZr645x8LQqnQI4vyBdrJllTght5+z +eY8VPgOtQ3K5UY8QuvQWZKY5bFc+PjRrajHFWYV8Mu9+KZMYSQBbanmSLU7F28TC +wJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNsGPB/906Acyx+JhbcYf +cD/y1tvVB77LWf3MPn2JChTvkk8hL2keKdDPdPmkSOuJww3/cE5Sm8c/fBUudAXJ +Tt8pIJGc5vygFjlUbuO4PjtFNSOf7rkNdHTRyFrfAqFc4hF1aN0Ej1mSQSIV1VJJ +mpGQrQJfrBswUG8va2PqLWxIFy0z+Bo1uWwPPBveES9dIiqJKUsmM+aVyN+6wDuU +RBmNYPFdUfWRIpgRepgFotSMqokrSh5pPDHwjKDcnkDcSGQRmQl0C+6fEwjGjwwj +zDOPjvldfNH817FnHotovAY/TrezMAPQbyjh1dJJbR3/mUj82g2VZKR9YuUHo24/ +B9Udi+vkwsCUBBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJXMO5B +BQkLR1iWACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZP/gf+ORBE +lFFMYSbbxHIS6NP+AcHqQaPRFTJ5Eths+FAdTh2XVgy8YWZxUC5/pwQzLtEWkxcA +1Ppw4sWCLh+pKQUDj4x6W+ET4U4Ysoar0jpNYslgkJvpwWwkhHDGVNeRE/EYbEHj +Yyb1ej7FDYkioqw8KI/UykGom5KHE0GnYPfaXyhia1FPVvXN+iSRjCDiIR+bARNW +R1RHjRqpPKmGa0J4eKsgOfEa2BIghdnfWgUKBWSMDD6S0t3xoUsDQnibVIRTjBi6 +Pygeuizbi2+n7AzinFNdvWQ8o6cDOFl8tpJ+HrIs2Uan4DPImjMg0ibsZ9eWgoj6 +8sRxPidaR9EiOT5g8cLAlAQTAQgAJwUCUhFFVwIbAwUJCWYBgAULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgAAhCRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02 +MJQH/iLM7BLfXDeG41XOumR37ungugUzqmwLoN6jpKCUo68+qjP9hQdM/Uc8g15N +b2BFQrRzXRg5peOkXgPLIwoxy7j0auoqnjdXr7vpQPq1FzSslv9Cf9sjG7hTbbY+ +EXHrwZWFn2LoN1+OdtrKJdgm0+0k4VyRkQxRgPCdre9dvq9oqPKQ2pf271115s8D +wEvRmosAS/Z3uqinVsuEZjw1pU3u0fVKmqGZ9AuWg03arnFrJM+W5d9cc/6XxQNp +OEza9/CaudJ2ygy/MeujboglwIDO7sviNdJ4836qVXV66VLqt5zpQ3I3Fbjr7B/s +BOl3K3TEftMvlLmxIfj/CkHA/bvNJURhdmlkIEdvdWxldCA8ZGdvdWxldEB0b3Jw +cm9qZWN0Lm9yZz7CwJQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AW +IQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6GoqEfSNNkWd +CACRF1LvZ24YvmFLLvM46Z0gPNVagtrjTRDLx/GkV0LnlOVCrcdW3cf/e5SEYuRP +Oz5rpEPlWMVAjjP5wkERxFgPBSRxAm/lKkPC63J2Qa5qDp75cJa2vcF5iQsVecG3 +8NzgrXlTNfpTOjas1jQKjOgh8do/6k96T2diMhYWGQvAehbkLPhrL69mVTywqrtY 
+UPXQJGP9BxPtHI+uO2umeJJyJbPitqVb3m+dofJFUeE8f6xO7ZHvrkvnbWpyfKm0 +QTzHz5aLjv/YSvxtSoVAxqRsuKsU5u6KA4xI3I8HZ+YPrCBeiXfwvME5WAwa0qKv +N6HDIrbBw66J19JUUQ+WvkfHwsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEA +Ah4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmBvdr4FCRSF4RYACgkQQuhq +KhH0jTZSsggAw0Lw9DaQ85h//Hb5pPOrMg0ktSXxhMRj7d2zlwsg1OD2ezlAnkIV +GcDoe7ok6r+zoBu7isG+WJ53C7i7T8mTQxNMJDmbzGdXMm7ZzmL5cj00EhBili7U +jpsMR/4D0NCcFez67CHe3WEl5DqNNgZFmfzD4kiLGRtptIz/hHjndeDjUHSjIPYA +0+Dg8ri4plkPDg+cT3IvP3NivgwDDhfst+ExLITCPBQh+ucVv2Z5dkNzKBmdkb1J +shi20zi74ii+w3XC7xHzk2RRmu3VMzO1QbHaEXhDvjf94vsGwPe/wLmGH5fI5D0x +ypQ954GsfS3lsbV+RomHS8964oLV8VaGp8LAlAQTAQgAPgIbAwULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJeqyfOBQkSwZIr +AAoJEELoaioR9I02mWcIAKD/d3KKK6Tlnw3ezvreOw5/Z91WtyA/z72N6yByUj76 +wyw85gZb6FpXS+Igek/zQ0ARXM6keKRCng8UpvbRbPm7in9en5KSWeXEVRc33Xva +TuxCihHZZdr5osJDkLgDq5iKKfAHW6l6ToXT6SfaFUx3F30/DvIoiskP5Mjf8jga +DPW5ePgDe9McNUeeu/T5afxVebATxRYbGaiBgOmhL0azJV/g2ytx6vHrXjOxyYsZ +lXvj8WSUVG9E1tKRmNkO+vezXjitEYRT8vv5RH8rYpzJ1ZSfoHArXzIv1oeJCtrA +ztGclXvNk7FrBN6CMGJrDeWJI3ioW49ORkxKtrW57SvCwJQEEwEIAD4CGwMFCwkI +BwMFFQoJCAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXMna +xwUJEOBFIAAKCRBC6GoqEfSNNuDdCAC1xCEFnjFOYrQTZYAwJECie7Ra/QSx9bmj +LD9eZt4QGayDdxHkYCLgxkzo/OErmlkq8weKqG+MjR7/l/2y7cVca6C2zYcrvszC +ynX5iNxJSxkAYcLxSkk6Kv1AbPty3nwN3WcCFhazK6S2hheZzEscWjfBlVGzEFXb +LcgkRpaiJgqcW7X6n3wMYg2DyGsPMkcHDN0tz6yQiOqq/bBKM6GshMA3/V+pYz+E +EeApE53/Nsofr5T249vf6Wd3t5MzOJB9D09G1iIQ7lfUBVS+E26dGSOH9cMkiZRy +FMOTGgDxjw2AjLQLltoEIAMPq8HKy/SaXWsZ10u68QsOx0yRuZCOwsCUBBMBCAA+ +AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0 +jTYFAlron44FCQ7/CeoACgkQQuhqKhH0jTZBYggAmcHPO+w13XMMs3vr2cpW3hM2 +seRXfPlI6PfQk0/VQjCsakvCP1c95agL5DUmIK/KDdXImOYQSnkjXCffMt7PKf4i +X7NOizsOfbmnxIgIO6dOcJs9Jsa2KCUZLr+aP4so1P3PpNPMmQsNeKCeksY/fj7O +F2wfNpZCVdU8K4swtdbIjjT3v/7LBwUsufGu3WNE66vnMowD/Qkn6IMR6m6gYPly +S/pjGh7uLnf+Le3YL5eQyzlY1Bqo2uuR+nWrqerNRb+RSNf0Ipuo+dUnqf+WC3pd 
+t9K7pNFsV++5p7aXD8WUlRvFfNNAzWEtNUGSIjgMDG+QXlE1XQF4OPFm1swRMcLA +lAQTAQgAJwIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAUCWQdlJAUJDR3PgQAh +CRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02isoIAMgZORLPCB6AG8AQ +6IHeSPYkyeb+zUjLZpLusbwRbuouzaQgt8TXj5CQQTonHGe/n77xBYa6dywOGyVx +LPDpywGal+fWbqj/rDPzBtWaRr9h6qhLkV9I7r1rT177y/PVhJuGKOBBs/FXgagh +bCaAHXaUETKcQnqb5LBrcuWSe+B5IXueFLVUQgA+zM2y4vVEV+7ltnKGauMVHC0k +6r/bxZAGcTcRjUsPdIgRSLLxPFyWS8EbFF5KjyoDIO1Ib+gJM61TKRVT3gJnvjyt +OB4yJWB3ePKk2GjHvKtrhro5U5ge6i+ldbiZh3swTy127ycngiADu+orYFK12awI +CxD1UjrCwJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlcw7kEF +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNux4CACDqeH/ +YxTWSqmb1PjfF4CYtjqx7ObCb6AsSR9RcJ3Fp0DREpsto+MsOiOAD5benHnbud+c +MUrJNdozDHzByEn/jmETRVsbqWUp9eK5/3vtDkei6hFM9nmc5vYPJ9PSzCK4+rmf +m4HQOCtj2tLxgZLGZ9DSlxUV33UbB3xr5WilPuJ6D3tiOJKwJdHdwHXjfFGG96Gn +ILpkOroyiUA0gQbRbFOjgqxB/h0vX/qlvmsvM9L/XTXPz+rrnUg6UuP46S40lvWz +Lj0Zrs2ixDhoqYo5WG57n747D12vRD/UCKxLql6/d9IfvevmbBKKrprVICoSt1lE +ocXwE8DnquN5w5f9wsCUBBMBCAAnBQJTCejfAhsDBQkJZgGABQsJCAcDBRUKCQgL +BRYDAgEAAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTb1 +lwf+NXiMBqn6XydizQnNy2lO+bMVr4HhwsDznqcV9HHBzUnCtnR3kAVqD+tC5DKD +zimCtqhvys8xPNjzWIl0xzhNMHlls2D9lkACDQU4oywOm8tE05IXrF1Q6Zlf3PdJ +C+jhO4EGrTehHYoTZPwC6RQYZtTCl4UqPMxO2aSEU4R99BAw4mKpRTEGKXIZJBDJ +6kXWbg0ahx0DKFg0EB37z8NvJnN2cbI+5kdmt8ZRiqZg7W0GsY31a1W4EchX7K2g +P/ZN/VNBjGyJ01IdhxEUzM84XF82KWGKsfHH3diqxDZiQZH08kf3HJS8PHN8OnUd +v/uLEeg3uLyQUUTrRXhoZSrZgs7BTQRSL5QtARAAtVN7/CeTT7uJsUzQf/2a+fq1 +IVQWN3JPTZjDNQeSB/V8W0R83QH32awj1uvSljCtCKbtTrDj0foz+CBRHe4aJgm2 +iAzMxKY1SxJ+SBTVyAYVQ+orzIvzqi2URzAfTII/mmvFdZEuS67hkbHXFnTLlXj9 +m3SdWRpCIQlwLCFERvMdr+sPQ07HcUDpoASPgo6P2cJgidaxBgfasUTvru3dxeid +jRbv5defzcdsBqk1eAZ/G/YFOQUiGig60/G2SOlBR7HVmD/iVkSun6j18vPKpqr0 +VJ3sHGUO+KhJrc35QQ7C0ezYtOg6fhaO8PzOcMovnk/P0DGkl1Y3uG4d+h3IDVBA +1fTaX/joVSBVtddLiNkOwgKxw6OH+jjq/irXl6X/0LqNW/FdgK23fEsA0mv4vrUR +0ulDtsPagk3np7DgS5J/v+npGARoeLoj5QjyK4+/1RjMXq+DYW3piADJLW55xH4y 
+6M+OYpu9svQ60vr2Ae+3pNL7q/mppdixc/isXbOsjtoGSb5QUUOXbzhDWX960Jby +jZUn9Iao+eZRV11tMbMI4pWuL8JEWj8qpcnIyJhYi2hSf7TVq/Zw+PvEXkEAnpq3 +EMyN4Su9I1ZWoxyTiwZVMdOn6TEnkdfxB9aTd5vYvR9L+t5SpmXLBMXQygbg9xR1 +Gbh5EHVlhAobb0uSkYsAEQEAAcLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULo +aioR9I02BQJiTtxDBQkSAHuWAAoJEELoaioR9I024lwH/1UtASIiEoZKhuVkv55b +jo3w422w3wwJTC5kooG1TOWmtHOo/JJ1rFxcIpkY6ftnC+p6YhEbxxk/3XAZtUNR +sJ9Zqemhp331AGq/44g/OYAZkQiNyNhjftj6JafvgU1Zauzi7w0xqhLMKBMDV09v +cbPeo+axUj7cvibHxYUUC2RWqkBxegXpa+Cq4YKpEEbXh510mwK11sUyxcPxsrkZ +hr97KdgY8RedpPDAxnQBGU7dIMDc3xVIX1uXXZpY+SyJb7QAMGTW+9jDPwDUeUYa +nV+eRwLotrkvSgKJ9GQ2F3Am0axV8iqob7unvbKYTtQcIR2P9X52sT0Pytt44W2K +xH3CwHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG922wUJECEW +LgAKCRBC6GoqEfSNNir6CAC70rZbHWguzP4O7paEaS18CNJ6fDyvoq96j3sh/oYN +WE5l3tFPqTtKYwgn33bMoArNgV8i0zdNXem36VIGh2A/fLwvg8aneY+XAvt500QL +IqHWp8WalE5RkaHrnYhHuTTzwztuus/lSQPQnl72W9HMoZJ7mvUtk9VMbybD56Fx +mo5zru4kMJ0Qk3fYYUYk9hge5im3Sk8SeX3UnmJsmZpt7xj6eFvAuO2CoSJb53e1 +LV+exrV9A+cM83T2I20/Zk1A5rX6WaehttHG6sTVpgg+JMKj0HeOYrooPB803WH4 +RM04wziYFvCmDtPF5qmOvErqZtjaYa9wskkoXUAsgwGRwsB8BBgBCAAmAhsMFiEE +t0QX7d8irJ+ekPSRQuhqKhH0jTYFAl6rJ9kFCQ5cxywACgkQQuhqKhH0jTYAbggA +irnoh4NbeEgSwEIrFJ+lAOcA3KXya5MHnq47Y3L0Ezc/wz19NbMYsEYWn3x26w+R +p4VVd2KiARJN19Lf/AZ0pS05nVuTPPIsqBgS/sczO5NyCpPAlcrkNq9nOi4TEeF6 +X+4BWTcRGKSRKEEwumqfppGMkYmVwhvq5xktMTi1HOQkdiGeZ0KV3BKkRIOZJkrq +vhZiyKEW4PMylC2ByWsWMK5NAI2ljRxp1eUcJb5DTqld7fl4iZkjP1UGe3X6qoXt +CkGtnXy+SdlwIpqL0Ianen8frjwNsO3H4hFZJE17AfEFvINoeDHGpsDJSitS5KsT ++6P4Y3nuClPSpsEPEDSlLMLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJdWqePBQkNDEbiAAoJEELoaioR9I023UUH/RYw9CZga6hljJHBaAac+sOM +M4FfKkVHmokwYvd4Po2mRFy4wLkfgAp2pv2Z5lb9gILpiy9ORLscdBaQAa+xlbK6 +SUC/XaIEN8LqRP13noQGWQbqZ61hP5wludNi4tpfqM0Oj/GLDw5EE7gGDb10TmpP +MLwc4yun73Hgq8f9FerNZdkA8zvIrD3Bd09PDrm/oAt9KxGCHoVHxFp75An5LDs7 +fY6HZaSru9CoFqjYrOEDSqt/lSm6ZsOsqYbvaesG9zBnuINoY6lOTP9jWtURrGwq +gucakBg7Fg+tln1QyjzG1u7pLacDBGPqgAZCdz2OduL6G0tvpBEgq0ppg9DnqcHC 
+wHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXVg00QUJDQnUJAAK +CRBC6GoqEfSNNsHrB/9h7uqHGB07U9lX6V64iKFQbNjarWJKPyRZ8hbh3/Enh3QF +zmqZOgHfRU0nD4WLlaQT95tRyAvc6E54q8ALZqePPfDzJxxPd6/ywJ4+oojOjibN +MbO9mpLbMeSYgmnC98YQaGJ2MxPepBOpOLkwtFH07b/SU/QzK2/T+astNr62Wgvy +LbZ8wQZRmwfL2YF6xB5HptVD/+Xg8iSF5qHRAmqrk0ORqcf6NO+3JqSQ/okN67I1 +HVktxEAymaTDUp7Pi/b1WSPpBQL1WCheWdAkkruO3rGadqNON1Cq8mBPLlIR6Alo +7W3vl1QQ+EyxHH5EgENvqEgb3XGIdp2woXDmCZgBwsB8BBgBCAAmAhsMFiEEt0QX +7d8irJ+ekPSRQuhqKhH0jTYFAlt24EEFCQsof5QACgkQQuhqKhH0jTaMMAf/TFUG +cMSDu5a1ytd+5pjSGkEn3QxcwiNXv4s7L1VkCbcwqKejYXWFrnaFkzXROuY97LmL +ejRxnV/v+YKtJLxCrdG5bwr9zgqXUFvyOfKfC5Iy44dZGmrnUuT0jpSlA44VvXcN +LEFpEx56BUVhsZFUIuuWeyFELryLe4FSHH0S4VdNICMl/PUI5B+cIDC8NrGv5DYC +cy/OyOvkUqkxW09FSTv0tVUDVydDeWzan4STcnGf7IxiGkb+1XiDKqRSZrjp57RH +CIF8SpbBUxRsRXQc8zKZ8TP74xzXYVT1tLM60H4DqhvFxL4aZqYwSuMeOClNAoh9 +pBEm3t5EcZau6pAo1sLAfAQYAQgADwIbDAUCWYiUYwUJCToztgAhCRBC6GoqEfSN +NhYhBLdEF+3fIqyfnpD0kULoaioR9I02Kw4H/2DsLDtA7Gwfr9bKE6jDzfYKqnPt +97s8X+cKUYa2HIyAMA4tPAjbi2De3/ZSAOBYXNfe49qpmTvg+DNj+dGVKI0lLj/n +/ngK87SDTVAPi3zOPDOmnOs3J3fQj5f6fMOoqYRR7p3BNa7GcDiq/bJ1nkyMh0o+ +N50LzNMevq0KbVAQAXtYOYMWkS49lnT1gV9ZFITSiDAUK8S8vani84mcVxxrjwhc +d+Oy+k4rdnTGpZTayQOXZUS9u6AkSgUlNl6nyR6Vkn+AUi2E3SLUm6XE+aQKlBUq +jZlGSPWuQPQCeduGrdk0OvHuUt9ANhdEhopZLZuMKemOL1fjquaasp4IhGbCwHwE +GAEIAA8CGwwFAle4becFCQdqDTMAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC +6GoqEfSNNmBiB/wOjADNaQrDal06MfWPm2QZNAzytpAi2o48ZRBVueVsjpjMTGJH +I5pPQNjBClQptcaCuoBYubzKB4Ud9bOFqF2cs6Fb61RI9SguKU61LNF0wFAfFIDL +78vvlLWTfWk3sUyTSCz5Ll7Awi1L1P1tbTYrkF+WNCRAvUyUMGWXVfttSFTlWLV8 +LydP3+P1FYSllcRDowvU08hed6AajJfC2b7ECe9LW6IPJ3nLMihimQ3QffbJPmIl +KHm44PhZkEcDoNtk35bvUascINZOwFVLE5TtPmOJfSIgltO7Eip8IluZyhVFL5E/ +WmWGlB10JhHaZtleSgH0N+JWeKvllA450AwHwsB8BBgBCAAPAhsMBQJV8q6rBQkF +pE3sACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZRKgf+PhNUR0er ++HWhlya6pUJISzPQvlUKCBksilDE9xNlH7sN+xxUT1l1Ktc8BrlCE8mJna6DTu1F +S5BWcIZp/2zU7R5ndVqqZa537X3wXZbIBOddCWYTI1WsC762Ihk9BcJhTVKizrPU 
+b4rdYQk4REao8hVL93K+k815e5sobg6YkL+q7ctTK0SO/8hiVWqw4nWDV6brXAEZ +F63cLc5RLlhtjgqPk32m1zcva0blLi9d6/BrJEjjJCL8EYZhS3zX6zZ89hNvt2zv +5+QjwdmxRIT02e2YlLCIwAIJfAuGq6vZdk9xr07nAexTZ4OMZUPudzxXda8qKgdE +7JA38ftiLarCwsLAfAQYAQgADwIbDAUCVBDTxAUJA8JzDAAhCRBC6GoqEfSNNhYh +BLdEF+3fIqyfnpD0kULoaioR9I02CdkH/RfqMPmyHREzTe+YZQfell4+cDHGdrOP +kBYeDV6PDkG2ykuVlrBpT/MVO3MPm+UQ3z3QnlQ8PPArfcypvin8D+wZwKEyDuOc +1i7oiVCZPu6FcA5D29mTINp7ftw9KmR2IfxwPd0afGUM8rUE3gKdVnCzniIS8tpQ +0LxkK+Vxaa3lvQcGogvMiJUAHcb7hR25/nNjzAtZPm0swq5fED+1IFyUYjN4bGZc +33N/UtiTNbems2C0474nXHkexNJUN/Ra533OGZwetlcOlWNEqxJSysIS5ZfDh3dD +RpKjqG2RAAMS2lJEVRfKhbPO1fa2eJVVpLJYexeZh+Fl5TfFmqx6BhvCwHwEGAEI +AA8FAlIvlC0CGwwFCQHhM4AAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNlpRCAC4i/XcrcoBB0hVIPAu7E29n3m29jEvMg+06RulbLDI2D9zyt9kKBCZ +dcjzYVMzUxEDTbpcfiYls23/bDhR32JyFaSvs18Sb9F6AmwJy0TOaeoPToIsQN3r +uTbUdSIJzsusjrafWS4gKQRhP4AmRXWQzXU0XmVy8cOfur3HcRH1frkOKS+d1EMu +chpI5F39TsH3/RTg31gEBB+xtwAbTbwz5tWYBQvq4N8uItNDiStY6j1Ncl54/l+0 +1TeiArIjryi8g5nr46uGYbC/YGn2ACx5VwpvEOuO0mCf+cwQPj5S5Ra30mNGT915 +4b2lP+U/hRBR8ex6Khur6wN5T8mww6jdzsNNBE3K2S4QEADWHqS7zXq3mbnK6VRS +AtAYQkQWSuPqrlXWZNFMdxVi4Lglj4T+UQXsbCn9rsgISlRWCdxmDOJ7eOjj1zo2 +OA0UPnenZOXOB2n8LvhzrIPp9jq7x10qDTDcakXIjvfYqWco6VawbmLjwP25rDJx +u1uoZRQNeCCxQp6aDBrq7AmWrUwd0WfZ5eGOKUrZkg4Sk1EayExwhAz/1Hwvieyz +neWfdRDYzikgLZCxUcL6O6PKHSXg8qQFnd6Br+aJv34FaE9QOzNx1fev3SDDS/Hj +47twkZKu8u0B/pViDvwLcYEieVbHrGwlehvqLAn7jEe+uc+oDpJiMNZDDVW7LWF/ +PoQ5qTxQFeoU9DuQZxSGna1zGcHO4MJCBf5ENiRlhirncWEGsEAQXoGqvP4Gn3hz +7CSjk4eanQjyisrlA5aM0w1eIxVOJxsIjNFV8ewf081aLCqjxD8n5XdY5mnHj/g3 +CNXQ5JEa4mB3WUqXLXC8at9IVxPNpRX5oTT5GtkKGNgPVTqveDcgNc82DBFbxmju +PfkDtyvoHOq1Lu8PGxRN+/l2xhZKoL62qux69GYNQmsLV6WSf9DryOk7ATbbWsHB +oD0DzmfylhFpGzTjlEmNV1uOfms4sCF58WoD7uRUwNs2kelnVcgKqVjTm/72855n +9S9SWSCeDEVw6BCjQp0/md8L1wAECw/8DqIYY8LEtZGEnBSauejVnv8WTM7F/QJD +cslXtj9ocQefxNSQq+EdgJUrUOITowwd/ZtthJlROckJwuAgqSguhv0tXD/iba6i +nAv7WByVTTXcOjAiTn3icz4HJVByDmECxmk6s1TvxD9UpbsaNSsmuK/RvkVL0IlL 
+jpNkJx6mlTlls1JcUsCUifmkwbDUeeps+u2mMVpbjDPCJWeMtv16ckrA0v/ooxeX +B9HgAnWCKXHoCGPII8EEQuKZ58KYaPez8kRTLPqxZC+jhU51R5aT3OluB8iyKdii +i8STKry1morREksjqzkewnycS8fyAAbq2k/LKYHgEjVtSPemAP7DIY60Vsl3Df0U +07j0h4c2BPUkV1fMC9Okmx8Oy5YpDlm9BOrB6I8XHy7ZDYpHDfHb0uIpjwX5J664 +/RtsBaFnb/0LRBr7MkGd4eSoHQwydWNNXakrtepOeOoNxBVmmxSly000wzxGS3xO +Pfuy4s5HEDScuITOzc5R3+oCwOl0pfji+zLnaHVQdiaRep+PAVlzuckyvvQTVa3o +ub65NlPQc7qanIHqE8aQ2Lgjiq2VQI/S0V5QhGn/pX2FP4Oxs4eU29nY/Hgq/j5u +ZOljrL7pp1hwgQtPkE8/EmUQ9oFTYhT+SxpikC9UalAo5IVSqci3662K9YB2sn89 +YTgmVVXCi1HCwHwEGAECAA8FAk3K2S4CGwwFCQlmAYAAIQkQQuhqKhH0jTYWIQS3 +RBft3yKsn56Q9JFC6GoqEfSNNp1pB/9OZoK4Zj8fi6Ruu7q0+tCOm9k3tvQ0FZsm +3QKPLhcilFy0QBabnZ71ih0AzKxPVoKrtHBENZ1hQ58B4lv+zE8LQf4F0gO9ybcD +vlwpTtAlX8il4kONIHeJQmJ1KHi3vKxIM3+i+Igdm5eDyTY2IFTMAjDshMWl0CJK +oPzwZYRZlXoogfrTWrMUPnvz7a7IUb0Kza2GQdq5fQXRiuAImSn9lY8GOLdiLovg +afIrzAaylpgDShiAV9qKm2BfJEpHm9AzuubNPY5tQX3hwlUE7I/DY/nY8LEra2kF +fMhrtPimujMIu32gmJvJe/nHS/z5d4YdUC4H/SDsYqPNRfpacaLP +=T3bO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tor.service b/tor.service new file mode 100644 index 0000000..d40972a --- /dev/null +++ b/tor.service 
@@ -0,0 +1,53 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+#User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor --hush
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor --hush
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=/run/tor
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug @clock @reboot @swap
+UMask=77
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.spec b/tor.spec
new file mode 100644
index 0000000..95e222e
--- /dev/null
+++ b/tor.spec
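Review bot: The `[Service]` section of tor.service leaves `#User=tor` commented out without saying why, so the unit starts the daemon as root and the drop to the unprivileged account depends entirely on the `--user tor` argument in `ExecStartPre=` and `ExecStart=`. That is also the reason `CAP_SETUID CAP_SETGID` must stay in `CapabilityBoundingSet=`, which is worth recording next to the setting. I would put `# Started as root; tor switches to the tor user itself via --user, which needs CAP_SETUID/CAP_SETGID` above `#User=tor`. `PermissionsStartOnly=yes` is a deprecated setting that, as far as I can tell, only changes how `User=`/`Group=` apply to the non-ExecStart commands, so with no `User=` set it likely does nothing and could be dropped from the hardening list.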
@@ -0,0 +1,172 @@ +# +# spec file for package tor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 Andreas Stieger +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define toruser %{name} +%define torgroup %{name} +%define home_dir %{_localstatedir}/lib/empty +Name: tor +Version: 0.4.8.16 +Release: 0 +Summary: Anonymizing overlay network for TCP (The onion router) +License: BSD-3-Clause +URL: https://www.torproject.org/ +Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz +# https://support.torproject.org/little-t-tor/verify-little-t-tor/ +Source2: tor.keyring +Source3: tor.service +Source4: tor.tmpfiles +Source5: defaults-torrc +Source6: tor-master.service +Source100: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum +Source101: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum.asc +Patch0: tor-0.2.5.x-logrotate.patch +Patch1: fix-test.patch +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: pkgconfig >= 0.9.0 +BuildRequires: pwdutils +BuildRequires: python3-base +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libevent) >= 2.0.10 +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libseccomp) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libzstd) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(zlib) +Requires: logrotate +Requires(post): %fillup_prereq +Recommends: 
torsocks +Provides: group(%{torgroup}) +Provides: user(%{toruser}) +%systemd_ordering +BuildRequires: libscrypt-devel + +%description +Tor is a connection-based low-latency anonymous communication system. + +This package provides the "tor" program, which serves as both a client and +a relay node. Scripts will automatically create a "%{toruser}" user and +a "%{torgroup}" group, and set tor up to run as a daemon when the system +is rebooted. + +Applications connect to the local Tor proxy using the SOCKS +protocol. The tor client chooses a path through a set of relays, in +which each relay knows its predecessor and successor, but no +others. Traffic flowing down the circuit is unwrapped by a symmetric +key at each relay, which reveals the downstream relay. + +Warnings: Tor does no protocol cleaning. That means there is a danger +that application protocols and associated programs can be induced to +reveal information about the initiator. Tor depends on Privoxy or +similar protocol cleaners to solve this problem. This is alpha code, +and is even more likely than released code to have anonymity-spoiling +bugs. The present network is small -- this further reduces the +strength of the anonymity provided. Tor is not presently suitable +for high-stakes anonymity. 
+ +%prep +( cd $(dirname %{SOURCE0}) && echo "$(cat %{SOURCE100} | cut -d' ' -f1) tor-%{version}.tar.gz" | sha256sum --check ) +%autosetup -p1 + +%build +%configure \ + --disable-silent-rules \ + --with-tor-user=%{toruser} \ + --with-tor-group=%{torgroup} \ + --enable-systemd \ + --enable-lzma \ + --enable-zstd \ + --enable-unittests \ + --enable-gcc-warnings-advisory \ + --docdir=%{_docdir}/%{name} +%make_build + +%install +%make_install + +# missing dirs +install -d -m 700 \ + %{buildroot}%{_localstatedir}/lib/%{name} \ + %{buildroot}%{_localstatedir}/tmp/%{name} + +install -d -m 755 \ + %{buildroot}%{_localstatedir}/log/%{name} \ + %{buildroot}/%{_sbindir} + +install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service +install -m 644 -D %{SOURCE6} %{buildroot}/%{_unitdir}/%{name}-master.service +install -m 644 %{SOURCE5} %{buildroot}%{_datadir}/tor/defaults-torrc +install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +ln -s -f service %{buildroot}%{_sbindir}/rc%{name} +ln -s -f service %{buildroot}%{_sbindir}/rc%{name}-master + +# sample config files +install -p -m 644 -D src/config/torrc.{sample,minimal} %{buildroot}/%{_sysconfdir}/%{name} +install -p -m 644 src/config/torrc.minimal %{buildroot}/%{_sysconfdir}/%{name}/torrc + +# logrotate conf +sed -i -e "s|_tor|tor|g" contrib/operator-tools/tor.logrotate +install -D -m 644 contrib/operator-tools/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} + +%check +%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586 +%make_build check || ( + find -type f -name test-suite.log -print -exec cat {} + + exit 42 +) +%endif + +%pre +getent group %{torgroup} >/dev/null || groupadd -r %{torgroup} +getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/nologin -c "User for %{name}" %{toruser} +%service_add_pre tor.service tor-master.service + +%post +%fillup_only +%service_add_post tor.service tor-master.service 
+systemd-tmpfiles --create %{_tmpfilesdir}/tor.conf || : + +%preun +%service_del_preun tor.service tor-master.service + +%postun +%service_del_postun tor.service tor-master.service + +%files +%license LICENSE +%doc README* ChangeLog doc/HACKING doc/man/*.html +%{_mandir}/man*/* +%{_bindir}/* +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/geoip* +%{_datadir}/%{name}/defaults-torrc +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} +%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc +%config %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc.* +%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} +%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-master.service +%{_tmpfilesdir}/%{name}.conf +%{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-master + +%changelog diff --git a/tor.tmpfiles b/tor.tmpfiles new file mode 100644 index 0000000..adfce77 --- /dev/null +++ b/tor.tmpfiles @@ -0,0 +1 @@ +D /run/tor 0755 tor tor - -- 2.51.1 From b1e2116e586e4ea49af7acb37e86515061a875c3ff6ad198d93c0d2d39270a93 Mon Sep 17 00:00:00 2001 
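Review bot: The `%prep` section of tor.spec compares the tarball only with the digest in `%{SOURCE100}` and never verifies the detached signature `%{SOURCE101}` against the keys in `Source2: tor.keyring`, so at build time the digest file itself is taken on trust. If the build service validates that signature outside the spec, a comment above the `sha256sum --check` line should say so, for example `# only the digest is compared here; the Source101 signature over Source100 is validated outside %prep`. If nothing else does it, the signature should be verified before the digest is used, since a digest that arrives through the same channel as the tarball adds integrity but no authenticity.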
From: Bernhard Wiedemann Date: Wed, 9 Jul 2025 16:14:10 +0000 Subject: [PATCH 4/6] - 0.4.8.17 * Minor features and bugfixes OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=283 --- .gitattributes | 23 + .gitignore | 1 + defaults-torrc | 11 + fix-test.patch | 21 + tor-0.2.5.x-logrotate.patch | 29 + tor-0.4.8.12.tar.gz | 3 + tor-0.4.8.12.tar.gz.sha256sum | 1 + tor-0.4.8.12.tar.gz.sha256sum.asc | 18 + tor-0.4.8.13.tar.gz | 3 + tor-0.4.8.13.tar.gz.sha256sum | 1 + tor-0.4.8.13.tar.gz.sha256sum.asc | 18 + tor-0.4.8.14.tar.gz | 3 + tor-0.4.8.14.tar.gz.sha256sum | 1 + tor-0.4.8.14.tar.gz.sha256sum.asc | 18 + tor-0.4.8.16.tar.gz | 3 + tor-0.4.8.16.tar.gz.sha256sum | 1 + tor-0.4.8.16.tar.gz.sha256sum.asc | 18 + tor-0.4.8.17.tar.gz | 3 + tor-0.4.8.17.tar.gz.sha256sum | 1 + tor-0.4.8.17.tar.gz.sha256sum.asc | 18 + tor-master.service | 16 + tor.changes | 3200 +++++++++++++++++++++++++++++ tor.keyring | 686 +++++++ tor.service | 53 + tor.spec | 172 ++ tor.tmpfiles | 1 + 26 files changed, 4323 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 defaults-torrc create mode 100644 fix-test.patch create mode 100644 tor-0.2.5.x-logrotate.patch create mode 100644 tor-0.4.8.12.tar.gz create mode 100644 tor-0.4.8.12.tar.gz.sha256sum create mode 100644 tor-0.4.8.12.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.13.tar.gz create mode 100644 tor-0.4.8.13.tar.gz.sha256sum create mode 100644 tor-0.4.8.13.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.14.tar.gz create mode 100644 tor-0.4.8.14.tar.gz.sha256sum create mode 100644 tor-0.4.8.14.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.16.tar.gz create mode 100644 tor-0.4.8.16.tar.gz.sha256sum create mode 100644 tor-0.4.8.16.tar.gz.sha256sum.asc create mode 100644 tor-0.4.8.17.tar.gz create mode 100644 tor-0.4.8.17.tar.gz.sha256sum create mode 100644 tor-0.4.8.17.tar.gz.sha256sum.asc create mode 100644 tor-master.service create mode 100644 tor.changes create mode 
100644 tor.keyring create mode 100644 tor.service create mode 100644 tor.spec create mode 100644 tor.tmpfiles diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/defaults-torrc b/defaults-torrc new file mode 100644 index 0000000..bf7923e --- /dev/null +++ b/defaults-torrc @@ -0,0 +1,11 @@ +DataDirectory /var/lib/tor +PidFile /var/run/tor/tor.pid +Log notice syslog +ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck +ControlSocketsGroupWritable 1 +SocksPort unix:/var/run/tor/socks WorldWritable +SocksPort 9050 + +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +CookieAuthFile /var/run/tor/control.authcookie diff --git a/fix-test.patch b/fix-test.patch new file mode 100644 index 0000000..9eedcfd --- /dev/null +++ b/fix-test.patch 
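Review bot: defaults-torrc is added without any comment on the local access model it sets up. `ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck` together with `CookieAuthFileGroupReadable 1` lets any account in the tor group authenticate to the control socket and reconfigure the daemon, and `SocksPort unix:/var/run/tor/socks WorldWritable` opens the SOCKS socket to every local user. `RelaxDirModeCheck` also switches off tor's check that the socket directory is restricted, which presumably goes with the `0755` mode that tor.tmpfiles in this series gives `/run/tor`. I would add a header comment such as `# Members of group tor get control-port access (cookie is group-readable); the socks socket is usable by all local users` so administrators know what adding a user to that group grants.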
@@ -0,0 +1,21 @@
+commit 0384f5b3efbb041e2bc0080a6b6259e1b96815af
+Author: Bernhard M. Wiedemann
+Date: Wed Aug 21 11:36:05 2019 +0200
+
+ Workaround a LTO-induced test-failure
+
+ https://bugzilla.opensuse.org/show_bug.cgi?id=1146548#c3
+
+diff --git a/src/test/bt_test.py b/src/test/bt_test.py
+index f9ca79efd..07026164a 100755
+--- a/src/test/bt_test.py
++++ b/src/test/bt_test.py
+@@ -30,7 +30,7 @@ def matches(lines, funcs):
+ else:
+ return True
+
+-FUNCNAMES = "crash oh_what a_tangled_web we_weave main".split()
++FUNCNAMES = "oh_what a_tangled_web we_weave main".split()
+
+ LINES = sys.stdin.readlines()
+
diff --git a/tor-0.2.5.x-logrotate.patch b/tor-0.2.5.x-logrotate.patch
new file mode 100644
index 0000000..c08d015
--- /dev/null
+++ b/tor-0.2.5.x-logrotate.patch
@@ -0,0 +1,29 @@
+From: Andreas Stieger
+Subject: openSUSE specific logrotate fixes
+Date: Sun, 18 May 2014 00:10:32 +0100
+Upstream: no
+References:
+
+* add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir
+* use "service tor" instead of "/etc/init.d/tor" to reload after logrotate
+ to fix logrotate on systemd-only setups without init script (by seife)
+
+---
+ contrib/operator-tools/tor.logrotate.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in
+===================================================================
+--- tor-0.2.5.10.orig/contrib/operator-tools/tor.logrotate.in 2014-06-27 22:45:19.000000000 +0100
++++ tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in 2014-10-24 20:22:54.000000000 +0100
+@@ -7,8 +7,9 @@
+ notifempty
+ # you may need to change the username/groupname below
+ create 0640 _tor _tor
++ su _tor _tor
+ sharedscripts
+ postrotate
+- /etc/init.d/tor reload > /dev/null
++ /usr/bin/systemctl try-reload-or-restart tor
+ endscript
+ }
diff --git a/tor-0.4.8.12.tar.gz b/tor-0.4.8.12.tar.gz
new file mode 100644
index 0000000..5f65915
--- /dev/null
+++ b/tor-0.4.8.12.tar.gz
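Review bot: The description inside tor-0.2.5.x-logrotate.patch no longer matches what the patch applies: its second bullet says the reload uses "service tor", but the postrotate line it adds is `/usr/bin/systemctl try-reload-or-restart tor`. The bullet should read something like `* reload with "systemctl try-reload-or-restart tor" instead of "/etc/init.d/tor"`, and the empty `References:` field could carry boo#1164275, which tor.changes cites for the logrotate fix and which looks like the origin of this command (worth confirming). Only the `tor` unit is signalled; if tor@ instances are configured to log to files they would presumably not reopen them after rotation, so it is worth checking whether reloading tor-master.service is what is wanted here.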
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 +size 9687430 diff --git a/tor-0.4.8.12.tar.gz.sha256sum b/tor-0.4.8.12.tar.gz.sha256sum new file mode 100644 index 0000000..644490a --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum @@ -0,0 +1 @@ +ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874 tor-0.4.8.12.tar.gz diff --git a/tor-0.4.8.12.tar.gz.sha256sum.asc b/tor-0.4.8.12.tar.gz.sha256sum.asc new file mode 100644 index 0000000..8a0263c --- /dev/null +++ b/tor-0.4.8.12.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmZhuq0ACgkQQuhqKhH0 +jTYZXAf+J26VUvM2M1DsjeUAMOZPEtNsQ0voIN9jeXFHUt7p3tqa2aBe8gJ5IREC +MtFK6MJLjJEHf6javbwoZuXXQ+xepJftPdJ9AR2bGlTConWE0VNVvfigawFHyKZn +Sdt6JyB2AesWl0HLIZnOXeSLy8JA12s/HPWtt8Fsf94drZwQsSl+WQGHr787JugF +aYmNRR4L+y46xL5HXbJ8KTc/UKPNlT+1vvwoAisofOQywrIJZGFsKpaowNiW9RWi +MXUdjmPjKJZ8vn+FQG0ZOmahUWMOMYIt6fWmkttI5KF6HajtGNTG4A+A5+QMBoif +N/VyJsISI2beHBAgAgPNGsXAa0FsIA== +=2gNt +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZmHEggAKCRC+agUxwYqR +eVRoAP0SI+tzoCS06Pf1EJ0Mvea/ACIDZ5+XCaf9U0urRciMhgEA4BjvVG7I2cD8 +vGcxbkRtg4h9vZTr8rhdtSczdo3KYAY= +=C9WI +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.13.tar.gz b/tor-0.4.8.13.tar.gz new file mode 100644 index 0000000..582dde4 --- /dev/null +++ b/tor-0.4.8.13.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 +size 9912610 diff --git a/tor-0.4.8.13.tar.gz.sha256sum b/tor-0.4.8.13.tar.gz.sha256sum new file mode 100644 index 0000000..0a3a86a --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum @@ -0,0 +1 @@ +9baf26c387a2820b3942da572146e6eb77c2bc66862af6297cd02a074e6fba28 tor-0.4.8.13.tar.gz 
diff --git a/tor-0.4.8.13.tar.gz.sha256sum.asc b/tor-0.4.8.13.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e0fec9 --- /dev/null +++ b/tor-0.4.8.13.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmcaXcgACgkQQuhqKhH0 +jTY76wgAwOXmC2L3o594jJTXXAooZRkdQL/wAk4o6iNKFHmwiyIz/MGVTcrQBQSN +Hv3dQUhe3G3Z42M7GnJlEkFDA9Z6iBprkg0y9cD7nbmqC9nkB1zMdrUXdXOgMulG +sybEgzRFqTLVQmJzA4/tcGcjU+AXCqG13z1ScHOZP3Ev8S6yPntfax42hnFewAoW +OLSaYU68PGZ88uO2lAe65Hr/detdfJeWsG0rKK6jtCkej49qijiERemKZKCMTpYc +iW8DGA0n/O1p+qOHF4e0Du7lzhP1CckI5HeWZS2wgtqDKol1Kw86zugPfYWyh/V+ +WWEofhVb2OZOHed1qL9OeutDfdNtcg== +=NXg7 +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZxpelAAKCRC+agUxwYqR +eV+2AP99m5nYfq/z1P7SYUpW1ddreizjFqlaQvJ1QhbZbpqc+AD+LxmvhDxM7+6S +8vyZWFHZYQ8ehhMftF70qM6o9NpQHgs= +=4Hya +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.14.tar.gz b/tor-0.4.8.14.tar.gz new file mode 100644 index 0000000..94d8d65 --- /dev/null +++ b/tor-0.4.8.14.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 +size 9965322 diff --git a/tor-0.4.8.14.tar.gz.sha256sum b/tor-0.4.8.14.tar.gz.sha256sum new file mode 100644 index 0000000..12b1c1b --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum @@ -0,0 +1 @@ +5047e1ded12d9aac4eb858f7634a627714dd58ce99053d517691a4b304a66d10 tor-0.4.8.14.tar.gz diff --git a/tor-0.4.8.14.tar.gz.sha256sum.asc b/tor-0.4.8.14.tar.gz.sha256sum.asc new file mode 100644 index 0000000..7e1b75d --- /dev/null +++ b/tor-0.4.8.14.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmejd6AACgkQQuhqKhH0 +jTY6yQf+K0xq5gMonH60H7/JXbwSjlbOEJ6+np3iBY781MtYfwS0LdcirgLx4JGK +6+UFq87sIKnobyNGap5OhU4Wao+id6jJRo8gaM18ogkSTbdqK0iDILbtz2rL5ghF +Y2MLMmHHW0oSCQdO6N0dqMqKATXs0lFyVWbO9i4nR2wJnldk837JSl9USpP0pMUx +YL9DPN38y2QAbnSx0cRfoHH72gpDCAlxkW4pG1BYvVswaNzsY3xHeCb7ibiw3hm4 +9UyTgLC13HEedb66vok+rGzH7PilpX2rGxuhhTFSwRy5G+tv8BT6eBDSO5yuOFNT ++uRdGGW7VMo4jVbpnsLi84zPPAZsNg== +=OLaG +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZ6N4XwAKCRC+agUxwYqR +ea5DAQDr6kp7EtlHvgdBRmO/LlK93shDnM0lWsriBh3EHjse7wD/dJYEaHgCEPja +R1UKjD+dijMe3/ogEcoCAGQHk+Ak1wE= +=5r4b +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.16.tar.gz b/tor-0.4.8.16.tar.gz new file mode 100644 index 0000000..cf954de --- /dev/null +++ b/tor-0.4.8.16.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6540dd377a120fb8e7d27530aa3b7ff72a0fa5b4f670fe1d64c987c1cfd390cb +size 9930424 diff --git a/tor-0.4.8.16.tar.gz.sha256sum b/tor-0.4.8.16.tar.gz.sha256sum new file mode 100644 index 0000000..0ede6e2 --- /dev/null +++ b/tor-0.4.8.16.tar.gz.sha256sum @@ -0,0 +1 @@ +6540dd377a120fb8e7d27530aa3b7ff72a0fa5b4f670fe1d64c987c1cfd390cb tor-0.4.8.16.tar.gz diff --git a/tor-0.4.8.16.tar.gz.sha256sum.asc b/tor-0.4.8.16.tar.gz.sha256sum.asc new file mode 100644 index 0000000..36b4ab0 --- /dev/null +++ b/tor-0.4.8.16.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmfhekEACgkQQuhqKhH0 +jTa2BAf/YsuzMshcoLnnF6HbL3FcrSTkJjXQMh1Hy9f2ZRC15zC+pQuI0AZopWoS +3k2men7offxk7MELIVsIyZSdbNPexcOH53NHYQBXRrrHDEvJtjAHAW+QwSeJ6vEG +FaSxB+raEmtmIKgHbHWR1uYiyuHOs7Zzsl4jMZWyP0623SNi57Vc89ZKh3zDcu95 +0Pz9KNPw8QzGfDV7/RpgSXxF+PBRq7FFjJgc+CoTkQGy7cbhw3hl7DjSm76F/Tuj +k3v/dF8yJWGPQIZqenGbpun2IcO0+DX6kdLmDJoYtlzhvnO2dwQ/8t/nRW/KcyPI +7ZtGlXhr+jeNm+8zV4zsSMu4FyvjKA== +=yrh/ +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCZ+F9AAAKCRC+agUxwYqR +ea0eAP9AaASX6sf8IMTfA3oKL/UskFCPQpluCA0UrdeU07jN1QEAwn0za8bnTAti +iWERNqC4BvHrQybEbSxkwk3bbGABmgc= +=Wyz1 +-----END PGP SIGNATURE----- diff --git a/tor-0.4.8.17.tar.gz b/tor-0.4.8.17.tar.gz new file mode 100644 index 0000000..3596330 --- /dev/null +++ b/tor-0.4.8.17.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:79b4725e1d4b887b9e68fd09b0d2243777d5ce3cd471e538583bcf6f9d8cdb56 +size 10073355 diff --git a/tor-0.4.8.17.tar.gz.sha256sum b/tor-0.4.8.17.tar.gz.sha256sum new file mode 100644 index 0000000..9b81893 --- /dev/null +++ b/tor-0.4.8.17.tar.gz.sha256sum @@ -0,0 +1 @@ +79b4725e1d4b887b9e68fd09b0d2243777d5ce3cd471e538583bcf6f9d8cdb56 tor-0.4.8.17.tar.gz diff --git a/tor-0.4.8.17.tar.gz.sha256sum.asc b/tor-0.4.8.17.tar.gz.sha256sum.asc new file mode 100644 index 0000000..087b74f --- /dev/null +++ b/tor-0.4.8.17.tar.gz.sha256sum.asc 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmhinFIACgkQQuhqKhH0 +jTZ+Vwf/bnb0H+vHgXV8GssLL7ph76SJoIy2CHil/Z9ku8vCXA77Zp1GqQEvphQ8 +Qh1es3gzGF3fMstsJOgEI32tubDH0UyF7X9F1HDs6M3xdwlFLRvAjcnEakUuRSJk +GR5wyxCrhxKLlTennGmIhVPDJ7/PTbzWFbm7SV1pb1I2n3oLxJc8cpDT0KhANSc6 +GDJ2Z/XvNhB3fIQWrc3yBR+2fOUo5J1LKH0tnasmt7S36htZm6LkOJKltuNHQ4pA +5yDPbyFCdmts5VjglZS8BlW4XYd2yl3iCy4X07ToM+B6l7BplUd53wHh1CQPLiF6 +kIOiGp8WZl4kLDv9VD1usvjoQfJDtg== +=qdkf +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCaGK8gQAKCRC+agUxwYqR +eb1fAP0Ux2aHILKcav+9y+Ig5SfxAwXloTI97mbF0z42EVb+0AEAl1MlIr+Tg9xf +EKMtmfGJFlQfwlMylhZLm33Xg8g8BAM= +=B/8g +-----END PGP SIGNATURE-----
diff --git a/tor-master.service b/tor-master.service
new file mode 100644
index 0000000..1426f4f
--- /dev/null
+++ b/tor-master.service
@@ -0,0 +1,16 @@
+# Use tor-master.service to restart/reload/stop the main tor.service and
+# all instances of tor@.service that are running.
+#
+# systemd targets cannot be reloaded so this is a service instead.
+
+[Unit]
+Description=Anonymizing overlay network for TCP (multi-instance master)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.changes b/tor.changes
new file mode 100644
index 0000000..358efe0
--- /dev/null
+++ b/tor.changes
@@ -0,0 +1,3200 @@ +------------------------------------------------------------------- +Tue Jul 1 03:12:54 UTC 2025 - Bernhard Wiedemann + +- 0.4.8.17 + * Minor features and bugfixes + +------------------------------------------------------------------- +Mon Apr 21 16:20:45 UTC 2025 - Andreas Stieger + +- tor 0.4.8.16 + * fix typo in a directory authority rule file + * fix a sandbox issue for bandwidth authority and a conflux issue + on the control port + * client fix about relay flag usage + +------------------------------------------------------------------- +Wed Feb 5 18:26:41 UTC 2025 - Bernhard Wiedemann + +- tor 0.4.8.14 + * bugfix for onion service directory cache + * test-network now unconditionally includes IPv6 + * Regenerate fallback directories 2025-02-05 + * Update the geoip files to 2025-02-05 + * Fix a pointer free + +------------------------------------------------------------------- +Fri Dec 27 21:55:57 UTC 2024 - Andreas Stieger + +- tor 0.4.8.13 + * Conflux related client circuit building performance bugfix + * Fix minor memory leaks + * Add STATUS TYPE=version handler for Pluggable Transport + +------------------------------------------------------------------- +Tue Jun 11 10:05:46 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.12 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Thu Apr 11 06:50:01 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.11 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Wed Feb 14 15:50:14 UTC 2024 - Martin Pluskal + +- Enables scrypt support unconditionally + +------------------------------------------------------------------- +Mon Feb 5 09:01:39 UTC 2024 - Andreas Stieger + +- fix users/groups with rpm 4.19 + 
+------------------------------------------------------------------- +Fri Dec 8 21:51:16 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.10: + * (TROVE-2023-007, exit) (boo#1217918) + - fix a a UAF and NULL pointer dereference crash on Exit relays + +------------------------------------------------------------------- +Thu Nov 9 14:29:00 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.9: + * (onion service, TROVE-2023-006): + - Fix a possible hard assert on a NULL pointer + * (guard usage): + - When Tor excluded a guard due to temporary circuit restrictions, + it considered *additional* primary guards for potential usage by + that circuit. + +------------------------------------------------------------------- +Fri Nov 3 20:51:01 UTC 2023 - Andreas Stieger + +- tor 0.4.8.8: + * Mitigate an issue when Tor compiled with OpenSSL can crash during + handshake with a remote relay. (TROVE-2023-004, boo#1216873) + * Regenerate fallback directories generated on November 03, 2023. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/11/03 + * directory authority: Look at the network parameter + "maxunmeasuredbw" with the correct spelling + * vanguards addon support: Count the conflux linked cell as + valid when it is successfully processed. This will quiet a + spurious warn in the vanguards addon + +------------------------------------------------------------------- +Mon Sep 25 20:15:52 UTC 2023 - Andreas Stieger + +- tor 0.4.8.7: + * Fix an issue that prevented us from pre-building more conflux + sets after existing sets had been used + +------------------------------------------------------------------- +Tue Sep 19 16:52:36 UTC 2023 - Andreas Stieger + +- tor 0.4.8.6: + * onion service: Fix a reliability issue where services were + expiring their introduction points every consensus update. 
+ This caused connectivity issues for clients caching the old + descriptor and intro points + * Log the input and output buffer sizes when we detect a potential + compression bomb + * Disable multiple BUG warnings of a missing relay identity key when + starting an instance of Tor compiled without relay support + * When reporting a pseudo-networkstatus as a bridge authority, or + answering "ns/purpose/*" controller requests, include accurate + published-on dates from our list of router descriptors + * Use less frightening language and lower the log-level of our + run-time ABI compatibility check message in our Zstd + compression subsystem + +------------------------------------------------------------------- +Wed Aug 30 18:50:03 UTC 2023 - Andreas Stieger + +- tor 0.4.8.5: + * bugfixes creating log BUG stacktrace + +------------------------------------------------------------------- +Sun Aug 27 15:23:43 UTC 2023 - Andreas Stieger + +- tor 0.4.8.4: + * Extend DoS protection to partially opened channels and known + relays + * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks + against hidden services. 
Disabled by default, enable via + "HiddenServicePoW" in torrc + * Implement conflux traffic splitting + * Directory authorities and relays now interact properly with + directory authorities if they change addresses + +------------------------------------------------------------------- +Sun Jul 30 07:33:04 UTC 2023 - Andreas Stieger + +- tor 0.4.7.14: + * bugfix affecting vanguards (onion service), and minor fixes + +------------------------------------------------------------------- +Fri Mar 10 08:27:57 UTC 2023 - Martin Pluskal + +- Enable support for scrypt() + +------------------------------------------------------------------- +Fri Jan 13 06:29:25 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.7.13: + * fix SafeSocks option to avoid DNS leaks (boo#1207110, TROVE-2022-002) + * improve congestion control + * fix relay channel handling + +------------------------------------------------------------------- +Tue Dec 6 21:10:57 UTC 2022 - Andreas Stieger + +- tor 0.4.7.12: + * new key for moria1 + * new metrics are exported on the MetricsPort for the congestion + control subsystem + +------------------------------------------------------------------- +Thu Nov 10 19:14:54 UTC 2022 - Andreas Stieger + +- tor 0.4.7.11: + * Improve security of DNS cache by randomly clipping the TTL + value (boo#1205307, TROVE-2021-009) + * Improved defenses against network-wide DoS, multiple counters + and metrics added to MetricsPorts + * Apply circuit creation anti-DoS defenses if the outbound + circuit max cell queue size is reached too many times. This + introduces two new consensus parameters to control the queue + size limit and number of times allowed to go over that limit. + * Directory authority updates + * IPFire database and geoip updates + * Bump the maximum amount of CPU that can be used from 16 to 128. + The NumCPUs torrc option overrides this hardcoded maximum. 
+ * onion service: set a higher circuit build timeout for opened + client rendezvous circuit to avoid timeouts and retry load + * Make the service retry a rendezvous if the circuit is being + repurposed for measurements + +------------------------------------------------------------------- +Fri Aug 12 15:52:53 UTC 2022 - Andreas Stieger + +- tor 0.4.7.10 + * IPFire location database did not have proper ARIN network + allocations - affected circuit path selection and relay metrics + +------------------------------------------------------------------- +Thu Aug 11 16:39:24 UTC 2022 - Andreas Stieger + +- tor 0.4.7.9 (boo#1202336) + * major fixes aimed at reducing memory pressure on relays + * prevent a possible side-channel + * major bugfix related to congestion control + * major bugfix related to Vanguard L2 layer node selection + +------------------------------------------------------------------- +Thu Jun 16 17:08:53 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.7.8 + * Fix a scenario where RTT estimation can become wedged, seriously + degrading congestion control performance on all circuits. This + impacts clients, onion services, and relays, and can be triggered + remotely by a malicious endpoint. + (TROVE-2022-001, CVE-2022-33903, boo#1200672) + * Regenerate fallback directories generated on June 17, 2022. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/06/17. 
+ * Allow the rseq system call in the sandbox + * logging bug fixes + +------------------------------------------------------------------- +Wed Apr 27 18:29:58 UTC 2022 - Andreas Stieger + +- tor 0.4.7.7 + * New feature: Congestion control to improve traffic speed and + stability on the network once a majority of Exit nodes upgrade + boo#1198949 + * Directory authorities: improved handling of "MiddleOnly" relays + * Improved mitigation against guard discovery attacks on clients + and short-lived services + * Improve observed performance under DNS load + * Improve handling of overload state + * end-of-life relays running version 0.4.2.x, 0.4.3.x, + 0.4.4.x and 0.4.5 alphas/rc, 0.3.5.x are now rejected + * Onion service v2 addresses are no longer recognized + +------------------------------------------------------------------- +Sun Feb 6 01:10:07 UTC 2022 - Bernhard Wiedemann + +- tor 0.4.6.10 + * minor bugfixes and features + * https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.6/ReleaseNotes + +------------------------------------------------------------------- +Fri Dec 17 18:54:05 UTC 2021 - Andreas Stieger + +- tor 0.4.6.9: + * remove the DNS timeout metric from the overload general signal + * regenerate fallback directories generated on December 15, 2021 + * Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/12/15 + * Reject IPv6-only DirPort + +------------------------------------------------------------------- +Sat Nov 13 11:02:55 UTC 2021 - Andreas Stieger + +- tor 0.4.6.8: + * Improving reporting of general overload state for DNS timeout + errors by relays + * Regenerate fallback directories for October 2021 + * Bug fixes for onion services + * CVE-2021-22929: do not log v2 onion services access attempt + warnings on disk excessively (TROVE-2021-008, boo#1192658) + +------------------------------------------------------------------- +Tue Aug 24 09:11:38 UTC 2021 - Jan Engelhardt + +- Reduce boilerplate generated by 
%service_*. + +------------------------------------------------------------------- +Tue Aug 17 18:52:40 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.6.7: + * Fix a DoS via a remotely triggerable assertion failure + (boo#1189489, TROVE-2021-007, CVE-2021-38385) + +------------------------------------------------------------------- +Tue Jul 6 07:13:19 UTC 2021 - Bernhard Wiedemann + +- Add missing service_add_pre tor-master.service + +------------------------------------------------------------------- +Thu Jul 1 11:13:23 UTC 2021 - Andreas Stieger + +- tor 0.4.6.6: + * Fix a compilation error with gcc 7, drop tor-0.4.6.5-gcc7.patch + * Enable the deterministic RNG for unit tests that covers the + address set bloomfilter-based API's + +------------------------------------------------------------------- +Wed Jun 16 20:32:43 UTC 2021 - Andreas Stieger + +- tor 0.4.6.5 + * Add controller support for creating v3 onion services with + client auth + * When voting on a relay with a Sybil-like appearance, add the + Sybil flag when clearing out the other flags. 
This lets a relay + operator know why their relay hasn't been included in the + consensus + * Relays now report how overloaded they are + * Add a new DoS subsystem to control the rate of client + connections for relays + * Relays now publish statistics about v3 onions services + * Improve circuit timeout algorithm for client performance +- add tor-0.4.6.5-gcc7.patch to fix build with gcc7 + +------------------------------------------------------------------- +Mon Jun 14 18:06:34 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.9 + * Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322) + * Detect more failure conditions from the OpenSSL RNG code (boo#1187323) + * Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549, boo#1187324) + * Fix an out-of-bounds memory access in v3 onion service descriptor parsing (CVE-2021-34550, boo#1187325) + +------------------------------------------------------------------- +Tue May 11 01:54:10 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.8 + * https://lists.torproject.org/pipermail/tor-announce/2021-May/000219.html + * allow Linux sandbox with Glibc 2.33 + * work with autoconf 2.70+ + * several other minor features and bugfixes (see announcement) + +------------------------------------------------------------------- +Sat Apr 24 19:07:24 UTC 2021 - Andreas Stieger + +- fix packaging warnings related to tor-master service + +------------------------------------------------------------------- +Fri Apr 23 21:22:30 UTC 2021 - Andreas Stieger + +- Fix logging issue due to systemd picking up stdout - boo#1181244 + Continue to log notices to syslog by default. 
+- actually build with lzma/zstd +- skip i586 tests (boo#1179331) + +------------------------------------------------------------------- +Tue Mar 16 23:38:53 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.7 + * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html + * Fix 2 denial of service security issues (boo#1183726) + + Disable the dump_desc() function that we used to dump unparseable + information to disk (CVE-2021-28089) + + Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority + (CVE-2021-28090) + * Ship geoip files based on the IPFire Location Database + +------------------------------------------------------------------- +Tue Feb 16 07:49:14 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.6 + * https://lists.torproject.org/pipermail/tor-announce/2021-February/000214.html + * Introduce a new MetricsPort HTTP interface + * Support IPv6 in the torrc Address option + * Add event-tracing library support for USDT and LTTng-UST + * Try to read N of N bytes on a TLS connection +- Drop upstream tor-practracker.patch + +------------------------------------------------------------------- +Fri Feb 5 08:16:39 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.4.7 + * https://blog.torproject.org/node/1990 + * Stop requiring a live consensus for v3 clients and services + * Re-entry into the network is now denied at the Exit level + * Fix undefined behavior on our Keccak library + * Strip '\r' characters when reading text files on Unix platforms + * Handle partial SOCKS5 messages correctly +- Add tor-practracker.patch to fix tests + +------------------------------------------------------------------- +Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann + +- Restrict service permissions with systemd + +------------------------------------------------------------------- +Thu Nov 12 17:02:48 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.6 + * Check channels+circuits on relays more thoroughly + 
(TROVE-2020-005, boo#1178741) + +------------------------------------------------------------------- +Tue Sep 15 14:51:40 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.5 + * Improve guard selection + * IPv6 improvements + +------------------------------------------------------------------- +Wed Aug 19 09:49:51 UTC 2020 - Dominique Leuenberger + +- Use %{_tmpfilesdir} instead of abusing %{_libexecdir}/tmpfiles.d. + +------------------------------------------------------------------- +Thu Jul 9 17:27:13 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.3.6 + * Fix a crash due to an out-of-bound memory access (CVE-2020-15572) + * Some minor fixes + +------------------------------------------------------------------- +Mon Jun 29 08:57:42 UTC 2020 - Bernhard Wiedemann + +- Fix logrotate to not fail when tor is stopped (boo#1164275) + +------------------------------------------------------------------- +Fri May 15 18:58:11 UTC 2020 - Andreas Stieger + +- tor 0.4.3.5: + * first stable release in the 0.4.3.x series + * implement functionality needed for OnionBalance with v3 onion + services + * significant refactoring of our configuration and controller + functionality + * Add support for banning a relay's ed25519 keys in the + approved-routers file in support for migrating away from RSA + * support OR connections through a HAProxy server + +------------------------------------------------------------------- +Wed Mar 18 20:52:20 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.2.7 + * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013) + * CVE-2020-10593: circuit padding memory leak (boo#1167014) + * Directory authorities now signal bandwidth pressure to clients + * Avoid excess logging on bug when flushing a buffer to a TLS connection + +------------------------------------------------------------------- +Fri Jan 31 08:32:28 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.2.6 + * Correct how we use libseccomp + * Fix crash when reloading logging configuration while the + 
experimental sandbox is enabled + * Avoid a possible crash when logging an assertion + about mismatched magic numbers + +------------------------------------------------------------------- +Tue Jan 7 11:21:02 UTC 2020 - Bernhard Wiedemann + +- Update tor.service and add defaults-torrc + to work without dropped torctl (boo#1072274) +- Add tor-master.service to allow handling multiple tor daemons + +------------------------------------------------------------------- +Sat Dec 14 20:35:25 UTC 2019 - Andreas Stieger + +- tor 0.4.2.5: + * first stable release in the 0.4.2.x series + * improves reliability and stability + * several stability and correctness improvements for onion services + * fixes many smaller bugs present in previous series + +------------------------------------------------------------------- +Tue Dec 10 08:27:14 UTC 2019 - Andreas Stieger + +- tor 0.4.1.7: + * several bugfixes to improve stability and correctness + * fixes for relays relying on AccountingMax + +------------------------------------------------------------------- +Mon Oct 7 13:16:38 UTC 2019 - Martin Pluskal + +- Update dependnecnies: + * python3 instead of python + * add libpcap and seccomp +- Use more suitable macros for building and systemd dependencies + +------------------------------------------------------------------- +Thu Sep 19 13:02:59 UTC 2019 - Bernhard Wiedemann + +- update to 0.4.1.6 + * Tolerate systems (including some Linux installations) where + madvise MADV_DONTFORK / MADV_DONTDUMP are available at build-time, + but not at run time. 
+ * Do not include the deprecated on Linux + * Fix the MAPADDRESS controller command to accept one or more arguments + * Always retry v2+v3 single onion service intro and rendezvous circuits + with a 3-hop path + * Use RFC 2397 data URL scheme to embed an image into tor-exit-notice.html + +------------------------------------------------------------------- +Tue Aug 20 15:43:45 UTC 2019 - Bernhard Wiedemann + +- update to 0.4.1.5 + * Onion service clients now add padding cells at the start of their + INTRODUCE and RENDEZVOUS circuits to make it look like + Exit traffic + * Add a generic publish-subscribe message-passing subsystem + * Controller commands are now parsed using a generalized parsing + subsystem + * Implement authenticated SENDMEs as detailed in proposal 289 + * Our node selection algorithm now excludes nodes in linear time + * Construct a fast secure pseudorandom number generator for + each thread, to use when performance is critical + * Consider our directory information to have changed when our list + of bridges changes + * Do not count previously configured working bridges towards our + total of working bridges + * When considering upgrading circuits from "waiting for guard" to + "open", always ignore circuits that are marked for close + * Properly clean up the introduction point map when circuits change + purpose + * Fix an unreachable bug in which an introduction point could try to + send an INTRODUCE_ACK + * Clients can now handle unknown status codes from INTRODUCE_ACK + cells +- Remove upstreamed tor-0.3.5.8-no-ssl-version-warning.patch +- Compile without -Werror to build with LTO (boo#1146548) +- Add fix-test.patch to workaround a LTO-induced test-failure + +------------------------------------------------------------------- +Fri Jul 26 12:23:05 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. 
+ + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Mon May 20 12:55:12 UTC 2019 - Christophe Giboudeaux + +- Add the missing zlib requirement. + +------------------------------------------------------------------- +Fri May 10 09:46:26 UTC 2019 - Andreas Stieger + +- tor 0.4.0.5: + * new stable branch, but not a long-term support branch + * improvements for power management and bootstrap reporting + * preliminary backend support for circuit padding to prevent some + kinds of traffic analysis + * refactoring for long-term maintainability +- drop upstreamed tor-0.3.5.8-nonetwork.patch + +------------------------------------------------------------------- +Mon Apr 15 12:24:02 UTC 2019 - Bernhard Wiedemann + +- Add tor-0.3.5.8-no-ssl-version-warning.patch (boo#1129411) +- Update tor.tmpfiles to use /run instead of /var/run + +------------------------------------------------------------------- +Mon Feb 25 15:55:39 UTC 2019 - bwiedemann@suse.com + +- Add tor-0.3.5.8-nonetwork.patch to fix test failures + without network + +------------------------------------------------------------------- +Fri Feb 22 15:04:30 UTC 2019 - bwiedemann@suse.com + +- tor 0.3.5.8: + * CVE-2019-8955 prevent attackers from making tor run + out of memory and crash + * Allow SOCKS5 with empty username+password + * Update geoip and geoip6 to the February 5 2019 Maxmind + GeoLite2 Country database + * Select guards even if the consensus has expired, as long + as the consensus is still reasonably live + +------------------------------------------------------------------- +Mon Jan 7 23:16:55 UTC 2019 - astieger@suse.com + +- tor 0.3.5.7: + * first stable release in 0.3.5.x LTS branch + * support client authorization for v3 onion services + * cleanups to bootstrap reporting + * support for improved bandwidth measurement tools + * the default version for newly created onion services is now v3 + 
(HiddenServiceVersion option can be used to override) + * If stem is used, an update of stem mey be required + +------------------------------------------------------------------- +Mon Jan 7 23:01:18 UTC 2019 - astieger@suse.com + +- tor 0.3.4.10: + * OpenSSL compatibility fixes + * Fixes for relay bugs + * update fallback directory list + +------------------------------------------------------------------- +Sat Nov 3 08:45:43 UTC 2018 - astieger@suse.com + +- tor 0.3.4.9: + * Various bug fixes, including a bandwidth management bug that + was causing memory exhaustion on relays + +------------------------------------------------------------------- +Mon Sep 10 15:51:17 UTC 2018 - astieger@suse.com + +- tor 0.3.4.8 (boo#1107847): + * improvements for running in low-power and embedded environments + * preliminary changes for new bandwidth measurement system + * refine anti-denial-of-service code + +------------------------------------------------------------------- +Mon Sep 10 13:52:34 UTC 2018 - astieger@suse.com + +- tor 0.3.3.10: + * various build and compatibility fixes + * The control port now exposes the list of HTTPTunnelPorts and + ExtOrPorts via GETINFO net/listeners/httptunnel and + net/listeners/extor respectively + * Authorities no longer vote to make the subprotocol version + "LinkAuth=1" a requirement: it is unsupportable with NSS, and + hasn't been needed since Tor 0.3.0.1-alpha + * When voting for recommended versions, make sure that all of the + versions are well-formed and parsable + * various minor bug fixes on onion services + +------------------------------------------------------------------- +Sat Jul 14 18:31:57 UTC 2018 - astieger@suse.com + +- tor 0.3.3.9: + * move to a new bridge authority + * backport some bug fixes +- refresh upstream signing keyring + +------------------------------------------------------------------- +Mon Jul 9 19:38:14 UTC 2018 - astieger@suse.com + +- tor 0.3.3.8: + * directory authority memory leak fix + * various 
minor bug fixes + +------------------------------------------------------------------- +Tue Jun 12 16:59:58 UTC 2018 - astieger@suse.com + +- tor 0.3.3.7: + * Add an IPv6 address for the "dannenberg" directory authority + * Improve accuracy of the BUILDTIMEOUT_SET control port event's + TIMEOUT_RATE and CLOSE_RATE fields + * Only select relays when tor has descriptors that it prefers to + use for them, avoiding nonfatal errors later + +------------------------------------------------------------------- +Sun May 27 11:33:54 UTC 2018 - astieger@suse.com + +- tor 0.3.3.6: + * new stable release series + * controller support and other improvements for v3 onion services + * official support for embedding Tor within other application + * Improvements to IPv6 support + * Relay option ReducedExitPolicy to configure a reasonable default + * Revent DoS via malicious protocol version string (boo#1094283) + * Many other other bug fixes and improvements + +------------------------------------------------------------------- +Sat Mar 3 18:39:39 UTC 2018 - astieger@suse.com + +- tor 0.3.2.10: + * CVE-2018-0490: remote crash vulnerability against directory + authorities (boo#1083845, TROVE-2018-001) + * CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002) + * New system for improved resistance to DoS attacks against relays + * Various other bug fixes + +------------------------------------------------------------------- +Wed Jan 10 21:33:45 UTC 2018 - astieger@suse.com + +- tor 0.3.2.9: + * new onion service design (v3), not default + * new circuit scheduler algorithm for improved performance + * directory authority updates + * many other updates and improvements + +------------------------------------------------------------------- +Fri Dec 1 20:33:08 UTC 2017 - astieger@suse.com + +- tor 0.3.1.9 with the following security fixes that prevent some + traffic confirmation, DoS and other problems (bsc#1070849): + * CVE-2017-8819: Replay-cache ineffective for v2 onion 
services + * CVE-2017-8820: Remote DoS attack against directory authorities + * CVE-2017-8821: An attacker can make Tor ask for a password + * CVE-2017-8822: Relays can pick themselves in a circuit path + * CVE-2017-8823: Use-after-free in onion service v2 + +------------------------------------------------------------------- +Wed Oct 25 15:05:45 UTC 2017 - astieger@suse.com + +- tor 0.3.1.8: + * Add "Bastet" as a ninth directory authority to the default list + * The directory authority "Longclaw" has changed its IP address + * Fix a timing-based assertion failure that could occur when the + circuit out-of-memory handler freed a connection's output buffer + * Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 + Country database +- drop tor-0.3.1.7-fix-zstd-i586.patch, upstreamed + +------------------------------------------------------------------- +Wed Sep 20 14:44:09 UTC 2017 - astieger@suse.com + +- tor 0.3.1.7: + * Serve and download directory information in more compact + formats + * New padding padding system to resist netflow-based traffic + analysis + * Improve protection against identification of tor traffic by ISP + via ConnectionPadding option + * Reduce the number of long-term connections open between relays +- add tor-0.3.1.7-fix-zstd-i586.patch to fix 32 bit build with zstd + +------------------------------------------------------------------- +Mon Sep 18 16:38:59 UTC 2017 - astieger@suse.com + +- tor 0.3.0.11: + * CVE-2017-0380: hidden services with the SafeLogging option + disabled could disclose the stack TROVE-2017-008, boo#1059194 + * Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 + Country database. + * drop tor-0.3.0.7-gcc7-fallthrough.patch, now upstream + +------------------------------------------------------------------- +Thu Aug 3 11:26:00 UTC 2017 - jloehel@suse.com + +- tor 0.3.0.10 + * Fix a typo that had prevented TPROXY-based transparent proxying + from working under Linux. 
+ * Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems.
+
+-------------------------------------------------------------------
+Fri Jun 30 11:53:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.9:
+ * CVE-2017-0377: Fix path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen
+ exit relay (bsc#1046845)
+ * Don't block bootstrapping when a primary bridge is offline and
+ tor cannot get its descriptor
+ * When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old).
+ * Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Thu Jun 8 18:47:31 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.8 fixing a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure
+ * CVE-2017-0375: remotely triggerable assertion failure when a
+ hidden service handles a malformed BEGIN cell (bsc#1043455)
+ * CVE-2017-0376: remotely triggerable assertion failure caused by
+ receiving a BEGIN_DIR cell on a hidden service rendezvous
+ circuit (bsc#1043456)
+- further bug fixes:
+ * link handshake fixes when changing x509 certificates
+ * Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes
+ * When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that was
+ used on the TLS connection
+ * Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule
+
+-------------------------------------------------------------------
+Wed May 31 10:01:51 UTC 2017 - astieger@suse.com
+
+- fix build with GCC 7: warning-errors on implicit fallthrough
+ add tor-0.3.0.7-gcc7-fallthrough.patch bsc#1041262
+
+-------------------------------------------------------------------
+Tue May 16 00:26:43 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.7:
+ * Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor
+ relay process to exit. TROVE-2017-002 bsc#1039211
+ * Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+ * Tor no longer refuses to download microdescriptors or
+ descriptors if they are listed as "published in the future"
+ * The getpid() system call is now permitted under the Linux
+ seccomp2 sandbox, to avoid crashing with versions of OpenSSL
+ (and other libraries) that attempt to learn the process's PID
+ by using the syscall rather than the VDSO code
+
+-------------------------------------------------------------------
+Thu Apr 27 06:23:44 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.6:
+ * clients and relays now use Ed25519 keys to authenticate their
+ link connections to relays, rather than the old RSA1024 keys
+ that they used before.
+ * replace the guard selection and replacement algorithm to behave
+ more robustly in the presence of unreliable networks, and to
+ resist guard-capture attacks.
+ * numerous other small features and bugfixes
+ * groundwork for the upcoming hidden-services revamp
+
+-------------------------------------------------------------------
+Wed Mar 1 22:45:42 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.10:
+ * directory authority: During voting, when marking a relay as a
+ probable sybil, do not clear its BadExit flag: sybils can still
+ be bad in other ways too.
+ * IPv6 Exits: Stop rejecting all IPv6 traffic on Exits whose exit
+ policy rejects any IPv6 addresses. Instead, only reject a port
+ over IPv6 if the exit policy rejects that port on more than an
+ IPv6 /16 of addresses.
+ * parsing: Fix an integer underflow bug when comparing malformed
+ Tor versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through
+ Tor 0.2.9.8, which were built with -ftrapv by default. In other
+ cases it was harmless. Part of TROVE-2017-001 boo#1027539
+ * Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor
+ * Reject version numbers with components that exceed INT32_MAX.
+ * Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+ * The tor-resolve command line tool now rejects hostnames over 255
+ characters in length
+
+-------------------------------------------------------------------
+Tue Jan 24 06:19:19 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.9:
+ * Downgrade the "-ftrapv" option from "always on" to "only on
+ when --enable-expensive-hardening is provided." This hardening
+ option, like others, can turn survivable bugs into crashes --
+ and having it on by default made a (relatively harmless)
+ integer overflow bug into a denial-of-service bug
+ * Fix a client-side onion service reachability bug
+ * Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sun Jan 1 11:43:02 UTC 2017 - tchvatal@suse.com
+
+- Remove conditionals for the sle11 as we won't build there due to
+ openssl requirements. This reduces the logic in the spec file
+ quite a bit
+
+-------------------------------------------------------------------
+Mon Dec 19 20:40:39 UTC 2016 - astieger@suse.com
+
+- tor 0.2.9.8, the first stable release in the 0.2.9.x series:
+ * make mandatory a number of security features that were formerly
+ optional
+ * support a new shared-randomness protocol that will form the
+ basis for next generation hidden services
+ * single-hop hidden service mode for optimizing .onion services
+ that don't actually want to be hidden,
+ * try harder not to overload the directory authorities with
+ excessive downloads
+ * support a better protocol versioning scheme for improved
+ compatibility with other implementations of the Tor protocol
+ * deprecated options for security: CacheDNS, CacheIPv4DNS,
+ CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache,
+ AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
+ AllowSingleHopExits, ClientDNSRejectInternalAddresses,
+ CloseHSClientCircuitsImmediatelyOnTimeout,
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout,
+ ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
+ UseNTorHandshake, and WarnUnsafeSocks.
+ * *ListenAddress options are now deprecated as unnecessary: the
+ corresponding *Port options should be used instead. The
+ affected options are:
+ ControlListenAddress, DNSListenAddress, DirListenAddress,
+ NATDListenAddress, ORListenAddress, SocksListenAddress,
+ and TransListenAddress.
+
+-------------------------------------------------------------------
+Mon Dec 19 20:29:49 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.12:
+ * CVE-2016-1254: A hostile hidden service could cause tor clients
+ to crash (bsc#1016343)
+ * update fallback directory list
+ * Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Tue Dec 13 06:41:55 UTC 2016 - bwiedemann@suse.com
+
+- recommend torsocks as it is needed by included torify
+
+-------------------------------------------------------------------
+Sun Dec 11 19:40:35 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.11:
+ * Fix compilation with OpenSSL 1.1
+
+-------------------------------------------------------------------
+Fri Dec 2 16:58:06 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.10:
+ * When Tor leaves standby because of a new application request,
+ open circuits as needed to serve that request
+ * Clients now respond to new application stream requests
+ immediately when they arrive, rather than waiting up to one
+ second before starting to handle them
+ * small portability and memory handling issues
+ * Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Wed Oct 19 09:08:12 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.9:
+ * security fix: prevent remote DoS TROVE-2016-10-001 boo#1005292
+ * Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
+ Country database.
+ * Update signing key
+
+-------------------------------------------------------------------
+Sat Sep 24 13:52:20 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.8:
+ * fixes some crash bugs when using bridges
+ * fixes a timing-dependent assertion
+ * removes broken fallbacks from the hard-coded fallback directory
+ list
+ * Updates geoip and geoip6 to the September 6 2016 Maxmind
+ GeoLite2 Country database
+
+-------------------------------------------------------------------
+Wed Aug 24 21:01:13 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.7:
+ * The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest"
+ * Only use the ReachableAddresses option to restrict the first
+ hop in a path. In earlier versions of 0.2.8.x, it would apply
+ to every hop in the path, with a possible degradation in
+ anonymity for anyone using an uncommon ReachableAddress setting
+
+-------------------------------------------------------------------
+Sat Aug 13 17:44:24 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.6:
+ * improve client bootstrapping performance
+ * improved identity keys for relays (authority side)
+ * numerous bug fixes and performance improvements
+
+-------------------------------------------------------------------
+Mon Mar 21 08:17:17 UTC 2016 - astieger@suse.com
+
+- adjust nologin shell for tor user boo#971872
+
+-------------------------------------------------------------------
+Fri Dec 11 14:41:37 UTC 2015 - mpluskal@suse.com
+
+- Make building more verbose
+- Remove useless conditon for libevent, there is dependency for it
+ anyway
+
+-------------------------------------------------------------------
+Fri Dec 11 13:35:32 UTC 2015 - astieger@suse.com
+
+- skip tests on ports
+
+-------------------------------------------------------------------
+Fri Dec 11 07:43:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.7.6 fixes a major bug in entry guard selection, as well
+ as a minor bug in hidden service reliability. [boo#958729]
+
+-------------------------------------------------------------------
+Tue Nov 24 20:35:59 UTC 2015 - astieger@suse.com
+
+- 0.2.7.5:
+ * More secure identity key type for relays
+ * Improve cryptography performance
+ * Resolve several longstanding hidden-service performance issues
+ * Improve controller support for hidden services
+- Features removed:
+ * tor-fw-helper is no longer part of thie packaged, it was
+ re-implemented as a separate project
+- Packaging changes:
+ * drop upstreamed patch
+ tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Wed Oct 14 10:59:41 UTC 2015 - astieger@suse.com
+
+- fix Factory build (ignore missing systemd-tmpfiles)
+
+-------------------------------------------------------------------
+Wed Aug 26 20:02:21 UTC 2015 - astieger@suse.com
+
+- Malformed hostnames in socks5 requests were written to the log
+ regardless of SafeLogging option (CWE-532) [boo#943362]
+ add tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Sun Jul 12 20:54:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.10:
+ Significant stability and hidden service client fixes.
+ * Stop refusing to store updated hidden service descriptors on a
+ client.
+ * Stop crashing with an assertion failure when parsing certain
+ kinds of malformed or truncated microdescriptors.
+ * Stop random client-side assertion failures that could occur
+ when connecting to a busy hidden service, or connecting to a
+ hidden service while a NEWNYM is in progress.
+
+-------------------------------------------------------------------
+Thu Jun 11 18:55:44 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.9:
+ Clients using circuit isolation should upgrade;
+ all directory authorities should upgrade.
+ * fixes a regression in the circuit isolation code
+ * increases the requirements for receiving an HSDir flag
+ * addresses some small bugs in the systemd and sandbox code.
+
+-------------------------------------------------------------------
+Sat May 23 18:59:14 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.8:
+ This release fixes a bit of dodgy code in parsing INTRODUCE2 cells,
+ and fixes an authority-side bug in assigning the HSDir flag. All
+ directory authorities should upgrade.
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells.
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+ on a client authorized hidden service.
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country
+ database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Mon Apr 6 18:56:30 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.7
+ This releases fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting
+ hidden services. Hidden services should upgrade as soon as
+ possible. [boo#926097]
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. CVE-2015-2928
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ CVE-2015-2929
+ - Introduction points no longer allow multiple INTRODUCE1 cells
+ to arrive on the same circuit. This should make it more
+ expensive for attackers to overwhelm hidden services with
+ introductions.
+ - Decrease the amount of reattempts that a hidden service
+ performs when its rendezvous circuits fail. This reduces the
+ computational cost for running a hidden service under heavy
+ load.
+
+-------------------------------------------------------------------
+Sun Mar 29 11:51:09 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.6, the first stable release in the 0.2.6 series:
+ * safety/security improvements
+ * correctness improvements
+ * performance improvements
+ * Client programs can be configured to use more kinds of sockets
+ * AutomapHosts works better
+ * multithreading backend is improved
+ * cell transmission is refactored
+ * test coverage is much higher
+ * more denial-of-service attacks are handled
+ * guard selection is improved to handle long-term guards better
+ * pluggable transports should work a bit better
+ * some annoying hidden service performance bugs addressed
+- new minimal configuration file installed as active configuration
+ allows daemon to be run right after package installation
+- build with systemd notifications where supported
+
+-------------------------------------------------------------------
+Wed Mar 25 08:05:24 UTC 2015 - astieger@suse.com
+
+- add CVE IDs for 0.2.5.11 release
+
+-------------------------------------------------------------------
+Thu Mar 19 21:36:34 UTC 2015 - astieger@suse.com
+
+- tor 0.2.5.11 [boo#923284]:
+ Contains several medium-level security fixes for relays and exit
+ nodes and also updates the list of directory authorities.
+ * Directory authority updates
+ * relay crashes trough assertion (CVE-2015-2688)
+ * exit node crash through assertion under high DNS load
+ (CVE-2015-2689)
+ * do not crash when receiving SIGHUP with the seccomp2 sandbox on
+ * do not crash sh during attempts to call wait4
+ * new "GETINFO bw-event-cache" for controllers
+ * update geoip/geoip6 to the March 3 2015
+ * Avoid crashing on malformed VirtualAddrNetworkIPv[4|6] config
+ * Fix a memory leak when using AutomapHostsOnResolve
+ * Allow directory authorities to fetch more data from one another
+
+-------------------------------------------------------------------
+Fri Jan 23 22:04:27 UTC 2015 - andreas.stieger@gmx.de
+
+- fix build for SLE 12, libminiupnpc-devel not available
+
+-------------------------------------------------------------------
+Fri Oct 24 20:48:14 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.5.10, the first stable release in the 0.2.5 series.
+ * improved denial-of-service resistance for relays
+ * new compiler hardening options
+ * system-call sandbox for hardened installations on Linux
+ (requires seccomp2)
+ * controller protocol has several new features
+ * improvements in resolving IPv6 addresses
+ * relays more CPU-efficient
+- adjust tor-0.2.4.x-logrotate.patch to tor-0.2.5.x-logrotate.patch
+- run unit tests
+
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sat Sep 20 13:05:50 UTC 2014 - andreas.stieger@gmx.de
+
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Mon Aug 18 09:54:00 UTC 2014 - wagner-thomas@gmx.at
+
+- Added config file for firewall
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Fri Jun 6 18:51:36 UTC 2014 - andreas.stieger@gmx.de
+
+- do not own /var/run/tor for pid file, fixing Factory build
+
+-------------------------------------------------------------------
+Sat May 17 23:13:54 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+- Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+- Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+- Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- further minor bug fixes, see ChangeLog
+- fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+
+-------------------------------------------------------------------
+Sat Apr 19 02:54:55 UTC 2014 - mook.moz+com.novell@gmail.com
+
+- Add tor-fw-helper for UPnP port forwarding; not used by default
+
+-------------------------------------------------------------------
+Thu Mar 6 08:02:15 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.21
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+- Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+- Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+
+-------------------------------------------------------------------
+Mon Jan 20 19:46:02 UTC 2014 - andreas.stieger@gmx.de
+
+- redaction of 0.2.4.20 changelog to include bug and CVE references
+
+-------------------------------------------------------------------
+Fri Dec 27 20:55:26 UTC 2013 - andreas.stieger@gmx.de
+
+- tor 0.2.4.20
+ fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+ This release also fixes a logic error that caused Tor clients to build
+ many more preemptive circuits than they actually need.
+- Major bugfixes:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set. The only default builtin PRNG engine uses
+ the Intel RDRAND instruction to replace the entire PRNG, and
+ ignores all attempts to seed it with more entropy. That's
+ cryptographically stupid: the right response to a new alleged
+ entropy source is never to discard all previously used entropy
+ sources. Fixes bug 10402; works around behavior introduced in
+ OpenSSL 1.0.0.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+ This fixes a bug where any circuit that _wasn't_ unusable for new
+ streams would be treated as if it were, causing extra circuits to
+ be launched.
+- Minor bugfixes:
+ - Avoid a crash bug when starting with a corrupted microdescriptor
+ cache file.
+ - If we fail to dump a previously cached microdescriptor to disk, avoid
+ freeing duplicate data later on.
+
+-------------------------------------------------------------------
+Sat Dec 14 17:43:22 UTC 2013 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
+ a new circuit handshake and link encryption that use ECC to provide
+ better security and efficiency; makes relays better manage circuit
+ creation requests; uses "directory guards" to reduce client enumeration
+ risks; makes bridges collect and report statistics about the pluggable
+ transports they support; cleans up and improves our geoip database;
+ gets much closer to IPv6 support for clients, bridges, and relays; makes
+ directory authorities use measured bandwidths rather than advertised
+ ones when computing flags and thresholds; disables client-side DNS
+ caching to reduce tracking risks; and fixes a big bug in bridge
+ reachability testing. This release introduces two new design
+ abstractions in the code: a new "channel" abstraction between circuits
+ and or_connections to allow for implementing alternate relay-to-relay
+ transports, and a new "circuitmux" abstraction storing the queue of
+ circuits for a channel. The release also includes many stability,
+ security, and privacy fixes.
+- full changelog relative to 0.2.3.x and 0.2.4.x RC series:
+ https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes
+
+-------------------------------------------------------------------
+Sat Dec 7 12:04:08 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.18-rc, improves stability, performance, and better
+ handling of edge cases.
+- Major features: + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. +- Major bugfixes: + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. + - Stop trying to bootstrap all our directory information from + only our first guard. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. + +------------------------------------------------------------------- +Sat Oct 5 13:18:55 UTC 2013 - andreas.stieger@gmx.de + +- tor-0.2.4.17-rc +- major features in 0.2.4.x: + - improved client resilience + - support better link encryption with forward secrecy + - new NTor circuit handshake + - change relay queue for circuit create requests from size-based + limit to time-based limit + - many bug fixes and minor features + +------------------------------------------------------------------- +Fri May 24 22:51:24 UTC 2013 - andreas.stieger@gmx.de + +- add systemd support +- verify source tarball signature + +------------------------------------------------------------------- +Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.3.25, the first stable release in the 0.2.3 branch + + significantly reduced directory overhead (via microdescriptors) + + enormous crypto performance improvements for fast relays on new + enough hardware + + new v3 TLS handshake protocol that can better resist + fingerprinting + + support for protocol obfuscation plugins (pluggable transports) + + better scalability for hidden services + + IPv6 support for bridges + + performance improvements + + new "stream isolation" design to isolate different applications + on different circuits + + many stability, security, and privacy fixes + + Complete list of changes enumerated in: + 
https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html + https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2bbf5fd4:/ReleaseNotes + + Tear down the circuit when receiving an unexpected SENDME cell. + [bnc#791374] CVE-2012-5573 +- build using --enable-bufferevents provided by Libevent 2.0.13 + +------------------------------------------------------------------- +Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org + +- Fix useradd invocation: -o is useless without -u and newer + versions of pwdutils/shadowutils fail on this now. + +------------------------------------------------------------------- +Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.39 [bnc#780620] + Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. + CVE-2012-4922 + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. + CVE-2012-4419 + +------------------------------------------------------------------- +Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.38 [bnc#776642] + Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; + fixes a remotely triggerable crash bug; and fixes a timing attack that + could in theory leak path information. + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. + CVE-2012-3517 + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. 
+ CVE-2012-3518 + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors, but it's best not to take chances. + CVE-2012-3519 + +------------------------------------------------------------------- +Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de + +- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to + fix W: suse-logrotate-user-writable-log-dir in Factory + +------------------------------------------------------------------- +Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.37 + Changes in version 0.2.2.37 - 2012-06-06 + Tor 0.2.2.37 introduces a workaround for a critical renegotiation + bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself + currently). + + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with TLS + 1.1 and TLS 1.2. Without this workaround, all attempts to speak + the v2 Tor connection protocol when both sides were using OpenSSL + 1.0.1 would fail. Resolves ticket 6033. + - When waiting for a client to renegotiate, don't allow it to add + any bytes to the input buffer. This fixes a potential DoS issue. + Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc. + - Fix an edge case where if we fetch or publish a hidden service + descriptor, we might build a 4-hop circuit and then use that circuit + for exiting afterwards -- even if the new last hop doesn't obey our + ExitNodes config option. 
Fixes bug 5283; bugfix on 0.2.0.10-alpha. + + o Minor bugfixes: + - Fix a build warning with Clang 3.1 related to our use of vasprintf. + Fixes bug 5969. Bugfix on 0.2.2.11-alpha. + + o Minor features: + - Tell GCC and Clang to check for any errors in format strings passed + to the tor_v*(print|scan)f functions. + +------------------------------------------------------------------- +Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.36 + + Changes in version 0.2.2.36 - 2012-05-24 + o Directory authority changes: + - Change IP address for maatuska (v3 directory authority). + - Change IP address for ides (v3 directory authority), and rename + it to turtles. + + o Security fixes: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL + versions have a bug (CVE-2011-4576) in which their block cipher + padding includes uninitialized data, potentially leaking sensitive + information to any peer with whom they make a SSLv3 connection. Tor + does not use SSL v3 by default, but a hostile client or server + could force an SSLv3 connection in order to gain information that + they shouldn't have been able to get. The best solution here is to + upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building + or running with a non-upgraded OpenSSL, we disable SSLv3 entirely + to make sure that the bug can't happen. + - Never use a bridge or a controller-supplied node as an exit, even + if its exit policy allows it. Found by wanoskarnet. Fixes bug + 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors) + and 0.2.0.3-alpha (for bridge-purpose descriptors). + - Only build circuits if we have a sufficient threshold of the total + descriptors that are marked in the consensus with the "Exit" + flag. This mitigates an attack proposed by wanoskarnet, in which + all of a client's bridges collude to restrict the exit nodes that + the client knows about. Fixes bug 5343. 
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the controller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
+ 1776. Bugfix on 0.2.2.18-alpha.
+
+ o Minor bugfixes (documentation and log messages):
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
+ - Clarify the behavior of MaxCircuitDirtiness with hidden service
+ circuits. Fixes issue 5259.
+
+ o Minor features:
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the May 1 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+ +------------------------------------------------------------------- +Mon Jan 2 16:51:20 UTC 2012 - andreas.stieger@gmx.de + +- add CVE references in changelog, fixing bug #739133 + +------------------------------------------------------------------- +Fri Dec 16 20:37:05 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.35, which fixes a critical heap-overflow + security issue: CVE-2011-2778 For a full list of changes, see: + https://gitweb.torproject.org/tor.git/blob_plain/release-0.2.2:/ReleaseNotes + +------------------------------------------------------------------ +Mon Dec 12 15:42:09 UTC 2011 - cfarrell@suse.com + +- license update: BSD-3-Clause + SPDX format + +------------------------------------------------------------------- +Sun Dec 11 18:42:57 UTC 2011 - andreas.stieger@gmx.de + +- fix factory warning by removing INSTALL file from docs dir + +------------------------------------------------------------------- +Sun Dec 11 17:11:11 UTC 2011 - andreas.stieger@gmx.de + +- format spec file to include copyright notice + package is based on a former package in SUSE/openSUSE + +------------------------------------------------------------------- +Sun Dec 11 12:37:14 UTC 2011 - andreas.stieger@gmx.de + +- update license from "3-clause BSD" to "BSD3c" + +------------------------------------------------------------------- +Fri Oct 28 19:49:39 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.34 +- fixes CVE-2011-4895 Tor Bridge circuit building information disclosure +- fixes CVE-2011-4894 Tor DirPort information disclosure + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 
2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge would + use the same cert chain for all outgoing OR connections until + its IP address changes, which allowed any relay that the client + or bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. 
+ - Directory authorities no longer assign the Guard flag to relays
+ that haven't upgraded to the above "refuse EXTEND requests
+ to client connections" fix. Now directory authorities can
+ protect clients from the CVE-2011-2768 issue even if neither
+ the clients nor the relays have upgraded yet. There's a new
+ "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
+ to let us transition smoothly, else tomorrow there would be no
+ guard relays.
+
+ o Privacy/anonymity fixes (bridge enumeration):
+ - Bridge relays now do their directory fetches inside Tor TLS
+ connections, like all the other clients do, rather than connecting
+ directly to the DirPort like public relays do. Removes another
+ avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
+ - Bridges relays now build circuits for themselves in a more similar
+ way to how clients build them. Removes another avenue for
+ enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
+ when bridges were introduced.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+
+ o Major bugfixes:
+ - Fix a crash bug when changing node restrictions while a DNS lookup
+ is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
+ by "Tey'".
+ - Don't launch a useless circuit after failing to use one of a
+ hidden service's introduction points. Previously, we would
+ launch a new introduction circuit, but not set the hidden service
+ which that circuit was intended to connect to, so it would never
+ actually be used. A different piece of code would then create a
+ new introduction circuit correctly. Bug reported by katmagic and
+ found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
+
+ o Minor bugfixes:
+ - Change an integer overflow check in the OpenBSD_Malloc code so
+ that GCC is less likely to eliminate it as impossible. Patch
+ from Mansour Moufid. Fixes bug 4059.
+ - When a hidden service turns an extra service-side introduction
+ circuit into a general-purpose circuit, free the rend_data and
+ intro_key fields first, so we won't leak memory if the circuit
+ is cannibalized for use as another service-side introduction
+ circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+ - Bridges now skip DNS self-tests, to act a little more stealthily.
+ Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
+ bridges. Patch by "warms0x".
+ - Fix internal bug-checking logic that was supposed to catch
+ failures in digest generation so that it will fail more robustly
+ if we ask for a nonexistent algorithm. Found by Coverity Scan.
+ Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
+ - Report any failure in init_keys() calls launched because our
+ IP address has changed. Spotted by Coverity Scan. Bugfix on
+ 0.1.1.4-alpha; fixes CID 484.
+
+ o Minor bugfixes (log messages and documentation):
+ - Remove a confusing dollar sign from the example fingerprint in the
+ man page, and also make the example fingerprint a valid one. Fixes
+ bug 4309; bugfix on 0.2.1.3-alpha.
+ - The next version of Windows will be called Windows 8, and it has
+ a major version of 6, minor version of 2. Correctly identify that
+ version instead of calling it "Very recent version". Resolves
+ ticket 4153; reported by funkstar.
+ - Downgrade log messages about circuit timeout calibration from
+ "notice" to "info": they don't require or suggest any human
+ intervention. Patch from Tom Lowenthal. Fixes bug 4063;
+ bugfix on 0.2.2.14-alpha.
+
+ o Minor features:
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ Backported from 0.2.3.1-alpha; implements ticket 3951.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
+-------------------------------------------------------------------
+Tue Sep 20 20:58:56 UTC 2011 - andreas.stieger@gmx.de
+
+- update to upstream 0.2.2.33
+
+Changes in version 0.2.2.33 - 2011-09-13
+ Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
+ TLS handshake that makes relays and bridges that run this new version
+ reachable from Iran again.
+
+ o Major bugfixes:
+ - Avoid an assertion failure when reloading a configuration with
+ TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
+ 3923; bugfix on 0.2.2.25-alpha.
+
+ o Minor features (security):
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We think
+ that these attacks are infeasible (requiring the attacker to send
+ on the order of zettabytes of altered cells in a short interval),
+ but we'd rather block them off in case there are any classes of
+ this attack that we missed. Reported by Willem Pinckaers.
+
+ o Minor features:
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Change the default required uptime for a relay to be accepted as
+ a HSDir (hidden service directory) from 24 hours to 25 hours.
+ Improves on 0.2.0.10-alpha; resolves ticket 2649.
+ - Add a VoteOnHidServDirectoriesV2 config option to allow directory
+ authorities to abstain from voting on assignment of the HSDir
+ consensus flag. Related to bug 2649.
+ - Update to the September 6 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (documentation and log messages):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes:
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+
+-------------------------------------------------------------------
+Fri Sep 2 19:55:23 UTC 2011 - andreas.stieger@gmx.de
+
+- updated ot upstream 0.2.2.32
+- removed tor_initscript.patch
+- fixes CVE-2011-4897 Tor Nickname information disclosure
+- fixes CVE-2011-4896 Tor Bridge information disclosure
+
+Changes in version 0.2.2.32 - 2011-08-27
+ The Tor 0.2.2 release series is dedicated to the memory of Andreas
+ Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
+ a founder of the PETS community, a leader in our field, a mentor,
+ and a friend. He left us with these words: "I had the possibility
+ to contribute to this world that is not as it should be. I hope I
+ could help in some areas to make the world a better place, and that
+ I could also encourage other people to be engaged in improving the
+ world. Please, stay engaged. This world needs you, your love, your
+ initiative -- now I cannot be part of that anymore."
+
+ Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
+ ready. More than two years in the making, this release features improved
+ client performance and hidden service reliability, better compatibility
+ for Android, correct behavior for bridges that listen on more than
+ one address, more extensible and flexible directory object handling,
+ better reporting of network statistics, improved code security, and
+ many many other features and bugfixes.
+
+ o Major features (client performance):
+ - When choosing which cells to relay first, relays now favor circuits
+ that have been quiet recently, to provide lower latency for
+ low-volume circuits. By default, relays enable or disable this
+ feature based on a setting in the consensus. They can override
+ this default by using the new "CircuitPriorityHalflife" config
+ option. Design and code by Ian Goldberg, Can Tang, and Chris
+ Alexander.
+ - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients use these weightings to distribute network load + more evenly across these different relay types. The weightings are + in the consensus so we can change them globally in the future. Extra + thanks to "outofwords" for finding some nasty security bugs in + the first implementation of this feature. + + o Major features (client performance, circuit build timeout): + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + - Circuit build timeout constants can be controlled by consensus + parameters. We set good defaults for these parameters based on + experimentation on broadband and simulated high-latency links. + - Circuit build time learning can be disabled via consensus parameter + or by the client via a LearnCircuitBuildTimeout config option. We + also automatically disable circuit build time calculation if either + AuthoritativeDirectory is set, or if we fail to write our state + file. Implements ticket 1296. + + o Major features (relays use their capacity better): + - Set SO_REUSEADDR socket option on all sockets, not just + listeners. This should help busy exit nodes avoid running out of + useable ports just because all the ports have been used in the + near past. Resolves issue 2850. + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved), + so that they can determine their correct estimated bandwidth on + restart. 
Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change would take a while to propagate to them. Resolves issue 1035. + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + + o Major features (relays control their load better): + - Exit relays now try harder to block exit attempts from unknown + relays, to make it harder for people to use them as one-hop proxies + a la tortunnel. Controlled by the refuseunknownexits consensus + parameter (currently enabled), or you can override it on your + relay with the RefuseUnknownExits torrc option. Resolves bug 1751; + based on a variant of proposal 163. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (controllers): + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. 
Now Vidalia bridge operators
+ can get more accurate and immediate feedback about their
+ contributions to the network.
+ - Add an __OwningControllerProcess configuration option and a
+ TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
+ that when it exits, Tor will shut down. Implements feature 3049.
+
+ o Major features (directory authorities):
+ - Directory authorities now create, vote on, and serve multiple
+ parallel formats of directory data as part of their voting process.
+ Partially implements Proposal 162: "Publish the consensus in
+ multiple flavors".
+ - Directory authorities now agree on and publish small summaries
+ of router information that clients can use in place of regular
+ server descriptors. This transition will allow Tor 0.2.3 clients
+ to use far less bandwidth for downloading information about the
+ network. Begins the implementation of Proposal 158: "Clients
+ download consensus + microdescriptors".
+ - The directory voting system is now extensible to use multiple hash
+ algorithms for signatures and resource selection. Newer formats
+ are signed with SHA256, with a possibility for moving to a better
+ hash algorithm in the future.
+ - Directory authorities can now vote on arbitary integer values as
+ part of the consensus process. This is designed to help set
+ network-wide parameters. Implements proposal 167.
+
+ o Major features and bugfixes (node selection):
+ - Revise and reconcile the meaning of the ExitNodes, EntryNodes,
+ ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes
+ options. Previously, we had been ambiguous in describing what
+ counted as an "exit" node, and what operations exactly "StrictNodes
+ 0" would permit. This created confusion when people saw nodes built
+ through unexpected circuits, and made it hard to tell real bugs from
+ surprises. Now the intended behavior is:
+ .
"Exit", in the context of ExitNodes and ExcludeExitNodes, means
+ a node that delivers user traffic outside the Tor network.
+ . "Entry", in the context of EntryNodes, means a node used as the
+ first hop of a multihop circuit. It doesn't include direct
+ connections to directory servers.
+ . "ExcludeNodes" applies to all nodes.
+ . "StrictNodes" changes the behavior of ExcludeNodes only. When
+ StrictNodes is set, Tor should avoid all nodes listed in
+ ExcludeNodes, even when it will make user requests fail. When
+ StrictNodes is *not* set, then Tor should follow ExcludeNodes
+ whenever it can, except when it must use an excluded node to
+ perform self-tests, connect to a hidden service, provide a
+ hidden service, fulfill a .exit request, upload directory
+ information, or fetch directory information.
+ Collectively, the changes to implement the behavior fix bug 1090.
+ - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
+ change during a config reload, mark and discard all our origin
+ circuits. This fix should address edge cases where we change the
+ config options and but then choose a circuit that we created before
+ the change.
+ - Make EntryNodes config option much more aggressive even when
+ StrictNodes is not set. Before it would prepend your requested
+ entrynodes to your list of guard nodes, but feel free to use others
+ after that. Now it chooses only from your EntryNodes if any of
+ those are available, and only falls back to others if a) they're
+ all down and b) StrictNodes is not set.
+ - Now we refresh your entry guards from EntryNodes at each consensus
+ fetch -- rather than just at startup and then they slowly rot as
+ the network changes.
+ - Add support for the country code "{??}" in torrc options like
+ ExcludeNodes, to indicate all routers of unknown country. Closes
+ bug 1094.
+ - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
+ a node is listed in both, it's treated as excluded.
+ - ExcludeNodes now applies to directory nodes -- as a preference if
+ StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
+ Don't exclude all the directory authorities and set StrictNodes to 1
+ unless you really want your Tor to break.
+ - ExcludeNodes and ExcludeExitNodes now override exit enclaving.
+ - ExcludeExitNodes now overrides .exit requests.
+ - We don't use bridges listed in ExcludeNodes.
+ - When StrictNodes is 1:
+ . We now apply ExcludeNodes to hidden service introduction points
+ and to rendezvous points selected by hidden service users. This
+ can make your hidden service less reliable: use it with caution!
+ . If we have used ExcludeNodes on ourself, do not try relay
+ reachability self-tests.
+ . If we have excluded all the directory authorities, we will not
+ even try to upload our descriptor if we're a relay.
+ . Do not honor .exit requests to an excluded node.
+ - When the set of permitted nodes changes, we now remove any mappings
+ introduced via TrackExitHosts to now-excluded nodes. Bugfix on
+ 0.1.0.1-rc.
+ - We never cannibalize a circuit that had excluded nodes on it, even
+ if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
+ - Improve log messages related to excluded nodes.
+
+ o Major features (misc):
+ - Numerous changes, bugfixes, and workarounds from Nathan Freitas
+ to help Tor build correctly for Android phones.
+ - The options SocksPort, ControlPort, and so on now all accept a
+ value "auto" that opens a socket on an OS-selected port. A
+ new ControlPortWriteToFile option tells Tor to write its
+ actual control port or ports to a chosen file. If the option
+ ControlPortFileGroupReadable is set, the file is created as
+ group-readable. Now users can run two Tor clients on the same
+ system without needing to manually mess with parameters. Resolves
+ part of ticket 3076.
+ - Tor now supports tunneling all of its outgoing connections over
+ a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
+ configuration options.
Code by Christopher Davis.
+
+ o Code security improvements:
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Enable Address Space Layout Randomization (ASLR) and Data Execution
+ Prevention (DEP) by default on Windows to make it harder for
+ attackers to exploit vulnerabilities. Patch from John Brooks.
+ - New "--enable-gcc-hardening" ./configure flag (off by default)
+ to turn on gcc compile time hardening options. It ensures
+ that signed ints have defined behavior (-fwrapv), enables
+ -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection
+ with canaries (-fstack-protector-all), turns on ASLR protection if
+ supported by the kernel (-fPIE, -pie), and adds additional security
+ related warnings. Verified to work on Mac OS X and Debian Lenny.
+ - New "--enable-linker-hardening" ./configure flag (off by default)
+ to turn on ELF specific hardening features (relro, now). This does
+ not work with Mac OS X or any other non-ELF binary format.
+ - Always search the Windows system directory for system DLLs, and
+ nowhere else. Bugfix on 0.1.1.23; fixes bug 1954.
+ - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
+ current and future memory pages via mlockall(). On supported
+ platforms (modern Linux and probably BSD but not Windows or OS X),
+ this should effectively disable any and all attempts to page out
+ memory. This option requires that you start your Tor as root --
+ if you use DisableAllSwap, please consider using the User option
+ to properly reduce the privileges of your Tor.
+
+ o Major bugfixes (crashes):
+ - Fix crash bug on platforms where gmtime and localtime can return
+ NULL.
Windows 7 users were running into this one. Fixes part of bug
+ 2077. Bugfix on all versions of Tor. Found by boboper.
+ - Introduce minimum/maximum values that clients will believe
+ from the consensus. Now we'll have a better chance to avoid crashes
+ or worse when a consensus param has a weird value.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - If we're in the pathological case where there's no exit bandwidth
+ but there is non-exit bandwidth, or no guard bandwidth but there
+ is non-guard bandwidth, don't crash during path selection. Bugfix
+ on 0.2.0.3-alpha.
+ - Fix a crash bug when trying to initialize the evdns module in
+ Libevent 2. Bugfix on 0.2.1.16-rc.
+
+ o Major bugfixes (stability):
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - Treat an unset $HOME like an empty $HOME rather than triggering an
+ assert. Bugfix on 0.0.8pre1; fixes bug 1522.
+ - More gracefully handle corrupt state files, removing asserts
+ in favor of saving a backup and resetting state.
+ - Instead of giving an assertion failure on an internal mismatch
+ on estimated freelist size, just log a BUG warning and try later.
+ Mitigates but does not fix bug 1125.
+ - Fix an assert that got triggered when using the TestingTorNetwork
+ configuration option and then issuing a GETINFO config-text control
+ command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
+ - If the cached cert file is unparseable, warn but don't exit.
+
+ o Privacy fixes (relays/bridges):
+ - Don't list Windows capabilities in relay descriptors. We never made
+ use of them, and maybe it's a bad idea to publish them. Bugfix
+ on 0.1.1.8-alpha.
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Maintain separate TLS contexts and certificates for incoming and
+ outgoing connections in bridge relays. Previously we would use the
+ same TLS contexts and certs for incoming and outgoing connections.
+ Bugfix on 0.2.0.3-alpha; addresses bug 988.
+ - Maintain separate identity keys for incoming and outgoing TLS
+ contexts in bridge relays. Previously we would use the same
+ identity keys for incoming and outgoing TLS contexts. Bugfix on
+ 0.2.0.3-alpha; addresses the other half of bug 988.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all descriptors". It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+
+ o Privacy fixes (clients):
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Start the process of disabling ".exit" address notation, since it
+ can be used for a variety of esoteric application-level attacks
+ on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
+ on 0.0.9rc5.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Log a notice when we get a new control connection. Now it's easier
+ for security-conscious users to recognize when a local application
+ is knocking on their controller door. Suggested by bug 1196.
+
+ o Privacy fixes (newnym):
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Major bugfixes (relay bandwidth accounting):
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a bug in bandwidth accounting that could make us use twice
+ the intended bandwidth when our interval start changes due to
+ daylight saving time. Now we tolerate skew in stored vs computed
+ interval starts: if the start of the period changes by no more than
+ 50% of the period's duration, we remember bytes that we transferred
+ in the old period. Fixes bug 1511; bugfix on 0.0.9pre5.
+
+ o Major bugfixes (bridges):
+ - Bridges now use "reject *:*" as their default exit policy. Bugfix
+ on 0.2.0.3-alpha. Fixes bug 1113.
+ - If you configure your bridge with a known identity fingerprint,
+ and the bridge authority is unreachable (as it is in at least
+ one country now), fall back to directly requesting the descriptor
+ from the bridge. Finishes the feature started in 0.2.0.10-alpha;
+ closes bug 1138.
+ - Fix a bug where bridge users who configure the non-canonical
+ address of a bridge automatically switch to its canonical
+ address. If a bridge listens at more than one address, it
+ should be able to advertise those addresses independently and
+ any non-blocked addresses should continue to work. Bugfix on Tor
+ 0.2.0.3-alpha. Fixes bug 2510.
+ - If you configure Tor to use bridge A, and then quit and
+ configure Tor to use bridge B instead (or if you change Tor
+ to use bridge B via the controller), it would happily continue
+ to use bridge A if it's still reachable. While this behavior is
+ a feature if your goal is connectivity, in some scenarios it's a
+ dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
+ - When the controller configures a new bridge, don't wait 10 to 60
+ seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
+
+ o Major bugfixes (directory authorities):
+ - Many relays have been falling out of the consensus lately because
+ not enough authorities know about their descriptor for them to get
+ a majority of votes.
When we deprecated the v2 directory protocol,
+ we got rid of the only way that v3 authorities can hear from each
+ other about other descriptors. Now authorities examine every v3
+ vote for new descriptors, and fetch them from that authority. Bugfix
+ on 0.2.1.23.
+ - Authorities could be tricked into giving out the Exit flag to relays
+ that didn't allow exiting to any ports. This bug could screw
+ with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
+ 1238. Bug discovered by Martin Kowalczyk.
+ - If all authorities restart at once right before a consensus vote,
+ nobody will vote about "Running", and clients will get a consensus
+ with no usable relays. Instead, authorities refuse to build a
+ consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
+
+ o Major bugfixes (stream-level fairness):
+ - When receiving a circuit-level SENDME for a blocked circuit, try
+ to package cells fairly from all the streams that had previously
+ been blocked on that circuit. Previously, we had started with the
+ oldest stream, and allowed each stream to potentially exhaust
+ the circuit's package window. This gave older streams on any
+ given circuit priority over newer ones. Fixes bug 1937. Detected
+ originally by Camilo Viecco. This bug was introduced before the
+ first Tor release, in svn commit r152: it is the new winner of
+ the longest-lived bug prize.
+ - Fix a stream fairness bug that would cause newer streams on a given
+ circuit to get preference when reading bytes from the origin or
+ destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
+ introduced before the first Tor release, in svn revision r152.
+ - When the exit relay got a circuit-level sendme cell, it started
+ reading on the exit streams, even if had 500 cells queued in the
+ circuit queue already, so the circuit queue just grew and grew in
+ some cases. We fix this by not re-enabling reading on receipt of a
+ sendme cell when the cell queue is blocked. Fixes bug 1653.
Bugfix
+ on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by
+ "yetonetime".
+ - Newly created streams were allowed to read cells onto circuits,
+ even if the circuit's cell queue was blocked and waiting to drain.
+ This created potential unfairness, as older streams would be
+ blocked, but newer streams would gladly fill the queue completely.
+ We add code to detect this situation and prevent any stream from
+ getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially
+ fixes bug 1298.
+
+ o Major bugfixes (hidden services):
+ - Apply circuit timeouts to opened hidden-service-related circuits
+ based on the correct start time. Previously, we would apply the
+ circuit build timeout based on time since the circuit's creation;
+ it was supposed to be applied based on time since the circuit
+ entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
+ - Improve hidden service robustness: When we find that we have
+ extended a hidden service's introduction circuit to a relay not
+ listed as an introduction point in the HS descriptor we currently
+ have, retry with an introduction point from the current
+ descriptor. Previously we would just give up. Fixes bugs 1024 and
+ 1930; bugfix on 0.2.0.10-alpha.
+ - Directory authorities now use data collected from their own
+ uptime observations when choosing whether to assign the HSDir flag
+ to relays, instead of trusting the uptime value the relay reports in
+ its descriptor. This change helps prevent an attack where a small
+ set of nodes with frequently-changing identity keys can blackhole
+ a hidden service. (Only authorities need upgrade; others will be
+ fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
+ - Stop assigning the HSDir flag to relays that disable their
+ DirPort (and thus will refuse to answer directory requests).
This
+ fix should dramatically improve the reachability of hidden services:
+ hidden services and hidden service clients pick six HSDir relays
+ to store and retrieve the hidden service descriptor, and currently
+ about half of the HSDir relays will refuse to work. Bugfix on
+ 0.2.0.10-alpha; fixes part of bug 1693.
+
+ o Major bugfixes (misc):
+ - Clients now stop trying to use an exit node associated with a given
+ destination by TrackHostExits if they fail to reach that exit node.
+ Fixes bug 2999. Bugfix on 0.2.0.20-rc.
+ - Fix a regression that caused Tor to rebind its ports if it receives
+ SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919.
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+
+ o Minor features (relays):
+ - Ensure that no empty [dirreq-](read|write)-history lines are added
+ to an extrainfo document. Implements ticket 2497.
+ - When bandwidth accounting is enabled, be more generous with how
+ much bandwidth we'll use up before entering "soft hibernation".
+ Previously, we'd refuse new connections and circuits once we'd
+ used up 95% of our allotment. Now, we use up 95% of our allotment,
+ AND make sure that we have no more than 500MB (or 3 hours of
+ expected traffic, whichever is lower) remaining before we enter
+ soft hibernation.
+ - Relays now log the reason for publishing a new relay descriptor,
+ so we have a better chance of hunting down instances of bug 1810.
+ Resolves ticket 3252.
+ - Log a little more clearly about the times at which we're no longer
+ accepting new connections (e.g. due to hibernating). Resolves
+ bug 2181.
+ - When AllowSingleHopExits is set, print a warning to explain to the
+ relay operator why most clients are avoiding her relay.
+ - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+
+ o Minor features (network statistics):
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
+ "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
+ improvements: 1) stats are written to disk exactly every 24 hours;
+ 2) estimated shares of v2 and v3 requests are determined as mean
+ values, not at the end of a measurement period; 3) unresolved
+ requests are listed with country code '??'; 4) directories also
+ measure download times.
+ - Exit nodes that set "ExitPortStatistics 1" write statistics on the
+ number of exit streams and transferred bytes per port to disk every
+ 24 hours.
+ - Relays that set "CellStatistics 1" write statistics on how long
+ cells spend in their circuit queues to disk every 24 hours.
+ - Entry nodes that set "EntryStatistics 1" write statistics on the
+ rough number and origins of connecting clients to disk every 24
+ hours.
+ - Relays that write any of the above statistics to disk and set
+ "ExtraInfoStatistics 1" include the past 24 hours of statistics in
+ their extra-info documents. Implements proposal 166.
+
+ o Minor features (GeoIP and statistics):
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Relays report the number of bytes spent on answering directory
+ requests in extra-info descriptors similar to {read,write}-history.
+ Implements enhancement 1790.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
+ when we switch from being a public relay to a bridge. Otherwise
+ there will still be clients that see the relay in their consensus,
+ and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
+ bug 932.
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor features (clients):
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - If we've configured EntryNodes and our network goes away and/or all
+ our entrynodes get marked down, optimistically retry them all when
+ a new socks application request appears. Fixes bug 1882.
+ - Always perform router selections using weighted relay bandwidth,
+ even if we don't need a high capacity circuit at the time. Non-fast
+ circuits now only differ from fast ones in that they can use relays
+ not marked with the Fast flag. This "feature" could turn out to
+ be a horrible bug; we should investigate more before it goes into
+ a stable release.
+ - When we run out of directory information such that we can't build
+ circuits, but then get enough that we can build circuits, log when
+ we actually construct a circuit, so the user has a better chance of
+ knowing what's going on. Fixes bug 1362.
+ - Log SSL state transitions at debug level during handshake, and
+ include SSL states in error messages. This may help debug future
+ SSL handshake issues.
+
+ o Minor features (directory authorities):
+ - When a router changes IP address or port, authorities now launch
+ a new reachability test for it. Implements ticket 1899.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Directory authorities now do an immediate reachability check as soon
+ as they hear about a new relay. This change should slightly reduce
+ the time between setting up a relay and getting listed as running
+ in the consensus. It should also improve the time between setting
+ up a bridge and seeing use by bridge users.
+ - Directory authorities no longer launch a TLS connection to every
+ relay as they startup. Now that we have 2k+ descriptors cached,
+ the resulting network hiccup is becoming a burden. Besides,
+ authorities already avoid voting about Running for the first half
+ hour of their uptime.
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote, so we can track failures better.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+
+ o Minor features (hidden services):
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Make hidden services work better in private Tor networks by not
+ requiring any uptime to join the hidden service descriptor
+ DHT. Implements ticket 2088.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Minor features (controller interface):
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Have the controller interface give a more useful message than
+ "Internal Error" in response to failed GETINFO requests.
+ - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
+ event, to give information on the current rate of circuit timeouts
+ over our stored history.
+ - The 'EXTENDCIRCUIT' control port command can now be used with
+ a circ id of 0 and no path. This feature will cause Tor to build
+ a new 'fast' general purpose circuit using its own path selection
+ algorithms.
+ - Added a BUILDTIMEOUT_SET controller event to describe changes
+ to the circuit build timeout.
+ - New controller command "getinfo config-text". It returns the
+ contents that Tor would write if you send it a SAVECONF command,
+ so the controller can write the file to disk itself.
+
+ o Minor features (controller protocol):
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets.
Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
+ not. This would lead to a cookie that is still not group readable.
+ Closes bug 1843. Suggested by katmagic.
+ - Future-proof the controller protocol a bit by ignoring keyword
+ arguments we do not recognize.
+
+ o Minor features (more useful logging):
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Rate-limit the "your application is giving Tor only an IP address"
+ warning. Addresses bug 2000; bugfix on 0.0.8pre2.
+ - Rate-limit "Failed to hand off onionskin" warnings.
+ - When logging a rate-limited warning, we now mention how many messages
+ got suppressed since the last warning.
+ - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
+ 2 no signature, 4 required" messages about consensus signatures
+ easier to read, and make sure they get logged at the same severity
+ as the messages explaining which keys are which. Fixes bug 1290.
+ - Don't warn when we have a consensus that we can't verify because
+ of missing certificates, unless those certificates are ones
+ that we have been trying and failing to download. Fixes bug 1145.
+
+ o Minor features (log domains):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+ - Add a new "Handshake" log domain for activities that happen
+ during the TLS handshake.
+
+ o Minor features (build process):
+ - Make compilation with clang possible when using
+ "--enable-gcc-warnings" by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Resolves
+ ticket 2696.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+ - Add support for statically linking zlib by specifying
+ "--enable-static-zlib", to go with our support for statically
+ linking openssl and libevent. Resolves bug 1358.
+ - Instead of adding the svn revision to the Tor version string, report
+ the git commit (when we're building from a git checkout).
+ - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
+ system headers.
+ - New --digests command-line switch to output the digests of the
+ source files Tor was built with.
+ - Generate our manpage and HTML documentation using Asciidoc. This
+ change should make it easier to maintain the documentation, and
+ produce nicer HTML. The build process fails if asciidoc cannot
+ be found and building with asciidoc isn't disabled (via the
+ "--disable-asciidoc" argument to ./configure. Skipping the manpage
+ speeds up the build considerably.
+
+ o Minor features (options / torrc):
+ - Warn when the same option is provided more than once in a torrc
+ file, on the command line, or in a single SETCONF statement, and
+ the option is one that only accepts a single line.
Closes bug 1384.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Add new "perconnbwrate" and "perconnbwburst" consensus params to
+ do individual connection-level rate limiting of clients. The torrc
+ config options with the same names trump the consensus params, if
+ both are present. Replaces the old "bwconnrate" and "bwconnburst"
+ consensus params which were broken from 0.2.2.7-alpha through
+ 0.2.2.14-alpha. Closes bug 1947.
+ - New config option "WarnUnsafeSocks 0" disables the warning that
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
+ - New config option "CircuitStreamTimeout" to override our internal
+ timeout schedule for how many seconds until we detach a stream from
+ a circuit and try a new circuit. If your network is particularly
+ slow, you might want to set this to a number like 60.
+ - New options for SafeLogging to allow scrubbing only log messages
+ generated while acting as a relay. Specify "SafeLogging relay" if
+ you want to ensure that only messages known to originate from
+ client use of the Tor process will be logged unsafely.
+ - Time and memory units in the configuration file can now be set to
+ fractional units. For example, "2.5 GB" is now a valid value for
+ AccountingMax.
+ - Support line continuations in the torrc config file. If a line
+ ends with a single backslash character, the newline is ignored, and
+ the configuration value is treated as continuing on the next line.
+ Resolves bug 1929.
+
+ o Minor features (unit tests):
+ - Revise our unit tests to use the "tinytest" framework, so we
+ can run tests in their own processes, have smarter setup/teardown
+ code, and so on.
The unit test code has moved to its own
+ subdirectory, and has been split into multiple modules.
+ - Add a unit test for cross-platform directory-listing code.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch
+ by Gisle Vanem.
+
+ o Minor features (misc):
+ - The "torify" script now uses torsocks where available.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Certain Tor clients (such as those behind check.torproject.org) may
+ want to fetch the consensus in an extra early manner. To enable this
+ a user may now set FetchDirInfoExtraEarly to 1. This also depends on
+ setting FetchDirInfoEarly to 1. Previous behavior will stay the same
+ as only certain clients who must have this information sooner should
+ set this option.
+ - Expand homedirs passed to tor-checkkey. This should silence a
+ coverity complaint about passing a user-supplied string into
+ open() without checking it.
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Minor bugfixes (relays):
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - Publish a router descriptor even if generating an extra-info
+ descriptor fails. Previously we would not publish a router
+ descriptor without an extra-info descriptor; this can cause fast
+ exit relays collecting exit-port statistics to drop from the
+ consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
+ - When we're trying to guess whether we know our IP address as
+ a relay, we would log various ways that we failed to guess
+ our address, but never log that we ended up guessing it
+ successfully. Now add a log line to help confused and anxious
+ relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
+ - For bandwidth accounting, calculate our expected bandwidth rate
+ based on the time during which we were active and not in
+ soft-hibernation during the last interval. Previously, we were
+ also considering the time spent in soft-hibernation. If this
+ was a long time, we would wind up underestimating our bandwidth
+ by a lot, and skewing our wakeup time towards the start of the
+ accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
+ - Demote a confusing TLS warning that relay operators might get when
+ someone tries to talk to their ORPort. It is not the operator's
+ fault, nor can they do anything about it. Fixes bug 1364; bugfix
+ on 0.2.0.14-alpha.
+ - Change "Application request when we're believed to be offline."
+ notice to "Application request when we haven't used client
+ functionality lately.", to clarify that it's not an error. Bugfix
+ on 0.0.9.3; fixes bug 1222.
+
+ o Minor bugfixes (bridges):
+ - When a client starts or stops using bridges, never use a circuit
+ that was built before the configuration change. This behavior could
+ put at risk a user who uses bridges to ensure that her traffic
+ only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
+ bug 3200.
+ - Do not reset the bridge descriptor download status every time we
+ re-parse our configuration or get a configuration change.
Fixes
+ bug 3019; bugfix on 0.2.0.3-alpha.
+ - Users couldn't configure a regular relay to be their bridge. It
+ didn't work because when Tor fetched the bridge descriptor, it found
+ that it already had it, and didn't realize that the purpose of the
+ descriptor had changed. Now we replace routers with a purpose other
+ than bridge with bridge descriptors when fetching them. Bugfix on
+ 0.1.1.9-alpha. Fixes bug 1776.
+ - In the special case where you configure a public exit relay as your
+ bridge, Tor would be willing to use that exit relay as the last
+ hop in your circuit as well. Now we fail that circuit instead.
+ Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
+
+ o Minor bugfixes (clients):
+ - We now ask the other side of a stream (the client or the exit)
+ for more data on that stream when the amount of queued data on
+ that stream dips low enough. Previously, we wouldn't ask the
+ other side for more data until either it sent us more data (which
+ it wasn't supposed to do if it had exhausted its window!) or we
+ had completely flushed all our queued data. This flow control fix
+ should improve throughput. Fixes bug 2756; bugfix on the earliest
+ released versions of Tor (svn commit r152).
+ - When a client finds that an origin circuit has run out of 16-bit
+ stream IDs, we now mark it as unusable for new streams. Previously,
+ we would try to close the entire circuit. Bugfix on 0.0.6.
+ - Make it explicit that we don't cannibalize one-hop circuits. This
+ happens in the wild, but doesn't turn out to be a problem because
+ we fortunately don't use those circuits. Many thanks to outofwords
+ for the initial analysis and to swissknife who confirmed that
+ two-hop circuits are actually created.
+ - Resolve an edge case in path weighting that could make us misweight
+ our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
+ - Make the DNSPort option work with libevent 2.x. Don't alter the
+ behaviour for libevent 1.x. Fixes bug 1143.
Found by SwissTorExit.
+
+ o Minor bugfixes (directory authorities):
+ - Make directory authorities more accurate at recording when
+ relays that have failed several reachability tests became
+ unreachable, so we can provide more accuracy at assigning Stable,
+ Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
+ - Directory authorities are now more robust to hops back in time
+ when calculating router stability. Previously, if a run of uptime
+ or downtime appeared to be negative, the calculation could give
+ incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
+ bug 1035.
+ - Directory authorities will now attempt to download consensuses
+ if their own efforts to make a live consensus have failed. This
+ change means authorities that restart will fetch a valid
+ consensus, and it means authorities that didn't agree with the
+ current consensus will still fetch and serve it if it has enough
+ signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
+ - Never vote for a server as "Running" if we have a descriptor for
+ it claiming to be hibernating, and that descriptor was published
+ more recently than our last contact with the server. Bugfix on
+ 0.2.0.3-alpha; fixes bug 911.
+ - Directory authorities no longer change their opinion of, or vote on,
+ whether a router is Running, unless they have themselves been
+ online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
+ Fixes bug 1023.
+
+ o Minor bugfixes (hidden services):
+ - Log malformed requests for rendezvous descriptors as protocol
+ warnings, not warnings. Also, use a more informative log message
+ in case someone sees it at log level warning without prior
+ info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
+ - Accept hidden service descriptors if we think we might be a hidden
+ service directory, regardless of what our consensus says.
This
+ helps robustness, since clients and hidden services can sometimes
+ have a more up-to-date view of the network consensus than we do,
+ and if they think that the directory authorities list us a HSDir,
+ we might actually be one. Related to bug 2732; bugfix on
+ 0.2.0.10-alpha.
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Clients and hidden services now use HSDir-flagged relays for hidden
+ service descriptor downloads and uploads even if the relays have no
+ DirPort set and the client has disabled TunnelDirConns. This will
+ eventually allow us to give the HSDir flag to relays with no
+ DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
+ - Only limit the lengths of single HS descriptors, even when multiple
+ HS descriptors are published to an HSDir relay in a single POST
+ operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
+
+ o Minor bugfixes (controllers):
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Send a SUCCEEDED stream event to the controller when a reverse
+ resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
+ discovered by katmagic.
+ - Remove a trailing asterisk from "exit-policy/default" in the
+ output of the control port command "GETINFO info/names". Bugfix
+ on 0.1.2.5-alpha.
+ - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
+ 2917. Bugfix on 0.1.1.1-alpha.
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event.
Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - When a controller changes TrackHostExits, remove mappings for
+ hosts that should no longer have their exits tracked. Bugfix on
+ 0.1.0.1-rc.
+ - When a controller changes VirtualAddrNetwork, remove any mappings
+ for hosts that were automapped to the old network. Bugfix on
+ 0.1.1.19-rc.
+ - When a controller changes one of the AutomapHosts* options, remove
+ any mappings for hosts that should no longer be automapped. Bugfix
+ on 0.2.0.1-alpha.
+ - Fix an off-by-one error in calculating some controller command
+ argument lengths. Fortunately, this mistake is harmless since
+ the controller code does redundant NUL termination too. Found by
+ boboper. Bugfix on 0.1.1.1-alpha.
+ - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
+ would return "551 Internal error" rather than "552 Unrecognized key
+ ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
+ - Don't spam the controller with events when we have no file
+ descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
+ for log messages was already solved from bug 748.)
+ - Emit a GUARD DROPPED controller event for a case we missed.
+ - Ensure DNS requests launched by "RESOLVE" commands from the
+ controller respect the __LeaveStreamsUnattached setconf options. The
+ same goes for requests launched via DNSPort or transparent
+ proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
+
+ o Minor bugfixes (config options):
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Change the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2752. Fix by Michael Yakubovich.
+ - Complain if PublishServerDescriptor is given multiple arguments that
+ include 0 or 1. This configuration will be rejected in the future.
+ Bugfix on 0.2.0.1-alpha; closes bug 1107.
+ - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
+ Bugfix on 0.2.0.13-alpha; closes bug 928.
+
+ o Minor bugfixes (log subsystem fixes):
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+ - Be more consistent in our treatment of file system paths. "~" should
+ get expanded to the user's home directory in the Log config option.
+ Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
+ feature for the -f and --DataDirectory options.
+
+ o Minor bugfixes (memory management):
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+ - Save a couple bytes in memory allocation every time we escape
+ certain characters in a string. Patch from Florian Zumbiehl.
+
+ o Minor bugfixes (protocol correctness):
+ - When checking for 1024-bit keys, check for 1024 bits, not 128
+ bytes. This allows Tor to correctly discard keys of length 1017
+ through 1023. Bugfix on 0.0.9pre5.
+ - Require that introduction point keys and onion handshake keys
+ have a public exponent of 65537. Starts to fix bug 3207; bugfix
+ on 0.2.0.10-alpha.
+ - Handle SOCKS messages longer than 128 bytes long correctly, rather
+ than waiting forever for them to finish. Fixes bug 2330; bugfix
+ on 0.2.0.16-alpha. Found by doorss.
+ - Never relay a cell for a circuit we have already destroyed.
+ Between marking a circuit as closeable and finally closing it,
+ it may have been possible for a few queued cells to get relayed,
+ even though they would have been immediately dropped by the next
+ OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
+ - Never queue a cell for a circuit that's already been marked
+ for close.
+ - Fix a spec conformance issue: the network-status-version token
+ must be the first token in a v3 consensus or vote. Discovered by
+ "parakeep". Bugfix on 0.2.0.3-alpha.
+ - A networkstatus vote must contain exactly one signature. Spec
+ conformance issue. Bugfix on 0.2.0.3-alpha.
+ - When asked about a DNS record type we don't support via a
+ client DNSPort, reply with NOTIMPL rather than an empty
+ reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
+ - Make more fields in the controller protocol case-insensitive, since
+ control-spec.txt said they were.
+
+ o Minor bugfixes (log messages):
+ - Fix a log message that said "bits" while displaying a value in
+ bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
+ 0.2.0.1-alpha.
+ - Downgrade "no current certificates known for authority" message from
+ Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
+ - Correctly describe errors that occur when generating a TLS object.
+ Previously we would attribute them to a failure while generating a
+ TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
+ bug 1994.
+ - Fix an instance where a Tor directory mirror might accidentally
+ log the IP address of a misbehaving Tor client. Bugfix on
+ 0.1.0.1-rc.
+ - Stop logging at severity 'warn' when some other Tor client tries
+ to establish a circuit with us using weak DH keys. It's a protocol
+ violation, but that doesn't mean ordinary users need to hear about
+ it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
+ - If your relay can't keep up with the number of incoming create
+ cells, it would log one warning per failure into your logs. Limit
+ warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
+
+ o Minor bugfixes (build fixes):
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Fix warnings that newer versions of autoconf produce during
+ ./autogen.sh. These warnings appear to be harmless in our case,
+ but they were extremely verbose. Fixes bug 2020.
+ - Squash a compile warning on OpenBSD. Reported by Tas; fixes
+ bug 1848.
+
+ o Minor bugfixes (portability):
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - Use a wide type to hold sockets when built for 64-bit Windows.
+ Fixes bug 3270.
+ - Fix an issue that prevented static linking of libevent on
+ some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
+ where we introduced the "--with-static-libevent" configure option.
+ - Fix a bug with our locking implementation on Windows that couldn't
+ correctly detect when a file was already locked. Fixes bug 2504,
+ bugfix on 0.2.1.6-alpha.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled.
+ - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
+ Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
+ "piebeer".
+
+ o Minor bugfixes (code correctness):
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Make connection_printf_to_buf()'s behaviour sane.
Its callers
+ expect it to emit a CRLF iff the format string ends with CRLF;
+ it actually emitted a CRLF iff (a) the format string ended with
+ CRLF or (b) the resulting string was over 1023 characters long or
+ (c) the format string did not end with CRLF *and* the resulting
+ string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
+ fixes part of bug 3407.
+ - Make send_control_event_impl()'s behaviour sane. Its callers
+ expect it to always emit a CRLF at the end of the string; it
+ might have emitted extra control characters as well. Bugfix on
+ 0.1.1.9-alpha; fixes another part of bug 3407.
+ - Make crypto_rand_int() check the value of its input correctly.
+ Previously, it accepted values up to UINT_MAX, but could return a
+ negative number if given a value above INT_MAX+1. Found by George
+ Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
+ - Fix a potential null-pointer dereference while computing a
+ consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ clang's analyzer.
+ - If we fail to compute the identity digest of a v3 legacy keypair,
+ warn, and don't use a buffer-full of junk instead. Bugfix on
+ 0.2.1.1-alpha; fixes bug 3106.
+ - Resolve an untriggerable issue in smartlist_string_num_isin(),
+ where if the function had ever in the future been used to check
+ for the presence of a too-large number, it would have given an
+ incorrect result. (Fortunately, we only used it for 16-bit
+ values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
+ - Be more careful about reporting the correct error from a failed
+ connect() system call. Under some circumstances, it was possible to
+ look at an incorrect value for errno when sending the end reason.
+ Bugfix on 0.1.0.1-rc.
+ - Correctly handle an "impossible" overflow cases in connection byte
+ counting, where we write or read more than 4GB on an edge connection
+ in a single second. Bugfix on 0.1.2.8-beta.
+ - Avoid a double mark-for-free warning when failing to attach a
+ transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
+ bug 2279.
+ - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
+ found by "cypherpunks". This bug was introduced before the first
+ Tor release, in svn commit r110.
+ - Fix a bug in bandwidth history state parsing that could have been
+ triggered if a future version of Tor ever changed the timing
+ granularity at which bandwidth history is measured. Bugfix on
+ Tor 0.1.1.11-alpha.
+ - Add assertions to check for overflow in arguments to
+ base32_encode() and base32_decode(); fix a signed-unsigned
+ comparison there too. These bugs are not actually reachable in Tor,
+ but it's good to prevent future errors too. Found by doorss.
+ - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
+ "memcpyfail".
+ - Set target port in get_interface_address6() correctly. Bugfix
+ on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
+ - Fix an impossible-to-actually-trigger buffer overflow in relay
+ descriptor generation. Bugfix on 0.1.0.15.
+ - Fix numerous small code-flaws found by Coverity Scan Rung 3.
+
+ o Minor bugfixes (code improvements):
+ - After we free an internal connection structure, overwrite it
+ with a different memory value than we use for overwriting a freed
+ internal circuit structure. Should help with debugging. Suggested
+ by bug 1055.
+ - If OpenSSL fails to make a duplicate of a private or public key, log
+ an error message and try to exit cleanly. May help with debugging
+ if bug 1209 ever remanifests.
+ - Some options used different conventions for uppercasing of acronyms
+ when comparing manpage and source. Fix those in favor of the
+ manpage, as it makes sense to capitalize acronyms.
+ - Take a first step towards making or.h smaller by splitting out
+ function definitions for all source files in src/or/. Leave
+ structures and defines in or.h for now.
+ - Remove a few dead assignments during router parsing. Found by
+ coverity.
+ - Don't use 1-bit wide signed bit fields. Found by coverity.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - The memarea code now uses a sentinel value at the end of each area
+ to make sure nothing writes beyond the end of an area. This might
+ help debug some conceivable causes of bug 930.
+ - Always treat failure to allocate an RSA key as an unrecoverable
+ allocation error.
+ - Add some more defensive programming for architectures that can't
+ handle unaligned integer accesses. We don't know of any actual bugs
+ right now, but that's the best time to fix them. Fixes bug 1943.
+
+ o Minor bugfixes (misc):
+ - Fix a rare bug in rend_fn unit tests: we would fail a test when
+ a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
+ on 0.2.0.10-alpha; fixes bug 1808.
+ - Where available, use Libevent 2.0's periodic timers so that our
+ once-per-second cleanup code gets called even more closely to
+ once per second than it would otherwise. Fixes bug 943.
+ - Ignore OutboundBindAddress when connecting to localhost.
+ Connections to localhost need to come _from_ localhost, or else
+ local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
+ refuse to listen.
+ - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
+ too.
+ - If any of the v3 certs we download are unparseable, we should
+ actually notice the failure so we don't retry indefinitely. Bugfix
+ on 0.2.0.x; reported by "rotator".
+ - When Tor fails to parse a descriptor of any kind, dump it to disk.
+ Might help diagnosing bug 1051.
+ - Make our 'torify' script more portable; if we have only one of
+ 'torsocks' or 'tsocks' installed, don't complain to the user;
+ and explain our warning about tsocks better.
+ - Fix some urls in the exit notice file and make it XHTML1.1 strict
+ compliant. Based on a patch from Christian Kujau.
+
+ o Documentation changes:
+ - Modernize the doxygen configuration file slightly. Fixes bug 2707.
+ - Resolve all doxygen warnings except those for missing documentation.
+ Fixes bug 2705.
+ - Add doxygen documentation for more functions, fields, and types.
+ - Convert the HACKING file to asciidoc, and add a few new sections
+ to it, explaining how we use Git, how we make changelogs, and
+ what should go in a patch.
+ - Document the default socks host and port (127.0.0.1:9050) for
+ tor-resolve.
+ - Removed some unnecessary files from the source distribution. The
+ AUTHORS file has now been merged into the people page on the
+ website. The roadmaps and design doc can now be found in the
+ projects directory in svn.
+
+ o Deprecated and removed features (config):
+ - Remove the torrc.complete file. It hasn't been kept up to date
+ and users will have better luck checking out the manpage.
+ - Remove the HSAuthorityRecordStats option that version 0 hidden
+ service authorities could use to track statistics of overall v0
+ hidden service usage.
+ - Remove the obsolete "NoPublish" option; it has been flagged
+ as obsolete and has produced a warning since 0.1.1.18-rc.
+ - Caches no longer download and serve v2 networkstatus documents
+ unless FetchV2Networkstatus flag is set: these documents haven't
+ haven't been used by clients or relays since 0.2.0.x. Resolves
+ bug 3022.
+
+ o Deprecated and removed features (controller):
+ - The controller no longer accepts the old obsolete "addr-mappings/"
+ or "unregistered-servers-" GETINFO values.
+ - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
+ always on; using them is necessary for correct forward-compatible
+ controllers.
+
+ o Deprecated and removed features (misc):
+ - Hidden services no longer publish version 0 descriptors, and clients
+ do not request or use version 0 descriptors. However, the old hidden
+ service authorities still accept and serve version 0 descriptors
+ when contacted by older hidden services/clients.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Remove everything related to building the expert bundle for OS X.
+ It has confused many users, doesn't work right on OS X 10.6,
+ and is hard to get rid of once installed. Resolves bug 1274.
+ - Remove support for .noconnect style addresses. Nobody was using
+ them, and they provided another avenue for detecting Tor users
+ via application-level web tricks.
+ - When we fixed bug 1038 we had to put in a restriction not to send
+ RELAY_EARLY cells on rend circuits. This was necessary as long
+ as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
+ active. Now remove this obsolete check. Resolves bug 2081.
+ - Remove workaround code to handle directory responses from servers
+ that had bug 539 (they would send HTTP status 503 responses _and_
+ send a body too). Since only server versions before
+ 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
+ keep the workaround in place.
+ - Remove the old 'fuzzy time' logic. It was supposed to be used for
+ handling calculations where we have a known amount of clock skew and
+ an allowed amount of unknown skew. But we only used it in three
+ places, and we never adjusted the known/unknown skew values. This is
+ still something we might want to do someday, but if we do, we'll
+ want to do it differently.
+ - Remove the "--enable-iphone" option to ./configure. According to
+ reports from Marco Bonetti, Tor builds fine without any special
+ tweaking on recent iPhone SDK versions.
+
+-------------------------------------------------------------------
+Mon Feb 28 21:29:12 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstram 0.2.1.30
+
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line.
This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+-------------------------------------------------------------------
+Wed Feb 16 21:13:00 UTC 2011 - andreas.stieger@gmx.de
+
+- fix bug #671821 - /var/run/tor might not exist
+
+-------------------------------------------------------------------
+Mon Jan 17 19:47:20 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.29
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+-------------------------------------------------------------------
+Mon Dec 20 21:24:19 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.28
+ - Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ - Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ - Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+-------------------------------------------------------------------
+Fri Nov 26 17:12:40 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.27
+
+-------------------------------------------------------------------
+Fri Aug 6 03:53:35 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- %ghost the pid file so /var/run can be mounted tmpfs
+- require logrotate
+
+-------------------------------------------------------------------
+Sat May 29 17:50:51 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.26
+
+-------------------------------------------------------------------
+Sun Mar 28 17:00:30 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.25
+
+-------------------------------------------------------------------
+Mon Mar 1 20:49:13 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.24)
+
+-------------------------------------------------------------------
+Fri Jan 29 13:34:55 UTC 2010 - puzel@novell.com
+
+- remove debug_package macro to make it build
+
+-------------------------------------------------------------------
+Sun Jan 24 22:21:51
UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.22)
+
diff --git a/tor.keyring b/tor.keyring
new file mode 100644
index 0000000..581cf6d
--- /dev/null
+++ b/tor.keyring
@@ -0,0 +1,686 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh +As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs +Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS +wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX +gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut +vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG +w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO +1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 +eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu +wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj +h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 +eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b 
+eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa +RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 +D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA +gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 +AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 +AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl +ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc +6SM3xZaaxQI= +=GZkh +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBFfinwwBEADNzG/Q6YTrH7oSfUERhopwCWWn/gsprtnUFK+O4enXPXQlisGt +OVNbc5GWoZibNPowjORN+kADB+ce+VBmVeh+4ZeJDjpsc+WXuVajDc0wNwG3I36m +8uNRPLMftBcxS1zUsMpwaqff5sDoqlBTwrvfLpHT0W1ecJX8Ew10zim58DzwQisR +Uv1rsGiyH/dFzs8m3jPdNjDZyyzGQK62hwp6Y/m11PiMYgGrvAa1ofjfkGRVxUgo +UUG8JG/AhGvMnHJjV923A7I8MspOm4H76wlEQLesPHJ5WPSBXTZ5jVgdWdp50fPR +JZOUT6gwkYF59SeZOcSFecdyuSb0W68/klD5PX0G8qQ5ko9beNm7Rs2aJKvY1MHU +n5rb00aulQFaYLFJ7LOTDqYDUkKYp7n4hw1X1yXO1MUYyk9J9WNO/Uo2psKXcBsd +ZjdEWj1dWHOhwswygndL7RxK/17psmod055S0uYkjA74J2eRSmPZ7ErIfUh85rQw +DZyYKh7B6AGjcpA1YyrAh6BgyJncP9x21dmip0ENrfg5rpcfHpTrOF8To8fpo4/y +vUL8kCxCCPJtkJiuXkGhV3oZsj2tWGvAclYqO7xe84vks+GgjG9Ydfga8JrvPMDz +YLX7aTDnZRiU2Z+FvtABMjmmPjAHj3hMx/o25Na4bQ7wBAPEUiESsnh1HwARAQAB +zSNOaWNrIE1hdGhld3NvbiA8bmlja21AYWx1bS5taXQuZWR1PsLBgQQTAQgAKwIb +AQIeAQIXgAIZAQULCQgHAgYVCgkICwIFFgMCAQAFAl97G2UFCRD+fdkACgkQ/kMA +nEYHsfsg8g//ToPK4HDWDmHOLcFKi2v33Q/aTA5TsfQb1pwHvAUepABf+bjwqu5o +/2K3HFqhn7HVl7vgpqFcAjf1u9H7Jh+R7buawoWQIxi5cWW0GIuX9gutzgVyP/36 +y6rrQnZwcY+vIvi7fmRx0VVd+bZMOsd5/XJQ2wkLDw/6ppRWIPY5Pg97M3+CD26r +MonWcghRkCO9g0PwAxmqYHZCxcJp5aEURLOzh8NtDllxsoaZK4H974tWtWk04BWH +koApQPFg0YYn3cTftAIanmgtuKARW5nAIzPnCS2576DjKyUbAis19nYRgv+CtMZQ +ohkyNEeDowf7UgFTI+AkbUBjxwKP71U7ZW+qynRYT125jTtTGOOkX5BQjx2Qg/sO 
+Vs7Ukyezw1GFWmka4ijpHRssvEdK1mKZLqH8OsMG6XE1xIDOIRnsNJzR0c4u3IGO +C3+TAQaokn1E45CcFwb39n6keFLVEIa+XnYDil5QC6w+16TMvK38q6dS5QnE04OS +errSuYfX4IFslhkaLXd7uAAb7qrSQzD//jmmiKjgyFuRnSHO/nlv7fsvpCtFNNX5 +stthayhtmKxvBSlyTgArcNiP0oQKVE3LO8y2qARGY1eOBMMC0ml0W053A/cfQOAa ++2UqQlvCQf/Qben24Bh4tKyW6The2k4aNSIN9tyIUAIASfgOtoye6J/CwYEEEwEI +ACsCGwECHgECF4ACGQEFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5ngBQkHf2HUAAoJ +EP5DAJxGB7H7XPMQAJ6EXm4DaB1IlCrH+5U+QYXwwrKiBR+mHPBWuiEBSUbY4nOY +V+jK0647jljluyPXL7EUHli5RqajCvqZPfheAuRxNLlyznhJeLjdt/qBbTEgtOvo +QwsmmDwEogiStE/FrNypgGCqH6NLAEvHANn9UBDRsi/J6ccPDieIuxlQa5ksQCsR +zXTp19+39XWkeStIaaHx0w/x78IyAQHFZlxDI88/ZmUXfI2FWkOnp5dWcJhYJPGf +/E4n/aBbKZ6cB5OxEAX3uAt2fz625RuoFR9R03BjW1L8RJwKEa5fiBf8sG69dxmn +RWqebG5H4MhCemG9Pv1CGqK/bAiyIK6j2Dpj7K7F6j/0CePr7K0MrGjHOvT01bnt +ZI0jnNWGWS9M18M3mfdHM4Lof8kA8S/KIJ6gFAi0N5W8OVtzUx20IA1G2cRcrTYc +zyOpENDKOz26CRIi8SyJWmfR8N0HE5YlouT+xL09Vyo4i2Jck12t59DnKvCnsNLM +XuudDOALTGqyzK2t7njMblLWq/xL0A3DmcI4auX2OuxTyVm5UJkUk+2UT2GtzXne +2NIi07k8+5/xP84v/nWiNaaCFuPySfy1xmTYERt3EXgCs5r+qOCl2L4jzfe3EEsJ +NPKy8KWSitUjcc9VoOiZ48LDBEbY8LDDFliYkvwTyHK5fNjqLlNE8Jj4yX49wsGB +BBMBCAArAhsBAh4BAheABQkFo6E9AhkBBQJX5WLXBQsJCAcCBhUKCQgLAgUWAwIB +AAAKCRD+QwCcRgex+87WD/wP/UW4QljFB74PmDKY9c0uXmpbH3M9fyuLxSVofdYP +CU21mwjCwiWLBVhBGiMEJ9KtSQYFcK0mbcWG9dB2vvCyfgvbaGZPs0gczYpSo84V +64a5VX5uDujQQqWgZYVLal462M0A40mMRNxLrOzMMeSxZUtFjsvqygLjpTwuYJWf +dE24A/TAUUEX611eHzniQtRegfTGZwD5A6HA+WmSLRIgcPXfHNTwq75nHhLgFari +qRjzmfJfVkQjHhDC8tBp+NHkUv1b1me6b+POBnwYvOoH+tlKw4HLN5j1eXC/7H8L +xyC6XOQyq4uSMrVXIcLFVo4T6uG+yuboUknV97QogWCKuGUtl8zFF52EfZmUa1jx +kpF9F6OywY0K3tAYc/qXODQuWjmCPl3gk3CPK5B2P7QT6nhc+wCfwLQasMZxJv/m +7s/7jcyyAW2+EUi0Oo1m75XWH9/3s3TbZeFfFT6FsX4obNIWauBwr5cWRaeG0qoA +kIOysY57v9aKzc0bQaqJLspWiWMLs2CWXH4GGZf7glGeVgK/VY7pICGroT5PWhcQ +OmUJ8rx+Sj7fQ5UNtczA9mEFtCuFfZ9IXVs8kOaSTnCtH9NeeEwy/iFB8cgIEysx +T7T1n+IpT3mPjvVTGK1fu/EVhjk5VCgU4B0eCNsL4tSWXy41fRFA0auy/0o99G0T +7cLBfwQTAQgAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJX4qXJBQkF 
+o6E9AAoJEP5DAJxGB7H7TnAQAJs/XQk5Wx5Db/vMztwR3oRMPvG4NVHnA38fit8g +IWSMsB8AWJyMY1P/cFkJRpnQo/fF83Z/XinP0pKTEQ97+UIqvtndSTLUFacMirGh +yx025aTag+OLhyIe4xq19ZZEy3+YNq9nOGMIivWxGyvWUVjQYVwk2AAtFsC1FZtZ +4pVtte4Yd/Vq4nOTfmO+eejVmCvOHKr3xHET2+psiVS23j3aBJIShikPbmxRg+l+ +VbE7RLjk90Mv3PnGhqVfgnEEoYQZ/kppE7fnFb6pHgP4zBVRCoYVP3qCLv8WzoyZ +s/snYItAgGIHHv6OLDKn5SSSnmJho3+z6/PfCUBbLbz64vF0Itj8+6mwGlenMp2p +tPc8mvkEnvfHa11emmJVnFVJTKY9qkrft/kabb7AezPE7TgFuN0tTfoSsW00qNuL +QiRubdqknQ20C3ILCUiqPef7WajwlkQbe5KJE1f2HK6P3FhcveGkB5eG537/0BO6 +gH/Mv1Czu+sebDOcXwPeNPqNEFAqUmXxh5UFznQqETFej6DPP0HkMUlGnZi3o5g6 +jrUnMnzG6GLBYDmLAm26x1m7YMqLI23bxDLuBjIDZmLmcn2kYA/MbJhbWg9mnmis +0YK/5nXbbsZ8GtNhLP70T/mRW3c3loyTYtX2mtsmaGq64Uw2XlwQEtdZrpiQNnR8 +ExrHzSROaWNrIE1hdGhld3NvbiA8bmlja21AZnJlZWhhdmVuLm5ldD7CwX4EEwEI +ACgCGwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJfextxBQkQ/n3ZAAoJEP5D +AJxGB7H7eBwP/R3OpDnx7JtFOq22z0jcLjPLwmP+QqgOlIvSiqj66SplpEhPHcgf +4DgBu02RwE8ONAMo6McFvUH4tvI2NH3X8WET32APLe8/2cxhtZpH86gdnwTu1xGM +XQxz5sRppIhOtoowGWh+/e/t9owALOm/+IsHnxbX4ddIN6goB/mrlepRVRUODBnE +0K9oZG7VnnrB73Ip0+hqaDVmiGdOn7LSggl7ip7VZ5hUHXwvHg3dUknKapucMXFC +aqdelvYFt3NYQ2ZROAsAVLdi4k2dY9/WGNCgFHbdSGurJ19yGwttv57t+GUsG3OX +HEIMq52dkM4LOnbdVR2miV/jhFQ7J6i+mjZ5tYJiwrX9uFSOSzHbjWVCq5tlj1OH +s18s0zDO523p2YWS2LWaiDpThnRU092iGsNJZHaJmzA0T+7Ti/uaqqY9CjshYSBd +i0XUQ1LowzWDfBsVjV/u+BN80FYoszJzTAmiJW3GOrxbkhdb4nYptPKmY4YSSlLf +fOQ0y9Y+eUYMGe23xhejsYITS6THOunWmb/jlgK12Rd8AyrZVtD64szxAYqSXJ9r +x/k16KIl1z7JzJIRzBIrdHe8HTtuy9zs/oQgICPMrotKF6TCjHkH7prZFcCF09Ij +Rcc8ihpZ/C991HS4X4pN1MdQMuEIWVIAjxKh++gMYYzMjXUqBsjXjuBhwsF+BBMB +CAAoAhsBAh4BAheABQsJCAcCBhUKCQgLAgUWAwIBAAUCW5+Z8AUJB39h1AAKCRD+ +QwCcRgex+8yID/9lIunYmqatd4mTaiaAJIUHMjFh7d7J+3pXwOV2bpg/eBpFlonI +OC/8xnj+2CiKVusjF9WXoakOQUyXizPD7+fnUDzgQjmXxQTO3TCiXhSRdDdrcYcw +Z3Y+0rkK66QOv66S+NQGonG1qOJPjV8XSpLnuWb7bdk5qlaGquJIeoVQQpMZB9qe +0iwxgKeegJuOCRTQnPI7hoCpJX9+PowWR53JMi/Tks76B7XP/KF2TLR226oD3S/t +4Jup7LU5xP/IDCKWf641ZOoNdrCRc84nxeXcChjcX2eGNuBaceplLRQD3+ONZ9QE 
+HuQkbLfCQzs/NQTXxrB5NwBaBblJkNEY1i7GXeURGFE4ChD5eb6ba7m/uE7UOZ+F +wB0OpgUHIRlHrD/maVsd17mIsNo6WNRypXuzAlNNOVFgtnwVOpfm/OURzkLXeFjx +An4mJ/ca9SBYxtj9EYSp4OM1FjLNbm95Z1cQ7nxwQA98ZEa1yAr/TY6Z1Zpe8nHy +evsBLBWNPObW7nUjmfvIYzP7/xJTimwkagLGgSi+0R01HlHk1TlIYd5KyOFdXLui +4eEK5WFppqSCq4U2j8vaRwNKfUFryYOihBvpcZblRSl6+kuatcYF+m6tUQ0Pi5p5 +jO/nORRm9a8ertRSaxshcsavjrXpe7ZJ+yCCIe15MHVBSA/g687Wo8qJFMLBfgQT +AQgAKAIbAQUJBaOhPQIeAQIXgAUCV+Vi4QULCQgHAgYVCgkICwIFFgMCAQAACgkQ +/kMAnEYHsftQVBAAvOPy7R+ucWt6SSg3bw7CUtJozxujfNKpIb9xWJ6rhNWCPbyk +kAyWnHuWLxaRiADX+aTBLoGgNNJHBc5rYgcXgFaE26O2/QEEXV/0vJrPcmzR1t6M +0f4J9BTmoc+zLcgIYwPJl5HfyTPy+zZ/zorJ2CP5h6oaCYioyXVOEIhtO9pX/xRy +DI9CtFV0CuYrisPTr9CU09zwa4DQSvXcWSL1xyvijuMKE2tDvoYectdD+z7hZZAW +R7x7VktlS4WnbbTOMtrQ/EEQljLeoLz8gm0wwvSkRBnA01sBhFp+MWaw0slPBrBu +Nkmm3MygWDK+IU+JHTFr2E+6tSnEnAkZmQgLG3S+D8wUo3fY4iUnE0vxP4wvcx7f +/1ckzUsnOE1n4zOQTGefA89tFKOza8BG5/1BVhIUVztfXkKdeES9d4ynh6EKHOD1 +5a296IU7BKf1dAJgOchgktwKWbRQ8mKKpyExCYygno1EqBw1Wvv5UIvewPodAEJl +1zPHt4XKR/+bVhJQGeDsBoc3+tzqcDxyUOv22Euf85yvVhq9DXIAUQ8STY2xh/7S +YGIwf3WZp/3ry6HR40+LmUe6KXAAQSQQXOAZPAgC87j2mzMDTeQZ7bJ9wBQ6j7QR +/ebzs/6cHKeroNEbcoW6QhOwSnX01CU0REQdq9tCwYOcQ5lmjt8zNv6cB/XCwX8E +EwEIACkFAlfiphkCGwEFCQWjoT0HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRD+QwCcRgex+xRCEACwAh/qUAj3EYe1XvMU+whr2h9HyW7qeIqHDqQc/LEt5UeI +XSqfoJV23nQSu3C3MT0mJR4UF2C0qOGOLNZVpsxOIE/dDpg0/8xABCNCrxJF3y+2 +DTUoVtujoftAYCP19MaIml05C+LDeoM1d4CmDbokYtm/KBbLnyc82nYaQHrlljRT +8mLAEia8ye9IR16gTPn3PGT5dn+0yWiZ+95BIKhJdVKCY4wMr46RiEi81+3LWDBl +Ariv+Ojg6hCoQPwC4kUR1tisxyWo4mnaOEkHM2fnFWcqxXqK3NHhHUk56A9EbfOw +4mxbntg4I9d9UuW+B8N/Po5y10RExGqyOQWxeGOpPQrJsb77iHA/3I94/0o3yVuR +PDMSftTVWgiaHqSJ212hITMZZU7eYuxbnOFd2dIgzU2Nt1a/h9putFoJOj37Rz3Y +5blIX36DChBOtwHwChYx39V0OETRnX7036RfkRK1+4DX6Ipz/e2dXmzrsReUbvys +vxPz11NVefjic11EINm737K5iamul3VO0MNZb2+PQDJsG33eF7EYhKIJdFrldaWP +A6Qz7ER/CnEPHMwGS/ccVzcH8KOa6VymZhUMjsyd7BHoMtiNZGZM45d3AjgANEOm +7XM/CQ7IA8ODo2h5eGRQBoYDEPPqE0jBuTtNi+5E/6sD8oxRKbc0EnblVFhD/M0l 
+TmljayBNYXRoZXdzb24gPG5pY2ttQHRvcnByb2plY3Qub3JnPsLBfgQTAQgAKAIb +AQIeAQIXgAULCQgHAgYVCgkICwIFFgMCAQAFAl97G3AFCRD+fdkACgkQ/kMAnEYH +sfshpw//eju0iMvlXvsTbib8b4Y2Q84m5TBPEmkKh94hi2KQA27b89WhGRG2gFFz +E7PsrtM0RbV9IvG2KHMvUK7zQsHqW9ang6UHeCBNpxWYMkzjH+nI8tyE0fMYaVpN +TlcC1/daZ15BDddwLPMayxq9fofpzP54t3Oehw3lg4oUMKkx4QSaDaK6x/v5yrc2 +QTYXxtJsojP2/RsQh9mGzoDESAvSbgj8oFjllcrTk8rEFkioiCLy/6DJ1uQ0xmuc +V1bfok3cU4C3PvfuqTJIP4VRhxt4+AH98FNfx+20DAjW/o8/rcZwmFdtbewAqLmk +ADMflmGQ9+oal6vn+b/TUbn1zuuuw2jOyqvVL0Bxg9KSDzPU5TrLIU5eAMwRwCSA +eIsRrHGUdx/HCJYG0MnvdhpoHSZMNsdFCeVmlOCfYN4jJy3iAOI9PUJn+R/MF606 +S89Mkwf0tRElY1b9wSUlIcp9OKzP7g732sB1KfHeI9W7LXRsXqTRca1pbCvc1Fda +JQCfFGXguLEZpMthG2xfkPal0LhqZ1riZOysisoPYCZCXG1Aq7FNrLdRrIqeqSdU +xkwFSTI+MCJwvdMUNnpZx5tQDI4kwQcWOINehkaAJgaJQJmhJpJCav2HzzNV6Ynv +/xN4I8e+euvWm8ipJigIHJF4CyVo1FVruiTtwvNdCJmzS8kgxDDCwX4EEwEIACgC +GwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5nwBQkHf2HUAAoJEP5DAJxG +B7H7jjEP/0PVTL9eI1otZ9EGV4Wxv6fcX7gXJO1VZsRFWosae1neZjIjQ91dCzIk ++m+EnW7uNzubhxE6T3orMiITzM+UmQJE26+bOWT1cbKYkAUyjSck1S2DOITRP4iS +pu9DCM6XtU0kuClpKY6NmOYJaqPwfVTOah8IFKh6sWIJtzhiQf3s+hufOD+wWS7f +PIdo4qOHLggQYhQ8pG2PsiqJjSArpCqzfyG4SMMqOlDFgFxkx127qAqje3QlAu38 +gji5j3UVuBhb5s0eA4+HtVKcUpHWH6JMT8RALWM4eF0t0qUWYk6X63ScXr/J5gv4 +SGcrDv4ksCnE5Cr2gR2SUmYxhPfofBCx+3pPzExpEb4+qSe+S62pf+weKQU8XrAq +tP5LxIh6bG8ugE6Cs+J1kmQPEYjkONT8v3iRT0SfkNWRhyrYlQFPYA1F2E47FRpE +jdDnzIsez+HLDysmtdXsB0p/+1rDrriY8yJttXE9U8BSgTpukYifY+5c2c4vQWit +NlJyAY9sTPX1+KqnvMztYNZyFdcJifiY6tY990o3pabAlcwOgrayMFSMd/JrtEyD +jDk5M9dK1G9p0N9bkf92FfOP3SBo+9ScmF5A68jyFHrLQ8AXSuQF02s8WhNymgmV +Y1VugS6MsL+RGh8gTxCxaCBvExiMilmJPtrVTg4N7IzQYnYMeOidwsF+BBMBCAAo +AhsBBQkFo6E9Ah4BAheABQJX5WLhBQsJCAcCBhUKCQgLAgUWAwIBAAAKCRD+QwCc +Rgex+zFTEAC1GgGgpEJ4SFyREO4We3sgLadFJH5W0+f2xgYZKJsJHF6VgKcOcLYS ++xnb4T/XPSjoXgfTATj3lTKLJ5vwurx3LLjsUBYNE9kZOxd1dEUTMu2sN7ACd1s5 +dlasztgChRLO0K1GD2/dJcfvFF6xC6OJ7VtLuqp8Rlooui3/wRA6RLvk5hkFDjje +l/t2UHa9inYq96d7YpSlEF2It6p44kp73g+57ZaGwTHDlMvxpj1RZLCQ0ijEnajz 
+BxlDLJ6jRkYcRtG0enhQvvPYii3rXhKo5hK/XuBtNDysTR0ZXdPQMbHtsve4dxXC +Lg/0/Gm78tA27XVJIo6zgR7/qPJ8Is7/7wTNlh9VXnp0NE3SjKtIOxMdTJyoxVgy +06WJ41x0c6Wtt/AzUEOeMWRa5GLatci+KU8Szhn4Gddi9bdemtLPvzQyH0DFcU+5 +/IV36V/2rbWHr3zyAmM6t41YBzNKJNIVP6EbUiNwnfDUjii7QcphVPuYbk7F3wmB +UunQ6LYcbpYcTEaVMlrjDMwTbJnkDS3YFpn/vncn2GTDsaMUcGAf8REkUs/SB7mW +TTHn4R1/A8Ut6KJkqiMlwtonhyhsDRfkCplYePSs0TUlAopbr+Qm41ZYquw0myTb +3mVp9EgAwR3D9xGvgYkPyUvgCLbla3MxUkUn/16KWY7PzHvFfL/iEMLBfwQTAQgA +KQUCV+KmBwIbAQUJBaOhPQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEP5D +AJxGB7H7xCEQAKH/X147T2z1QX5G4iYh3+LhbtqMVSGt64fhjmmTbX39D46+Aqrp +U9Jc44O6C/Qj3dMsIlGeoiqSyA7y7P1ICK2SW+T61z77VBLY7l6+taR4Tnr4hiNq +9ZSx4MPcgXpIxN60IpMVc7H3maNrX1+3r3B++LvC+kLl24b2jdIcBI+d0nsNDqS9 +m2m+vnLE+Wy6YdaF1TPGIVz9EidX09/kHNPGNp2Dk9S+5AdrQHjfqls/XXPIYWAX +J/A3Fx2lgpAqvRA+YMCD9cesPMf7IWCs19P/75venoT0clE1Lo3ghvigjMDaC18A +VK6GL3nos+qxl3x0aNNGrNveGMSUfoYE3lzjupTsIEDBwO5Y+uz48IAlPQuFDdwk +3q8FlhaBaTGsJ8z8iA/reeqiFmmH69kOOG8eAoR/UVZaVJU1zd0Zd7NmUADXLRuL +j+SNvf9nq670gZ8Hu6cAF5/9ilBL7bRO9EQ/J+uG1EldRARz4bXc32MEz4K+iLyI +krXVFkU7xOYIVm7EO5mTwkIDmqaOwtzXYVD8LP859a6u1vzkpgcBrNhWZXLcPLs9 +mUp273cByfMV/P78JwhlsdvXXcWd7Us6EfLtM6z8ZrXoVJtf1jG+7OylmttrGZ6X +patCUcnkYXhNZTw527bh+nKLOdGqOPY4Md6KZp9dFxjK+a3RTovA1QQhzSJOaWNr +IE1hdGhld3NvbiA8bmlja21Ad2FuZ2FmdS5uZXQ+wsF+BBMBCAAoAhsBAh4BAheA +BQsJCAcCBhUKCQgLAgUWAwIBAAUCX3sbcAUJEP592QAKCRD+QwCcRgex+1VqD/9Y +ksvGVLhmqk5GGk25NIepvq4upKPEt3oePZK/Bj9xNTMpUvmNa0+n6lERa9/bcdoE +er8PRiTKbOAijR5rgySN2gEpjJSDTcql4q5C5RQoO11OqcC6gEBk93BGZ2Ur2PpN +chxAmNH+hkVsmZVIbCVoYFXz2uNeT/q+0CJPzUGZYA8FadPdUeZ2lwa1lz7I9h2g +NQID+IrqV8MEpgTD207ERjdB0C8zua7J/DbnlfZN4zbjsaL/y8RCJkk3yG1YG2EC +DF5Q8bivkcYlSSTqrMo9WAiJLK7m03qKLfyKH5M9DM1kBCqppYPKEANB44vk++0G +EyYQL2gjICkXO5XrxJAVkBm/RzKVFAMvRx0SBqCG2NiywspTiVrXRGEe+0KQkkHI +8bPPVcrLGHE+x19W6s8YWHTRJj8F1xJOBy37PW+o9OpX5cfmJosNRh4zVZFPnuS+ +ytC1QNL9DxUBxgKy1UCKrlb5WTb6sQh03xDEU25uoOB9UmITk3Wd9MoqR0F59EZ5 +cqN8TKdfSup94mI6ecDRPOw9akZ1LNFpbiJ5E5EAiATCd4SEh5PxBDt7YK6/38Ik 
+4l8IoPinDSyJCVesJNRbWNIdwjpX31pplzK0GDE+1JLfHZJnVVD9X8edQQpwPIeU +bMN1XFd8kQs+xwCg6QQrtjRmLjjNDf/dnbmxSWoo68LBfgQTAQgAKAIbAQIeAQIX +gAULCQgHAgYVCgkICwIFFgMCAQAFAlufmfAFCQd/YdQACgkQ/kMAnEYHsfvYBhAA +xgEY8oNLZhC+0Ent53yUvs/dNN1+YcE/jmBKBflewwxTTSXOkervnMa1QLu4Xegr +/ttlGqjA5EakH5PtrQWfAb3u4B4NBrAGxN/WirL598RwwKEGo4PecNh7ADy40skq +OHNJQbEcaJ8ZAqFF/t+3C6CjVDuO36lHqDXEYytw/2XjY4CBtRF0lyTE5lRyI+DO +cWD9m7M2BZU61Vx/aK5OI5UaCqWtYWXl36gBJdV7APY+MA183Ly9EywCZFPb/il2 +RdmiM19ycENrIuDF1ZAqpFats3hZR4MW8WTS3BTGste/yBjjaS10bp5HiqVlZot3 +TT28OmeWqwjFaXC3mVE943/322Mslz1QFV4e1/S1umqIf0wIVu3jDSKeZ0bagdk5 +SK8yNWhZ2ClbtR2vSPLdA128hjaNfaxDYiXMOLFEy2FvZk3rUtNWbA5Mji2qhiIh +cm2jCkOGg5hKSfA3anEQfKXcEi8OTzEnLmvyEw0MNZgPBUUciJjgis7CWAlTn30c +6plwxJRhBE4tEvY5VzWNOMeTRhx1Sf7qp8vKMc2FnjZJUBI8xFe3vZ1qSFAKfuga ++SJM1+PbxQQM6N2q/hlJALW4WUpjvtvEQsWYYoDbBgWtsTtNaLYbetcS4EaA3lr+ +elwOTLiYcsPNaKD4ZAsDR8qiAzABJ3W5aGEV1VvF+7PCwX4EEwEIACgCGwEFCQWj +oT0CHgECF4AFAlflYuEFCwkIBwIGFQoJCAsCBRYDAgEAAAoJEP5DAJxGB7H7RCoQ +ALDD2Tu7CeSRsGiNRgJE1QNEvvoISDpr2LncgOwumsJg9gvLeOY5fve0AyVbyW/j +KkElOGbfGC5HO3JAX8s+uqJLoEF1TmYr/ldBRFDb9YsyYz2saBlnUWvWwcDI5HCH +fw8BRPw2MhGkB2nt+hQdEteKkaeHIjvkScFzqonsiq2IQknsbhmyDZj9coaxoCK1 +JL2xX8pDl24i8alhgDTu3rQJxppqBBixZ3tSXhsp2WSF2bSrjb97A6XxSfUrVqGs +FWqeCXDE53QSzAEYmFFpuL1kvi1jOXlr9CeTc4XGBP7HttPWU8bgnhA36HzW/MGd +hpJ6L7GVoACKhEsB5GTKEzobwONalHg60ufRNk+dIZMr7C2eEpjBKLYzgevAmbd9 +k0uOicbVqA24cNWjvNzuRxJGxCA9XQSt9FAhpiNcdvoeSXgxc8sZp3+0EUuyjYTn +ahLIk5KjvRRTkILeq1HAffomGvd2PfiT3Iq7vKGHhh5n4cXBMXi5DpAB36hKIC/U +LcGH9khKTlBxfeNntHMm+/mNqwrdKeAfC8MO0rBWXZdWZs4rwElPcoVtVxPY/CCr +J1vJqfnufc0ZUB8WguLoPxqPLC+ja7Pg/ALRQI1cbJnZD5hteAJ/dq2mZ4vS01Py +ztuwCKYTKIdj6yoMgnIYxmh9xty4FSSzodtHM3c0x5sZwsF/BBMBCAApBQJX4qYv +AhsBBQkFo6E9BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/kMAnEYHsfsc +9w//XpLL93sf0hNPz281ql/zSVo8P3oLmYxzmJfiEAMKOLX9UivWD+oJR2iBTo0p +nhuP+/4a0IB08dIvTE0Y3DJNsx738F3CSP7ZHF5EFaIXEcyaCv4lncVELHBMiTCx +mA2Law011830pwug0jOUyv4T9+CElUhm4XT3k0CFxXtOMgQ0KA0IplxszhFOL7Vq 
+T4Qqokgdymjo7mLKLvXqKqs9XbZ9A+RYeKi/HwDqBfzhLC1ur9p5VmcA9PLJvQvY +B4S0RIM0utaVMP5vD6BRpmlQk+WkeJbzbZQFEJKzdOGVdQnSX/Y8qtdGTYwUDq9o +ZCEdrEraP/6uAzCccI6lkGoTSnQ+FUufOV0c6NZvmiaA9GkIwfq+O5M8Vhf67krA +rR8Avw5y8TmEsr9Sg7AgmW8rMDuNFF2ol+D2r5VJZgo48kICo1V6BSDN4pdY4sI1 +xrzha8fkQ2bXUvPDukEHs7JAXToK/f3GwMtwqWzmR5b5EO1Pytx9DK60I0ohjosk +8O/F/9cY+kkEXQ1hyu4FKhLia7HmJbdaKsaQSyqcVBUvkDm3MExl+fSx6S6F07kr +z9k4017irw8kOvpnV33dbXK+gzs7qFYY64Jn6tJMnYxTkyGqHDvPrCFVbUvIBQ5e ++Q/bghHJmzNJO/8ruvi0Enp6pioY/0bzr9TVtWCg0KNZPFnOwU0EV+U4tgEQAJx1 +gKVZwjJoFhF7TJ3VAJJ7JfwkGlxXOF+3TR7hhdmV3WwI019Cx4cUV21P7zVLYqt0 +jb+iPAK3aSFjTrCQZwUgvfM+s+G4byS6i6fbM9X6M8HKGuTqTRIKGaFjZlJ/ubBn +H/CyYpFD33WtEMJv1wBaz4EM3q1ROLsNAujCEzWD8PabG7atQKINnp2zXzpKO1Aw +gLYPJPrbKFJz4usYpdN8ULSnJSzIxqMoiJATRVnilnYCpcJeQnc2V3bH/ftEm2tK +SMRZuRefPggiMZZn5uEmTlBdyHMGFK+huqP51rw1EcvIi8Bxy65YoTjQDvrPuKtA +6pOQNK5XETfzWlnwBa1tG5QxhIg+AqEJFJ9AH1h/jPfy9ZGeE4PW/PJDa8Xnet6u +dhIqcyKrXNlyc+Cu/uLcTS/2LB7BgEouKKwbYpXv0LcZlkkkUb8biFLKW4bIx9+8 +YcZdAWUZQGvB/jOcxq1YR5Ke1jd6efPb7BTTAM/DL2dInwEEJkS5S+ecuuKWHnV+ +0iMzxzUUkCehEQ4apXejTRwbWe+H9eN1a1MKPGgTZrc98hhrVb+hST0Pl12fcY94 +botnk2Va1kzeAURYnlbwWADtbCtNB/inUIjOMxK8F0oIsu/i+lC/q+4x0V0wA5lM +sowWj1Q5A/sh+Mah8/v7Qh2LGkjGOH3xVbE6L76rABEBAAHCwWUEGAEIAA8CGwwF +Al97G8IFCRD75IwACgkQ/kMAnEYHsfs/+g/9HfQdh6DLeYXPUvTDEUYVUHlkZw61 +SjHPQy4SMMBTz7rALeBuxYpR7KTzLaCdtjiHBGGSgsEmQto/GLdT4Vt25zpx2uxK +/tOq041PYRRcZ/aK67M/N2CDmcsCzi9sm6HsOKJkZIwVIiQ10UZ1YT8FEdC8/Kzw +nxgmtG/iG2852dDS7Ar55GIuYjEob6emTbM8Z5L21vPvJRpxuvsqEiMMA/Oyi9jw +xhDVCHL+a7pWSR5hZuyvJE4W5zU3loZrLg7kezzbdhWcEENLPiLdw6mexhUeXgT5 +nnUwcLe6eFc6VHUUO2Q0vXF2mCHdQLOCGpykL0DWxxth07o0OSqTKIAeDwsh5YO3 +dYJ6V5UYVu84xBe5UF5RZ5XDWYyNbifrLiVtb50OBWLekwau/d2VqrlmWJaGrLJ8 +B9mxWN8zcWozZtQNDVSo8GU3L8LYY9Sb2nBxOAXRVCyuPwyeQcHamvuWokaUniav +gEcEEXP2RLlPdJOF6QV0i2mXc5AFq/CfylZOtRZ5WHvASqvtT5rulQ/oZ67v/0WI +LTDYXh34D8ukEU40WNT4cL0XHcXMLhZJ1AQUOn294aG1b2z3N0DrGx5/Mcscz5qT +O2tfvbM16jbttrFfjuGGvuTBnEtSaJMhVVmtdFg9MsMAwHMp8zBE/aSNDF5qmNai 
+o5TEFXO5W+BS3l/CwWUEGAEIAA8CGwwFAlufmjkFCQd8yIMACgkQ/kMAnEYHsfth +VQ//T2F0tYl9k4zW/IOR//GGHVHGuzESjjvyAAisBZZf+4fFCrHGgzb3XGmD96UH +8C6PB9ttSP6knWYJa4ohuX50iJusrvGlyAmOyTYfX4DfXdrPeMtvutSXCk8A0nR3 +lfpeGkhXDCt/MTuhKvQOrqupsbVbzZHOLdlGz+y3k2790dMMEUdCk7EXONfMyaOU +jI233n/MLhMHFVlOjPStU3+552i/yCKFctAwznxjhHO6rQbgJvEwQsXa2c9JnEtK +LSoj1j8IDICo75WWoMgbc9F+eNV1l8cya9FVWcJ4kfI/6adxj4ZKEMMl4FHPb3ct +9aasqll/cTnC2JEcnholP2ZvKa6asaprJb3Se0nesOJcsqwsq4Ylc4vjh5DDMCpU +Hqjgg4MP2u3WuL8nOOKdzgDpYOjitoGi19giFF0QRFDbtqZxo68LF4xo2069HYs6 +R++ZaAvcaKeB8WgM+QRhP/i67vLpYLeIKk4H9wOSKudIg3URCjTMdSPVJjmeJvq4 +ZfMM2In+CkrYGMJMW9Miaj1+KDEHRTGr6vOw8UkUD/x7O2pbFOfIaAPWNCLsJ9qK ++5N0yvY9FzVaKi0UwEc7KP7HA3HFRSM2VZLdVjqOPPIbxvcGNqU1WjpQxKc69ong +VvBF9RLjGsIqXbq3yygz0XosW6VC5mhRuIMcfa5FGltkGDrCwWUEGAEIAA8FAlfl +OLYCGwwFCQPCZwAACgkQ/kMAnEYHsfua7Q//ezGNpIkXijjXeS8HqxvP6yyAxWTD +I2cjynC8xqg170U7lmcYbvWsbAk0ml2TKkjPpORKPa6ywLBAKED6zUraqBEiEehw +aQiaJbPzxd7E9TWkapxXaNLuJnETbjdZgzAVSTcOcylLqeUJrIWfcDc3BVumi/Bu +dyuR2KWi42OwNHLV4L5K3rDng+whzGk49jrf3tpCXy1npBGYRDqgeRzzJnQS5K2f +XnFsBifbRn8PwtLKGGO6RYp7XWZTLP8+ZwfELVTulDox/OV7xSLRZUtF4woQrG+J +S9G2FOh6mES3ihuRUSjBRQZcKf9kEKqqcrpqPwtoPHIrmygz6eDz0Ea5idbFCGCv +AEARwTrmZe5dTzBAB3X/oobyQPex/QOV3OPIPw+HSY/ficyGHimizIB/x0QEN4L7 +GL8DZSLO4m9TEa7+Y4+XIBqa3Y5yXqUy52jCGt5QD7r1mu6fIuxyW2vffOk4H2jI +5SD/I1J3tipNgOFbjx/pQWjk2kZVoLKg60fcL8Q24TSm569vyj2r1+xFkKSWO8pX +1njIExUTePEUcWEcT7AdxrrPAf2WUxYPGGMTRfrcUw4+SKLzDqgFGC4nIi9y1flj +ZXEZBeG80R3GnU3hyeUwwdn344V+rMT/8k3He3nDEL+vIfEeubAV8Jz3hzou4SD1 +o2/lCOmP+XwQDODOwU0EV+U3SwEQAON6g9gDGhFIqHJNGBfkDAd7XzJ/dasMIqji +Orpjgnr90THlM5HXfuaWCVV+Yt1kAsI4woT8w7nAvNs/5v8Bq7aYQgseMMsdlHnN +CczVyoynxAwTJ3tDME53Kz4sLsu5NVCQ9uZ9Z/GcJHA8ARObJ2GROagFExPOIeri +GDyYFWDOgCmIjBz9VUT1PN2DOWpTAPjn30k4ZpWeN/hnf9V+WkOMbUaJFefCsIU5 +ExFhVCZn3J66M+YumclIlnyxEZgLs+xM/El471rX3bHm0z85XOj/wX73zIKpws3p +ucIFNO8PXIFGja5RzQVNM9nhpK6xOvelaHzDsX4sb5ILs2Y4x8bZYnU099sO1VGC +hfn+Y0ZQupdLUPnshi5dXTyzBTiYuBuKPihGUgm/awsMmAdSRB8vqZATDnvayjRw 
+6j0g1AfWDJBPVqUDY5XrztJkWifx6RF3CWCdSmrbcRrVVyoWTBx3alsIvTAUhZKE +4aISvzy5doMRVyMEbhqHEhbfRGt+toNEHmPdxIDLI7V6+CZ1EwwXNQIwK5MNWLrv +1QQexrqzVVdcxuQz/P91gLDxoCoBi8HBGsA/HL+GVd5oW1U1o8U3mm1SvLSeg+MF +WmiSpSOGpS9adKPwRyGy+giGRnCWJH2dcncSfB9S3XOimhqhNy3Eb98ttgl2AgaU +DO8M6Gu/ABEBAAHCw4QEGAEIAA8CGwIFAl97G6cFCRD75dwCKcFdIAQZAQgABgUC +V+U3SwAKCRBq/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzl +sRmE+ST/bOaMpJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/ +yS+8ubp3Nv9HwD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/ +3bsQ6PhflHTFhpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX4 +37h70ne47IkJEO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1 +Nakzq9bnlqnw2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dt +yZxpPn/0jvS8yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8/ +/63ifzOAqKlnxQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuC +mSiJvig03iTsy/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xn +TzJYTy+sUEV56K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYl +cHKAv6ldLCuv8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc9 +0OX47wkQ/kMAnEYHsftCNBAAvHC4X+z1yIZ9d1kiEEbBrfYT6K+E5m8i6trhDJ/M +3BxQPcV5Zl8JqvHfc8eciSnp5aFpbpNpSMNGMWjvqDxYCI8/OkbWuulcXW7zTMaZ +8h+RdRie7havjBGfMrCYBwQX2BHwrXjhobEwnCfOX2VsIt0i/J/xpREQ21KvSvxk +hlWQGa5YXOjUdD951kZuw61HXajDQFsZzpL/RMX/n+qOfj3YUb5J7/55As4Ysett +vAW3tKzosCxCKcKuAJ3Z4frKF0X374FOfUmp/ncKOXtsXcLVYugVhHmuhTwy7wNN +3LCk+43ED3ZgxR0V7sykPUytkLKTECkWsCQohPBN6P5gaV1yY2OnXQGXm6qOy/Wc +uGmRfSG8btsnOSGbpgfHI7TK78ALSkvDr/mgEEsF9kgxaA0sWsUJsWayh/7LK/A3 +qQZp8JVU3wAuKdoatV7t3EznOdeg786ahx5lJ6FjzB290YvgX4Oynpal+agnhfxl +f9YpCZsOh46K6zy9Mr9JtqzNp2IfYGWoEAazsgc+w8RUmToHiz+D7z4IHJdH+iNH +slUfSf1sSAWBEQWxd8I1r+R0zX3Va+Tuk/qJYO05EyLnVbaOAVPjLvP8SNO0Fn0E +oGeAtZ2x6pbCaDWIknjDU6l3cwu+Uns11rSkY2cVV4eKVD2POqLyGejDmKC8fSFc +lLXCw4QEGAEIAA8CGwIFAlufmicFCQd8ydwCKcFdIAQZAQgABgUCV+U3SwAKCRBq +/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzlsRmE+ST/bOaM +pJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/yS+8ubp3Nv9H 
+wD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/3bsQ6PhflHTF +hpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX437h70ne47IkJ +EO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1Nakzq9bnlqnw +2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dtyZxpPn/0jvS8 +yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8//63ifzOAqKln +xQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuCmSiJvig03iTs +y/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xnTzJYTy+sUEV5 +6K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYlcHKAv6ldLCuv +8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc90OX47wkQ/kMA +nEYHsfuDKQ/9Fpoq75+xgkbQno3vLC2aNJqHwk0LzEINgqSNVYPob+/dBf1u3lN5 +HHNKH1opin4EEknRulSWhU3C9oMy4MjN6rFqhS65M2f8jfG3qXHAUKDf4gL3ZHeP +qWEHVkE/Z5X/M3gZA87DgmskLuxWFyWoT7DFWkTb4TtJRdVs3R/zI+g52uM7UUV8 +QjG/ox9w7VdUXIn9Mg5TehBTqZCBsWx2lM1SOzK2R7Ax/IukppOb205RmqOKxZh8 +gj29StTlRoJy0RE6typfSrhyaTithX3gWKfkCm+LGzEwWtZoRstCRmEeD30Glnko +BXFMVKAvEXIGCdVyaugQYVMy5RXlQllg/3Qo2aoKhwCWUjVnJIDT8csrcYKgA+As +R+0RqXCSHDeJWhoeiUOnm/ZGa6g9z5f8t6z67jY/iXXSCw+jv1U9znYj0vuQIBWg +FbFC2C0xI9HBZIUgakeyUxnG3WRkChUV76ZG9EMuTfFaGanWG9MWzb6sX1oWVNru +PEvxdRlFhkr8M98kAQHKcBgVmK1eCwvBt+4DvJxVRCT5DADLL1pM3ZSb5e8ibkOY +a066rFPA6VBNxDkYOYBw2e2itzljh6M+Q9URIocFytK5PQsCxuTHqAK/Y50Oypgf +tw2aq3/J1W+QDO7Xmyu23GJGFZ1oCF0Wm6RlU7d9lHxclFwR2cptw8fCw4QEGAEI +AA8FAlflN0sCGwIFCQPCZwACKQkQ/kMAnEYHsfvBXSAEGQEIAAYFAlflN0sACgkQ +av7m1J6StgH/kBAArl34ZZgE7o1xwuaDKaOk1llKTSZPK9/erHSc5bEZhPkk/2zm +jKSbggrn1F1SbqV+ktF7qFldyssRdm9ESDcwKo4wcONpMnKALwK6/8kvvLm6dzb/ +R8A+1gVhiBj8kuTCw4+Isi/R16J1QObU96UEFwWkncm2IQ5+D3DiP927EOj4X5R0 +xYabkaeAYXHi+sIUFIBqqFxjvXabLwo4gldY6q2TrfWZob1dx8MF+N+4e9J3uOyJ +CRDuDrWH5VuKrj7u+r0fiKQVSJFVVDwkD4qYJxJZRldUp+WYctMRtTWpM6vW55ap +8NsiJdKxW2uudw5taEvayeVkXGcHM9e2ArAlSSzRPlT8PxDfuctXbcmcaT5/9I70 +vMj7YYTsNO+WVXQctpNrr//+XBD0dngPuL2RKZkQ+cj9gfBiqk0/P/+t4n8zgKip +Z8UPNNGUFfXwz/Z3WlxzyQgRydytZ8xKD7XoYBdM+6wq3fjPXaBrgpkoib4oNN4k +7Mv3FSkxfgZzgg5HOZDJVPMzLDpo4s2N5OlVKuK1vbB+9FuZSwPsZ08yWE8vrFBF 
+eeiuG6hX/018pu5lVvcWN9wYRUdj+LbyPVV3ffZT3W7yVioPXiZGJXBygL+pXSwr +r/M93+DhunnGY2SNba+vepVDDdyRXjCVMxyXv+1FctmPgMUdEl2HPdDl+O+waxAA +g7ZuiuuRAi70Q6aZFLlG259cyCmTmgwsbUAjFKtqTP5g9URgh1A0JZfS5/MYschS +fj8qBYsdChdP9VX/d0U9/LCc4sXL24XLnpTw7C9MeelndtXdxBxnPLUTby3ZQ19h +ZPc3l4XC52ej35iTG/lr2jQcBHI05fwBiUCuWn7hGiKk2TfUtUpFkcvXObrB2/CC +28Mg1d3NpYu79OY6raQoUGe34aVDdjbTDnx1nxARBfhJwfceid+j/Z6V3JKO0C1T +vKgJvBhc84kRKGT5/PVJR4dnXsYzdgWTDXVw2CUHKVS4taHoBuUAoTGOeu7M0WU1 +yMoYWsRQ2auMjxwP4w9sc7hTJt+Oj6o5vW1sBB47PHnl3lDWLt/iG+QL94N3aZXZ +1b4yeTzHi+AZYR9hs3kFpL9dq0WgS72j2BmcSkHdgdXRv5offNHyFNEMjxqB2+w1 +32xMCtNT4zWah0VJOsfFiAYPUZhDgCY155ULwJXJ+PTHyv2O983xJVmZhsRU+/Z5 +MoDtXDDeuCfL31nnKt42sRa1Ce+tHjJEoukT3Ng7GjV1lyuwZ3YX1UpN9BcM8aWr +KRUP30TqqjdlZLIMGoVv/z9rxYlSsLbn+P7nqaX8Vq8ZeoEh8iaQa+IB7NgXvoIg +cP4OP2yasPh/GwyuLN/DcnsMJjv+76tjXryzEH0ffZY= +=GKc2 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36 +Comment: David Goulet +Comment: David Goulet +Comment: David Goulet + +xsBNBE3KySMBCADOeaVfjDRP3kb2YaDyZbEjPKXkIJivkBbEt9E5abcuipmIA8o6 +W+eYbnRDUZr0u/a6NjEhG35yNFRWpFpi4Gby9+0xjNvGjFj+hTjROFsph3ljGFKp +yYfJQejlFEjlub/7ehNdVrwJz5WnIpNz1UnoC7/rry6HzBtKIcXbEpLTnGAoqAmY +d78cv5h+9B5WzN48/63qIns5ZkzAZIQio3Y+n8B80NXDOiTh+9cFPfAk4xBVPIYk +8dDpCGeHA8E7htJsAkgn4A3wsxEwwKVf4AD5+E622BWYabFyCWetpNIBDsRAm2Di +s7LtxC7SRWd/e/91axtQ5u1bHFliVkRRbn9VABEBAAHNIERhdmlkIEdvdWxldCA8 +ZGdvdWxldEBldjBrZS5uZXQ+wsCTBBMBCAA9AhsDAh4BAheABAsECQoEFQgJCgMW +AQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6Goq +EfSNNiH0CACJCNbyooaIGDEJ6sNkwrwh9DZZFs+qyafJqz7KXd3d2MXcnlgAw6O2 +DYCAy6hlKNaANWQSFeYTjsoIWf7wC8fFnaWJscPx6+ZE8beUlQMiyzk0KQg8ie7x +Bfnl9Lmh4cnH+4b5A+A3GO8JrWf+gNAi182WJzq62SX7gK7EUT3H9oS3FSbhwYLS +Yf7WQMWpWJ6dS7PbUr78J8XiJDvm6GvEMMC34/aZTeRdhntNOu1B2tybA4BwxbuI +KMa8nneqd/lgXXTA3nFRbO6V/PiFcjoABNEUgqTDpgKypcl9GZ15D/sINX6wuIFf +519Qq1PWtmBZ9xPNHyzXt3wfA/88ticywsCTBBMBCAA9AhsDAh4BAheABAsECQoE 
+FQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG92uQUJFIXhFgAK +CRBC6GoqEfSNNqLIB/9tFtZYDxWmpCBgokXkrJbTEhnYnxGJ+PzvFdswy+vPaf1+ +JsEnzqZS72bZYRfFyJXs5H3Q5pyIEt+/AIGJmafWXJNBkDiyx1+ZsXyqLlbXfWer +rzEIX6r2sPytAZ6OWDzbMnOlodEmJXVIWfVubXlkiSKFRQbORsqVzThcQ99yUGxD +8kGYGvWtTwZCJ3YgHHYecAOzwIEAKQjP7FnGqkFiV0aknJ1s7bHpU4MCu5nC53hw +oBWXtrNQD5h9woQCUco3yz/17tIPsbsLnlOIsywpy2WtQMUMr5UdEvkYFcVbYMQv +x0ZlebtPQ0P9n6lq/cna3kuDA7DshqIrRGIZDgzlwsCTBBMBCAA9AhsDAh4BAheA +BAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJ +EsGSKwAKCRBC6GoqEfSNNkARB/wMw153/mlVTcDFokfxlDtEuzDKx6GO3DMMJE3s +sPk81OtfT6gQsfdzI092AbAjzurNwGuEj52xJhJeQ0JnVn+YhsCohuQvmIRNBzDt +sK3U/93VNWMdSEIPFQZ4B589sZ2qtjpnHK1gEVqw+jImypYRP7FrQ7zWi6DEkC7T +uLTAToTRBeXKWoMAiT9F+kEmH45chYll+450/mSWdoyK3vAUw4GSFOeX2AoG5ka/ +2eLtuzTb3gWZriAkYAtmdgLFVeKjkCy9mQ2G6mSRvBfkJcWT8V3Mp2IkDl4PzeOi +SFUrm60ZuoR1pi+F6KE2IorFtKv272GNc4ys2HeqRqBpqIZHwsCTBBMBCAA9AhsD +Ah4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUC +XMnawwUJEOBFIAAKCRBC6GoqEfSNNpeMB/9zAaVEcZPk+emYqeSDjaOnANAJLBYs +LCCfB23rdQkcfNzYbtsOvvRehxB1Mg9PNN4e3K/l6ZMFCauBGt6jOWiMkojAdDMS +p7vOXwrhQ66whpJjn6pIOjv2p/Z9VME1/e039z6DDCH/Oy/G8pEldIQZkzzP9YgL +ytoMBjEs6bFt7zDS5G90HHkugCUVK9WNLMKhrCbgLa0QVNTeHHFffJWo5jhCkZJ4 +Dw8x8ukbOIzsNWGYtUT1vdKTZCDYASaWEC+2duxJiWL5qcR7m7oGb2Ohcvq432Hl +c4gBVS/HCLmSw9Vn7s7C8aJicUn6e4RQhSXajYeyU9MZfoz+7ecaCTogwsCTBBMB +CAA9AhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNgUCWuifjQUJDv8J6gAKCRBC6GoqEfSNNsvsCADILBT0LK0qjHxjM0YU+AK8 +OEcp1xaf32jPOyE3eZyro5QgVqAmsUM59Vk3R+cgrcfdwEOB78j6H1qJerCIA9he +RFpyLglJqmTFWdFMnYlAg9IInyIgPko6fK8X3E2DktyXNhUsfLWrKktjxNwU4tC5 +IIDboLDI6BjNMVtgcMyJRq1AB2iFBNydR1GQr8waF0ODaZLWeSB+QAkWCwLjIxLh +4mT22TVyGNFXhE988caesVlmDGgSiOviAZC3uCH0HI9aNAraE9hWUVkIp0nQEX1H +28if19LLlEfj6zJJVn1PhW0bggq5UQDEto+MIuq8YAuxvour3H9B6EESlJ3ncnyf +wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNvT2B/0fsSkMvEIF60Tg 
+lEQC4Qs9MYAtBMyf9F1nF+UxIipPpSfobbjIcImbPzcmrAAlege5u0/oTSpYP4r3 +EVMoN2VOyy2afxLiOyPCHporyOzW0KUoi+rEq84FrxwtBL6mPjeEnzuYTRfG+DSJ +eo2uDOS/q28+MwPCJ7ZiLKH9zEODbqS7rUGVijakHShYszStYNSLV50835OfZ4vX +2Uawf3FP65UUKjbY9tbTeljjWXME7ZOkx3b2zEm9Ngbshsy9U2YWkjAYOXtAMA3k +EWPwP/zQBNtK7BHwjZ74uXBo06X+LmakMYZNL8sRjlL0O3FkMKuMKt+axsRs4SCZ +aJYkPw25wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlcw7j4F +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNieACACCAn02 +e6w3AHy6npq89Yce5UuT2GSkjQwCYYUQpO+PsGPzM/RfPd6s3XquvDqC9+v1NvuT +T5ziI7HtfGZ1II3h6AsCMngZgYRN6T3lUoUKPS1lDYBtFS59iat6aFW4cVLUJSK2 +wQpP2yefcRAmxxPXfP6rKn2zeMGcsiuPUaXcsGgMa5vkqGoLunVF68yPlpv4al9r +GDK7PWq14yS7PW6sgQ6es7uXQ6eClr7oSv41V+EQkmFxNOpOlYO2iPl3CfigXs+v +zagvmV1qxSUAQwGjem22WnXY86x/nWp6hL9OxjAI4wTqOsbCda+R4uDhv+uDoq8B +229CYmKcoIUgui1cwsCSBBMBAgAmAhsDBQkJZgGAAh4BAheABAsECQoEFQgJCgMW +AQIFAk3K5V4CGQEAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNrTe +B/jgxz5vAPTQzxWCIpThmtbv8y7Aykmwy6A7oJUaoI2fnlXj00SFbLhhwHYI/vj0 +nXTH7RqwNKG62QJWCyKdtUsI1IcItkAx+hXOrW2Is1JY+WKe8CTFtlGk27x6hjKE +6w181a8QU+2KO6fdu6MKHE4k8QAzjSgbxx3IHSw+DMbOuePQc9KZCGHZTWdcrqer +7mr9Q+9hjTqIm89V6DG2forCoLaFS5CYBdouxMjLegKNL2ozwYuA6jTpwaVrurNe +z1w+38Q+9olH8suCM0VbFWFM9/BIC1Q/SohjE80FT9nThAfwqFTy6JdzaMjbcKKM +Rtsf+uz4nyU8KGfptA48yEHCwJUEEwECACgFAk3KySMCGwMFCQlmAYAGCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhq +KhH0jTY9MQgAo1nJFw25PSHDJKFfF91qIcO6y3eX3Gaag2DYu8nAMg7otmcZZjC5 +mn3r9l7jx/9A0zn4Ld112e2QsUk7VYI+ywiyhnXszPh8iRoLapyFUJUDpuW3cjhk +vBS//9qUXM++vxdzw1RaVEaMYIqD0jG/HYSIMvhMo5GLG8SeVoLDybEBK3s8S7ya +YahbgQQ0xDrArtNaWWWAE4UXpMCz7cf6MhZS7lfOfcgrrTMXNX5MWubpu5OcA42o +yR0aE3//OuAgmuQNcZ1RoRGMqGqKgjMyXXQ0f/3TrctdY9fLRqUkB8ZEj2d/4KN+ +gyPyYalMjPaWXeHmwBwE0VkEWHP7S7YJZM0hRGF2aWQgR291bGV0IDxkZ291bGV0 +QHJpc2V1cC5uZXQ+wsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA +FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmJO2/kFCRZlRlYACgkQQuhqKhH0jTYV +Owf/c5KA0BLCJ8V+zFTkQLSEKD/RfCkuRdC1fpNH2fuXZ6W1BKBRxFmVi4+lD+ij 
+4BbNTkWhifAGE+Xe4llnTRZZMlV+7A0/m98jsjS1P9QoLj+VwkEbNQ6k9ZoZM+rf +qHut3uTYp699rlE2HWsjQLjMgNyKfbipi+x9ZF2mVG1fbco43YiHFSL3S5WBn7vO +iHCkXNgmHpA8grJE2ecUEZWFWKqz3SJADCkMKoulOFhLtDPeWh5bJBfqBD5tyrzX +R1u/zz1AXo0fP1QF1dRWQCcrvfnLoP7PsECUUM1TuBw/yyE35/1Z0nyR81f9Bab3 +t3cH1e6wEdZfzeMIEiTQoz4qusLAlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJgb3a9BQkUheEWAAoJEELo +aioR9I02gugH/2+Zunp8kHXoaAFtOP9yWyhxO6Ei5IQfFE/tq371rWlVe2Jg8vSB +2IIqWr6+wmCQmfT0fT+zkHKEGlIl51Q9uwvux8ADoXheFt3DeCqCE99OQpbGaEo+ +j6NRfipCQUN7SWHZgLefph8qLZhTIdvfrXt0m+w/fZ/rpOZnxJL6JJKpEaJeI1/Z +Onf7Hulep5S85La4ElHh34n0QtceciCQUbprv6D7/KWfHz6CELIPbF86mM7Ff+Es +Ki3f6c0+oIA9cnp3D9ij/Qg16GFB0NwJ1tJykMXfFRGxoKMWQK4lJEUbn9hvshNa +4ALRPs3GtnsYvM/tzbVW7Grfm7ayti8pVRnCwJQEEwEIAD4CGwMFCwkIBwMFFQoJ +CAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJEsGS +KwAKCRBC6GoqEfSNNpRpB/48OeRBe9C5nscmwZKo+dbsj61+njkQj1A5vSKTadez +V5h5hX5lpm2hiUryklFAoTGZ49HltYpZGrzDyvL3RPT7BnCiK6uCYnqzyemk+1J4 +ZZ1rUALqjV+8KHtgS72bjBjGPDKK3d/+KK/FLg/iLkKl+5U8t9gk79aXT7xzSzb+ +PfSVi4VOpDi8gmIAcd+agvw5dUK/vI7gpXOgs91CfwbB/C3FJluFprxa8RsAurUw +qUfDbz8PkpTYbMzv84fm2j5H/2mQ+xcm19swG0/BaiWT1EBR91Q74xm4/0W3CJi9 +2tJKPXwRI1ZDfMH4iujLr5Yex22fmFFuF9Y7at1lbG1UwsCUBBMBCAA+AhsDBQsJ +CAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlzJ +2scFCRDgRSAACgkQQuhqKhH0jTbxLggAmCQx2GentBz6PWZkRj48Y+KfVfr3SAxP +q8nCsdzwHHRM+vjxD+iAo9FbGojVRs9nfLSjmhDyEwfI3f9ypLZaIPBiAwdLzDol +4U0EdyVU7fgfVglSUwPJz+eNhvvUiJp/9u/s4hM0TE/LNtA/uNcKoaqAWQIPiEsd +2FebX8RVqs+pH/0TQO8RYv3R48wCQOOsj7kvkq/3s5ceA9SaZ7vsJ9ooiZhvbkk0 +INsdJWtQcJTYoiBE0DOYhkBX78u07Z1Zk5RUr+4LzI/FpQtlGLyeJ9eFOiyhk7nx +0dzPxZnKWoWLTzse1p/5hf0WQ9OTMdt50ru1RxmnruQgkK+MdGwQ+8LAlAQTAQgA +PgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJa6J+OBQkO/wnqAAoJEELoaioR9I02KJwH/j7WC8qbiWW0lm/QmGtj1seZ +VeEkoEf3hYsyYi+sGq/rp3AkeOI+gr/P1G8Is1pTRuhzqLfzzt+NjLGKiaD0Iurh +5KkToSjwn+Y4aC7qRb4Fa3L3rvNixwNmpgJ/+F1Q7R+Ef+6kCEigICEW4xjYWJDl 
+61yCgnQdzMYwUOrI303hwWQb6aDRRkFp1J+V/D/pO9iA6deBwm0Lk2IinjeNuBDv +4LQN2Fc9GdvRi1cG2xSjpk6q0Xo00Lz6PIwZr645x8LQqnQI4vyBdrJllTght5+z +eY8VPgOtQ3K5UY8QuvQWZKY5bFc+PjRrajHFWYV8Mu9+KZMYSQBbanmSLU7F28TC +wJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNsGPB/906Acyx+JhbcYf +cD/y1tvVB77LWf3MPn2JChTvkk8hL2keKdDPdPmkSOuJww3/cE5Sm8c/fBUudAXJ +Tt8pIJGc5vygFjlUbuO4PjtFNSOf7rkNdHTRyFrfAqFc4hF1aN0Ej1mSQSIV1VJJ +mpGQrQJfrBswUG8va2PqLWxIFy0z+Bo1uWwPPBveES9dIiqJKUsmM+aVyN+6wDuU +RBmNYPFdUfWRIpgRepgFotSMqokrSh5pPDHwjKDcnkDcSGQRmQl0C+6fEwjGjwwj +zDOPjvldfNH817FnHotovAY/TrezMAPQbyjh1dJJbR3/mUj82g2VZKR9YuUHo24/ +B9Udi+vkwsCUBBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJXMO5B +BQkLR1iWACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZP/gf+ORBE +lFFMYSbbxHIS6NP+AcHqQaPRFTJ5Eths+FAdTh2XVgy8YWZxUC5/pwQzLtEWkxcA +1Ppw4sWCLh+pKQUDj4x6W+ET4U4Ysoar0jpNYslgkJvpwWwkhHDGVNeRE/EYbEHj +Yyb1ej7FDYkioqw8KI/UykGom5KHE0GnYPfaXyhia1FPVvXN+iSRjCDiIR+bARNW +R1RHjRqpPKmGa0J4eKsgOfEa2BIghdnfWgUKBWSMDD6S0t3xoUsDQnibVIRTjBi6 +Pygeuizbi2+n7AzinFNdvWQ8o6cDOFl8tpJ+HrIs2Uan4DPImjMg0ibsZ9eWgoj6 +8sRxPidaR9EiOT5g8cLAlAQTAQgAJwUCUhFFVwIbAwUJCWYBgAULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgAAhCRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02 +MJQH/iLM7BLfXDeG41XOumR37ungugUzqmwLoN6jpKCUo68+qjP9hQdM/Uc8g15N +b2BFQrRzXRg5peOkXgPLIwoxy7j0auoqnjdXr7vpQPq1FzSslv9Cf9sjG7hTbbY+ +EXHrwZWFn2LoN1+OdtrKJdgm0+0k4VyRkQxRgPCdre9dvq9oqPKQ2pf271115s8D +wEvRmosAS/Z3uqinVsuEZjw1pU3u0fVKmqGZ9AuWg03arnFrJM+W5d9cc/6XxQNp +OEza9/CaudJ2ygy/MeujboglwIDO7sviNdJ4836qVXV66VLqt5zpQ3I3Fbjr7B/s +BOl3K3TEftMvlLmxIfj/CkHA/bvNJURhdmlkIEdvdWxldCA8ZGdvdWxldEB0b3Jw +cm9qZWN0Lm9yZz7CwJQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AW +IQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6GoqEfSNNkWd +CACRF1LvZ24YvmFLLvM46Z0gPNVagtrjTRDLx/GkV0LnlOVCrcdW3cf/e5SEYuRP +Oz5rpEPlWMVAjjP5wkERxFgPBSRxAm/lKkPC63J2Qa5qDp75cJa2vcF5iQsVecG3 +8NzgrXlTNfpTOjas1jQKjOgh8do/6k96T2diMhYWGQvAehbkLPhrL69mVTywqrtY 
+UPXQJGP9BxPtHI+uO2umeJJyJbPitqVb3m+dofJFUeE8f6xO7ZHvrkvnbWpyfKm0 +QTzHz5aLjv/YSvxtSoVAxqRsuKsU5u6KA4xI3I8HZ+YPrCBeiXfwvME5WAwa0qKv +N6HDIrbBw66J19JUUQ+WvkfHwsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEA +Ah4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmBvdr4FCRSF4RYACgkQQuhq +KhH0jTZSsggAw0Lw9DaQ85h//Hb5pPOrMg0ktSXxhMRj7d2zlwsg1OD2ezlAnkIV +GcDoe7ok6r+zoBu7isG+WJ53C7i7T8mTQxNMJDmbzGdXMm7ZzmL5cj00EhBili7U +jpsMR/4D0NCcFez67CHe3WEl5DqNNgZFmfzD4kiLGRtptIz/hHjndeDjUHSjIPYA +0+Dg8ri4plkPDg+cT3IvP3NivgwDDhfst+ExLITCPBQh+ucVv2Z5dkNzKBmdkb1J +shi20zi74ii+w3XC7xHzk2RRmu3VMzO1QbHaEXhDvjf94vsGwPe/wLmGH5fI5D0x +ypQ954GsfS3lsbV+RomHS8964oLV8VaGp8LAlAQTAQgAPgIbAwULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJeqyfOBQkSwZIr +AAoJEELoaioR9I02mWcIAKD/d3KKK6Tlnw3ezvreOw5/Z91WtyA/z72N6yByUj76 +wyw85gZb6FpXS+Igek/zQ0ARXM6keKRCng8UpvbRbPm7in9en5KSWeXEVRc33Xva +TuxCihHZZdr5osJDkLgDq5iKKfAHW6l6ToXT6SfaFUx3F30/DvIoiskP5Mjf8jga +DPW5ePgDe9McNUeeu/T5afxVebATxRYbGaiBgOmhL0azJV/g2ytx6vHrXjOxyYsZ +lXvj8WSUVG9E1tKRmNkO+vezXjitEYRT8vv5RH8rYpzJ1ZSfoHArXzIv1oeJCtrA +ztGclXvNk7FrBN6CMGJrDeWJI3ioW49ORkxKtrW57SvCwJQEEwEIAD4CGwMFCwkI +BwMFFQoJCAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXMna +xwUJEOBFIAAKCRBC6GoqEfSNNuDdCAC1xCEFnjFOYrQTZYAwJECie7Ra/QSx9bmj +LD9eZt4QGayDdxHkYCLgxkzo/OErmlkq8weKqG+MjR7/l/2y7cVca6C2zYcrvszC +ynX5iNxJSxkAYcLxSkk6Kv1AbPty3nwN3WcCFhazK6S2hheZzEscWjfBlVGzEFXb +LcgkRpaiJgqcW7X6n3wMYg2DyGsPMkcHDN0tz6yQiOqq/bBKM6GshMA3/V+pYz+E +EeApE53/Nsofr5T249vf6Wd3t5MzOJB9D09G1iIQ7lfUBVS+E26dGSOH9cMkiZRy +FMOTGgDxjw2AjLQLltoEIAMPq8HKy/SaXWsZ10u68QsOx0yRuZCOwsCUBBMBCAA+ +AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0 +jTYFAlron44FCQ7/CeoACgkQQuhqKhH0jTZBYggAmcHPO+w13XMMs3vr2cpW3hM2 +seRXfPlI6PfQk0/VQjCsakvCP1c95agL5DUmIK/KDdXImOYQSnkjXCffMt7PKf4i +X7NOizsOfbmnxIgIO6dOcJs9Jsa2KCUZLr+aP4so1P3PpNPMmQsNeKCeksY/fj7O +F2wfNpZCVdU8K4swtdbIjjT3v/7LBwUsufGu3WNE66vnMowD/Qkn6IMR6m6gYPly +S/pjGh7uLnf+Le3YL5eQyzlY1Bqo2uuR+nWrqerNRb+RSNf0Ipuo+dUnqf+WC3pd 
+t9K7pNFsV++5p7aXD8WUlRvFfNNAzWEtNUGSIjgMDG+QXlE1XQF4OPFm1swRMcLA +lAQTAQgAJwIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAUCWQdlJAUJDR3PgQAh +CRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02isoIAMgZORLPCB6AG8AQ +6IHeSPYkyeb+zUjLZpLusbwRbuouzaQgt8TXj5CQQTonHGe/n77xBYa6dywOGyVx +LPDpywGal+fWbqj/rDPzBtWaRr9h6qhLkV9I7r1rT177y/PVhJuGKOBBs/FXgagh +bCaAHXaUETKcQnqb5LBrcuWSe+B5IXueFLVUQgA+zM2y4vVEV+7ltnKGauMVHC0k +6r/bxZAGcTcRjUsPdIgRSLLxPFyWS8EbFF5KjyoDIO1Ib+gJM61TKRVT3gJnvjyt +OB4yJWB3ePKk2GjHvKtrhro5U5ge6i+ldbiZh3swTy127ycngiADu+orYFK12awI +CxD1UjrCwJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlcw7kEF +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNux4CACDqeH/ +YxTWSqmb1PjfF4CYtjqx7ObCb6AsSR9RcJ3Fp0DREpsto+MsOiOAD5benHnbud+c +MUrJNdozDHzByEn/jmETRVsbqWUp9eK5/3vtDkei6hFM9nmc5vYPJ9PSzCK4+rmf +m4HQOCtj2tLxgZLGZ9DSlxUV33UbB3xr5WilPuJ6D3tiOJKwJdHdwHXjfFGG96Gn +ILpkOroyiUA0gQbRbFOjgqxB/h0vX/qlvmsvM9L/XTXPz+rrnUg6UuP46S40lvWz +Lj0Zrs2ixDhoqYo5WG57n747D12vRD/UCKxLql6/d9IfvevmbBKKrprVICoSt1lE +ocXwE8DnquN5w5f9wsCUBBMBCAAnBQJTCejfAhsDBQkJZgGABQsJCAcDBRUKCQgL +BRYDAgEAAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTb1 +lwf+NXiMBqn6XydizQnNy2lO+bMVr4HhwsDznqcV9HHBzUnCtnR3kAVqD+tC5DKD +zimCtqhvys8xPNjzWIl0xzhNMHlls2D9lkACDQU4oywOm8tE05IXrF1Q6Zlf3PdJ +C+jhO4EGrTehHYoTZPwC6RQYZtTCl4UqPMxO2aSEU4R99BAw4mKpRTEGKXIZJBDJ +6kXWbg0ahx0DKFg0EB37z8NvJnN2cbI+5kdmt8ZRiqZg7W0GsY31a1W4EchX7K2g +P/ZN/VNBjGyJ01IdhxEUzM84XF82KWGKsfHH3diqxDZiQZH08kf3HJS8PHN8OnUd +v/uLEeg3uLyQUUTrRXhoZSrZgs7BTQRSL5QtARAAtVN7/CeTT7uJsUzQf/2a+fq1 +IVQWN3JPTZjDNQeSB/V8W0R83QH32awj1uvSljCtCKbtTrDj0foz+CBRHe4aJgm2 +iAzMxKY1SxJ+SBTVyAYVQ+orzIvzqi2URzAfTII/mmvFdZEuS67hkbHXFnTLlXj9 +m3SdWRpCIQlwLCFERvMdr+sPQ07HcUDpoASPgo6P2cJgidaxBgfasUTvru3dxeid +jRbv5defzcdsBqk1eAZ/G/YFOQUiGig60/G2SOlBR7HVmD/iVkSun6j18vPKpqr0 +VJ3sHGUO+KhJrc35QQ7C0ezYtOg6fhaO8PzOcMovnk/P0DGkl1Y3uG4d+h3IDVBA +1fTaX/joVSBVtddLiNkOwgKxw6OH+jjq/irXl6X/0LqNW/FdgK23fEsA0mv4vrUR +0ulDtsPagk3np7DgS5J/v+npGARoeLoj5QjyK4+/1RjMXq+DYW3piADJLW55xH4y 
+6M+OYpu9svQ60vr2Ae+3pNL7q/mppdixc/isXbOsjtoGSb5QUUOXbzhDWX960Jby +jZUn9Iao+eZRV11tMbMI4pWuL8JEWj8qpcnIyJhYi2hSf7TVq/Zw+PvEXkEAnpq3 +EMyN4Su9I1ZWoxyTiwZVMdOn6TEnkdfxB9aTd5vYvR9L+t5SpmXLBMXQygbg9xR1 +Gbh5EHVlhAobb0uSkYsAEQEAAcLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULo +aioR9I02BQJiTtxDBQkSAHuWAAoJEELoaioR9I024lwH/1UtASIiEoZKhuVkv55b +jo3w422w3wwJTC5kooG1TOWmtHOo/JJ1rFxcIpkY6ftnC+p6YhEbxxk/3XAZtUNR +sJ9Zqemhp331AGq/44g/OYAZkQiNyNhjftj6JafvgU1Zauzi7w0xqhLMKBMDV09v +cbPeo+axUj7cvibHxYUUC2RWqkBxegXpa+Cq4YKpEEbXh510mwK11sUyxcPxsrkZ +hr97KdgY8RedpPDAxnQBGU7dIMDc3xVIX1uXXZpY+SyJb7QAMGTW+9jDPwDUeUYa +nV+eRwLotrkvSgKJ9GQ2F3Am0axV8iqob7unvbKYTtQcIR2P9X52sT0Pytt44W2K +xH3CwHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG922wUJECEW +LgAKCRBC6GoqEfSNNir6CAC70rZbHWguzP4O7paEaS18CNJ6fDyvoq96j3sh/oYN +WE5l3tFPqTtKYwgn33bMoArNgV8i0zdNXem36VIGh2A/fLwvg8aneY+XAvt500QL +IqHWp8WalE5RkaHrnYhHuTTzwztuus/lSQPQnl72W9HMoZJ7mvUtk9VMbybD56Fx +mo5zru4kMJ0Qk3fYYUYk9hge5im3Sk8SeX3UnmJsmZpt7xj6eFvAuO2CoSJb53e1 +LV+exrV9A+cM83T2I20/Zk1A5rX6WaehttHG6sTVpgg+JMKj0HeOYrooPB803WH4 +RM04wziYFvCmDtPF5qmOvErqZtjaYa9wskkoXUAsgwGRwsB8BBgBCAAmAhsMFiEE +t0QX7d8irJ+ekPSRQuhqKhH0jTYFAl6rJ9kFCQ5cxywACgkQQuhqKhH0jTYAbggA +irnoh4NbeEgSwEIrFJ+lAOcA3KXya5MHnq47Y3L0Ezc/wz19NbMYsEYWn3x26w+R +p4VVd2KiARJN19Lf/AZ0pS05nVuTPPIsqBgS/sczO5NyCpPAlcrkNq9nOi4TEeF6 +X+4BWTcRGKSRKEEwumqfppGMkYmVwhvq5xktMTi1HOQkdiGeZ0KV3BKkRIOZJkrq +vhZiyKEW4PMylC2ByWsWMK5NAI2ljRxp1eUcJb5DTqld7fl4iZkjP1UGe3X6qoXt +CkGtnXy+SdlwIpqL0Ianen8frjwNsO3H4hFZJE17AfEFvINoeDHGpsDJSitS5KsT ++6P4Y3nuClPSpsEPEDSlLMLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJdWqePBQkNDEbiAAoJEELoaioR9I023UUH/RYw9CZga6hljJHBaAac+sOM +M4FfKkVHmokwYvd4Po2mRFy4wLkfgAp2pv2Z5lb9gILpiy9ORLscdBaQAa+xlbK6 +SUC/XaIEN8LqRP13noQGWQbqZ61hP5wludNi4tpfqM0Oj/GLDw5EE7gGDb10TmpP +MLwc4yun73Hgq8f9FerNZdkA8zvIrD3Bd09PDrm/oAt9KxGCHoVHxFp75An5LDs7 +fY6HZaSru9CoFqjYrOEDSqt/lSm6ZsOsqYbvaesG9zBnuINoY6lOTP9jWtURrGwq +gucakBg7Fg+tln1QyjzG1u7pLacDBGPqgAZCdz2OduL6G0tvpBEgq0ppg9DnqcHC 
+wHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXVg00QUJDQnUJAAK +CRBC6GoqEfSNNsHrB/9h7uqHGB07U9lX6V64iKFQbNjarWJKPyRZ8hbh3/Enh3QF +zmqZOgHfRU0nD4WLlaQT95tRyAvc6E54q8ALZqePPfDzJxxPd6/ywJ4+oojOjibN +MbO9mpLbMeSYgmnC98YQaGJ2MxPepBOpOLkwtFH07b/SU/QzK2/T+astNr62Wgvy +LbZ8wQZRmwfL2YF6xB5HptVD/+Xg8iSF5qHRAmqrk0ORqcf6NO+3JqSQ/okN67I1 +HVktxEAymaTDUp7Pi/b1WSPpBQL1WCheWdAkkruO3rGadqNON1Cq8mBPLlIR6Alo +7W3vl1QQ+EyxHH5EgENvqEgb3XGIdp2woXDmCZgBwsB8BBgBCAAmAhsMFiEEt0QX +7d8irJ+ekPSRQuhqKhH0jTYFAlt24EEFCQsof5QACgkQQuhqKhH0jTaMMAf/TFUG +cMSDu5a1ytd+5pjSGkEn3QxcwiNXv4s7L1VkCbcwqKejYXWFrnaFkzXROuY97LmL +ejRxnV/v+YKtJLxCrdG5bwr9zgqXUFvyOfKfC5Iy44dZGmrnUuT0jpSlA44VvXcN +LEFpEx56BUVhsZFUIuuWeyFELryLe4FSHH0S4VdNICMl/PUI5B+cIDC8NrGv5DYC +cy/OyOvkUqkxW09FSTv0tVUDVydDeWzan4STcnGf7IxiGkb+1XiDKqRSZrjp57RH +CIF8SpbBUxRsRXQc8zKZ8TP74xzXYVT1tLM60H4DqhvFxL4aZqYwSuMeOClNAoh9 +pBEm3t5EcZau6pAo1sLAfAQYAQgADwIbDAUCWYiUYwUJCToztgAhCRBC6GoqEfSN +NhYhBLdEF+3fIqyfnpD0kULoaioR9I02Kw4H/2DsLDtA7Gwfr9bKE6jDzfYKqnPt +97s8X+cKUYa2HIyAMA4tPAjbi2De3/ZSAOBYXNfe49qpmTvg+DNj+dGVKI0lLj/n +/ngK87SDTVAPi3zOPDOmnOs3J3fQj5f6fMOoqYRR7p3BNa7GcDiq/bJ1nkyMh0o+ +N50LzNMevq0KbVAQAXtYOYMWkS49lnT1gV9ZFITSiDAUK8S8vani84mcVxxrjwhc +d+Oy+k4rdnTGpZTayQOXZUS9u6AkSgUlNl6nyR6Vkn+AUi2E3SLUm6XE+aQKlBUq +jZlGSPWuQPQCeduGrdk0OvHuUt9ANhdEhopZLZuMKemOL1fjquaasp4IhGbCwHwE +GAEIAA8CGwwFAle4becFCQdqDTMAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC +6GoqEfSNNmBiB/wOjADNaQrDal06MfWPm2QZNAzytpAi2o48ZRBVueVsjpjMTGJH +I5pPQNjBClQptcaCuoBYubzKB4Ud9bOFqF2cs6Fb61RI9SguKU61LNF0wFAfFIDL +78vvlLWTfWk3sUyTSCz5Ll7Awi1L1P1tbTYrkF+WNCRAvUyUMGWXVfttSFTlWLV8 +LydP3+P1FYSllcRDowvU08hed6AajJfC2b7ECe9LW6IPJ3nLMihimQ3QffbJPmIl +KHm44PhZkEcDoNtk35bvUascINZOwFVLE5TtPmOJfSIgltO7Eip8IluZyhVFL5E/ +WmWGlB10JhHaZtleSgH0N+JWeKvllA450AwHwsB8BBgBCAAPAhsMBQJV8q6rBQkF +pE3sACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZRKgf+PhNUR0er ++HWhlya6pUJISzPQvlUKCBksilDE9xNlH7sN+xxUT1l1Ktc8BrlCE8mJna6DTu1F +S5BWcIZp/2zU7R5ndVqqZa537X3wXZbIBOddCWYTI1WsC762Ihk9BcJhTVKizrPU 
+b4rdYQk4REao8hVL93K+k815e5sobg6YkL+q7ctTK0SO/8hiVWqw4nWDV6brXAEZ +F63cLc5RLlhtjgqPk32m1zcva0blLi9d6/BrJEjjJCL8EYZhS3zX6zZ89hNvt2zv +5+QjwdmxRIT02e2YlLCIwAIJfAuGq6vZdk9xr07nAexTZ4OMZUPudzxXda8qKgdE +7JA38ftiLarCwsLAfAQYAQgADwIbDAUCVBDTxAUJA8JzDAAhCRBC6GoqEfSNNhYh +BLdEF+3fIqyfnpD0kULoaioR9I02CdkH/RfqMPmyHREzTe+YZQfell4+cDHGdrOP +kBYeDV6PDkG2ykuVlrBpT/MVO3MPm+UQ3z3QnlQ8PPArfcypvin8D+wZwKEyDuOc +1i7oiVCZPu6FcA5D29mTINp7ftw9KmR2IfxwPd0afGUM8rUE3gKdVnCzniIS8tpQ +0LxkK+Vxaa3lvQcGogvMiJUAHcb7hR25/nNjzAtZPm0swq5fED+1IFyUYjN4bGZc +33N/UtiTNbems2C0474nXHkexNJUN/Ra533OGZwetlcOlWNEqxJSysIS5ZfDh3dD +RpKjqG2RAAMS2lJEVRfKhbPO1fa2eJVVpLJYexeZh+Fl5TfFmqx6BhvCwHwEGAEI +AA8FAlIvlC0CGwwFCQHhM4AAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNlpRCAC4i/XcrcoBB0hVIPAu7E29n3m29jEvMg+06RulbLDI2D9zyt9kKBCZ +dcjzYVMzUxEDTbpcfiYls23/bDhR32JyFaSvs18Sb9F6AmwJy0TOaeoPToIsQN3r +uTbUdSIJzsusjrafWS4gKQRhP4AmRXWQzXU0XmVy8cOfur3HcRH1frkOKS+d1EMu +chpI5F39TsH3/RTg31gEBB+xtwAbTbwz5tWYBQvq4N8uItNDiStY6j1Ncl54/l+0 +1TeiArIjryi8g5nr46uGYbC/YGn2ACx5VwpvEOuO0mCf+cwQPj5S5Ra30mNGT915 +4b2lP+U/hRBR8ex6Khur6wN5T8mww6jdzsNNBE3K2S4QEADWHqS7zXq3mbnK6VRS +AtAYQkQWSuPqrlXWZNFMdxVi4Lglj4T+UQXsbCn9rsgISlRWCdxmDOJ7eOjj1zo2 +OA0UPnenZOXOB2n8LvhzrIPp9jq7x10qDTDcakXIjvfYqWco6VawbmLjwP25rDJx +u1uoZRQNeCCxQp6aDBrq7AmWrUwd0WfZ5eGOKUrZkg4Sk1EayExwhAz/1Hwvieyz +neWfdRDYzikgLZCxUcL6O6PKHSXg8qQFnd6Br+aJv34FaE9QOzNx1fev3SDDS/Hj +47twkZKu8u0B/pViDvwLcYEieVbHrGwlehvqLAn7jEe+uc+oDpJiMNZDDVW7LWF/ +PoQ5qTxQFeoU9DuQZxSGna1zGcHO4MJCBf5ENiRlhirncWEGsEAQXoGqvP4Gn3hz +7CSjk4eanQjyisrlA5aM0w1eIxVOJxsIjNFV8ewf081aLCqjxD8n5XdY5mnHj/g3 +CNXQ5JEa4mB3WUqXLXC8at9IVxPNpRX5oTT5GtkKGNgPVTqveDcgNc82DBFbxmju +PfkDtyvoHOq1Lu8PGxRN+/l2xhZKoL62qux69GYNQmsLV6WSf9DryOk7ATbbWsHB +oD0DzmfylhFpGzTjlEmNV1uOfms4sCF58WoD7uRUwNs2kelnVcgKqVjTm/72855n +9S9SWSCeDEVw6BCjQp0/md8L1wAECw/8DqIYY8LEtZGEnBSauejVnv8WTM7F/QJD +cslXtj9ocQefxNSQq+EdgJUrUOITowwd/ZtthJlROckJwuAgqSguhv0tXD/iba6i +nAv7WByVTTXcOjAiTn3icz4HJVByDmECxmk6s1TvxD9UpbsaNSsmuK/RvkVL0IlL 
+jpNkJx6mlTlls1JcUsCUifmkwbDUeeps+u2mMVpbjDPCJWeMtv16ckrA0v/ooxeX +B9HgAnWCKXHoCGPII8EEQuKZ58KYaPez8kRTLPqxZC+jhU51R5aT3OluB8iyKdii +i8STKry1morREksjqzkewnycS8fyAAbq2k/LKYHgEjVtSPemAP7DIY60Vsl3Df0U +07j0h4c2BPUkV1fMC9Okmx8Oy5YpDlm9BOrB6I8XHy7ZDYpHDfHb0uIpjwX5J664 +/RtsBaFnb/0LRBr7MkGd4eSoHQwydWNNXakrtepOeOoNxBVmmxSly000wzxGS3xO +Pfuy4s5HEDScuITOzc5R3+oCwOl0pfji+zLnaHVQdiaRep+PAVlzuckyvvQTVa3o +ub65NlPQc7qanIHqE8aQ2Lgjiq2VQI/S0V5QhGn/pX2FP4Oxs4eU29nY/Hgq/j5u +ZOljrL7pp1hwgQtPkE8/EmUQ9oFTYhT+SxpikC9UalAo5IVSqci3662K9YB2sn89 +YTgmVVXCi1HCwHwEGAECAA8FAk3K2S4CGwwFCQlmAYAAIQkQQuhqKhH0jTYWIQS3 +RBft3yKsn56Q9JFC6GoqEfSNNp1pB/9OZoK4Zj8fi6Ruu7q0+tCOm9k3tvQ0FZsm +3QKPLhcilFy0QBabnZ71ih0AzKxPVoKrtHBENZ1hQ58B4lv+zE8LQf4F0gO9ybcD +vlwpTtAlX8il4kONIHeJQmJ1KHi3vKxIM3+i+Igdm5eDyTY2IFTMAjDshMWl0CJK +oPzwZYRZlXoogfrTWrMUPnvz7a7IUb0Kza2GQdq5fQXRiuAImSn9lY8GOLdiLovg +afIrzAaylpgDShiAV9qKm2BfJEpHm9AzuubNPY5tQX3hwlUE7I/DY/nY8LEra2kF +fMhrtPimujMIu32gmJvJe/nHS/z5d4YdUC4H/SDsYqPNRfpacaLP +=T3bO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tor.service b/tor.service new file mode 100644 index 0000000..d40972a --- /dev/null +++ b/tor.service 
@@ -0,0 +1,53 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+#User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor --hush
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor --hush
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=/run/tor
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug @clock @reboot @swap
+UMask=77
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.spec b/tor.spec
new file mode 100644
index 0000000..9fe8959
--- /dev/null
+++ b/tor.spec
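Review bot: The commented-out `#User=tor` line in tor.service carries no explanation, so the unit's privilege model is only implied: both `ExecStartPre=` and `ExecStart=` pass `--user tor`, so the daemon presumably starts as root and drops privileges itself, which would be why `CAP_SETUID CAP_SETGID` remain in `CapabilityBoundingSet=`. Replace the dead line with a comment such as `# Started as root; tor switches to the tor user itself (--user tor), so User= is intentionally unset`. With `User=` unset, `PermissionsStartOnly=yes` looks like it has nothing to act on and could probably be dropped, and `ReadOnlyDirectories=`/`ReadWriteDirectories=` are the legacy spellings of `ReadOnlyPaths=`/`ReadWritePaths=`.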
@@ -0,0 +1,172 @@ +# +# spec file for package tor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 Andreas Stieger +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define toruser %{name} +%define torgroup %{name} +%define home_dir %{_localstatedir}/lib/empty +Name: tor +Version: 0.4.8.17 +Release: 0 +Summary: Anonymizing overlay network for TCP (The onion router) +License: BSD-3-Clause +URL: https://www.torproject.org/ +Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz +# https://support.torproject.org/little-t-tor/verify-little-t-tor/ +Source2: tor.keyring +Source3: tor.service +Source4: tor.tmpfiles +Source5: defaults-torrc +Source6: tor-master.service +Source100: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum +Source101: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum.asc +Patch0: tor-0.2.5.x-logrotate.patch +Patch1: fix-test.patch +BuildRequires: openssl-devel >= 1.0.1 +BuildRequires: pkgconfig >= 0.9.0 +BuildRequires: pwdutils +BuildRequires: python3-base +BuildRequires: pkgconfig(libcap) +BuildRequires: pkgconfig(libevent) >= 2.0.10 +BuildRequires: pkgconfig(liblzma) +BuildRequires: pkgconfig(libseccomp) +BuildRequires: pkgconfig(libsystemd) +BuildRequires: pkgconfig(libzstd) +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(zlib) +Requires: logrotate +Requires(post): %fillup_prereq +Recommends: 
torsocks +Provides: group(%{torgroup}) +Provides: user(%{toruser}) +%systemd_ordering +BuildRequires: libscrypt-devel + +%description +Tor is a connection-based low-latency anonymous communication system. + +This package provides the "tor" program, which serves as both a client and +a relay node. Scripts will automatically create a "%{toruser}" user and +a "%{torgroup}" group, and set tor up to run as a daemon when the system +is rebooted. + +Applications connect to the local Tor proxy using the SOCKS +protocol. The tor client chooses a path through a set of relays, in +which each relay knows its predecessor and successor, but no +others. Traffic flowing down the circuit is unwrapped by a symmetric +key at each relay, which reveals the downstream relay. + +Warnings: Tor does no protocol cleaning. That means there is a danger +that application protocols and associated programs can be induced to +reveal information about the initiator. Tor depends on Privoxy or +similar protocol cleaners to solve this problem. This is alpha code, +and is even more likely than released code to have anonymity-spoiling +bugs. The present network is small -- this further reduces the +strength of the anonymity provided. Tor is not presently suitable +for high-stakes anonymity. 
+ +%prep +( cd $(dirname %{SOURCE0}) && echo "$(cat %{SOURCE100} | cut -d' ' -f1) tor-%{version}.tar.gz" | sha256sum --check ) +%autosetup -p1 + +%build +%configure \ + --disable-silent-rules \ + --with-tor-user=%{toruser} \ + --with-tor-group=%{torgroup} \ + --enable-systemd \ + --enable-lzma \ + --enable-zstd \ + --enable-unittests \ + --enable-gcc-warnings-advisory \ + --docdir=%{_docdir}/%{name} +%make_build + +%install +%make_install + +# missing dirs +install -d -m 700 \ + %{buildroot}%{_localstatedir}/lib/%{name} \ + %{buildroot}%{_localstatedir}/tmp/%{name} + +install -d -m 755 \ + %{buildroot}%{_localstatedir}/log/%{name} \ + %{buildroot}/%{_sbindir} + +install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service +install -m 644 -D %{SOURCE6} %{buildroot}/%{_unitdir}/%{name}-master.service +install -m 644 %{SOURCE5} %{buildroot}%{_datadir}/tor/defaults-torrc +install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +ln -s -f service %{buildroot}%{_sbindir}/rc%{name} +ln -s -f service %{buildroot}%{_sbindir}/rc%{name}-master + +# sample config files +install -p -m 644 -D src/config/torrc.{sample,minimal} %{buildroot}/%{_sysconfdir}/%{name} +install -p -m 644 src/config/torrc.minimal %{buildroot}/%{_sysconfdir}/%{name}/torrc + +# logrotate conf +sed -i -e "s|_tor|tor|g" contrib/operator-tools/tor.logrotate +install -D -m 644 contrib/operator-tools/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} + +%check +%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586 +%make_build check || ( + find -type f -name test-suite.log -print -exec cat {} + + exit 42 +) +%endif + +%pre +getent group %{torgroup} >/dev/null || groupadd -r %{torgroup} +getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/nologin -c "User for %{name}" %{toruser} +%service_add_pre tor.service tor-master.service + +%post +%fillup_only +%service_add_post tor.service tor-master.service 
+systemd-tmpfiles --create %{_tmpfilesdir}/tor.conf || : + +%preun +%service_del_preun tor.service tor-master.service + +%postun +%service_del_postun tor.service tor-master.service + +%files +%license LICENSE +%doc README* ChangeLog doc/HACKING doc/man/*.html +%{_mandir}/man*/* +%{_bindir}/* +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/geoip* +%{_datadir}/%{name}/defaults-torrc +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} +%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc +%config %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc.* +%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} +%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-master.service +%{_tmpfilesdir}/%{name}.conf +%{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-master + +%changelog diff --git a/tor.tmpfiles b/tor.tmpfiles new file mode 100644 index 0000000..adfce77 --- /dev/null +++ b/tor.tmpfiles @@ -0,0 +1 @@ +D /run/tor 0755 tor tor - -- 2.51.1 From 01a1f4be8424034945cad38a2b3ce6bd838ebe02d184247f024ad90b854b39ea Mon Sep 17 00:00:00 2001 
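Review bot: The `%prep` integrity check in tor.spec compares the tarball only with `%{SOURCE100}`, a checksum file shipped in the same source package, so it catches corruption but does not authenticate the tarball. Nothing in the visible spec verifies `%{SOURCE101}` (the detached signature over the checksum file) against the keys in `%{SOURCE2}`; unless the build service already does this at check-in, add a signature verification step ahead of the `sha256sum --check`, plus a `BuildRequires` for the GnuPG tool it uses. A comment above the check, for example `# Source101 signs Source100; Source100 pins the Source0 tarball`, would also make the trust chain explicit.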
From: Bernhard Wiedemann Date: Wed, 17 Sep 2025 06:22:36 +0000 Subject: [PATCH 5/6] 0.4.8.18 * important bug fix for onion service directory * use quantum-resistant MLKEM-768 cipher OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=285 --- .gitattributes | 23 + .gitignore | 1 + defaults-torrc | 11 + fix-test.patch | 21 + tor-0.2.5.x-logrotate.patch | 29 + tor-0.4.8.18.tar.gz | 3 + tor-0.4.8.18.tar.gz.sha256sum | 1 + tor-0.4.8.18.tar.gz.sha256sum.asc | 18 + tor-master.service | 16 + tor.changes | 3207 +++++++++++++++++++++++++++++ tor.keyring | 686 ++++++ tor.service | 53 + tor.spec | 172 ++ tor.tmpfiles | 1 + 14 files changed, 4242 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 defaults-torrc create mode 100644 fix-test.patch create mode 100644 tor-0.2.5.x-logrotate.patch create mode 100644 tor-0.4.8.18.tar.gz create mode 100644 tor-0.4.8.18.tar.gz.sha256sum create mode 100644 tor-0.4.8.18.tar.gz.sha256sum.asc create mode 100644 tor-master.service create mode 100644 tor.changes create mode 100644 tor.keyring create mode 100644 tor.service create mode 100644 tor.spec create mode 100644 tor.tmpfiles diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/defaults-torrc b/defaults-torrc
new file mode 100644
index 0000000..bf7923e
--- /dev/null
+++ b/defaults-torrc
@@ -0,0 +1,11 @@
+DataDirectory /var/lib/tor
+PidFile /var/run/tor/tor.pid
+Log notice syslog
+ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
+ControlSocketsGroupWritable 1
+SocksPort unix:/var/run/tor/socks WorldWritable
+SocksPort 9050
+
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+CookieAuthFile /var/run/tor/control.authcookie
diff --git a/fix-test.patch b/fix-test.patch
new file mode 100644
index 0000000..9eedcfd
--- /dev/null
+++ b/fix-test.patch
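Review bot: The local access model that defaults-torrc sets up is undocumented: `ControlSocket /var/run/tor/control GroupWritable` together with `CookieAuthFileGroupReadable 1` means any member of the owning group (presumably `tor`) can authenticate to the control socket, and `SocksPort unix:/var/run/tor/socks WorldWritable` opens the SOCKS socket to every local user. Add comments above those lines, for example `# Members of the tor group can fully control this daemon via the control socket` and `# Any local user may use the SOCKS socket`. `ControlSocketsGroupWritable 1` appears to duplicate the `GroupWritable` flag already given on the `ControlSocket` line; confirm that and keep only one.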
@@ -0,0 +1,21 @@ +commit 0384f5b3efbb041e2bc0080a6b6259e1b96815af +Author: Bernhard M. Wiedemann +Date: Wed Aug 21 11:36:05 2019 +0200 + + Workaround a LTO-induced test-failure + + https://bugzilla.opensuse.org/show_bug.cgi?id=1146548#c3 + +diff --git a/src/test/bt_test.py b/src/test/bt_test.py +index f9ca79efd..07026164a 100755 +--- a/src/test/bt_test.py ++++ b/src/test/bt_test.py +@@ -30,7 +30,7 @@ def matches(lines, funcs): + else: + return True + +-FUNCNAMES = "crash oh_what a_tangled_web we_weave main".split() ++FUNCNAMES = "oh_what a_tangled_web we_weave main".split() + + LINES = sys.stdin.readlines() + diff --git a/tor-0.2.5.x-logrotate.patch b/tor-0.2.5.x-logrotate.patch new file mode 100644 index 0000000..c08d015 --- /dev/null +++ b/tor-0.2.5.x-logrotate.patch @@ -0,0 +1,29 @@ +From: Andreas Stieger +Subject: openSUSE specific logrotate fixes +Date: Sun, 18 May 2014 00:10:32 +0100 +Upstream: no +References: + +* add su to logrotate config to fix W: suse-logrotate-user-writable-log-dir +* use "service tor" instead of "/etc/init.d/tor" to reload after logrotate + to fix logrotate on systemd-only setups without init script (by seife) + +--- + contrib/operator-tools/tor.logrotate.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in +=================================================================== +--- tor-0.2.5.10.orig/contrib/operator-tools/tor.logrotate.in 2014-06-27 22:45:19.000000000 +0100 ++++ tor-0.2.5.10/contrib/operator-tools/tor.logrotate.in 2014-10-24 20:22:54.000000000 +0100 +@@ -7,8 +7,9 @@ + notifempty + # you may need to change the username/groupname below + create 0640 _tor _tor ++ su _tor _tor + sharedscripts + postrotate +- /etc/init.d/tor reload > /dev/null ++ /usr/bin/systemctl try-reload-or-restart tor + endscript + } diff --git a/tor-0.4.8.18.tar.gz b/tor-0.4.8.18.tar.gz new file mode 100644 index 0000000..002dde1 --- /dev/null +++ b/tor-0.4.8.18.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4aea6c109d4eff4ea2bafb905a7e6b0a965d14fe856214b02fcd9046b4d93af8 +size 10139317 diff --git a/tor-0.4.8.18.tar.gz.sha256sum b/tor-0.4.8.18.tar.gz.sha256sum new file mode 100644 index 0000000..d087a3a --- /dev/null +++ b/tor-0.4.8.18.tar.gz.sha256sum @@ -0,0 +1 @@ +4aea6c109d4eff4ea2bafb905a7e6b0a965d14fe856214b02fcd9046b4d93af8 tor-0.4.8.18.tar.gz diff --git a/tor-0.4.8.18.tar.gz.sha256sum.asc b/tor-0.4.8.18.tar.gz.sha256sum.asc new file mode 100644 index 0000000..62cd811 --- /dev/null +++ b/tor-0.4.8.18.tar.gz.sha256sum.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmjJhoIACgkQQuhqKhH0 +jTbmFwf/bm1hykDFLO7QgqL8nMd1Zri0LlTzWUhdFzi8XY6QFb/X0qth+nI3IZnx +A6zQkqGgOyJPK871QJDvSttQSbNqqEL4Ks3R5ImTtrlkLJitAbYuenVuXs5Ul+x6 +SlfBEAYfe/1OgDnZSe13bAiL+1hJNMxyh8vpu4fcLbQxTZk+dCobjC7V6TlzBvsJ +dMLEQs+Fa+nZx5aol8Asahx7CcPSZdhyTIrxaW7fzQWrOSv4Dnc3EF+XwXDPN2+L +s23/W/gFod2eacyZQbDaxrQT8r0Q9FraNlrl/DDIk9V5ZP8B1bi1sO40oVIVz0fv +jcck9GPY05lM8qJ9kThHaDn7bfjgiw== +=tx5R +-----END PGP SIGNATURE----- +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQRRQQJFTQqH2wdnoeu+agUxwYqReQUCaMmHfgAKCRC+agUxwYqR +eZgcAP9bh1iYOvgWRfl4MT1rWM2IwEm6eAj2I1/ONK0onQhNjgEA0F45K7P8Q98q +Omptk4nxTslHZ75z01TVdFv7rvVdLgo= +=41Rz +-----END PGP SIGNATURE----- diff --git a/tor-master.service b/tor-master.service new file mode 100644 index 0000000..1426f4f --- /dev/null +++ b/tor-master.service @@ -0,0 +1,16 @@ +# Use tor-master.service to restart/reload/stop the main tor.service and +# all instances of tor@.service that are running. +# +# systemd targets cannot be reloaded so this is a service instead. + +[Unit] +Description=Anonymizing overlay network for TCP (multi-instance master) + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true +ExecReload=/bin/true + +[Install] +WantedBy=multi-user.target diff --git a/tor.changes b/tor.changes new file mode 100644 index 0000000..02d82e8 
--- /dev/null +++ b/tor.changes 
@@ -0,0 +1,3207 @@ +------------------------------------------------------------------- +Wed Sep 17 06:19:42 UTC 2025 - Bernhard Wiedemann + +- 0.4.8.18 + * important bug fix for onion service directory + +------------------------------------------------------------------- +Tue Jul 1 03:12:54 UTC 2025 - Bernhard Wiedemann + +- 0.4.8.17 + * Minor features and bugfixes + * use quantum-resistant MLKEM-768 cipher + +------------------------------------------------------------------- +Mon Apr 21 16:20:45 UTC 2025 - Andreas Stieger + +- tor 0.4.8.16 + * fix typo in a directory authority rule file + * fix a sandbox issue for bandwidth authority and a conflux issue + on the control port + * client fix about relay flag usage + +------------------------------------------------------------------- +Wed Feb 5 18:26:41 UTC 2025 - Bernhard Wiedemann + +- tor 0.4.8.14 + * bugfix for onion service directory cache + * test-network now unconditionally includes IPv6 + * Regenerate fallback directories 2025-02-05 + * Update the geoip files to 2025-02-05 + * Fix a pointer free + +------------------------------------------------------------------- +Fri Dec 27 21:55:57 UTC 2024 - Andreas Stieger + +- tor 0.4.8.13 + * Conflux related client circuit building performance bugfix + * Fix minor memory leaks + * Add STATUS TYPE=version handler for Pluggable Transport + +------------------------------------------------------------------- +Tue Jun 11 10:05:46 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.12 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Thu Apr 11 06:50:01 UTC 2024 - Bernhard Wiedemann + +- tor 0.4.8.11 + * Minor features and bugfixes + * See https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes + +------------------------------------------------------------------- +Wed Feb 14 15:50:14 UTC 2024 - Martin Pluskal + +- 
Enables scrypt support unconditionally + +------------------------------------------------------------------- +Mon Feb 5 09:01:39 UTC 2024 - Andreas Stieger + +- fix users/groups with rpm 4.19 + +------------------------------------------------------------------- +Fri Dec 8 21:51:16 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.10: + * (TROVE-2023-007, exit) (boo#1217918) + - fix a a UAF and NULL pointer dereference crash on Exit relays + +------------------------------------------------------------------- +Thu Nov 9 14:29:00 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.8.9: + * (onion service, TROVE-2023-006): + - Fix a possible hard assert on a NULL pointer + * (guard usage): + - When Tor excluded a guard due to temporary circuit restrictions, + it considered *additional* primary guards for potential usage by + that circuit. + +------------------------------------------------------------------- +Fri Nov 3 20:51:01 UTC 2023 - Andreas Stieger + +- tor 0.4.8.8: + * Mitigate an issue when Tor compiled with OpenSSL can crash during + handshake with a remote relay. (TROVE-2023-004, boo#1216873) + * Regenerate fallback directories generated on November 03, 2023. + * Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/11/03 + * directory authority: Look at the network parameter + "maxunmeasuredbw" with the correct spelling + * vanguards addon support: Count the conflux linked cell as + valid when it is successfully processed. 
This will quiet a + spurious warn in the vanguards addon + +------------------------------------------------------------------- +Mon Sep 25 20:15:52 UTC 2023 - Andreas Stieger + +- tor 0.4.8.7: + * Fix an issue that prevented us from pre-building more conflux + sets after existing sets had been used + +------------------------------------------------------------------- +Tue Sep 19 16:52:36 UTC 2023 - Andreas Stieger + +- tor 0.4.8.6: + * onion service: Fix a reliability issue where services were + expiring their introduction points every consensus update. + This caused connectivity issues for clients caching the old + descriptor and intro points + * Log the input and output buffer sizes when we detect a potential + compression bomb + * Disable multiple BUG warnings of a missing relay identity key when + starting an instance of Tor compiled without relay support + * When reporting a pseudo-networkstatus as a bridge authority, or + answering "ns/purpose/*" controller requests, include accurate + published-on dates from our list of router descriptors + * Use less frightening language and lower the log-level of our + run-time ABI compatibility check message in our Zstd + compression subsystem + +------------------------------------------------------------------- +Wed Aug 30 18:50:03 UTC 2023 - Andreas Stieger + +- tor 0.4.8.5: + * bugfixes creating log BUG stacktrace + +------------------------------------------------------------------- +Sun Aug 27 15:23:43 UTC 2023 - Andreas Stieger + +- tor 0.4.8.4: + * Extend DoS protection to partially opened channels and known + relays + * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks + against hidden services. 
Disabled by default, enable via + "HiddenServicePoW" in torrc + * Implement conflux traffic splitting + * Directory authorities and relays now interact properly with + directory authorities if they change addresses + +------------------------------------------------------------------- +Sun Jul 30 07:33:04 UTC 2023 - Andreas Stieger + +- tor 0.4.7.14: + * bugfix affecting vanguards (onion service), and minor fixes + +------------------------------------------------------------------- +Fri Mar 10 08:27:57 UTC 2023 - Martin Pluskal + +- Enable support for scrypt() + +------------------------------------------------------------------- +Fri Jan 13 06:29:25 UTC 2023 - Bernhard Wiedemann + +- tor 0.4.7.13: + * fix SafeSocks option to avoid DNS leaks (boo#1207110, TROVE-2022-002) + * improve congestion control + * fix relay channel handling + +------------------------------------------------------------------- +Tue Dec 6 21:10:57 UTC 2022 - Andreas Stieger + +- tor 0.4.7.12: + * new key for moria1 + * new metrics are exported on the MetricsPort for the congestion + control subsystem + +------------------------------------------------------------------- +Thu Nov 10 19:14:54 UTC 2022 - Andreas Stieger + +- tor 0.4.7.11: + * Improve security of DNS cache by randomly clipping the TTL + value (boo#1205307, TROVE-2021-009) + * Improved defenses against network-wide DoS, multiple counters + and metrics added to MetricsPorts + * Apply circuit creation anti-DoS defenses if the outbound + circuit max cell queue size is reached too many times. This + introduces two new consensus parameters to control the queue + size limit and number of times allowed to go over that limit. + * Directory authority updates + * IPFire database and geoip updates + * Bump the maximum amount of CPU that can be used from 16 to 128. + The NumCPUs torrc option overrides this hardcoded maximum. 
+ * onion service: set a higher circuit build timeout for opened
+ client rendezvous circuit to avoid timeouts and retry load
+ * Make the service retry a rendezvous if the circuit is being
+ repurposed for measurements
+
+-------------------------------------------------------------------
+Fri Aug 12 15:52:53 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.10
+ * IPFire location database did not have proper ARIN network
+ allocations - affected circuit path selection and relay metrics
+
+-------------------------------------------------------------------
+Thu Aug 11 16:39:24 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.9 (boo#1202336)
+ * major fixes aimed at reducing memory pressure on relays
+ * prevent a possible side-channel
+ * major bugfix related to congestion control
+ * major bugfix related to Vanguard L2 layer node selection
+
+-------------------------------------------------------------------
+Thu Jun 16 17:08:53 UTC 2022 - Bernhard Wiedemann
+
+- tor 0.4.7.8
+ * Fix a scenario where RTT estimation can become wedged, seriously
+ degrading congestion control performance on all circuits. This
+ impacts clients, onion services, and relays, and can be triggered
+ remotely by a malicious endpoint.
+ (TROVE-2022-001, CVE-2022-33903, boo#1200672)
+ * Regenerate fallback directories generated on June 17, 2022.
+ * Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/06/17.
+ * Allow the rseq system call in the sandbox
+ * logging bug fixes
+
+-------------------------------------------------------------------
+Wed Apr 27 18:29:58 UTC 2022 - Andreas Stieger
+
+- tor 0.4.7.7
+ * New feature: Congestion control to improve traffic speed and
+ stability on the network once a majority of Exit nodes upgrade
+ boo#1198949
+ * Directory authorities: improved handling of "MiddleOnly" relays
+ * Improved mitigation against guard discovery attacks on clients
+ and short-lived services
+ * Improve observed performance under DNS load
+ * Improve handling of overload state
+ * end-of-life relays running version 0.4.2.x, 0.4.3.x,
+ 0.4.4.x and 0.4.5 alphas/rc, 0.3.5.x are now rejected
+ * Onion service v2 addresses are no longer recognized
+
+-------------------------------------------------------------------
+Sun Feb 6 01:10:07 UTC 2022 - Bernhard Wiedemann
+
+- tor 0.4.6.10
+ * minor bugfixes and features
+ * https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.6/ReleaseNotes
+
+-------------------------------------------------------------------
+Fri Dec 17 18:54:05 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.9:
+ * remove the DNS timeout metric from the overload general signal
+ * regenerate fallback directories generated on December 15, 2021
+ * Update the geoip files to match the IPFire Location Database,
+ as retrieved on 2021/12/15
+ * Reject IPv6-only DirPort
+
+-------------------------------------------------------------------
+Sat Nov 13 11:02:55 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.8:
+ * Improving reporting of general overload state for DNS timeout
+ errors by relays
+ * Regenerate fallback directories for October 2021
+ * Bug fixes for onion services
+ * CVE-2021-22929: do not log v2 onion services access attempt
+ warnings on disk excessively (TROVE-2021-008, boo#1192658)
+
+-------------------------------------------------------------------
+Tue Aug 24 09:11:38 UTC 2021 - Jan Engelhardt
+
+- Reduce boilerplate generated by
%service_*.
+
+-------------------------------------------------------------------
+Tue Aug 17 18:52:40 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.6.7:
+ * Fix a DoS via a remotely triggerable assertion failure
+ (boo#1189489, TROVE-2021-007, CVE-2021-38385)
+
+-------------------------------------------------------------------
+Tue Jul 6 07:13:19 UTC 2021 - Bernhard Wiedemann
+
+- Add missing service_add_pre tor-master.service
+
+-------------------------------------------------------------------
+Thu Jul 1 11:13:23 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.6:
+ * Fix a compilation error with gcc 7, drop tor-0.4.6.5-gcc7.patch
+ * Enable the deterministic RNG for unit tests that covers the
+ address set bloomfilter-based API's
+
+-------------------------------------------------------------------
+Wed Jun 16 20:32:43 UTC 2021 - Andreas Stieger
+
+- tor 0.4.6.5
+ * Add controller support for creating v3 onion services with
+ client auth
+ * When voting on a relay with a Sybil-like appearance, add the
+ Sybil flag when clearing out the other flags.
This lets a relay
+ operator know why their relay hasn't been included in the
+ consensus
+ * Relays now report how overloaded they are
+ * Add a new DoS subsystem to control the rate of client
+ connections for relays
+ * Relays now publish statistics about v3 onions services
+ * Improve circuit timeout algorithm for client performance
+- add tor-0.4.6.5-gcc7.patch to fix build with gcc7
+
+-------------------------------------------------------------------
+Mon Jun 14 18:06:34 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.5.9
+ * Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell (CVE-2021-34548, boo#1187322)
+ * Detect more failure conditions from the OpenSSL RNG code (boo#1187323)
+ * Resist a hashtable-based CPU denial-of-service attack against relays (CVE-2021-34549, boo#1187324)
+ * Fix an out-of-bounds memory access in v3 onion service descriptor parsing (CVE-2021-34550, boo#1187325)
+
+-------------------------------------------------------------------
+Tue May 11 01:54:10 UTC 2021 - Bernhard Wiedemann
+
+- tor 0.4.5.8
+ * https://lists.torproject.org/pipermail/tor-announce/2021-May/000219.html
+ * allow Linux sandbox with Glibc 2.33
+ * work with autoconf 2.70+
+ * several other minor features and bugfixes (see announcement)
+
+-------------------------------------------------------------------
+Sat Apr 24 19:07:24 UTC 2021 - Andreas Stieger
+
+- fix packaging warnings related to tor-master service
+
+-------------------------------------------------------------------
+Fri Apr 23 21:22:30 UTC 2021 - Andreas Stieger
+
+- Fix logging issue due to systemd picking up stdout - boo#1181244
+ Continue to log notices to syslog by default.
+- actually build with lzma/zstd +- skip i586 tests (boo#1179331) + +------------------------------------------------------------------- +Tue Mar 16 23:38:53 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.7 + * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html + * Fix 2 denial of service security issues (boo#1183726) + + Disable the dump_desc() function that we used to dump unparseable + information to disk (CVE-2021-28089) + + Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority + (CVE-2021-28090) + * Ship geoip files based on the IPFire Location Database + +------------------------------------------------------------------- +Tue Feb 16 07:49:14 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.5.6 + * https://lists.torproject.org/pipermail/tor-announce/2021-February/000214.html + * Introduce a new MetricsPort HTTP interface + * Support IPv6 in the torrc Address option + * Add event-tracing library support for USDT and LTTng-UST + * Try to read N of N bytes on a TLS connection +- Drop upstream tor-practracker.patch + +------------------------------------------------------------------- +Fri Feb 5 08:16:39 UTC 2021 - Bernhard Wiedemann + +- tor 0.4.4.7 + * https://blog.torproject.org/node/1990 + * Stop requiring a live consensus for v3 clients and services + * Re-entry into the network is now denied at the Exit level + * Fix undefined behavior on our Keccak library + * Strip '\r' characters when reading text files on Unix platforms + * Handle partial SOCKS5 messages correctly +- Add tor-practracker.patch to fix tests + +------------------------------------------------------------------- +Wed Jan 27 06:16:46 UTC 2021 - Bernhard Wiedemann + +- Restrict service permissions with systemd + +------------------------------------------------------------------- +Thu Nov 12 17:02:48 UTC 2020 - Bernhard Wiedemann + +- tor 0.4.4.6 + * Check channels+circuits on relays more thoroughly + 
(TROVE-2020-005, boo#1178741)
+
+-------------------------------------------------------------------
+Tue Sep 15 14:51:40 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.4.5
+ * Improve guard selection
+ * IPv6 improvements
+
+-------------------------------------------------------------------
+Wed Aug 19 09:49:51 UTC 2020 - Dominique Leuenberger
+
+- Use %{_tmpfilesdir} instead of abusing %{_libexecdir}/tmpfiles.d.
+
+-------------------------------------------------------------------
+Thu Jul 9 17:27:13 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.3.6
+ * Fix a crash due to an out-of-bound memory access (CVE-2020-15572)
+ * Some minor fixes
+
+-------------------------------------------------------------------
+Mon Jun 29 08:57:42 UTC 2020 - Bernhard Wiedemann
+
+- Fix logrotate to not fail when tor is stopped (boo#1164275)
+
+-------------------------------------------------------------------
+Fri May 15 18:58:11 UTC 2020 - Andreas Stieger
+
+- tor 0.4.3.5:
+ * first stable release in the 0.4.3.x series
+ * implement functionality needed for OnionBalance with v3 onion
+ services
+ * significant refactoring of our configuration and controller
+ functionality
+ * Add support for banning a relay's ed25519 keys in the
+ approved-routers file in support for migrating away from RSA
+ * support OR connections through a HAProxy server
+
+-------------------------------------------------------------------
+Wed Mar 18 20:52:20 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.7
+ * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013)
+ * CVE-2020-10593: circuit padding memory leak (boo#1167014)
+ * Directory authorities now signal bandwidth pressure to clients
+ * Avoid excess logging on bug when flushing a buffer to a TLS connection
+
+-------------------------------------------------------------------
+Fri Jan 31 08:32:28 UTC 2020 - Bernhard Wiedemann
+
+- tor 0.4.2.6
+ * Correct how we use libseccomp
+ * Fix crash when reloading logging configuration while the
+
experimental sandbox is enabled
+ * Avoid a possible crash when logging an assertion
+ about mismatched magic numbers
+
+-------------------------------------------------------------------
+Tue Jan 7 11:21:02 UTC 2020 - Bernhard Wiedemann
+
+- Update tor.service and add defaults-torrc
+ to work without dropped torctl (boo#1072274)
+- Add tor-master.service to allow handling multiple tor daemons
+
+-------------------------------------------------------------------
+Sat Dec 14 20:35:25 UTC 2019 - Andreas Stieger
+
+- tor 0.4.2.5:
+ * first stable release in the 0.4.2.x series
+ * improves reliability and stability
+ * several stability and correctness improvements for onion services
+ * fixes many smaller bugs present in previous series
+
+-------------------------------------------------------------------
+Tue Dec 10 08:27:14 UTC 2019 - Andreas Stieger
+
+- tor 0.4.1.7:
+ * several bugfixes to improve stability and correctness
+ * fixes for relays relying on AccountingMax
+
+-------------------------------------------------------------------
+Mon Oct 7 13:16:38 UTC 2019 - Martin Pluskal
+
+- Update dependnecnies:
+ * python3 instead of python
+ * add libpcap and seccomp
+- Use more suitable macros for building and systemd dependencies
+
+-------------------------------------------------------------------
+Thu Sep 19 13:02:59 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.6
+ * Tolerate systems (including some Linux installations) where
+ madvise MADV_DONTFORK / MADV_DONTDUMP are available at build-time,
+ but not at run time.
+ * Do not include the deprecated on Linux
+ * Fix the MAPADDRESS controller command to accept one or more arguments
+ * Always retry v2+v3 single onion service intro and rendezvous circuits
+ with a 3-hop path
+ * Use RFC 2397 data URL scheme to embed an image into tor-exit-notice.html
+
+-------------------------------------------------------------------
+Tue Aug 20 15:43:45 UTC 2019 - Bernhard Wiedemann
+
+- update to 0.4.1.5
+ * Onion service clients now add padding cells at the start of their
+ INTRODUCE and RENDEZVOUS circuits to make it look like
+ Exit traffic
+ * Add a generic publish-subscribe message-passing subsystem
+ * Controller commands are now parsed using a generalized parsing
+ subsystem
+ * Implement authenticated SENDMEs as detailed in proposal 289
+ * Our node selection algorithm now excludes nodes in linear time
+ * Construct a fast secure pseudorandom number generator for
+ each thread, to use when performance is critical
+ * Consider our directory information to have changed when our list
+ of bridges changes
+ * Do not count previously configured working bridges towards our
+ total of working bridges
+ * When considering upgrading circuits from "waiting for guard" to
+ "open", always ignore circuits that are marked for close
+ * Properly clean up the introduction point map when circuits change
+ purpose
+ * Fix an unreachable bug in which an introduction point could try to
+ send an INTRODUCE_ACK
+ * Clients can now handle unknown status codes from INTRODUCE_ACK
+ cells
+- Remove upstreamed tor-0.3.5.8-no-ssl-version-warning.patch
+- Compile without -Werror to build with LTO (boo#1146548)
+- Add fix-test.patch to workaround a LTO-induced test-failure
+
+-------------------------------------------------------------------
+Fri Jul 26 12:23:05 UTC 2019 - matthias.gerstner@suse.com
+
+- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
+ firewalld, see [1].
+ + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Mon May 20 12:55:12 UTC 2019 - Christophe Giboudeaux + +- Add the missing zlib requirement. + +------------------------------------------------------------------- +Fri May 10 09:46:26 UTC 2019 - Andreas Stieger + +- tor 0.4.0.5: + * new stable branch, but not a long-term support branch + * improvements for power management and bootstrap reporting + * preliminary backend support for circuit padding to prevent some + kinds of traffic analysis + * refactoring for long-term maintainability +- drop upstreamed tor-0.3.5.8-nonetwork.patch + +------------------------------------------------------------------- +Mon Apr 15 12:24:02 UTC 2019 - Bernhard Wiedemann + +- Add tor-0.3.5.8-no-ssl-version-warning.patch (boo#1129411) +- Update tor.tmpfiles to use /run instead of /var/run + +------------------------------------------------------------------- +Mon Feb 25 15:55:39 UTC 2019 - bwiedemann@suse.com + +- Add tor-0.3.5.8-nonetwork.patch to fix test failures + without network + +------------------------------------------------------------------- +Fri Feb 22 15:04:30 UTC 2019 - bwiedemann@suse.com + +- tor 0.3.5.8: + * CVE-2019-8955 prevent attackers from making tor run + out of memory and crash + * Allow SOCKS5 with empty username+password + * Update geoip and geoip6 to the February 5 2019 Maxmind + GeoLite2 Country database + * Select guards even if the consensus has expired, as long + as the consensus is still reasonably live + +------------------------------------------------------------------- +Mon Jan 7 23:16:55 UTC 2019 - astieger@suse.com + +- tor 0.3.5.7: + * first stable release in 0.3.5.x LTS branch + * support client authorization for v3 onion services + * cleanups to bootstrap reporting + * support for improved bandwidth measurement tools + * the default version for newly created onion services is now v3 + 
(HiddenServiceVersion option can be used to override)
+ * If stem is used, an update of stem mey be required
+
+-------------------------------------------------------------------
+Mon Jan 7 23:01:18 UTC 2019 - astieger@suse.com
+
+- tor 0.3.4.10:
+ * OpenSSL compatibility fixes
+ * Fixes for relay bugs
+ * update fallback directory list
+
+-------------------------------------------------------------------
+Sat Nov 3 08:45:43 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.9:
+ * Various bug fixes, including a bandwidth management bug that
+ was causing memory exhaustion on relays
+
+-------------------------------------------------------------------
+Mon Sep 10 15:51:17 UTC 2018 - astieger@suse.com
+
+- tor 0.3.4.8 (boo#1107847):
+ * improvements for running in low-power and embedded environments
+ * preliminary changes for new bandwidth measurement system
+ * refine anti-denial-of-service code
+
+-------------------------------------------------------------------
+Mon Sep 10 13:52:34 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.10:
+ * various build and compatibility fixes
+ * The control port now exposes the list of HTTPTunnelPorts and
+ ExtOrPorts via GETINFO net/listeners/httptunnel and
+ net/listeners/extor respectively
+ * Authorities no longer vote to make the subprotocol version
+ "LinkAuth=1" a requirement: it is unsupportable with NSS, and
+ hasn't been needed since Tor 0.3.0.1-alpha
+ * When voting for recommended versions, make sure that all of the
+ versions are well-formed and parsable
+ * various minor bug fixes on onion services
+
+-------------------------------------------------------------------
+Sat Jul 14 18:31:57 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.9:
+ * move to a new bridge authority
+ * backport some bug fixes
+- refresh upstream signing keyring
+
+-------------------------------------------------------------------
+Mon Jul 9 19:38:14 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.8:
+ * directory authority memory leak fix
+ * various
minor bug fixes
+
+-------------------------------------------------------------------
+Tue Jun 12 16:59:58 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.7:
+ * Add an IPv6 address for the "dannenberg" directory authority
+ * Improve accuracy of the BUILDTIMEOUT_SET control port event's
+ TIMEOUT_RATE and CLOSE_RATE fields
+ * Only select relays when tor has descriptors that it prefers to
+ use for them, avoiding nonfatal errors later
+
+-------------------------------------------------------------------
+Sun May 27 11:33:54 UTC 2018 - astieger@suse.com
+
+- tor 0.3.3.6:
+ * new stable release series
+ * controller support and other improvements for v3 onion services
+ * official support for embedding Tor within other application
+ * Improvements to IPv6 support
+ * Relay option ReducedExitPolicy to configure a reasonable default
+ * Revent DoS via malicious protocol version string (boo#1094283)
+ * Many other other bug fixes and improvements
+
+-------------------------------------------------------------------
+Sat Mar 3 18:39:39 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.10:
+ * CVE-2018-0490: remote crash vulnerability against directory
+ authorities (boo#1083845, TROVE-2018-001)
+ * CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002)
+ * New system for improved resistance to DoS attacks against relays
+ * Various other bug fixes
+
+-------------------------------------------------------------------
+Wed Jan 10 21:33:45 UTC 2018 - astieger@suse.com
+
+- tor 0.3.2.9:
+ * new onion service design (v3), not default
+ * new circuit scheduler algorithm for improved performance
+ * directory authority updates
+ * many other updates and improvements
+
+-------------------------------------------------------------------
+Fri Dec 1 20:33:08 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.9 with the following security fixes that prevent some
+ traffic confirmation, DoS and other problems (bsc#1070849):
+ * CVE-2017-8819: Replay-cache ineffective for v2 onion
services
+ * CVE-2017-8820: Remote DoS attack against directory authorities
+ * CVE-2017-8821: An attacker can make Tor ask for a password
+ * CVE-2017-8822: Relays can pick themselves in a circuit path
+ * CVE-2017-8823: Use-after-free in onion service v2
+
+-------------------------------------------------------------------
+Wed Oct 25 15:05:45 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.8:
+ * Add "Bastet" as a ninth directory authority to the default list
+ * The directory authority "Longclaw" has changed its IP address
+ * Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer
+ * Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database
+- drop tor-0.3.1.7-fix-zstd-i586.patch, upstreamed
+
+-------------------------------------------------------------------
+Wed Sep 20 14:44:09 UTC 2017 - astieger@suse.com
+
+- tor 0.3.1.7:
+ * Serve and download directory information in more compact
+ formats
+ * New padding padding system to resist netflow-based traffic
+ analysis
+ * Improve protection against identification of tor traffic by ISP
+ via ConnectionPadding option
+ * Reduce the number of long-term connections open between relays
+- add tor-0.3.1.7-fix-zstd-i586.patch to fix 32 bit build with zstd
+
+-------------------------------------------------------------------
+Mon Sep 18 16:38:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.11:
+ * CVE-2017-0380: hidden services with the SafeLogging option
+ disabled could disclose the stack TROVE-2017-008, boo#1059194
+ * Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
+ Country database.
+ * drop tor-0.3.0.7-gcc7-fallthrough.patch, now upstream
+
+-------------------------------------------------------------------
+Thu Aug 3 11:26:00 UTC 2017 - jloehel@suse.com
+
+- tor 0.3.0.10
+ * Fix a typo that had prevented TPROXY-based transparent proxying
+ from working under Linux.
+ * Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems.
+
+-------------------------------------------------------------------
+Fri Jun 30 11:53:59 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.9:
+ * CVE-2017-0377: Fix path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen
+ exit relay (bsc#1046845)
+ * Don't block bootstrapping when a primary bridge is offline and
+ tor cannot get its descriptor
+ * When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old).
+ * Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Thu Jun 8 18:47:31 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.8 fixing a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure
+ * CVE-2017-0375: remotely triggerable assertion failure when a
+ hidden service handles a malformed BEGIN cell (bsc#1043455)
+ * CVE-2017-0376: remotely triggerable assertion failure caused by
+ receiving a BEGIN_DIR cell on a hidden service rendezvous
+ circuit (bsc#1043456)
+- further bug fixes:
+ * link handshake fixes when changing x509 certificates
+ * Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes
+ * When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that was
+ used on the TLS connection
+ * Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule
+
+-------------------------------------------------------------------
+Wed May 31 10:01:51 UTC 2017 - astieger@suse.com
+
+- fix build with GCC 7: warning-errors on implicit fallthrough
+ add
tor-0.3.0.7-gcc7-fallthrough.patch bsc#1041262
+
+-------------------------------------------------------------------
+Tue May 16 00:26:43 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.7:
+ * Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor
+ relay process to exit. TROVE-2017-002 bsc#1039211
+ * Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+ * Tor no longer refuses to download microdescriptors or
+ descriptors if they are listed as "published in the future"
+ * The getpid() system call is now permitted under the Linux
+ seccomp2 sandbox, to avoid crashing with versions of OpenSSL
+ (and other libraries) that attempt to learn the process's PID
+ by using the syscall rather than the VDSO code
+
+-------------------------------------------------------------------
+Thu Apr 27 06:23:44 UTC 2017 - astieger@suse.com
+
+- tor 0.3.0.6:
+ * clients and relays now use Ed25519 keys to authenticate their
+ link connections to relays, rather than the old RSA1024 keys
+ that they used before.
+ * replace the guard selection and replacement algorithm to behave
+ more robustly in the presence of unreliable networks, and to
+ resist guard-capture attacks.
+ * numerous other small features and bugfixes
+ * groundwork for the upcoming hidden-services revamp
+
+-------------------------------------------------------------------
+Wed Mar 1 22:45:42 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.10:
+ * directory authority: During voting, when marking a relay as a
+ probable sybil, do not clear its BadExit flag: sybils can still
+ be bad in other ways too.
+ * IPv6 Exits: Stop rejecting all IPv6 traffic on Exits whose exit
+ policy rejects any IPv6 addresses. Instead, only reject a port
+ over IPv6 if the exit policy rejects that port on more than an
+ IPv6 /16 of addresses.
+ * parsing: Fix an integer underflow bug when comparing malformed
+ Tor versions.
This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through
+ Tor 0.2.9.8, which were built with -ftrapv by default. In other
+ cases it was harmless. Part of TROVE-2017-001 boo#1027539
+ * Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor
+ * Reject version numbers with components that exceed INT32_MAX.
+ * Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+ * The tor-resolve command line tool now rejects hostnames over 255
+ characters in length
+
+-------------------------------------------------------------------
+Tue Jan 24 06:19:19 UTC 2017 - astieger@suse.com
+
+- tor 0.2.9.9:
+ * Downgrade the "-ftrapv" option from "always on" to "only on
+ when --enable-expensive-hardening is provided." This hardening
+ option, like others, can turn survivable bugs into crashes --
+ and having it on by default made a (relatively harmless)
+ integer overflow bug into a denial-of-service bug
+ * Fix a client-side onion service reachability bug
+ * Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sun Jan 1 11:43:02 UTC 2017 - tchvatal@suse.com
+
+- Remove conditionals for the sle11 as we won't build there due to
+ openssl requirements.
This reduces the logic in the spec file
+ quite a bit
+
+-------------------------------------------------------------------
+Mon Dec 19 20:40:39 UTC 2016 - astieger@suse.com
+
+- tor 0.2.9.8, the first stable release in the 0.2.9.x series:
+ * make mandatory a number of security features that were formerly
+ optional
+ * support a new shared-randomness protocol that will form the
+ basis for next generation hidden services
+ * single-hop hidden service mode for optimizing .onion services
+ that don't actually want to be hidden,
+ * try harder not to overload the directory authorities with
+ excessive downloads
+ * support a better protocol versioning scheme for improved
+ compatibility with other implementations of the Tor protocol
+ * deprecated options for security: CacheDNS, CacheIPv4DNS,
+ CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache,
+ AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
+ AllowSingleHopExits, ClientDNSRejectInternalAddresses,
+ CloseHSClientCircuitsImmediatelyOnTimeout,
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout,
+ ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
+ UseNTorHandshake, and WarnUnsafeSocks.
+ * *ListenAddress options are now deprecated as unnecessary: the
+ corresponding *Port options should be used instead. The
+ affected options are:
+ ControlListenAddress, DNSListenAddress, DirListenAddress,
+ NATDListenAddress, ORListenAddress, SocksListenAddress,
+ and TransListenAddress.
+
+-------------------------------------------------------------------
+Mon Dec 19 20:29:49 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.12:
+ * CVE-2016-1254: A hostile hidden service could cause tor clients
+ to crash (bsc#1016343)
+ * update fallback directory list
+ * Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Tue Dec 13 06:41:55 UTC 2016 - bwiedemann@suse.com
+
+- recommend torsocks as it is needed by included torify
+
+-------------------------------------------------------------------
+Sun Dec 11 19:40:35 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.11:
+ * Fix compilation with OpenSSL 1.1
+
+-------------------------------------------------------------------
+Fri Dec 2 16:58:06 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.10:
+ * When Tor leaves standby because of a new application request,
+ open circuits as needed to serve that request
+ * Clients now respond to new application stream requests
+ immediately when they arrive, rather than waiting up to one
+ second before starting to handle them
+ * small portability and memory handling issues
+ * Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Wed Oct 19 09:08:12 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.9:
+ * security fix: prevent remote DoS TROVE-2016-10-001 boo#1005292
+ * Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
+ Country database.
+ * Update signing key
+
+-------------------------------------------------------------------
+Sat Sep 24 13:52:20 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.8:
+ * fixes some crash bugs when using bridges
+ * fixes a timing-dependent assertion
+ * removes broken fallbacks from the hard-coded fallback directory
+ list
+ * Updates geoip and geoip6 to the September 6 2016 Maxmind
+ GeoLite2 Country database
+
+-------------------------------------------------------------------
+Wed Aug 24 21:01:13 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.7:
+ * The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest"
+ * Only use the ReachableAddresses option to restrict the first
+ hop in a path.
In earlier versions of 0.2.8.x, it would apply
+ to every hop in the path, with a possible degradation in
+ anonymity for anyone using an uncommon ReachableAddress setting
+
+-------------------------------------------------------------------
+Sat Aug 13 17:44:24 UTC 2016 - astieger@suse.com
+
+- tor 0.2.8.6:
+ * improve client bootstrapping performance
+ * improved identity keys for relays (authority side)
+ * numerous bug fixes and performance improvements
+
+-------------------------------------------------------------------
+Mon Mar 21 08:17:17 UTC 2016 - astieger@suse.com
+
+- adjust nologin shell for tor user boo#971872
+
+-------------------------------------------------------------------
+Fri Dec 11 14:41:37 UTC 2015 - mpluskal@suse.com
+
+- Make building more verbose
+- Remove useless conditon for libevent, there is dependency for it
+ anyway
+
+-------------------------------------------------------------------
+Fri Dec 11 13:35:32 UTC 2015 - astieger@suse.com
+
+- skip tests on ports
+
+-------------------------------------------------------------------
+Fri Dec 11 07:43:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.7.6 fixes a major bug in entry guard selection, as well
+ as a minor bug in hidden service reliability.
[boo#958729]
+
+-------------------------------------------------------------------
+Tue Nov 24 20:35:59 UTC 2015 - astieger@suse.com
+
+- 0.2.7.5:
+ * More secure identity key type for relays
+ * Improve cryptography performance
+ * Resolve several longstanding hidden-service performance issues
+ * Improve controller support for hidden services
+- Features removed:
+ * tor-fw-helper is no longer part of thie packaged, it was
+ re-implemented as a separate project
+- Packaging changes:
+ * drop upstreamed patch
+ tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Wed Oct 14 10:59:41 UTC 2015 - astieger@suse.com
+
+- fix Factory build (ignore missing systemd-tmpfiles)
+
+-------------------------------------------------------------------
+Wed Aug 26 20:02:21 UTC 2015 - astieger@suse.com
+
+- Malformed hostnames in socks5 requests were written to the log
+ regardless of SafeLogging option (CWE-532) [boo#943362]
+ add tor-0.2.6.10-malformed-hostname-safe-logging.patch
+
+-------------------------------------------------------------------
+Sun Jul 12 20:54:48 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.10:
+ Significant stability and hidden service client fixes.
+ * Stop refusing to store updated hidden service descriptors on a
+ client.
+ * Stop crashing with an assertion failure when parsing certain
+ kinds of malformed or truncated microdescriptors.
+ * Stop random client-side assertion failures that could occur
+ when connecting to a busy hidden service, or connecting to a
+ hidden service while a NEWNYM is in progress.
+
+-------------------------------------------------------------------
+Thu Jun 11 18:55:44 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.9:
+ Clients using circuit isolation should upgrade;
+ all directory authorities should upgrade.
+ * fixes a regression in the circuit isolation code
+ * increases the requirements for receiving an HSDir flag
+ * addresses some small bugs in the systemd and sandbox code.
+
+-------------------------------------------------------------------
+Sat May 23 18:59:14 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.8:
+ This release fixes a bit of dodgy code in parsing INTRODUCE2 cells,
+ and fixes an authority-side bug in assigning the HSDir flag. All
+ directory authorities should upgrade.
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells.
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+ on a client authorized hidden service.
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country
+ database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Mon Apr 6 18:56:30 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.7
+ This releases fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting
+ hidden services. Hidden services should upgrade as soon as
+ possible. [boo#926097]
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. CVE-2015-2928
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor.
+ CVE-2015-2929
+ - Introduction points no longer allow multiple INTRODUCE1 cells
+ to arrive on the same circuit. This should make it more
+ expensive for attackers to overwhelm hidden services with
+ introductions.
+ - Decrease the amount of reattempts that a hidden service
+ performs when its rendezvous circuits fail.
This reduces the
+ computational cost for running a hidden service under heavy
+ load.
+
+-------------------------------------------------------------------
+Sun Mar 29 11:51:09 UTC 2015 - astieger@suse.com
+
+- tor 0.2.6.6, the first stable release in the 0.2.6 series:
+ * safety/security improvements
+ * correctness improvements
+ * performance improvements
+ * Client programs can be configured to use more kinds of sockets
+ * AutomapHosts works better
+ * multithreading backend is improved
+ * cell transmission is refactored
+ * test coverage is much higher
+ * more denial-of-service attacks are handled
+ * guard selection is improved to handle long-term guards better
+ * pluggable transports should work a bit better
+ * some annoying hidden service performance bugs addressed
+- new minimal configuration file installed as active configuration
+ allows daemon to be run right after package installation
+- build with systemd notifications where supported
+
+-------------------------------------------------------------------
+Wed Mar 25 08:05:24 UTC 2015 - astieger@suse.com
+
+- add CVE IDs for 0.2.5.11 release
+
+-------------------------------------------------------------------
+Thu Mar 19 21:36:34 UTC 2015 - astieger@suse.com
+
+- tor 0.2.5.11 [boo#923284]:
+ Contains several medium-level security fixes for relays and exit
+ nodes and also updates the list of directory authorities.
+ * Directory authority updates
+ * relay crashes trough assertion (CVE-2015-2688)
+ * exit node crash through assertion under high DNS load
+ (CVE-2015-2689)
+ * do not crash when receiving SIGHUP with the seccomp2 sandbox on
+ * do not crash sh during attempts to call wait4
+ * new "GETINFO bw-event-cache" for controllers
+ * update geoip/geoip6 to the March 3 2015
+ * Avoid crashing on malformed VirtualAddrNetworkIPv[4|6] config
+ * Fix a memory leak when using AutomapHostsOnResolve
+ * Allow directory authorities to fetch more data from one another
+
+-------------------------------------------------------------------
+Fri Jan 23 22:04:27 UTC 2015 - andreas.stieger@gmx.de
+
+- fix build for SLE 12, libminiupnpc-devel not available
+
+-------------------------------------------------------------------
+Fri Oct 24 20:48:14 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.5.10, the first stable release in the 0.2.5 series.
+ * improved denial-of-service resistance for relays
+ * new compiler hardening options
+ * system-call sandbox for hardened installations on Linux
+ (requires seccomp2)
+ * controller protocol has several new features
+ * improvements in resolving IPv6 addresses
+ * relays more CPU-efficient
+- adjust tor-0.2.4.x-logrotate.patch to tor-0.2.5.x-logrotate.patch
+- run unit tests
+
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+-------------------------------------------------------------------
+Sat Sep 20 13:05:50 UTC 2014 - andreas.stieger@gmx.de
+
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Mon Aug 18 09:54:00 UTC 2014 - wagner-thomas@gmx.at
+
+- Added config file for firewall
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Fri Jun 6 18:51:36 UTC 2014 - andreas.stieger@gmx.de
+
+- do not own /var/run/tor for pid file, fixing Factory build
+
+-------------------------------------------------------------------
+Sat May 17 23:13:54 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+- Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+- Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+- Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- further minor bug fixes, see ChangeLog
+- fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+
+-------------------------------------------------------------------
+Sat Apr 19 02:54:55 UTC 2014 - mook.moz+com.novell@gmail.com
+
+- Add tor-fw-helper for UPnP port forwarding; not used by default
+
+-------------------------------------------------------------------
+Thu Mar 6 08:02:15 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.21
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+- Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+- Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+
+-------------------------------------------------------------------
+Mon Jan 20 19:46:02 UTC 2014 - andreas.stieger@gmx.de
+
+- redaction of 0.2.4.20 changelog to include bug and CVE references
+
+-------------------------------------------------------------------
+Fri Dec 27 20:55:26 UTC 2013 - andreas.stieger@gmx.de
+
+- tor 0.2.4.20
+ fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+ This release also fixes a logic error that caused Tor clients to build
+ many more preemptive circuits than they actually need.
+- Major bugfixes:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set. The only default builtin PRNG engine uses
+ the Intel RDRAND instruction to replace the entire PRNG, and
+ ignores all attempts to seed it with more entropy. That's
+ cryptographically stupid: the right response to a new alleged
+ entropy source is never to discard all previously used entropy
+ sources. Fixes bug 10402; works around behavior introduced in
+ OpenSSL 1.0.0.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+ This fixes a bug where any circuit that _wasn't_ unusable for new
+ streams would be treated as if it were, causing extra circuits to
+ be launched.
+- Minor bugfixes:
+ - Avoid a crash bug when starting with a corrupted microdescriptor
+ cache file.
+ - If we fail to dump a previously cached microdescriptor to disk, avoid
+ freeing duplicate data later on.
+
+-------------------------------------------------------------------
+Sat Dec 14 17:43:22 UTC 2013 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features
+ a new circuit handshake and link encryption that use ECC to provide
+ better security and efficiency; makes relays better manage circuit
+ creation requests; uses "directory guards" to reduce client enumeration
+ risks; makes bridges collect and report statistics about the pluggable
+ transports they support; cleans up and improves our geoip database;
+ gets much closer to IPv6 support for clients, bridges, and relays; makes
+ directory authorities use measured bandwidths rather than advertised
+ ones when computing flags and thresholds; disables client-side DNS
+ caching to reduce tracking risks; and fixes a big bug in bridge
+ reachability testing. This release introduces two new design
+ abstractions in the code: a new "channel" abstraction between circuits
+ and or_connections to allow for implementing alternate relay-to-relay
+ transports, and a new "circuitmux" abstraction storing the queue of
+ circuits for a channel. The release also includes many stability,
+ security, and privacy fixes.
+- full changelog relative to 0.2.3.x and 0.2.4.x RC series:
+ https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes
+
+-------------------------------------------------------------------
+Sat Dec 7 12:04:08 UTC 2013 - andreas.stieger@gmx.de
+
+- tor-0.2.4.18-rc, improves stability, performance, and better
+ handling of edge cases.
+- Major features: + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. +- Major bugfixes: + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. + - Stop trying to bootstrap all our directory information from + only our first guard. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. + +------------------------------------------------------------------- +Sat Oct 5 13:18:55 UTC 2013 - andreas.stieger@gmx.de + +- tor-0.2.4.17-rc +- major features in 0.2.4.x: + - improved client resilience + - support better link encryption with forward secrecy + - new NTor circuit handshake + - change relay queue for circuit create requests from size-based + limit to time-based limit + - many bug fixes and minor features + +------------------------------------------------------------------- +Fri May 24 22:51:24 UTC 2013 - andreas.stieger@gmx.de + +- add systemd support +- verify source tarball signature + +------------------------------------------------------------------- +Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.3.25, the first stable release in the 0.2.3 branch + + significantly reduced directory overhead (via microdescriptors) + + enormous crypto performance improvements for fast relays on new + enough hardware + + new v3 TLS handshake protocol that can better resist + fingerprinting + + support for protocol obfuscation plugins (pluggable transports) + + better scalability for hidden services + + IPv6 support for bridges + + performance improvements + + new "stream isolation" design to isolate different applications + on different circuits + + many stability, security, and privacy fixes + + Complete list of changes enumerated in: + 
https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html + https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2bbf5fd4:/ReleaseNotes + + Tear down the circuit when receiving an unexpected SENDME cell. + [bnc#791374] CVE-2012-5573 +- build using --enable-bufferevents provided by Libevent 2.0.13 + +------------------------------------------------------------------- +Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org + +- Fix useradd invocation: -o is useless without -u and newer + versions of pwdutils/shadowutils fail on this now. + +------------------------------------------------------------------- +Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.39 [bnc#780620] + Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. + CVE-2012-4922 + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. + CVE-2012-4419 + +------------------------------------------------------------------- +Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de + +- update to 0.2.2.38 [bnc#776642] + Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a rare race condition that can crash exit relays; + fixes a remotely triggerable crash bug; and fixes a timing attack that + could in theory leak path information. + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. + CVE-2012-3517 + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. 
+ CVE-2012-3518
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client would
+ stop iterating through the list of available relays as soon as it
+ had chosen one, thus finishing a little earlier when it picked
+ a router earlier in the list. If an attacker can recover this
+ timing information (nontrivial but not proven to be impossible),
+ they could learn some coarse-grained information about which relays
+ a client was picking (middle nodes in particular are likelier to
+ be affected than exits). The timing attack might be mitigated by
+ other factors, but it's best not to take chances.
+ CVE-2012-3519
+
+-------------------------------------------------------------------
+Fri Jun 15 19:45:01 UTC 2012 - andreas.stieger@gmx.de
+
+- add tor-0.2.2.37-logrotate.patch : add su option to logrotate to
+ fix W: suse-logrotate-user-writable-log-dir in Factory
+
+-------------------------------------------------------------------
+Wed Jun 13 11:22:11 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.37
+ Changes in version 0.2.2.37 - 2012-06-06
+ Tor 0.2.2.37 introduces a workaround for a critical renegotiation
+ bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself
+ currently).
+
+ o Major bugfixes:
+ - Work around a bug in OpenSSL that broke renegotiation with TLS
+ 1.1 and TLS 1.2. Without this workaround, all attempts to speak
+ the v2 Tor connection protocol when both sides were using OpenSSL
+ 1.0.1 would fail. Resolves ticket 6033.
+ - When waiting for a client to renegotiate, don't allow it to add
+ any bytes to the input buffer. This fixes a potential DoS issue.
+ Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
+ - Fix an edge case where if we fetch or publish a hidden service
+ descriptor, we might build a 4-hop circuit and then use that circuit
+ for exiting afterwards -- even if the new last hop doesn't obey our
+ ExitNodes config option.
Fixes bug 5283; bugfix on 0.2.0.10-alpha.
+
+ o Minor bugfixes:
+ - Fix a build warning with Clang 3.1 related to our use of vasprintf.
+ Fixes bug 5969. Bugfix on 0.2.2.11-alpha.
+
+ o Minor features:
+ - Tell GCC and Clang to check for any errors in format strings passed
+ to the tor_v*(print|scan)f functions.
+
+-------------------------------------------------------------------
+Wed Jun 6 20:46:46 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.36
+
+ Changes in version 0.2.2.36 - 2012-05-24
+ o Directory authority changes:
+ - Change IP address for maatuska (v3 directory authority).
+ - Change IP address for ides (v3 directory authority), and rename
+ it to turtles.
+
+ o Security fixes:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions have a bug (CVE-2011-4576) in which their block cipher
+ padding includes uninitialized data, potentially leaking sensitive
+ information to any peer with whom they make a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
+ to make sure that the bug can't happen.
+ - Never use a bridge or a controller-supplied node as an exit, even
+ if its exit policy allows it. Found by wanoskarnet. Fixes bug
+ 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
+ and 0.2.0.3-alpha (for bridge-purpose descriptors).
+ - Only build circuits if we have a sufficient threshold of the total
+ descriptors that are marked in the consensus with the "Exit"
+ flag. This mitigates an attack proposed by wanoskarnet, in which
+ all of a client's bridges collude to restrict the exit nodes that
+ the client knows about. Fixes bug 5343.
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the controller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
+ 1776. Bugfix on 0.2.2.18-alpha.
+
+ o Minor bugfixes (documentation and log messages):
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
+ - Clarify the behavior of MaxCircuitDirtiness with hidden service
+ circuits. Fixes issue 5259.
+
+ o Minor features:
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the May 1 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+ +------------------------------------------------------------------- +Mon Jan 2 16:51:20 UTC 2012 - andreas.stieger@gmx.de + +- add CVE references in changelog, fixing bug #739133 + +------------------------------------------------------------------- +Fri Dec 16 20:37:05 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.35, which fixes a critical heap-overflow + security issue: CVE-2011-2778 For a full list of changes, see: + https://gitweb.torproject.org/tor.git/blob_plain/release-0.2.2:/ReleaseNotes + +------------------------------------------------------------------ +Mon Dec 12 15:42:09 UTC 2011 - cfarrell@suse.com + +- license update: BSD-3-Clause + SPDX format + +------------------------------------------------------------------- +Sun Dec 11 18:42:57 UTC 2011 - andreas.stieger@gmx.de + +- fix factory warning by removing INSTALL file from docs dir + +------------------------------------------------------------------- +Sun Dec 11 17:11:11 UTC 2011 - andreas.stieger@gmx.de + +- format spec file to include copyright notice + package is based on a former package in SUSE/openSUSE + +------------------------------------------------------------------- +Sun Dec 11 12:37:14 UTC 2011 - andreas.stieger@gmx.de + +- update license from "3-clause BSD" to "BSD3c" + +------------------------------------------------------------------- +Fri Oct 28 19:49:39 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 0.2.2.34 +- fixes CVE-2011-4895 Tor Bridge circuit building information disclosure +- fixes CVE-2011-4894 Tor DirPort information disclosure + +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 
2) An attacker who knows the client's
+ identity key can probe each guard relay to see if that identity key
+ is connected to that guard relay right now. 3) A variety of active
+ attacks in the literature (starting from "Low-Cost Traffic Analysis
+ of Tor" by Murdoch and Danezis in 2005) allow a malicious website to
+ discover the guard relays that a Tor user visiting the website is using.
+ 4) Clients typically pick three guards at random, so the set of guards
+ for a given user could well be a unique fingerprint for her. This
+ release fixes components #1 and #2, which is enough to block the attack;
+ the other two remain as open research problems. Special thanks to
+ "frosty_un" for reporting the issue to us!
+
+ Clients should upgrade so they are no longer recognizable by the TLS
+ certs they present. Relays should upgrade so they no longer allow a
+ remote attacker to probe them to test whether unpatched clients are
+ currently connected to them.
+
+ This release also fixes several vulnerabilities that allow an attacker
+ to enumerate bridge relays. Some bridge enumeration attacks still
+ remain; see for example proposal 188.
+
+ o Privacy/anonymity fixes (clients):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge would
+ use the same cert chain for all outgoing OR connections until
+ its IP address changes, which allowed any relay that the client
+ or bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Directory authorities no longer assign the Guard flag to relays
+ that haven't upgraded to the above "refuse EXTEND requests
+ to client connections" fix. Now directory authorities can
+ protect clients from the CVE-2011-2768 issue even if neither
+ the clients nor the relays have upgraded yet. There's a new
+ "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
+ to let us transition smoothly, else tomorrow there would be no
+ guard relays.
+
+ o Privacy/anonymity fixes (bridge enumeration):
+ - Bridge relays now do their directory fetches inside Tor TLS
+ connections, like all the other clients do, rather than connecting
+ directly to the DirPort like public relays do. Removes another
+ avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
+ - Bridges relays now build circuits for themselves in a more similar
+ way to how clients build them. Removes another avenue for
+ enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
+ when bridges were introduced.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+
+ o Major bugfixes:
+ - Fix a crash bug when changing node restrictions while a DNS lookup
+ is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
+ by "Tey'".
+ - Don't launch a useless circuit after failing to use one of a
+ hidden service's introduction points. Previously, we would
+ launch a new introduction circuit, but not set the hidden service
+ which that circuit was intended to connect to, so it would never
+ actually be used. A different piece of code would then create a
+ new introduction circuit correctly. Bug reported by katmagic and
+ found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
+
+ o Minor bugfixes:
+ - Change an integer overflow check in the OpenBSD_Malloc code so
+ that GCC is less likely to eliminate it as impossible. Patch
+ from Mansour Moufid. Fixes bug 4059.
+ - When a hidden service turns an extra service-side introduction
+ circuit into a general-purpose circuit, free the rend_data and
+ intro_key fields first, so we won't leak memory if the circuit
+ is cannibalized for use as another service-side introduction
+ circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+ - Bridges now skip DNS self-tests, to act a little more stealthily.
+ Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
+ bridges. Patch by "warms0x".
+ - Fix internal bug-checking logic that was supposed to catch
+ failures in digest generation so that it will fail more robustly
+ if we ask for a nonexistent algorithm. Found by Coverity Scan.
+ Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
+ - Report any failure in init_keys() calls launched because our
+ IP address has changed. Spotted by Coverity Scan. Bugfix on
+ 0.1.1.4-alpha; fixes CID 484.
+
+ o Minor bugfixes (log messages and documentation):
+ - Remove a confusing dollar sign from the example fingerprint in the
+ man page, and also make the example fingerprint a valid one. Fixes
+ bug 4309; bugfix on 0.2.1.3-alpha.
+ - The next version of Windows will be called Windows 8, and it has
+ a major version of 6, minor version of 2. Correctly identify that
+ version instead of calling it "Very recent version". Resolves
+ ticket 4153; reported by funkstar.
+ - Downgrade log messages about circuit timeout calibration from
+ "notice" to "info": they don't require or suggest any human
+ intervention. Patch from Tom Lowenthal. Fixes bug 4063;
+ bugfix on 0.2.2.14-alpha.
+
+ o Minor features:
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ Backported from 0.2.3.1-alpha; implements ticket 3951.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
+-------------------------------------------------------------------
+Tue Sep 20 20:58:56 UTC 2011 - andreas.stieger@gmx.de
+
+- update to upstream 0.2.2.33
+
+Changes in version 0.2.2.33 - 2011-09-13
+ Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
+ TLS handshake that makes relays and bridges that run this new version
+ reachable from Iran again.
+
+ o Major bugfixes:
+ - Avoid an assertion failure when reloading a configuration with
+ TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
+ 3923; bugfix on 0.2.2.25-alpha.
+
+ o Minor features (security):
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We think
+ that these attacks are infeasible (requiring the attacker to send
+ on the order of zettabytes of altered cells in a short interval),
+ but we'd rather block them off in case there are any classes of
+ this attack that we missed. Reported by Willem Pinckaers.
+
+ o Minor features:
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Change the default required uptime for a relay to be accepted as
+ a HSDir (hidden service directory) from 24 hours to 25 hours.
+ Improves on 0.2.0.10-alpha; resolves ticket 2649.
+ - Add a VoteOnHidServDirectoriesV2 config option to allow directory
+ authorities to abstain from voting on assignment of the HSDir
+ consensus flag. Related to bug 2649.
+ - Update to the September 6 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (documentation and log messages):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes:
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+
+-------------------------------------------------------------------
+Fri Sep 2 19:55:23 UTC 2011 - andreas.stieger@gmx.de
+
+- updated ot upstream 0.2.2.32
+- removed tor_initscript.patch
+- fixes CVE-2011-4897 Tor Nickname information disclosure
+- fixes CVE-2011-4896 Tor Bridge information disclosure
+
+Changes in version 0.2.2.32 - 2011-08-27
+ The Tor 0.2.2 release series is dedicated to the memory of Andreas
+ Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
+ a founder of the PETS community, a leader in our field, a mentor,
+ and a friend. He left us with these words: "I had the possibility
+ to contribute to this world that is not as it should be. I hope I
+ could help in some areas to make the world a better place, and that
+ I could also encourage other people to be engaged in improving the
+ world. Please, stay engaged. This world needs you, your love, your
+ initiative -- now I cannot be part of that anymore."
+
+ Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
+ ready. More than two years in the making, this release features improved
+ client performance and hidden service reliability, better compatibility
+ for Android, correct behavior for bridges that listen on more than
+ one address, more extensible and flexible directory object handling,
+ better reporting of network statistics, improved code security, and
+ many many other features and bugfixes.
+
+ o Major features (client performance):
+ - When choosing which cells to relay first, relays now favor circuits
+ that have been quiet recently, to provide lower latency for
+ low-volume circuits. By default, relays enable or disable this
+ feature based on a setting in the consensus. They can override
+ this default by using the new "CircuitPriorityHalflife" config
+ option. Design and code by Ian Goldberg, Can Tang, and Chris
+ Alexander.
+ - Directory authorities now compute consensus weightings that instruct + clients how to weight relays flagged as Guard, Exit, Guard+Exit, + and no flag. Clients use these weightings to distribute network load + more evenly across these different relay types. The weightings are + in the consensus so we can change them globally in the future. Extra + thanks to "outofwords" for finding some nasty security bugs in + the first implementation of this feature. + + o Major features (client performance, circuit build timeout): + - Tor now tracks how long it takes to build client-side circuits + over time, and adapts its timeout to local network performance. + Since a circuit that takes a long time to build will also provide + bad performance, we get significant latency improvements by + discarding the slowest 20% of circuits. Specifically, Tor creates + circuits more aggressively than usual until it has enough data + points for a good timeout estimate. Implements proposal 151. + - Circuit build timeout constants can be controlled by consensus + parameters. We set good defaults for these parameters based on + experimentation on broadband and simulated high-latency links. + - Circuit build time learning can be disabled via consensus parameter + or by the client via a LearnCircuitBuildTimeout config option. We + also automatically disable circuit build time calculation if either + AuthoritativeDirectory is set, or if we fail to write our state + file. Implements ticket 1296. + + o Major features (relays use their capacity better): + - Set SO_REUSEADDR socket option on all sockets, not just + listeners. This should help busy exit nodes avoid running out of + useable ports just because all the ports have been used in the + near past. Resolves issue 2850. + - Relays now save observed peak bandwidth throughput rates to their + state file (along with total usage, which was already saved), + so that they can determine their correct estimated bandwidth on + restart. 
Resolves bug 1863, where Tor relays would reset their + estimated bandwidth to 0 after restarting. + - Lower the maximum weighted-fractional-uptime cutoff to 98%. This + should give us approximately 40-50% more Guard-flagged nodes, + improving the anonymity the Tor network can provide and also + decreasing the dropoff in throughput that relays experience when + they first get the Guard flag. + - Directory authorities now take changes in router IP address and + ORPort into account when determining router stability. Previously, + if a router changed its IP or ORPort, the authorities would not + treat it as having any downtime for the purposes of stability + calculation, whereas clients would experience downtime since the + change would take a while to propagate to them. Resolves issue 1035. + - New AccelName and AccelDir options add support for dynamic OpenSSL + hardware crypto acceleration engines. + + o Major features (relays control their load better): + - Exit relays now try harder to block exit attempts from unknown + relays, to make it harder for people to use them as one-hop proxies + a la tortunnel. Controlled by the refuseunknownexits consensus + parameter (currently enabled), or you can override it on your + relay with the RefuseUnknownExits torrc option. Resolves bug 1751; + based on a variant of proposal 163. + - Add separate per-conn write limiting to go with the per-conn read + limiting. We added a global write limit in Tor 0.1.2.5-alpha, + but never per-conn write limits. + - New consensus params "bwconnrate" and "bwconnburst" to let us + rate-limit client connections as they enter the network. It's + controlled in the consensus so we can turn it on and off for + experiments. It's starting out off. Based on proposal 163. + + o Major features (controllers): + - Export GeoIP information on bridge usage to controllers even if we + have not yet been running for 24 hours. 
Now Vidalia bridge operators + can get more accurate and immediate feedback about their + contributions to the network. + - Add an __OwningControllerProcess configuration option and a + TAKEOWNERSHIP control-port command. Now a Tor controller can ensure + that when it exits, Tor will shut down. Implements feature 3049. + + o Major features (directory authorities): + - Directory authorities now create, vote on, and serve multiple + parallel formats of directory data as part of their voting process. + Partially implements Proposal 162: "Publish the consensus in + multiple flavors". + - Directory authorities now agree on and publish small summaries + of router information that clients can use in place of regular + server descriptors. This transition will allow Tor 0.2.3 clients + to use far less bandwidth for downloading information about the + network. Begins the implementation of Proposal 158: "Clients + download consensus + microdescriptors". + - The directory voting system is now extensible to use multiple hash + algorithms for signatures and resource selection. Newer formats + are signed with SHA256, with a possibility for moving to a better + hash algorithm in the future. + - Directory authorities can now vote on arbitary integer values as + part of the consensus process. This is designed to help set + network-wide parameters. Implements proposal 167. + + o Major features and bugfixes (node selection): + - Revise and reconcile the meaning of the ExitNodes, EntryNodes, + ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and Strict*Nodes + options. Previously, we had been ambiguous in describing what + counted as an "exit" node, and what operations exactly "StrictNodes + 0" would permit. This created confusion when people saw nodes built + through unexpected circuits, and made it hard to tell real bugs from + surprises. Now the intended behavior is: + . 
"Exit", in the context of ExitNodes and ExcludeExitNodes, means + a node that delivers user traffic outside the Tor network. + . "Entry", in the context of EntryNodes, means a node used as the + first hop of a multihop circuit. It doesn't include direct + connections to directory servers. + . "ExcludeNodes" applies to all nodes. + . "StrictNodes" changes the behavior of ExcludeNodes only. When + StrictNodes is set, Tor should avoid all nodes listed in + ExcludeNodes, even when it will make user requests fail. When + StrictNodes is *not* set, then Tor should follow ExcludeNodes + whenever it can, except when it must use an excluded node to + perform self-tests, connect to a hidden service, provide a + hidden service, fulfill a .exit request, upload directory + information, or fetch directory information. + Collectively, the changes to implement the behavior fix bug 1090. + - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes + change during a config reload, mark and discard all our origin + circuits. This fix should address edge cases where we change the + config options and but then choose a circuit that we created before + the change. + - Make EntryNodes config option much more aggressive even when + StrictNodes is not set. Before it would prepend your requested + entrynodes to your list of guard nodes, but feel free to use others + after that. Now it chooses only from your EntryNodes if any of + those are available, and only falls back to others if a) they're + all down and b) StrictNodes is not set. + - Now we refresh your entry guards from EntryNodes at each consensus + fetch -- rather than just at startup and then they slowly rot as + the network changes. + - Add support for the country code "{??}" in torrc options like + ExcludeNodes, to indicate all routers of unknown country. Closes + bug 1094. + - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if + a node is listed in both, it's treated as excluded. 
+ - ExcludeNodes now applies to directory nodes -- as a preference if + StrictNodes is 0, or an absolute requirement if StrictNodes is 1. + Don't exclude all the directory authorities and set StrictNodes to 1 + unless you really want your Tor to break. + - ExcludeNodes and ExcludeExitNodes now override exit enclaving. + - ExcludeExitNodes now overrides .exit requests. + - We don't use bridges listed in ExcludeNodes. + - When StrictNodes is 1: + . We now apply ExcludeNodes to hidden service introduction points + and to rendezvous points selected by hidden service users. This + can make your hidden service less reliable: use it with caution! + . If we have used ExcludeNodes on ourself, do not try relay + reachability self-tests. + . If we have excluded all the directory authorities, we will not + even try to upload our descriptor if we're a relay. + . Do not honor .exit requests to an excluded node. + - When the set of permitted nodes changes, we now remove any mappings + introduced via TrackExitHosts to now-excluded nodes. Bugfix on + 0.1.0.1-rc. + - We never cannibalize a circuit that had excluded nodes on it, even + if StrictNodes is 0. Bugfix on 0.1.0.1-rc. + - Improve log messages related to excluded nodes. + + o Major features (misc): + - Numerous changes, bugfixes, and workarounds from Nathan Freitas + to help Tor build correctly for Android phones. + - The options SocksPort, ControlPort, and so on now all accept a + value "auto" that opens a socket on an OS-selected port. A + new ControlPortWriteToFile option tells Tor to write its + actual control port or ports to a chosen file. If the option + ControlPortFileGroupReadable is set, the file is created as + group-readable. Now users can run two Tor clients on the same + system without needing to manually mess with parameters. Resolves + part of ticket 3076. + - Tor now supports tunneling all of its outgoing connections over + a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy + configuration options. 
Code by Christopher Davis. + + o Code security improvements: + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Enable Address Space Layout Randomization (ASLR) and Data Execution + Prevention (DEP) by default on Windows to make it harder for + attackers to exploit vulnerabilities. Patch from John Brooks. + - New "--enable-gcc-hardening" ./configure flag (off by default) + to turn on gcc compile time hardening options. It ensures + that signed ints have defined behavior (-fwrapv), enables + -D_FORTIFY_SOURCE=2 (requiring -O2), adds stack smashing protection + with canaries (-fstack-protector-all), turns on ASLR protection if + supported by the kernel (-fPIE, -pie), and adds additional security + related warnings. Verified to work on Mac OS X and Debian Lenny. + - New "--enable-linker-hardening" ./configure flag (off by default) + to turn on ELF specific hardening features (relro, now). This does + not work with Mac OS X or any other non-ELF binary format. + - Always search the Windows system directory for system DLLs, and + nowhere else. Bugfix on 0.1.1.23; fixes bug 1954. + - New DisableAllSwap option. If set to 1, Tor will attempt to lock all + current and future memory pages via mlockall(). On supported + platforms (modern Linux and probably BSD but not Windows or OS X), + this should effectively disable any and all attempts to page out + memory. This option requires that you start your Tor as root -- + if you use DisableAllSwap, please consider using the User option + to properly reduce the privileges of your Tor. + + o Major bugfixes (crashes): + - Fix crash bug on platforms where gmtime and localtime can return + NULL. 
Windows 7 users were running into this one. Fixes part of bug + 2077. Bugfix on all versions of Tor. Found by boboper. + - Introduce minimum/maximum values that clients will believe + from the consensus. Now we'll have a better chance to avoid crashes + or worse when a consensus param has a weird value. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - If we're in the pathological case where there's no exit bandwidth + but there is non-exit bandwidth, or no guard bandwidth but there + is non-guard bandwidth, don't crash during path selection. Bugfix + on 0.2.0.3-alpha. + - Fix a crash bug when trying to initialize the evdns module in + Libevent 2. Bugfix on 0.2.1.16-rc. + + o Major bugfixes (stability): + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - Treat an unset $HOME like an empty $HOME rather than triggering an + assert. Bugfix on 0.0.8pre1; fixes bug 1522. + - More gracefully handle corrupt state files, removing asserts + in favor of saving a backup and resetting state. + - Instead of giving an assertion failure on an internal mismatch + on estimated freelist size, just log a BUG warning and try later. + Mitigates but does not fix bug 1125. + - Fix an assert that got triggered when using the TestingTorNetwork + configuration option and then issuing a GETINFO config-text control + command. Fixes bug 2250; bugfix on 0.2.1.2-alpha. 
+ - If the cached cert file is unparseable, warn but don't exit.
+
+ o Privacy fixes (relays/bridges):
+ - Don't list Windows capabilities in relay descriptors. We never made
+ use of them, and maybe it's a bad idea to publish them. Bugfix
+ on 0.1.1.8-alpha.
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Maintain separate TLS contexts and certificates for incoming and
+ outgoing connections in bridge relays. Previously we would use the
+ same TLS contexts and certs for incoming and outgoing connections.
+ Bugfix on 0.2.0.3-alpha; addresses bug 988.
+ - Maintain separate identity keys for incoming and outgoing TLS
+ contexts in bridge relays. Previously we would use the same
+ identity keys for incoming and outgoing TLS contexts. Bugfix on
+ 0.2.0.3-alpha; addresses the other half of bug 988.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all descriptors". It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+
+ o Privacy fixes (clients):
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Start the process of disabling ".exit" address notation, since it
+ can be used for a variety of esoteric application-level attacks
+ on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
+ on 0.0.9rc5.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Log a notice when we get a new control connection. Now it's easier
+ for security-conscious users to recognize when a local application
+ is knocking on their controller door. Suggested by bug 1196.
+
+ o Privacy fixes (newnym):
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Major bugfixes (relay bandwidth accounting):
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a bug in bandwidth accounting that could make us use twice + the intended bandwidth when our interval start changes due to + daylight saving time. Now we tolerate skew in stored vs computed + interval starts: if the start of the period changes by no more than + 50% of the period's duration, we remember bytes that we transferred + in the old period. Fixes bug 1511; bugfix on 0.0.9pre5. + + o Major bugfixes (bridges): + - Bridges now use "reject *:*" as their default exit policy. Bugfix + on 0.2.0.3-alpha. Fixes bug 1113. + - If you configure your bridge with a known identity fingerprint, + and the bridge authority is unreachable (as it is in at least + one country now), fall back to directly requesting the descriptor + from the bridge. Finishes the feature started in 0.2.0.10-alpha; + closes bug 1138. + - Fix a bug where bridge users who configure the non-canonical + address of a bridge automatically switch to its canonical + address. If a bridge listens at more than one address, it + should be able to advertise those addresses independently and + any non-blocked addresses should continue to work. Bugfix on Tor + 0.2.0.3-alpha. Fixes bug 2510. + - If you configure Tor to use bridge A, and then quit and + configure Tor to use bridge B instead (or if you change Tor + to use bridge B via the controller), it would happily continue + to use bridge A if it's still reachable. While this behavior is + a feature if your goal is connectivity, in some scenarios it's a + dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511. + - When the controller configures a new bridge, don't wait 10 to 60 + seconds before trying to fetch its descriptor. Bugfix on + 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355). + + o Major bugfixes (directory authorities): + - Many relays have been falling out of the consensus lately because + not enough authorities know about their descriptor for them to get + a majority of votes. 
When we deprecated the v2 directory protocol, + we got rid of the only way that v3 authorities can hear from each + other about other descriptors. Now authorities examine every v3 + vote for new descriptors, and fetch them from that authority. Bugfix + on 0.2.1.23. + - Authorities could be tricked into giving out the Exit flag to relays + that didn't allow exiting to any ports. This bug could screw + with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug + 1238. Bug discovered by Martin Kowalczyk. + - If all authorities restart at once right before a consensus vote, + nobody will vote about "Running", and clients will get a consensus + with no usable relays. Instead, authorities refuse to build a + consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066. + + o Major bugfixes (stream-level fairness): + - When receiving a circuit-level SENDME for a blocked circuit, try + to package cells fairly from all the streams that had previously + been blocked on that circuit. Previously, we had started with the + oldest stream, and allowed each stream to potentially exhaust + the circuit's package window. This gave older streams on any + given circuit priority over newer ones. Fixes bug 1937. Detected + originally by Camilo Viecco. This bug was introduced before the + first Tor release, in svn commit r152: it is the new winner of + the longest-lived bug prize. + - Fix a stream fairness bug that would cause newer streams on a given + circuit to get preference when reading bytes from the origin or + destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was + introduced before the first Tor release, in svn revision r152. + - When the exit relay got a circuit-level sendme cell, it started + reading on the exit streams, even if had 500 cells queued in the + circuit queue already, so the circuit queue just grew and grew in + some cases. We fix this by not re-enabling reading on receipt of a + sendme cell when the cell queue is blocked. Fixes bug 1653. 
Bugfix + on 0.2.0.1-alpha. Detected by Mashael AlSabah. Original patch by + "yetonetime". + - Newly created streams were allowed to read cells onto circuits, + even if the circuit's cell queue was blocked and waiting to drain. + This created potential unfairness, as older streams would be + blocked, but newer streams would gladly fill the queue completely. + We add code to detect this situation and prevent any stream from + getting more than one free cell. Bugfix on 0.2.0.1-alpha. Partially + fixes bug 1298. + + o Major bugfixes (hidden services): + - Apply circuit timeouts to opened hidden-service-related circuits + based on the correct start time. Previously, we would apply the + circuit build timeout based on time since the circuit's creation; + it was supposed to be applied based on time since the circuit + entered its current state. Bugfix on 0.0.6; fixes part of bug 1297. + - Improve hidden service robustness: When we find that we have + extended a hidden service's introduction circuit to a relay not + listed as an introduction point in the HS descriptor we currently + have, retry with an introduction point from the current + descriptor. Previously we would just give up. Fixes bugs 1024 and + 1930; bugfix on 0.2.0.10-alpha. + - Directory authorities now use data collected from their own + uptime observations when choosing whether to assign the HSDir flag + to relays, instead of trusting the uptime value the relay reports in + its descriptor. This change helps prevent an attack where a small + set of nodes with frequently-changing identity keys can blackhole + a hidden service. (Only authorities need upgrade; others will be + fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709. + - Stop assigning the HSDir flag to relays that disable their + DirPort (and thus will refuse to answer directory requests). 
This + fix should dramatically improve the reachability of hidden services: + hidden services and hidden service clients pick six HSDir relays + to store and retrieve the hidden service descriptor, and currently + about half of the HSDir relays will refuse to work. Bugfix on + 0.2.0.10-alpha; fixes part of bug 1693. + + o Major bugfixes (misc): + - Clients now stop trying to use an exit node associated with a given + destination by TrackHostExits if they fail to reach that exit node. + Fixes bug 2999. Bugfix on 0.2.0.20-rc. + - Fix a regression that caused Tor to rebind its ports if it receives + SIGHUP while hibernating. Bugfix in 0.1.1.6-alpha; closes bug 919. + - Remove an extra pair of quotation marks around the error + message in control-port STATUS_GENERAL BUG events. Bugfix on + 0.1.2.6-alpha; fixes bug 3732. + + o Minor features (relays): + - Ensure that no empty [dirreq-](read|write)-history lines are added + to an extrainfo document. Implements ticket 2497. + - When bandwidth accounting is enabled, be more generous with how + much bandwidth we'll use up before entering "soft hibernation". + Previously, we'd refuse new connections and circuits once we'd + used up 95% of our allotment. Now, we use up 95% of our allotment, + AND make sure that we have no more than 500MB (or 3 hours of + expected traffic, whichever is lower) remaining before we enter + soft hibernation. + - Relays now log the reason for publishing a new relay descriptor, + so we have a better chance of hunting down instances of bug 1810. + Resolves ticket 3252. + - Log a little more clearly about the times at which we're no longer + accepting new connections (e.g. due to hibernating). Resolves + bug 2181. + - When AllowSingleHopExits is set, print a warning to explain to the + relay operator why most clients are avoiding her relay. + - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors. 
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+
+ o Minor features (network statistics):
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
+ "--enable-geoip-stats" ./configure flag in 0.2.1.x, there are a few
+ improvements: 1) stats are written to disk exactly every 24 hours;
+ 2) estimated shares of v2 and v3 requests are determined as mean
+ values, not at the end of a measurement period; 3) unresolved
+ requests are listed with country code '??'; 4) directories also
+ measure download times.
+ - Exit nodes that set "ExitPortStatistics 1" write statistics on the
+ number of exit streams and transferred bytes per port to disk every
+ 24 hours.
+ - Relays that set "CellStatistics 1" write statistics on how long
+ cells spend in their circuit queues to disk every 24 hours.
+ - Entry nodes that set "EntryStatistics 1" write statistics on the
+ rough number and origins of connecting clients to disk every 24
+ hours.
+ - Relays that write any of the above statistics to disk and set
+ "ExtraInfoStatistics 1" include the past 24 hours of statistics in
+ their extra-info documents. Implements proposal 166.
+
+ o Minor features (GeoIP and statistics):
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Relays report the number of bytes spent on answering directory
+ requests in extra-info descriptors similar to {read,write}-history.
+ Implements enhancement 1790.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Delay geoip stats collection by bridges for 6 hours, not 2 hours,
+ when we switch from being a public relay to a bridge. Otherwise
+ there will still be clients that see the relay in their consensus,
+ and the stats will end up wrong. Bugfix on 0.2.1.15-rc; fixes
+ bug 932.
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor features (clients):
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - If we've configured EntryNodes and our network goes away and/or all
+ our entrynodes get marked down, optimistically retry them all when
+ a new socks application request appears. Fixes bug 1882.
+ - Always perform router selections using weighted relay bandwidth,
+ even if we don't need a high capacity circuit at the time. Non-fast
+ circuits now only differ from fast ones in that they can use relays
+ not marked with the Fast flag. This "feature" could turn out to
+ be a horrible bug; we should investigate more before it goes into
+ a stable release.
+ - When we run out of directory information such that we can't build
+ circuits, but then get enough that we can build circuits, log when
+ we actually construct a circuit, so the user has a better chance of
+ knowing what's going on. Fixes bug 1362.
+ - Log SSL state transitions at debug level during handshake, and
+ include SSL states in error messages. This may help debug future
+ SSL handshake issues.
+
+ o Minor features (directory authorities):
+ - When a router changes IP address or port, authorities now launch
+ a new reachability test for it. Implements ticket 1899.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Directory authorities now do an immediate reachability check as soon
+ as they hear about a new relay. This change should slightly reduce
+ the time between setting up a relay and getting listed as running
+ in the consensus. It should also improve the time between setting
+ up a bridge and seeing use by bridge users.
+ - Directory authorities no longer launch a TLS connection to every
+ relay as they startup. Now that we have 2k+ descriptors cached,
+ the resulting network hiccup is becoming a burden. Besides,
+ authorities already avoid voting about Running for the first half
+ hour of their uptime.
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote, so we can track failures better.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+
+ o Minor features (hidden services):
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Make hidden services work better in private Tor networks by not
+ requiring any uptime to join the hidden service descriptor
+ DHT. Implements ticket 2088.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Minor features (controller interface):
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Have the controller interface give a more useful message than
+ "Internal Error" in response to failed GETINFO requests.
+ - Add a TIMEOUT_RATE keyword to the BUILDTIMEOUT_SET control port
+ event, to give information on the current rate of circuit timeouts
+ over our stored history.
+ - The 'EXTENDCIRCUIT' control port command can now be used with
+ a circ id of 0 and no path. This feature will cause Tor to build
+ a new 'fast' general purpose circuit using its own path selection
+ algorithms.
+ - Added a BUILDTIMEOUT_SET controller event to describe changes
+ to the circuit build timeout.
+ - New controller command "getinfo config-text". It returns the
+ contents that Tor would write if you send it a SAVECONF command,
+ so the controller can write the file to disk itself.
+
+ o Minor features (controller protocol):
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets.
Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Warn when CookieAuthFileGroupReadable is set but CookieAuthFile is
+ not. This would lead to a cookie that is still not group readable.
+ Closes bug 1843. Suggested by katmagic.
+ - Future-proof the controller protocol a bit by ignoring keyword
+ arguments we do not recognize.
+
+ o Minor features (more useful logging):
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Rate-limit the "your application is giving Tor only an IP address"
+ warning. Addresses bug 2000; bugfix on 0.0.8pre2.
+ - Rate-limit "Failed to hand off onionskin" warnings.
+ - When logging a rate-limited warning, we now mention how many messages
+ got suppressed since the last warning.
+ - Make the formerly ugly "2 unknown, 7 missing key, 0 good, 0 bad,
+ 2 no signature, 4 required" messages about consensus signatures
+ easier to read, and make sure they get logged at the same severity
+ as the messages explaining which keys are which. Fixes bug 1290.
+ - Don't warn when we have a consensus that we can't verify because
+ of missing certificates, unless those certificates are ones
+ that we have been trying and failing to download. Fixes bug 1145.
+
+ o Minor features (log domains):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+ - Add a new "Handshake" log domain for activities that happen
+ during the TLS handshake.
+
+ o Minor features (build process):
+ - Make compilation with clang possible when using
+ "--enable-gcc-warnings" by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Resolves
+ ticket 2696.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+ - Add support for statically linking zlib by specifying
+ "--enable-static-zlib", to go with our support for statically
+ linking openssl and libevent. Resolves bug 1358.
+ - Instead of adding the svn revision to the Tor version string, report
+ the git commit (when we're building from a git checkout).
+ - Rename the "log.h" header to "torlog.h" so as to conflict with fewer
+ system headers.
+ - New --digests command-line switch to output the digests of the
+ source files Tor was built with.
+ - Generate our manpage and HTML documentation using Asciidoc. This
+ change should make it easier to maintain the documentation, and
+ produce nicer HTML. The build process fails if asciidoc cannot
+ be found and building with asciidoc isn't disabled (via the
+ "--disable-asciidoc" argument to ./configure. Skipping the manpage
+ speeds up the build considerably.
+
+ o Minor features (options / torrc):
+ - Warn when the same option is provided more than once in a torrc
+ file, on the command line, or in a single SETCONF statement, and
+ the option is one that only accepts a single line.
Closes bug 1384.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Add new "perconnbwrate" and "perconnbwburst" consensus params to
+ do individual connection-level rate limiting of clients. The torrc
+ config options with the same names trump the consensus params, if
+ both are present. Replaces the old "bwconnrate" and "bwconnburst"
+ consensus params which were broken from 0.2.2.7-alpha through
+ 0.2.2.14-alpha. Closes bug 1947.
+ - New config option "WarnUnsafeSocks 0" disables the warning that
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
+ - New config option "CircuitStreamTimeout" to override our internal
+ timeout schedule for how many seconds until we detach a stream from
+ a circuit and try a new circuit. If your network is particularly
+ slow, you might want to set this to a number like 60.
+ - New options for SafeLogging to allow scrubbing only log messages
+ generated while acting as a relay. Specify "SafeLogging relay" if
+ you want to ensure that only messages known to originate from
+ client use of the Tor process will be logged unsafely.
+ - Time and memory units in the configuration file can now be set to
+ fractional units. For example, "2.5 GB" is now a valid value for
+ AccountingMax.
+ - Support line continuations in the torrc config file. If a line
+ ends with a single backslash character, the newline is ignored, and
+ the configuration value is treated as continuing on the next line.
+ Resolves bug 1929.
+
+ o Minor features (unit tests):
+ - Revise our unit tests to use the "tinytest" framework, so we
+ can run tests in their own processes, have smarter setup/teardown
+ code, and so on.
The unit test code has moved to its own
+ subdirectory, and has been split into multiple modules.
+ - Add a unit test for cross-platform directory-listing code.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch
+ by Gisle Vanem.
+
+ o Minor features (misc):
+ - The "torify" script now uses torsocks where available.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Certain Tor clients (such as those behind check.torproject.org) may
+ want to fetch the consensus in an extra early manner. To enable this
+ a user may now set FetchDirInfoExtraEarly to 1. This also depends on
+ setting FetchDirInfoEarly to 1. Previous behavior will stay the same
+ as only certain clients who must have this information sooner should
+ set this option.
+ - Expand homedirs passed to tor-checkkey. This should silence a
+ coverity complaint about passing a user-supplied string into
+ open() without checking it.
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Minor bugfixes (relays):
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - Publish a router descriptor even if generating an extra-info
+ descriptor fails. Previously we would not publish a router
+ descriptor without an extra-info descriptor; this can cause fast
+ exit relays collecting exit-port statistics to drop from the
+ consensus. Bugfix on 0.1.2.9-rc; fixes bug 2195.
+ - When we're trying to guess whether we know our IP address as
+ a relay, we would log various ways that we failed to guess
+ our address, but never log that we ended up guessing it
+ successfully. Now add a log line to help confused and anxious
+ relay operators. Bugfix on 0.1.2.1-alpha; fixes bug 1534.
+ - For bandwidth accounting, calculate our expected bandwidth rate
+ based on the time during which we were active and not in
+ soft-hibernation during the last interval. Previously, we were
+ also considering the time spent in soft-hibernation. If this
+ was a long time, we would wind up underestimating our bandwidth
+ by a lot, and skewing our wakeup time towards the start of the
+ accounting interval. Fixes bug 1789. Bugfix on 0.0.9pre5.
+ - Demote a confusing TLS warning that relay operators might get when
+ someone tries to talk to their ORPort. It is not the operator's
+ fault, nor can they do anything about it. Fixes bug 1364; bugfix
+ on 0.2.0.14-alpha.
+ - Change "Application request when we're believed to be offline."
+ notice to "Application request when we haven't used client
+ functionality lately.", to clarify that it's not an error. Bugfix
+ on 0.0.9.3; fixes bug 1222.
+
+ o Minor bugfixes (bridges):
+ - When a client starts or stops using bridges, never use a circuit
+ that was built before the configuration change. This behavior could
+ put at risk a user who uses bridges to ensure that her traffic
+ only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
+ bug 3200.
+ - Do not reset the bridge descriptor download status every time we
+ re-parse our configuration or get a configuration change.
Fixes
+ bug 3019; bugfix on 0.2.0.3-alpha.
+ - Users couldn't configure a regular relay to be their bridge. It
+ didn't work because when Tor fetched the bridge descriptor, it found
+ that it already had it, and didn't realize that the purpose of the
+ descriptor had changed. Now we replace routers with a purpose other
+ than bridge with bridge descriptors when fetching them. Bugfix on
+ 0.1.1.9-alpha. Fixes bug 1776.
+ - In the special case where you configure a public exit relay as your
+ bridge, Tor would be willing to use that exit relay as the last
+ hop in your circuit as well. Now we fail that circuit instead.
+ Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
+
+ o Minor bugfixes (clients):
+ - We now ask the other side of a stream (the client or the exit)
+ for more data on that stream when the amount of queued data on
+ that stream dips low enough. Previously, we wouldn't ask the
+ other side for more data until either it sent us more data (which
+ it wasn't supposed to do if it had exhausted its window!) or we
+ had completely flushed all our queued data. This flow control fix
+ should improve throughput. Fixes bug 2756; bugfix on the earliest
+ released versions of Tor (svn commit r152).
+ - When a client finds that an origin circuit has run out of 16-bit
+ stream IDs, we now mark it as unusable for new streams. Previously,
+ we would try to close the entire circuit. Bugfix on 0.0.6.
+ - Make it explicit that we don't cannibalize one-hop circuits. This
+ happens in the wild, but doesn't turn out to be a problem because
+ we fortunately don't use those circuits. Many thanks to outofwords
+ for the initial analysis and to swissknife who confirmed that
+ two-hop circuits are actually created.
+ - Resolve an edge case in path weighting that could make us misweight
+ our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
+ - Make the DNSPort option work with libevent 2.x. Don't alter the
+ behaviour for libevent 1.x. Fixes bug 1143.
Found by SwissTorExit.
+
+ o Minor bugfixes (directory authorities):
+ - Make directory authorities more accurate at recording when
+ relays that have failed several reachability tests became
+ unreachable, so we can provide more accuracy at assigning Stable,
+ Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
+ - Directory authorities are now more robust to hops back in time
+ when calculating router stability. Previously, if a run of uptime
+ or downtime appeared to be negative, the calculation could give
+ incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
+ bug 1035.
+ - Directory authorities will now attempt to download consensuses
+ if their own efforts to make a live consensus have failed. This
+ change means authorities that restart will fetch a valid
+ consensus, and it means authorities that didn't agree with the
+ current consensus will still fetch and serve it if it has enough
+ signatures. Bugfix on 0.2.0.9-alpha; fixes bug 1300.
+ - Never vote for a server as "Running" if we have a descriptor for
+ it claiming to be hibernating, and that descriptor was published
+ more recently than our last contact with the server. Bugfix on
+ 0.2.0.3-alpha; fixes bug 911.
+ - Directory authorities no longer change their opinion of, or vote on,
+ whether a router is Running, unless they have themselves been
+ online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
+ Fixes bug 1023.
+
+ o Minor bugfixes (hidden services):
+ - Log malformed requests for rendezvous descriptors as protocol
+ warnings, not warnings. Also, use a more informative log message
+ in case someone sees it at log level warning without prior
+ info-level messages. Fixes bug 2748; bugfix on 0.2.0.10-alpha.
+ - Accept hidden service descriptors if we think we might be a hidden
+ service directory, regardless of what our consensus says.
This
+ helps robustness, since clients and hidden services can sometimes
+ have a more up-to-date view of the network consensus than we do,
+ and if they think that the directory authorities list us a HSDir,
+ we might actually be one. Related to bug 2732; bugfix on
+ 0.2.0.10-alpha.
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Clients and hidden services now use HSDir-flagged relays for hidden
+ service descriptor downloads and uploads even if the relays have no
+ DirPort set and the client has disabled TunnelDirConns. This will
+ eventually allow us to give the HSDir flag to relays with no
+ DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
+ - Only limit the lengths of single HS descriptors, even when multiple
+ HS descriptors are published to an HSDir relay in a single POST
+ operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
+
+ o Minor bugfixes (controllers):
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Send a SUCCEEDED stream event to the controller when a reverse
+ resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
+ discovered by katmagic.
+ - Remove a trailing asterisk from "exit-policy/default" in the
+ output of the control port command "GETINFO info/names". Bugfix
+ on 0.1.2.5-alpha.
+ - Make the SIGNAL DUMP controller command work on FreeBSD. Fixes bug
+ 2917. Bugfix on 0.1.1.1-alpha.
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event.
Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - When a controller changes TrackHostExits, remove mappings for
+ hosts that should no longer have their exits tracked. Bugfix on
+ 0.1.0.1-rc.
+ - When a controller changes VirtualAddrNetwork, remove any mappings
+ for hosts that were automapped to the old network. Bugfix on
+ 0.1.1.19-rc.
+ - When a controller changes one of the AutomapHosts* options, remove
+ any mappings for hosts that should no longer be automapped. Bugfix
+ on 0.2.0.1-alpha.
+ - Fix an off-by-one error in calculating some controller command
+ argument lengths. Fortunately, this mistake is harmless since
+ the controller code does redundant NUL termination too. Found by
+ boboper. Bugfix on 0.1.1.1-alpha.
+ - Fix a bug in the controller interface where "GETINFO ns/asdaskljkl"
+ would return "551 Internal error" rather than "552 Unrecognized key
+ ns/asdaskljkl". Bugfix on 0.1.2.3-alpha.
+ - Don't spam the controller with events when we have no file
+ descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
+ for log messages was already solved from bug 748.)
+ - Emit a GUARD DROPPED controller event for a case we missed.
+ - Ensure DNS requests launched by "RESOLVE" commands from the
+ controller respect the __LeaveStreamsUnattached setconf options. The
+ same goes for requests launched via DNSPort or transparent
+ proxying. Bugfix on 0.2.0.1-alpha; fixes bug 1525.
+
+ o Minor bugfixes (config options):
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Change the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2752. Fix by Michael Yakubovich.
+ - Complain if PublishServerDescriptor is given multiple arguments that
+ include 0 or 1. This configuration will be rejected in the future.
+ Bugfix on 0.2.0.1-alpha; closes bug 1107.
+ - Disallow BridgeRelay 1 and ORPort 0 at once in the configuration.
+ Bugfix on 0.2.0.13-alpha; closes bug 928.
+
+ o Minor bugfixes (log subsystem fixes):
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+ - Be more consistent in our treatment of file system paths. "~" should
+ get expanded to the user's home directory in the Log config option.
+ Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
+ feature for the -f and --DataDirectory options.
+
+ o Minor bugfixes (memory management):
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+ - Save a couple bytes in memory allocation every time we escape
+ certain characters in a string. Patch from Florian Zumbiehl.
+
+ o Minor bugfixes (protocol correctness):
+ - When checking for 1024-bit keys, check for 1024 bits, not 128
+ bytes. This allows Tor to correctly discard keys of length 1017
+ through 1023. Bugfix on 0.0.9pre5.
+ - Require that introduction point keys and onion handshake keys
+ have a public exponent of 65537. Starts to fix bug 3207; bugfix
+ on 0.2.0.10-alpha.
+ - Handle SOCKS messages longer than 128 bytes long correctly, rather
+ than waiting forever for them to finish. Fixes bug 2330; bugfix
+ on 0.2.0.16-alpha. Found by doorss.
+ - Never relay a cell for a circuit we have already destroyed.
+ Between marking a circuit as closeable and finally closing it,
+ it may have been possible for a few queued cells to get relayed,
+ even though they would have been immediately dropped by the next
+ OR in the circuit. Fixes bug 1184; bugfix on 0.2.0.1-alpha.
+ - Never queue a cell for a circuit that's already been marked
+ for close.
+ - Fix a spec conformance issue: the network-status-version token
+ must be the first token in a v3 consensus or vote. Discovered by
+ "parakeep". Bugfix on 0.2.0.3-alpha.
+ - A networkstatus vote must contain exactly one signature. Spec
+ conformance issue. Bugfix on 0.2.0.3-alpha.
+ - When asked about a DNS record type we don't support via a
+ client DNSPort, reply with NOTIMPL rather than an empty
+ reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
+ - Make more fields in the controller protocol case-insensitive, since
+ control-spec.txt said they were.
+
+ o Minor bugfixes (log messages):
+ - Fix a log message that said "bits" while displaying a value in
+ bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
+ 0.2.0.1-alpha.
+ - Downgrade "no current certificates known for authority" message from
+ Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
+ - Correctly describe errors that occur when generating a TLS object.
+ Previously we would attribute them to a failure while generating a
+ TLS context. Patch by Robert Ransom. Bugfix on 0.1.0.4-rc; fixes
+ bug 1994.
+ - Fix an instance where a Tor directory mirror might accidentally
+ log the IP address of a misbehaving Tor client. Bugfix on
+ 0.1.0.1-rc.
+ - Stop logging at severity 'warn' when some other Tor client tries
+ to establish a circuit with us using weak DH keys. It's a protocol
+ violation, but that doesn't mean ordinary users need to hear about
+ it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
+ - If your relay can't keep up with the number of incoming create
+ cells, it would log one warning per failure into your logs. Limit
+ warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
+
+ o Minor bugfixes (build fixes):
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Fix warnings that newer versions of autoconf produce during
+ ./autogen.sh. These warnings appear to be harmless in our case,
+ but they were extremely verbose. Fixes bug 2020.
+ - Squash a compile warning on OpenBSD. Reported by Tas; fixes
+ bug 1848.
+
+ o Minor bugfixes (portability):
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - Use a wide type to hold sockets when built for 64-bit Windows.
+ Fixes bug 3270.
+ - Fix an issue that prevented static linking of libevent on
+ some platforms (notably Linux). Fixes bug 2698; bugfix on 0.2.1.23,
+ where we introduced the "--with-static-libevent" configure option.
+ - Fix a bug with our locking implementation on Windows that couldn't
+ correctly detect when a file was already locked. Fixes bug 2504,
+ bugfix on 0.2.1.6-alpha.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled.
+ - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
+ Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
+ "piebeer".
+
+ o Minor bugfixes (code correctness):
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Make connection_printf_to_buf()'s behaviour sane.
Its callers
+ expect it to emit a CRLF iff the format string ends with CRLF;
+ it actually emitted a CRLF iff (a) the format string ended with
+ CRLF or (b) the resulting string was over 1023 characters long or
+ (c) the format string did not end with CRLF *and* the resulting
+ string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
+ fixes part of bug 3407.
+ - Make send_control_event_impl()'s behaviour sane. Its callers
+ expect it to always emit a CRLF at the end of the string; it
+ might have emitted extra control characters as well. Bugfix on
+ 0.1.1.9-alpha; fixes another part of bug 3407.
+ - Make crypto_rand_int() check the value of its input correctly.
+ Previously, it accepted values up to UINT_MAX, but could return a
+ negative number if given a value above INT_MAX+1. Found by George
+ Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
+ - Fix a potential null-pointer dereference while computing a
+ consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ clang's analyzer.
+ - If we fail to compute the identity digest of a v3 legacy keypair,
+ warn, and don't use a buffer-full of junk instead. Bugfix on
+ 0.2.1.1-alpha; fixes bug 3106.
+ - Resolve an untriggerable issue in smartlist_string_num_isin(),
+ where if the function had ever in the future been used to check
+ for the presence of a too-large number, it would have given an
+ incorrect result. (Fortunately, we only used it for 16-bit
+ values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
+ - Be more careful about reporting the correct error from a failed
+ connect() system call. Under some circumstances, it was possible to
+ look at an incorrect value for errno when sending the end reason.
+ Bugfix on 0.1.0.1-rc.
+ - Correctly handle an "impossible" overflow cases in connection byte
+ counting, where we write or read more than 4GB on an edge connection
+ in a single second. Bugfix on 0.1.2.8-beta.
+ - Avoid a double mark-for-free warning when failing to attach a
+ transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
+ bug 2279.
+ - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
+ found by "cypherpunks". This bug was introduced before the first
+ Tor release, in svn commit r110.
+ - Fix a bug in bandwidth history state parsing that could have been
+ triggered if a future version of Tor ever changed the timing
+ granularity at which bandwidth history is measured. Bugfix on
+ Tor 0.1.1.11-alpha.
+ - Add assertions to check for overflow in arguments to
+ base32_encode() and base32_decode(); fix a signed-unsigned
+ comparison there too. These bugs are not actually reachable in Tor,
+ but it's good to prevent future errors too. Found by doorss.
+ - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
+ "memcpyfail".
+ - Set target port in get_interface_address6() correctly. Bugfix
+ on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
+ - Fix an impossible-to-actually-trigger buffer overflow in relay
+ descriptor generation. Bugfix on 0.1.0.15.
+ - Fix numerous small code-flaws found by Coverity Scan Rung 3.
+
+ o Minor bugfixes (code improvements):
+ - After we free an internal connection structure, overwrite it
+ with a different memory value than we use for overwriting a freed
+ internal circuit structure. Should help with debugging. Suggested
+ by bug 1055.
+ - If OpenSSL fails to make a duplicate of a private or public key, log
+ an error message and try to exit cleanly. May help with debugging
+ if bug 1209 ever remanifests.
+ - Some options used different conventions for uppercasing of acronyms
+ when comparing manpage and source. Fix those in favor of the
+ manpage, as it makes sense to capitalize acronyms.
+ - Take a first step towards making or.h smaller by splitting out
+ function definitions for all source files in src/or/. Leave
+ structures and defines in or.h for now.
+ - Remove a few dead assignments during router parsing. Found by
+ coverity.
+ - Don't use 1-bit wide signed bit fields. Found by coverity.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - The memarea code now uses a sentinel value at the end of each area
+ to make sure nothing writes beyond the end of an area. This might
+ help debug some conceivable causes of bug 930.
+ - Always treat failure to allocate an RSA key as an unrecoverable
+ allocation error.
+ - Add some more defensive programming for architectures that can't
+ handle unaligned integer accesses. We don't know of any actual bugs
+ right now, but that's the best time to fix them. Fixes bug 1943.
+
+ o Minor bugfixes (misc):
+ - Fix a rare bug in rend_fn unit tests: we would fail a test when
+ a randomly generated port is 0. Diagnosed by Matt Edman. Bugfix
+ on 0.2.0.10-alpha; fixes bug 1808.
+ - Where available, use Libevent 2.0's periodic timers so that our
+ once-per-second cleanup code gets called even more closely to
+ once per second than it would otherwise. Fixes bug 943.
+ - Ignore OutboundBindAddress when connecting to localhost.
+ Connections to localhost need to come _from_ localhost, or else
+ local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
+ refuse to listen.
+ - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
+ too.
+ - If any of the v3 certs we download are unparseable, we should
+ actually notice the failure so we don't retry indefinitely. Bugfix
+ on 0.2.0.x; reported by "rotator".
+ - When Tor fails to parse a descriptor of any kind, dump it to disk.
+ Might help diagnosing bug 1051.
+ - Make our 'torify' script more portable; if we have only one of
+ 'torsocks' or 'tsocks' installed, don't complain to the user;
+ and explain our warning about tsocks better.
+ - Fix some urls in the exit notice file and make it XHTML1.1 strict
+ compliant. Based on a patch from Christian Kujau.
+
+ o Documentation changes:
+ - Modernize the doxygen configuration file slightly. Fixes bug 2707.
+ - Resolve all doxygen warnings except those for missing documentation.
+ Fixes bug 2705.
+ - Add doxygen documentation for more functions, fields, and types.
+ - Convert the HACKING file to asciidoc, and add a few new sections
+ to it, explaining how we use Git, how we make changelogs, and
+ what should go in a patch.
+ - Document the default socks host and port (127.0.0.1:9050) for
+ tor-resolve.
+ - Removed some unnecessary files from the source distribution. The
+ AUTHORS file has now been merged into the people page on the
+ website. The roadmaps and design doc can now be found in the
+ projects directory in svn.
+
+ o Deprecated and removed features (config):
+ - Remove the torrc.complete file. It hasn't been kept up to date
+ and users will have better luck checking out the manpage.
+ - Remove the HSAuthorityRecordStats option that version 0 hidden
+ service authorities could use to track statistics of overall v0
+ hidden service usage.
+ - Remove the obsolete "NoPublish" option; it has been flagged
+ as obsolete and has produced a warning since 0.1.1.18-rc.
+ - Caches no longer download and serve v2 networkstatus documents
+ unless FetchV2Networkstatus flag is set: these documents haven't
+ haven't been used by clients or relays since 0.2.0.x. Resolves
+ bug 3022.
+
+ o Deprecated and removed features (controller):
+ - The controller no longer accepts the old obsolete "addr-mappings/"
+ or "unregistered-servers-" GETINFO values.
+ - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
+ always on; using them is necessary for correct forward-compatible
+ controllers.
+
+ o Deprecated and removed features (misc):
+ - Hidden services no longer publish version 0 descriptors, and clients
+ do not request or use version 0 descriptors. However, the old hidden
+ service authorities still accept and serve version 0 descriptors
+ when contacted by older hidden services/clients.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Remove everything related to building the expert bundle for OS X.
+ It has confused many users, doesn't work right on OS X 10.6,
+ and is hard to get rid of once installed. Resolves bug 1274.
+ - Remove support for .noconnect style addresses. Nobody was using
+ them, and they provided another avenue for detecting Tor users
+ via application-level web tricks.
+ - When we fixed bug 1038 we had to put in a restriction not to send
+ RELAY_EARLY cells on rend circuits. This was necessary as long
+ as relays using Tor 0.2.1.3-alpha through 0.2.1.18-alpha were
+ active. Now remove this obsolete check. Resolves bug 2081.
+ - Remove workaround code to handle directory responses from servers
+ that had bug 539 (they would send HTTP status 503 responses _and_
+ send a body too). Since only server versions before
+ 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
+ keep the workaround in place.
+ - Remove the old 'fuzzy time' logic. It was supposed to be used for
+ handling calculations where we have a known amount of clock skew and
+ an allowed amount of unknown skew. But we only used it in three
+ places, and we never adjusted the known/unknown skew values. This is
+ still something we might want to do someday, but if we do, we'll
+ want to do it differently.
+ - Remove the "--enable-iphone" option to ./configure. According to
+ reports from Marco Bonetti, Tor builds fine without any special
+ tweaking on recent iPhone SDK versions.
+
+-------------------------------------------------------------------
+Mon Feb 28 21:29:12 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstram 0.2.1.30
+
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line. This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+-------------------------------------------------------------------
+Wed Feb 16 21:13:00 UTC 2011 - andreas.stieger@gmx.de
+
+- fix bug #671821 - /var/run/tor might not exist
+
+-------------------------------------------------------------------
+Mon Jan 17 19:47:20 UTC 2011 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.29
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+-------------------------------------------------------------------
+Mon Dec 20 21:24:19 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.28
+ - Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ - Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ - Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+-------------------------------------------------------------------
+Fri Nov 26 17:12:40 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.27
+
+-------------------------------------------------------------------
+Fri Aug 6 03:53:35 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- %ghost the pid file so /var/run can be mounted tmpfs
+- require logrotate
+
+-------------------------------------------------------------------
+Sat May 29 17:50:51 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.26
+
+-------------------------------------------------------------------
+Sun Mar 28 17:00:30 UTC 2010 - andreas.stieger@gmx.de
+
+- updated to upstream 0.2.1.25
+
+-------------------------------------------------------------------
+Mon Mar 1 20:49:13 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.24)
+
+-------------------------------------------------------------------
+Fri Jan 29 13:34:55 UTC 2010 - puzel@novell.com
+
+- remove debug_package macro to make it build
+
+-------------------------------------------------------------------
+Sun Jan 24 22:21:51 UTC 2010 - andreas.stieger@gmx.de
+
+- new upstream version (0.2.1.22)
+
diff --git a/tor.keyring b/tor.keyring
new file mode 100644
index 0000000..581cf6d
--- /dev/null
+++ b/tor.keyring
@@ -0,0 +1,686 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh +As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs +Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS +wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX +gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut +vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG +w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO +1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 +eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu +wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj +h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 +eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b 
+eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa +RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 +D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA +gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 +AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 +AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl +ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc +6SM3xZaaxQI= +=GZkh +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBFfinwwBEADNzG/Q6YTrH7oSfUERhopwCWWn/gsprtnUFK+O4enXPXQlisGt +OVNbc5GWoZibNPowjORN+kADB+ce+VBmVeh+4ZeJDjpsc+WXuVajDc0wNwG3I36m +8uNRPLMftBcxS1zUsMpwaqff5sDoqlBTwrvfLpHT0W1ecJX8Ew10zim58DzwQisR +Uv1rsGiyH/dFzs8m3jPdNjDZyyzGQK62hwp6Y/m11PiMYgGrvAa1ofjfkGRVxUgo +UUG8JG/AhGvMnHJjV923A7I8MspOm4H76wlEQLesPHJ5WPSBXTZ5jVgdWdp50fPR +JZOUT6gwkYF59SeZOcSFecdyuSb0W68/klD5PX0G8qQ5ko9beNm7Rs2aJKvY1MHU +n5rb00aulQFaYLFJ7LOTDqYDUkKYp7n4hw1X1yXO1MUYyk9J9WNO/Uo2psKXcBsd +ZjdEWj1dWHOhwswygndL7RxK/17psmod055S0uYkjA74J2eRSmPZ7ErIfUh85rQw +DZyYKh7B6AGjcpA1YyrAh6BgyJncP9x21dmip0ENrfg5rpcfHpTrOF8To8fpo4/y +vUL8kCxCCPJtkJiuXkGhV3oZsj2tWGvAclYqO7xe84vks+GgjG9Ydfga8JrvPMDz +YLX7aTDnZRiU2Z+FvtABMjmmPjAHj3hMx/o25Na4bQ7wBAPEUiESsnh1HwARAQAB +zSNOaWNrIE1hdGhld3NvbiA8bmlja21AYWx1bS5taXQuZWR1PsLBgQQTAQgAKwIb +AQIeAQIXgAIZAQULCQgHAgYVCgkICwIFFgMCAQAFAl97G2UFCRD+fdkACgkQ/kMA +nEYHsfsg8g//ToPK4HDWDmHOLcFKi2v33Q/aTA5TsfQb1pwHvAUepABf+bjwqu5o +/2K3HFqhn7HVl7vgpqFcAjf1u9H7Jh+R7buawoWQIxi5cWW0GIuX9gutzgVyP/36 +y6rrQnZwcY+vIvi7fmRx0VVd+bZMOsd5/XJQ2wkLDw/6ppRWIPY5Pg97M3+CD26r +MonWcghRkCO9g0PwAxmqYHZCxcJp5aEURLOzh8NtDllxsoaZK4H974tWtWk04BWH +koApQPFg0YYn3cTftAIanmgtuKARW5nAIzPnCS2576DjKyUbAis19nYRgv+CtMZQ +ohkyNEeDowf7UgFTI+AkbUBjxwKP71U7ZW+qynRYT125jTtTGOOkX5BQjx2Qg/sO 
+Vs7Ukyezw1GFWmka4ijpHRssvEdK1mKZLqH8OsMG6XE1xIDOIRnsNJzR0c4u3IGO +C3+TAQaokn1E45CcFwb39n6keFLVEIa+XnYDil5QC6w+16TMvK38q6dS5QnE04OS +errSuYfX4IFslhkaLXd7uAAb7qrSQzD//jmmiKjgyFuRnSHO/nlv7fsvpCtFNNX5 +stthayhtmKxvBSlyTgArcNiP0oQKVE3LO8y2qARGY1eOBMMC0ml0W053A/cfQOAa ++2UqQlvCQf/Qben24Bh4tKyW6The2k4aNSIN9tyIUAIASfgOtoye6J/CwYEEEwEI +ACsCGwECHgECF4ACGQEFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5ngBQkHf2HUAAoJ +EP5DAJxGB7H7XPMQAJ6EXm4DaB1IlCrH+5U+QYXwwrKiBR+mHPBWuiEBSUbY4nOY +V+jK0647jljluyPXL7EUHli5RqajCvqZPfheAuRxNLlyznhJeLjdt/qBbTEgtOvo +QwsmmDwEogiStE/FrNypgGCqH6NLAEvHANn9UBDRsi/J6ccPDieIuxlQa5ksQCsR +zXTp19+39XWkeStIaaHx0w/x78IyAQHFZlxDI88/ZmUXfI2FWkOnp5dWcJhYJPGf +/E4n/aBbKZ6cB5OxEAX3uAt2fz625RuoFR9R03BjW1L8RJwKEa5fiBf8sG69dxmn +RWqebG5H4MhCemG9Pv1CGqK/bAiyIK6j2Dpj7K7F6j/0CePr7K0MrGjHOvT01bnt +ZI0jnNWGWS9M18M3mfdHM4Lof8kA8S/KIJ6gFAi0N5W8OVtzUx20IA1G2cRcrTYc +zyOpENDKOz26CRIi8SyJWmfR8N0HE5YlouT+xL09Vyo4i2Jck12t59DnKvCnsNLM +XuudDOALTGqyzK2t7njMblLWq/xL0A3DmcI4auX2OuxTyVm5UJkUk+2UT2GtzXne +2NIi07k8+5/xP84v/nWiNaaCFuPySfy1xmTYERt3EXgCs5r+qOCl2L4jzfe3EEsJ +NPKy8KWSitUjcc9VoOiZ48LDBEbY8LDDFliYkvwTyHK5fNjqLlNE8Jj4yX49wsGB +BBMBCAArAhsBAh4BAheABQkFo6E9AhkBBQJX5WLXBQsJCAcCBhUKCQgLAgUWAwIB +AAAKCRD+QwCcRgex+87WD/wP/UW4QljFB74PmDKY9c0uXmpbH3M9fyuLxSVofdYP +CU21mwjCwiWLBVhBGiMEJ9KtSQYFcK0mbcWG9dB2vvCyfgvbaGZPs0gczYpSo84V +64a5VX5uDujQQqWgZYVLal462M0A40mMRNxLrOzMMeSxZUtFjsvqygLjpTwuYJWf +dE24A/TAUUEX611eHzniQtRegfTGZwD5A6HA+WmSLRIgcPXfHNTwq75nHhLgFari +qRjzmfJfVkQjHhDC8tBp+NHkUv1b1me6b+POBnwYvOoH+tlKw4HLN5j1eXC/7H8L +xyC6XOQyq4uSMrVXIcLFVo4T6uG+yuboUknV97QogWCKuGUtl8zFF52EfZmUa1jx +kpF9F6OywY0K3tAYc/qXODQuWjmCPl3gk3CPK5B2P7QT6nhc+wCfwLQasMZxJv/m +7s/7jcyyAW2+EUi0Oo1m75XWH9/3s3TbZeFfFT6FsX4obNIWauBwr5cWRaeG0qoA +kIOysY57v9aKzc0bQaqJLspWiWMLs2CWXH4GGZf7glGeVgK/VY7pICGroT5PWhcQ +OmUJ8rx+Sj7fQ5UNtczA9mEFtCuFfZ9IXVs8kOaSTnCtH9NeeEwy/iFB8cgIEysx +T7T1n+IpT3mPjvVTGK1fu/EVhjk5VCgU4B0eCNsL4tSWXy41fRFA0auy/0o99G0T +7cLBfwQTAQgAKQIbAQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJX4qXJBQkF 
+o6E9AAoJEP5DAJxGB7H7TnAQAJs/XQk5Wx5Db/vMztwR3oRMPvG4NVHnA38fit8g +IWSMsB8AWJyMY1P/cFkJRpnQo/fF83Z/XinP0pKTEQ97+UIqvtndSTLUFacMirGh +yx025aTag+OLhyIe4xq19ZZEy3+YNq9nOGMIivWxGyvWUVjQYVwk2AAtFsC1FZtZ +4pVtte4Yd/Vq4nOTfmO+eejVmCvOHKr3xHET2+psiVS23j3aBJIShikPbmxRg+l+ +VbE7RLjk90Mv3PnGhqVfgnEEoYQZ/kppE7fnFb6pHgP4zBVRCoYVP3qCLv8WzoyZ +s/snYItAgGIHHv6OLDKn5SSSnmJho3+z6/PfCUBbLbz64vF0Itj8+6mwGlenMp2p +tPc8mvkEnvfHa11emmJVnFVJTKY9qkrft/kabb7AezPE7TgFuN0tTfoSsW00qNuL +QiRubdqknQ20C3ILCUiqPef7WajwlkQbe5KJE1f2HK6P3FhcveGkB5eG537/0BO6 +gH/Mv1Czu+sebDOcXwPeNPqNEFAqUmXxh5UFznQqETFej6DPP0HkMUlGnZi3o5g6 +jrUnMnzG6GLBYDmLAm26x1m7YMqLI23bxDLuBjIDZmLmcn2kYA/MbJhbWg9mnmis +0YK/5nXbbsZ8GtNhLP70T/mRW3c3loyTYtX2mtsmaGq64Uw2XlwQEtdZrpiQNnR8 +ExrHzSROaWNrIE1hdGhld3NvbiA8bmlja21AZnJlZWhhdmVuLm5ldD7CwX4EEwEI +ACgCGwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJfextxBQkQ/n3ZAAoJEP5D +AJxGB7H7eBwP/R3OpDnx7JtFOq22z0jcLjPLwmP+QqgOlIvSiqj66SplpEhPHcgf +4DgBu02RwE8ONAMo6McFvUH4tvI2NH3X8WET32APLe8/2cxhtZpH86gdnwTu1xGM +XQxz5sRppIhOtoowGWh+/e/t9owALOm/+IsHnxbX4ddIN6goB/mrlepRVRUODBnE +0K9oZG7VnnrB73Ip0+hqaDVmiGdOn7LSggl7ip7VZ5hUHXwvHg3dUknKapucMXFC +aqdelvYFt3NYQ2ZROAsAVLdi4k2dY9/WGNCgFHbdSGurJ19yGwttv57t+GUsG3OX +HEIMq52dkM4LOnbdVR2miV/jhFQ7J6i+mjZ5tYJiwrX9uFSOSzHbjWVCq5tlj1OH +s18s0zDO523p2YWS2LWaiDpThnRU092iGsNJZHaJmzA0T+7Ti/uaqqY9CjshYSBd +i0XUQ1LowzWDfBsVjV/u+BN80FYoszJzTAmiJW3GOrxbkhdb4nYptPKmY4YSSlLf +fOQ0y9Y+eUYMGe23xhejsYITS6THOunWmb/jlgK12Rd8AyrZVtD64szxAYqSXJ9r +x/k16KIl1z7JzJIRzBIrdHe8HTtuy9zs/oQgICPMrotKF6TCjHkH7prZFcCF09Ij +Rcc8ihpZ/C991HS4X4pN1MdQMuEIWVIAjxKh++gMYYzMjXUqBsjXjuBhwsF+BBMB +CAAoAhsBAh4BAheABQsJCAcCBhUKCQgLAgUWAwIBAAUCW5+Z8AUJB39h1AAKCRD+ +QwCcRgex+8yID/9lIunYmqatd4mTaiaAJIUHMjFh7d7J+3pXwOV2bpg/eBpFlonI +OC/8xnj+2CiKVusjF9WXoakOQUyXizPD7+fnUDzgQjmXxQTO3TCiXhSRdDdrcYcw +Z3Y+0rkK66QOv66S+NQGonG1qOJPjV8XSpLnuWb7bdk5qlaGquJIeoVQQpMZB9qe +0iwxgKeegJuOCRTQnPI7hoCpJX9+PowWR53JMi/Tks76B7XP/KF2TLR226oD3S/t +4Jup7LU5xP/IDCKWf641ZOoNdrCRc84nxeXcChjcX2eGNuBaceplLRQD3+ONZ9QE 
+HuQkbLfCQzs/NQTXxrB5NwBaBblJkNEY1i7GXeURGFE4ChD5eb6ba7m/uE7UOZ+F +wB0OpgUHIRlHrD/maVsd17mIsNo6WNRypXuzAlNNOVFgtnwVOpfm/OURzkLXeFjx +An4mJ/ca9SBYxtj9EYSp4OM1FjLNbm95Z1cQ7nxwQA98ZEa1yAr/TY6Z1Zpe8nHy +evsBLBWNPObW7nUjmfvIYzP7/xJTimwkagLGgSi+0R01HlHk1TlIYd5KyOFdXLui +4eEK5WFppqSCq4U2j8vaRwNKfUFryYOihBvpcZblRSl6+kuatcYF+m6tUQ0Pi5p5 +jO/nORRm9a8ertRSaxshcsavjrXpe7ZJ+yCCIe15MHVBSA/g687Wo8qJFMLBfgQT +AQgAKAIbAQUJBaOhPQIeAQIXgAUCV+Vi4QULCQgHAgYVCgkICwIFFgMCAQAACgkQ +/kMAnEYHsftQVBAAvOPy7R+ucWt6SSg3bw7CUtJozxujfNKpIb9xWJ6rhNWCPbyk +kAyWnHuWLxaRiADX+aTBLoGgNNJHBc5rYgcXgFaE26O2/QEEXV/0vJrPcmzR1t6M +0f4J9BTmoc+zLcgIYwPJl5HfyTPy+zZ/zorJ2CP5h6oaCYioyXVOEIhtO9pX/xRy +DI9CtFV0CuYrisPTr9CU09zwa4DQSvXcWSL1xyvijuMKE2tDvoYectdD+z7hZZAW +R7x7VktlS4WnbbTOMtrQ/EEQljLeoLz8gm0wwvSkRBnA01sBhFp+MWaw0slPBrBu +Nkmm3MygWDK+IU+JHTFr2E+6tSnEnAkZmQgLG3S+D8wUo3fY4iUnE0vxP4wvcx7f +/1ckzUsnOE1n4zOQTGefA89tFKOza8BG5/1BVhIUVztfXkKdeES9d4ynh6EKHOD1 +5a296IU7BKf1dAJgOchgktwKWbRQ8mKKpyExCYygno1EqBw1Wvv5UIvewPodAEJl +1zPHt4XKR/+bVhJQGeDsBoc3+tzqcDxyUOv22Euf85yvVhq9DXIAUQ8STY2xh/7S +YGIwf3WZp/3ry6HR40+LmUe6KXAAQSQQXOAZPAgC87j2mzMDTeQZ7bJ9wBQ6j7QR +/ebzs/6cHKeroNEbcoW6QhOwSnX01CU0REQdq9tCwYOcQ5lmjt8zNv6cB/XCwX8E +EwEIACkFAlfiphkCGwEFCQWjoT0HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK +CRD+QwCcRgex+xRCEACwAh/qUAj3EYe1XvMU+whr2h9HyW7qeIqHDqQc/LEt5UeI +XSqfoJV23nQSu3C3MT0mJR4UF2C0qOGOLNZVpsxOIE/dDpg0/8xABCNCrxJF3y+2 +DTUoVtujoftAYCP19MaIml05C+LDeoM1d4CmDbokYtm/KBbLnyc82nYaQHrlljRT +8mLAEia8ye9IR16gTPn3PGT5dn+0yWiZ+95BIKhJdVKCY4wMr46RiEi81+3LWDBl +Ariv+Ojg6hCoQPwC4kUR1tisxyWo4mnaOEkHM2fnFWcqxXqK3NHhHUk56A9EbfOw +4mxbntg4I9d9UuW+B8N/Po5y10RExGqyOQWxeGOpPQrJsb77iHA/3I94/0o3yVuR +PDMSftTVWgiaHqSJ212hITMZZU7eYuxbnOFd2dIgzU2Nt1a/h9putFoJOj37Rz3Y +5blIX36DChBOtwHwChYx39V0OETRnX7036RfkRK1+4DX6Ipz/e2dXmzrsReUbvys +vxPz11NVefjic11EINm737K5iamul3VO0MNZb2+PQDJsG33eF7EYhKIJdFrldaWP +A6Qz7ER/CnEPHMwGS/ccVzcH8KOa6VymZhUMjsyd7BHoMtiNZGZM45d3AjgANEOm +7XM/CQ7IA8ODo2h5eGRQBoYDEPPqE0jBuTtNi+5E/6sD8oxRKbc0EnblVFhD/M0l 
+TmljayBNYXRoZXdzb24gPG5pY2ttQHRvcnByb2plY3Qub3JnPsLBfgQTAQgAKAIb +AQIeAQIXgAULCQgHAgYVCgkICwIFFgMCAQAFAl97G3AFCRD+fdkACgkQ/kMAnEYH +sfshpw//eju0iMvlXvsTbib8b4Y2Q84m5TBPEmkKh94hi2KQA27b89WhGRG2gFFz +E7PsrtM0RbV9IvG2KHMvUK7zQsHqW9ang6UHeCBNpxWYMkzjH+nI8tyE0fMYaVpN +TlcC1/daZ15BDddwLPMayxq9fofpzP54t3Oehw3lg4oUMKkx4QSaDaK6x/v5yrc2 +QTYXxtJsojP2/RsQh9mGzoDESAvSbgj8oFjllcrTk8rEFkioiCLy/6DJ1uQ0xmuc +V1bfok3cU4C3PvfuqTJIP4VRhxt4+AH98FNfx+20DAjW/o8/rcZwmFdtbewAqLmk +ADMflmGQ9+oal6vn+b/TUbn1zuuuw2jOyqvVL0Bxg9KSDzPU5TrLIU5eAMwRwCSA +eIsRrHGUdx/HCJYG0MnvdhpoHSZMNsdFCeVmlOCfYN4jJy3iAOI9PUJn+R/MF606 +S89Mkwf0tRElY1b9wSUlIcp9OKzP7g732sB1KfHeI9W7LXRsXqTRca1pbCvc1Fda +JQCfFGXguLEZpMthG2xfkPal0LhqZ1riZOysisoPYCZCXG1Aq7FNrLdRrIqeqSdU +xkwFSTI+MCJwvdMUNnpZx5tQDI4kwQcWOINehkaAJgaJQJmhJpJCav2HzzNV6Ynv +/xN4I8e+euvWm8ipJigIHJF4CyVo1FVruiTtwvNdCJmzS8kgxDDCwX4EEwEIACgC +GwECHgECF4AFCwkIBwIGFQoJCAsCBRYDAgEABQJbn5nwBQkHf2HUAAoJEP5DAJxG +B7H7jjEP/0PVTL9eI1otZ9EGV4Wxv6fcX7gXJO1VZsRFWosae1neZjIjQ91dCzIk ++m+EnW7uNzubhxE6T3orMiITzM+UmQJE26+bOWT1cbKYkAUyjSck1S2DOITRP4iS +pu9DCM6XtU0kuClpKY6NmOYJaqPwfVTOah8IFKh6sWIJtzhiQf3s+hufOD+wWS7f +PIdo4qOHLggQYhQ8pG2PsiqJjSArpCqzfyG4SMMqOlDFgFxkx127qAqje3QlAu38 +gji5j3UVuBhb5s0eA4+HtVKcUpHWH6JMT8RALWM4eF0t0qUWYk6X63ScXr/J5gv4 +SGcrDv4ksCnE5Cr2gR2SUmYxhPfofBCx+3pPzExpEb4+qSe+S62pf+weKQU8XrAq +tP5LxIh6bG8ugE6Cs+J1kmQPEYjkONT8v3iRT0SfkNWRhyrYlQFPYA1F2E47FRpE +jdDnzIsez+HLDysmtdXsB0p/+1rDrriY8yJttXE9U8BSgTpukYifY+5c2c4vQWit +NlJyAY9sTPX1+KqnvMztYNZyFdcJifiY6tY990o3pabAlcwOgrayMFSMd/JrtEyD +jDk5M9dK1G9p0N9bkf92FfOP3SBo+9ScmF5A68jyFHrLQ8AXSuQF02s8WhNymgmV +Y1VugS6MsL+RGh8gTxCxaCBvExiMilmJPtrVTg4N7IzQYnYMeOidwsF+BBMBCAAo +AhsBBQkFo6E9Ah4BAheABQJX5WLhBQsJCAcCBhUKCQgLAgUWAwIBAAAKCRD+QwCc +Rgex+zFTEAC1GgGgpEJ4SFyREO4We3sgLadFJH5W0+f2xgYZKJsJHF6VgKcOcLYS ++xnb4T/XPSjoXgfTATj3lTKLJ5vwurx3LLjsUBYNE9kZOxd1dEUTMu2sN7ACd1s5 +dlasztgChRLO0K1GD2/dJcfvFF6xC6OJ7VtLuqp8Rlooui3/wRA6RLvk5hkFDjje +l/t2UHa9inYq96d7YpSlEF2It6p44kp73g+57ZaGwTHDlMvxpj1RZLCQ0ijEnajz 
+BxlDLJ6jRkYcRtG0enhQvvPYii3rXhKo5hK/XuBtNDysTR0ZXdPQMbHtsve4dxXC +Lg/0/Gm78tA27XVJIo6zgR7/qPJ8Is7/7wTNlh9VXnp0NE3SjKtIOxMdTJyoxVgy +06WJ41x0c6Wtt/AzUEOeMWRa5GLatci+KU8Szhn4Gddi9bdemtLPvzQyH0DFcU+5 +/IV36V/2rbWHr3zyAmM6t41YBzNKJNIVP6EbUiNwnfDUjii7QcphVPuYbk7F3wmB +UunQ6LYcbpYcTEaVMlrjDMwTbJnkDS3YFpn/vncn2GTDsaMUcGAf8REkUs/SB7mW +TTHn4R1/A8Ut6KJkqiMlwtonhyhsDRfkCplYePSs0TUlAopbr+Qm41ZYquw0myTb +3mVp9EgAwR3D9xGvgYkPyUvgCLbla3MxUkUn/16KWY7PzHvFfL/iEMLBfwQTAQgA +KQUCV+KmBwIbAQUJBaOhPQcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEP5D +AJxGB7H7xCEQAKH/X147T2z1QX5G4iYh3+LhbtqMVSGt64fhjmmTbX39D46+Aqrp +U9Jc44O6C/Qj3dMsIlGeoiqSyA7y7P1ICK2SW+T61z77VBLY7l6+taR4Tnr4hiNq +9ZSx4MPcgXpIxN60IpMVc7H3maNrX1+3r3B++LvC+kLl24b2jdIcBI+d0nsNDqS9 +m2m+vnLE+Wy6YdaF1TPGIVz9EidX09/kHNPGNp2Dk9S+5AdrQHjfqls/XXPIYWAX +J/A3Fx2lgpAqvRA+YMCD9cesPMf7IWCs19P/75venoT0clE1Lo3ghvigjMDaC18A +VK6GL3nos+qxl3x0aNNGrNveGMSUfoYE3lzjupTsIEDBwO5Y+uz48IAlPQuFDdwk +3q8FlhaBaTGsJ8z8iA/reeqiFmmH69kOOG8eAoR/UVZaVJU1zd0Zd7NmUADXLRuL +j+SNvf9nq670gZ8Hu6cAF5/9ilBL7bRO9EQ/J+uG1EldRARz4bXc32MEz4K+iLyI +krXVFkU7xOYIVm7EO5mTwkIDmqaOwtzXYVD8LP859a6u1vzkpgcBrNhWZXLcPLs9 +mUp273cByfMV/P78JwhlsdvXXcWd7Us6EfLtM6z8ZrXoVJtf1jG+7OylmttrGZ6X +patCUcnkYXhNZTw527bh+nKLOdGqOPY4Md6KZp9dFxjK+a3RTovA1QQhzSJOaWNr +IE1hdGhld3NvbiA8bmlja21Ad2FuZ2FmdS5uZXQ+wsF+BBMBCAAoAhsBAh4BAheA +BQsJCAcCBhUKCQgLAgUWAwIBAAUCX3sbcAUJEP592QAKCRD+QwCcRgex+1VqD/9Y +ksvGVLhmqk5GGk25NIepvq4upKPEt3oePZK/Bj9xNTMpUvmNa0+n6lERa9/bcdoE +er8PRiTKbOAijR5rgySN2gEpjJSDTcql4q5C5RQoO11OqcC6gEBk93BGZ2Ur2PpN +chxAmNH+hkVsmZVIbCVoYFXz2uNeT/q+0CJPzUGZYA8FadPdUeZ2lwa1lz7I9h2g +NQID+IrqV8MEpgTD207ERjdB0C8zua7J/DbnlfZN4zbjsaL/y8RCJkk3yG1YG2EC +DF5Q8bivkcYlSSTqrMo9WAiJLK7m03qKLfyKH5M9DM1kBCqppYPKEANB44vk++0G +EyYQL2gjICkXO5XrxJAVkBm/RzKVFAMvRx0SBqCG2NiywspTiVrXRGEe+0KQkkHI +8bPPVcrLGHE+x19W6s8YWHTRJj8F1xJOBy37PW+o9OpX5cfmJosNRh4zVZFPnuS+ +ytC1QNL9DxUBxgKy1UCKrlb5WTb6sQh03xDEU25uoOB9UmITk3Wd9MoqR0F59EZ5 +cqN8TKdfSup94mI6ecDRPOw9akZ1LNFpbiJ5E5EAiATCd4SEh5PxBDt7YK6/38Ik 
+4l8IoPinDSyJCVesJNRbWNIdwjpX31pplzK0GDE+1JLfHZJnVVD9X8edQQpwPIeU +bMN1XFd8kQs+xwCg6QQrtjRmLjjNDf/dnbmxSWoo68LBfgQTAQgAKAIbAQIeAQIX +gAULCQgHAgYVCgkICwIFFgMCAQAFAlufmfAFCQd/YdQACgkQ/kMAnEYHsfvYBhAA +xgEY8oNLZhC+0Ent53yUvs/dNN1+YcE/jmBKBflewwxTTSXOkervnMa1QLu4Xegr +/ttlGqjA5EakH5PtrQWfAb3u4B4NBrAGxN/WirL598RwwKEGo4PecNh7ADy40skq +OHNJQbEcaJ8ZAqFF/t+3C6CjVDuO36lHqDXEYytw/2XjY4CBtRF0lyTE5lRyI+DO +cWD9m7M2BZU61Vx/aK5OI5UaCqWtYWXl36gBJdV7APY+MA183Ly9EywCZFPb/il2 +RdmiM19ycENrIuDF1ZAqpFats3hZR4MW8WTS3BTGste/yBjjaS10bp5HiqVlZot3 +TT28OmeWqwjFaXC3mVE943/322Mslz1QFV4e1/S1umqIf0wIVu3jDSKeZ0bagdk5 +SK8yNWhZ2ClbtR2vSPLdA128hjaNfaxDYiXMOLFEy2FvZk3rUtNWbA5Mji2qhiIh +cm2jCkOGg5hKSfA3anEQfKXcEi8OTzEnLmvyEw0MNZgPBUUciJjgis7CWAlTn30c +6plwxJRhBE4tEvY5VzWNOMeTRhx1Sf7qp8vKMc2FnjZJUBI8xFe3vZ1qSFAKfuga ++SJM1+PbxQQM6N2q/hlJALW4WUpjvtvEQsWYYoDbBgWtsTtNaLYbetcS4EaA3lr+ +elwOTLiYcsPNaKD4ZAsDR8qiAzABJ3W5aGEV1VvF+7PCwX4EEwEIACgCGwEFCQWj +oT0CHgECF4AFAlflYuEFCwkIBwIGFQoJCAsCBRYDAgEAAAoJEP5DAJxGB7H7RCoQ +ALDD2Tu7CeSRsGiNRgJE1QNEvvoISDpr2LncgOwumsJg9gvLeOY5fve0AyVbyW/j +KkElOGbfGC5HO3JAX8s+uqJLoEF1TmYr/ldBRFDb9YsyYz2saBlnUWvWwcDI5HCH +fw8BRPw2MhGkB2nt+hQdEteKkaeHIjvkScFzqonsiq2IQknsbhmyDZj9coaxoCK1 +JL2xX8pDl24i8alhgDTu3rQJxppqBBixZ3tSXhsp2WSF2bSrjb97A6XxSfUrVqGs +FWqeCXDE53QSzAEYmFFpuL1kvi1jOXlr9CeTc4XGBP7HttPWU8bgnhA36HzW/MGd +hpJ6L7GVoACKhEsB5GTKEzobwONalHg60ufRNk+dIZMr7C2eEpjBKLYzgevAmbd9 +k0uOicbVqA24cNWjvNzuRxJGxCA9XQSt9FAhpiNcdvoeSXgxc8sZp3+0EUuyjYTn +ahLIk5KjvRRTkILeq1HAffomGvd2PfiT3Iq7vKGHhh5n4cXBMXi5DpAB36hKIC/U +LcGH9khKTlBxfeNntHMm+/mNqwrdKeAfC8MO0rBWXZdWZs4rwElPcoVtVxPY/CCr +J1vJqfnufc0ZUB8WguLoPxqPLC+ja7Pg/ALRQI1cbJnZD5hteAJ/dq2mZ4vS01Py +ztuwCKYTKIdj6yoMgnIYxmh9xty4FSSzodtHM3c0x5sZwsF/BBMBCAApBQJX4qYv +AhsBBQkFo6E9BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/kMAnEYHsfsc +9w//XpLL93sf0hNPz281ql/zSVo8P3oLmYxzmJfiEAMKOLX9UivWD+oJR2iBTo0p +nhuP+/4a0IB08dIvTE0Y3DJNsx738F3CSP7ZHF5EFaIXEcyaCv4lncVELHBMiTCx +mA2Law011830pwug0jOUyv4T9+CElUhm4XT3k0CFxXtOMgQ0KA0IplxszhFOL7Vq 
+T4Qqokgdymjo7mLKLvXqKqs9XbZ9A+RYeKi/HwDqBfzhLC1ur9p5VmcA9PLJvQvY +B4S0RIM0utaVMP5vD6BRpmlQk+WkeJbzbZQFEJKzdOGVdQnSX/Y8qtdGTYwUDq9o +ZCEdrEraP/6uAzCccI6lkGoTSnQ+FUufOV0c6NZvmiaA9GkIwfq+O5M8Vhf67krA +rR8Avw5y8TmEsr9Sg7AgmW8rMDuNFF2ol+D2r5VJZgo48kICo1V6BSDN4pdY4sI1 +xrzha8fkQ2bXUvPDukEHs7JAXToK/f3GwMtwqWzmR5b5EO1Pytx9DK60I0ohjosk +8O/F/9cY+kkEXQ1hyu4FKhLia7HmJbdaKsaQSyqcVBUvkDm3MExl+fSx6S6F07kr +z9k4017irw8kOvpnV33dbXK+gzs7qFYY64Jn6tJMnYxTkyGqHDvPrCFVbUvIBQ5e ++Q/bghHJmzNJO/8ruvi0Enp6pioY/0bzr9TVtWCg0KNZPFnOwU0EV+U4tgEQAJx1 +gKVZwjJoFhF7TJ3VAJJ7JfwkGlxXOF+3TR7hhdmV3WwI019Cx4cUV21P7zVLYqt0 +jb+iPAK3aSFjTrCQZwUgvfM+s+G4byS6i6fbM9X6M8HKGuTqTRIKGaFjZlJ/ubBn +H/CyYpFD33WtEMJv1wBaz4EM3q1ROLsNAujCEzWD8PabG7atQKINnp2zXzpKO1Aw +gLYPJPrbKFJz4usYpdN8ULSnJSzIxqMoiJATRVnilnYCpcJeQnc2V3bH/ftEm2tK +SMRZuRefPggiMZZn5uEmTlBdyHMGFK+huqP51rw1EcvIi8Bxy65YoTjQDvrPuKtA +6pOQNK5XETfzWlnwBa1tG5QxhIg+AqEJFJ9AH1h/jPfy9ZGeE4PW/PJDa8Xnet6u +dhIqcyKrXNlyc+Cu/uLcTS/2LB7BgEouKKwbYpXv0LcZlkkkUb8biFLKW4bIx9+8 +YcZdAWUZQGvB/jOcxq1YR5Ke1jd6efPb7BTTAM/DL2dInwEEJkS5S+ecuuKWHnV+ +0iMzxzUUkCehEQ4apXejTRwbWe+H9eN1a1MKPGgTZrc98hhrVb+hST0Pl12fcY94 +botnk2Va1kzeAURYnlbwWADtbCtNB/inUIjOMxK8F0oIsu/i+lC/q+4x0V0wA5lM +sowWj1Q5A/sh+Mah8/v7Qh2LGkjGOH3xVbE6L76rABEBAAHCwWUEGAEIAA8CGwwF +Al97G8IFCRD75IwACgkQ/kMAnEYHsfs/+g/9HfQdh6DLeYXPUvTDEUYVUHlkZw61 +SjHPQy4SMMBTz7rALeBuxYpR7KTzLaCdtjiHBGGSgsEmQto/GLdT4Vt25zpx2uxK +/tOq041PYRRcZ/aK67M/N2CDmcsCzi9sm6HsOKJkZIwVIiQ10UZ1YT8FEdC8/Kzw +nxgmtG/iG2852dDS7Ar55GIuYjEob6emTbM8Z5L21vPvJRpxuvsqEiMMA/Oyi9jw +xhDVCHL+a7pWSR5hZuyvJE4W5zU3loZrLg7kezzbdhWcEENLPiLdw6mexhUeXgT5 +nnUwcLe6eFc6VHUUO2Q0vXF2mCHdQLOCGpykL0DWxxth07o0OSqTKIAeDwsh5YO3 +dYJ6V5UYVu84xBe5UF5RZ5XDWYyNbifrLiVtb50OBWLekwau/d2VqrlmWJaGrLJ8 +B9mxWN8zcWozZtQNDVSo8GU3L8LYY9Sb2nBxOAXRVCyuPwyeQcHamvuWokaUniav +gEcEEXP2RLlPdJOF6QV0i2mXc5AFq/CfylZOtRZ5WHvASqvtT5rulQ/oZ67v/0WI +LTDYXh34D8ukEU40WNT4cL0XHcXMLhZJ1AQUOn294aG1b2z3N0DrGx5/Mcscz5qT +O2tfvbM16jbttrFfjuGGvuTBnEtSaJMhVVmtdFg9MsMAwHMp8zBE/aSNDF5qmNai 
+o5TEFXO5W+BS3l/CwWUEGAEIAA8CGwwFAlufmjkFCQd8yIMACgkQ/kMAnEYHsfth +VQ//T2F0tYl9k4zW/IOR//GGHVHGuzESjjvyAAisBZZf+4fFCrHGgzb3XGmD96UH +8C6PB9ttSP6knWYJa4ohuX50iJusrvGlyAmOyTYfX4DfXdrPeMtvutSXCk8A0nR3 +lfpeGkhXDCt/MTuhKvQOrqupsbVbzZHOLdlGz+y3k2790dMMEUdCk7EXONfMyaOU +jI233n/MLhMHFVlOjPStU3+552i/yCKFctAwznxjhHO6rQbgJvEwQsXa2c9JnEtK +LSoj1j8IDICo75WWoMgbc9F+eNV1l8cya9FVWcJ4kfI/6adxj4ZKEMMl4FHPb3ct +9aasqll/cTnC2JEcnholP2ZvKa6asaprJb3Se0nesOJcsqwsq4Ylc4vjh5DDMCpU +Hqjgg4MP2u3WuL8nOOKdzgDpYOjitoGi19giFF0QRFDbtqZxo68LF4xo2069HYs6 +R++ZaAvcaKeB8WgM+QRhP/i67vLpYLeIKk4H9wOSKudIg3URCjTMdSPVJjmeJvq4 +ZfMM2In+CkrYGMJMW9Miaj1+KDEHRTGr6vOw8UkUD/x7O2pbFOfIaAPWNCLsJ9qK ++5N0yvY9FzVaKi0UwEc7KP7HA3HFRSM2VZLdVjqOPPIbxvcGNqU1WjpQxKc69ong +VvBF9RLjGsIqXbq3yygz0XosW6VC5mhRuIMcfa5FGltkGDrCwWUEGAEIAA8FAlfl +OLYCGwwFCQPCZwAACgkQ/kMAnEYHsfua7Q//ezGNpIkXijjXeS8HqxvP6yyAxWTD +I2cjynC8xqg170U7lmcYbvWsbAk0ml2TKkjPpORKPa6ywLBAKED6zUraqBEiEehw +aQiaJbPzxd7E9TWkapxXaNLuJnETbjdZgzAVSTcOcylLqeUJrIWfcDc3BVumi/Bu +dyuR2KWi42OwNHLV4L5K3rDng+whzGk49jrf3tpCXy1npBGYRDqgeRzzJnQS5K2f +XnFsBifbRn8PwtLKGGO6RYp7XWZTLP8+ZwfELVTulDox/OV7xSLRZUtF4woQrG+J +S9G2FOh6mES3ihuRUSjBRQZcKf9kEKqqcrpqPwtoPHIrmygz6eDz0Ea5idbFCGCv +AEARwTrmZe5dTzBAB3X/oobyQPex/QOV3OPIPw+HSY/ficyGHimizIB/x0QEN4L7 +GL8DZSLO4m9TEa7+Y4+XIBqa3Y5yXqUy52jCGt5QD7r1mu6fIuxyW2vffOk4H2jI +5SD/I1J3tipNgOFbjx/pQWjk2kZVoLKg60fcL8Q24TSm569vyj2r1+xFkKSWO8pX +1njIExUTePEUcWEcT7AdxrrPAf2WUxYPGGMTRfrcUw4+SKLzDqgFGC4nIi9y1flj +ZXEZBeG80R3GnU3hyeUwwdn344V+rMT/8k3He3nDEL+vIfEeubAV8Jz3hzou4SD1 +o2/lCOmP+XwQDODOwU0EV+U3SwEQAON6g9gDGhFIqHJNGBfkDAd7XzJ/dasMIqji +Orpjgnr90THlM5HXfuaWCVV+Yt1kAsI4woT8w7nAvNs/5v8Bq7aYQgseMMsdlHnN +CczVyoynxAwTJ3tDME53Kz4sLsu5NVCQ9uZ9Z/GcJHA8ARObJ2GROagFExPOIeri +GDyYFWDOgCmIjBz9VUT1PN2DOWpTAPjn30k4ZpWeN/hnf9V+WkOMbUaJFefCsIU5 +ExFhVCZn3J66M+YumclIlnyxEZgLs+xM/El471rX3bHm0z85XOj/wX73zIKpws3p +ucIFNO8PXIFGja5RzQVNM9nhpK6xOvelaHzDsX4sb5ILs2Y4x8bZYnU099sO1VGC +hfn+Y0ZQupdLUPnshi5dXTyzBTiYuBuKPihGUgm/awsMmAdSRB8vqZATDnvayjRw 
+6j0g1AfWDJBPVqUDY5XrztJkWifx6RF3CWCdSmrbcRrVVyoWTBx3alsIvTAUhZKE +4aISvzy5doMRVyMEbhqHEhbfRGt+toNEHmPdxIDLI7V6+CZ1EwwXNQIwK5MNWLrv +1QQexrqzVVdcxuQz/P91gLDxoCoBi8HBGsA/HL+GVd5oW1U1o8U3mm1SvLSeg+MF +WmiSpSOGpS9adKPwRyGy+giGRnCWJH2dcncSfB9S3XOimhqhNy3Eb98ttgl2AgaU +DO8M6Gu/ABEBAAHCw4QEGAEIAA8CGwIFAl97G6cFCRD75dwCKcFdIAQZAQgABgUC +V+U3SwAKCRBq/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzl +sRmE+ST/bOaMpJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/ +yS+8ubp3Nv9HwD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/ +3bsQ6PhflHTFhpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX4 +37h70ne47IkJEO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1 +Nakzq9bnlqnw2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dt +yZxpPn/0jvS8yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8/ +/63ifzOAqKlnxQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuC +mSiJvig03iTsy/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xn +TzJYTy+sUEV56K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYl +cHKAv6ldLCuv8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc9 +0OX47wkQ/kMAnEYHsftCNBAAvHC4X+z1yIZ9d1kiEEbBrfYT6K+E5m8i6trhDJ/M +3BxQPcV5Zl8JqvHfc8eciSnp5aFpbpNpSMNGMWjvqDxYCI8/OkbWuulcXW7zTMaZ +8h+RdRie7havjBGfMrCYBwQX2BHwrXjhobEwnCfOX2VsIt0i/J/xpREQ21KvSvxk +hlWQGa5YXOjUdD951kZuw61HXajDQFsZzpL/RMX/n+qOfj3YUb5J7/55As4Ysett +vAW3tKzosCxCKcKuAJ3Z4frKF0X374FOfUmp/ncKOXtsXcLVYugVhHmuhTwy7wNN +3LCk+43ED3ZgxR0V7sykPUytkLKTECkWsCQohPBN6P5gaV1yY2OnXQGXm6qOy/Wc +uGmRfSG8btsnOSGbpgfHI7TK78ALSkvDr/mgEEsF9kgxaA0sWsUJsWayh/7LK/A3 +qQZp8JVU3wAuKdoatV7t3EznOdeg786ahx5lJ6FjzB290YvgX4Oynpal+agnhfxl +f9YpCZsOh46K6zy9Mr9JtqzNp2IfYGWoEAazsgc+w8RUmToHiz+D7z4IHJdH+iNH +slUfSf1sSAWBEQWxd8I1r+R0zX3Va+Tuk/qJYO05EyLnVbaOAVPjLvP8SNO0Fn0E +oGeAtZ2x6pbCaDWIknjDU6l3cwu+Uns11rSkY2cVV4eKVD2POqLyGejDmKC8fSFc +lLXCw4QEGAEIAA8CGwIFAlufmicFCQd8ydwCKcFdIAQZAQgABgUCV+U3SwAKCRBq +/ubUnpK2Af+QEACuXfhlmATujXHC5oMpo6TWWUpNJk8r396sdJzlsRmE+ST/bOaM +pJuCCufUXVJupX6S0XuoWV3KyxF2b0RINzAqjjBw42kycoAvArr/yS+8ubp3Nv9H 
+wD7WBWGIGPyS5MLDj4iyL9HXonVA5tT3pQQXBaSdybYhDn4PcOI/3bsQ6PhflHTF +hpuRp4BhceL6whQUgGqoXGO9dpsvCjiCV1jqrZOt9ZmhvV3HwwX437h70ne47IkJ +EO4OtYflW4quPu76vR+IpBVIkVVUPCQPipgnEllGV1Sn5Zhy0xG1Nakzq9bnlqnw +2yIl0rFba653Dm1oS9rJ5WRcZwcz17YCsCVJLNE+VPw/EN+5y1dtyZxpPn/0jvS8 +yPthhOw075ZVdBy2k2uv//5cEPR2eA+4vZEpmRD5yP2B8GKqTT8//63ifzOAqKln +xQ800ZQV9fDP9ndaXHPJCBHJ3K1nzEoPtehgF0z7rCrd+M9doGuCmSiJvig03iTs +y/cVKTF+BnOCDkc5kMlU8zMsOmjizY3k6VUq4rW9sH70W5lLA+xnTzJYTy+sUEV5 +6K4bqFf/TXym7mVW9xY33BhFR2P4tvI9VXd99lPdbvJWKg9eJkYlcHKAv6ldLCuv +8z3f4OG6ecZjZI1tr696lUMN3JFeMJUzHJe/7UVy2Y+AxR0SXYc90OX47wkQ/kMA +nEYHsfuDKQ/9Fpoq75+xgkbQno3vLC2aNJqHwk0LzEINgqSNVYPob+/dBf1u3lN5 +HHNKH1opin4EEknRulSWhU3C9oMy4MjN6rFqhS65M2f8jfG3qXHAUKDf4gL3ZHeP +qWEHVkE/Z5X/M3gZA87DgmskLuxWFyWoT7DFWkTb4TtJRdVs3R/zI+g52uM7UUV8 +QjG/ox9w7VdUXIn9Mg5TehBTqZCBsWx2lM1SOzK2R7Ax/IukppOb205RmqOKxZh8 +gj29StTlRoJy0RE6typfSrhyaTithX3gWKfkCm+LGzEwWtZoRstCRmEeD30Glnko +BXFMVKAvEXIGCdVyaugQYVMy5RXlQllg/3Qo2aoKhwCWUjVnJIDT8csrcYKgA+As +R+0RqXCSHDeJWhoeiUOnm/ZGa6g9z5f8t6z67jY/iXXSCw+jv1U9znYj0vuQIBWg +FbFC2C0xI9HBZIUgakeyUxnG3WRkChUV76ZG9EMuTfFaGanWG9MWzb6sX1oWVNru +PEvxdRlFhkr8M98kAQHKcBgVmK1eCwvBt+4DvJxVRCT5DADLL1pM3ZSb5e8ibkOY +a066rFPA6VBNxDkYOYBw2e2itzljh6M+Q9URIocFytK5PQsCxuTHqAK/Y50Oypgf +tw2aq3/J1W+QDO7Xmyu23GJGFZ1oCF0Wm6RlU7d9lHxclFwR2cptw8fCw4QEGAEI +AA8FAlflN0sCGwIFCQPCZwACKQkQ/kMAnEYHsfvBXSAEGQEIAAYFAlflN0sACgkQ +av7m1J6StgH/kBAArl34ZZgE7o1xwuaDKaOk1llKTSZPK9/erHSc5bEZhPkk/2zm +jKSbggrn1F1SbqV+ktF7qFldyssRdm9ESDcwKo4wcONpMnKALwK6/8kvvLm6dzb/ +R8A+1gVhiBj8kuTCw4+Isi/R16J1QObU96UEFwWkncm2IQ5+D3DiP927EOj4X5R0 +xYabkaeAYXHi+sIUFIBqqFxjvXabLwo4gldY6q2TrfWZob1dx8MF+N+4e9J3uOyJ +CRDuDrWH5VuKrj7u+r0fiKQVSJFVVDwkD4qYJxJZRldUp+WYctMRtTWpM6vW55ap +8NsiJdKxW2uudw5taEvayeVkXGcHM9e2ArAlSSzRPlT8PxDfuctXbcmcaT5/9I70 +vMj7YYTsNO+WVXQctpNrr//+XBD0dngPuL2RKZkQ+cj9gfBiqk0/P/+t4n8zgKip +Z8UPNNGUFfXwz/Z3WlxzyQgRydytZ8xKD7XoYBdM+6wq3fjPXaBrgpkoib4oNN4k +7Mv3FSkxfgZzgg5HOZDJVPMzLDpo4s2N5OlVKuK1vbB+9FuZSwPsZ08yWE8vrFBF 
+eeiuG6hX/018pu5lVvcWN9wYRUdj+LbyPVV3ffZT3W7yVioPXiZGJXBygL+pXSwr +r/M93+DhunnGY2SNba+vepVDDdyRXjCVMxyXv+1FctmPgMUdEl2HPdDl+O+waxAA +g7ZuiuuRAi70Q6aZFLlG259cyCmTmgwsbUAjFKtqTP5g9URgh1A0JZfS5/MYschS +fj8qBYsdChdP9VX/d0U9/LCc4sXL24XLnpTw7C9MeelndtXdxBxnPLUTby3ZQ19h +ZPc3l4XC52ej35iTG/lr2jQcBHI05fwBiUCuWn7hGiKk2TfUtUpFkcvXObrB2/CC +28Mg1d3NpYu79OY6raQoUGe34aVDdjbTDnx1nxARBfhJwfceid+j/Z6V3JKO0C1T +vKgJvBhc84kRKGT5/PVJR4dnXsYzdgWTDXVw2CUHKVS4taHoBuUAoTGOeu7M0WU1 +yMoYWsRQ2auMjxwP4w9sc7hTJt+Oj6o5vW1sBB47PHnl3lDWLt/iG+QL94N3aZXZ +1b4yeTzHi+AZYR9hs3kFpL9dq0WgS72j2BmcSkHdgdXRv5offNHyFNEMjxqB2+w1 +32xMCtNT4zWah0VJOsfFiAYPUZhDgCY155ULwJXJ+PTHyv2O983xJVmZhsRU+/Z5 +MoDtXDDeuCfL31nnKt42sRa1Ce+tHjJEoukT3Ng7GjV1lyuwZ3YX1UpN9BcM8aWr +KRUP30TqqjdlZLIMGoVv/z9rxYlSsLbn+P7nqaX8Vq8ZeoEh8iaQa+IB7NgXvoIg +cP4OP2yasPh/GwyuLN/DcnsMJjv+76tjXryzEH0ffZY= +=GKc2 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36 +Comment: David Goulet +Comment: David Goulet +Comment: David Goulet + +xsBNBE3KySMBCADOeaVfjDRP3kb2YaDyZbEjPKXkIJivkBbEt9E5abcuipmIA8o6 +W+eYbnRDUZr0u/a6NjEhG35yNFRWpFpi4Gby9+0xjNvGjFj+hTjROFsph3ljGFKp +yYfJQejlFEjlub/7ehNdVrwJz5WnIpNz1UnoC7/rry6HzBtKIcXbEpLTnGAoqAmY +d78cv5h+9B5WzN48/63qIns5ZkzAZIQio3Y+n8B80NXDOiTh+9cFPfAk4xBVPIYk +8dDpCGeHA8E7htJsAkgn4A3wsxEwwKVf4AD5+E622BWYabFyCWetpNIBDsRAm2Di +s7LtxC7SRWd/e/91axtQ5u1bHFliVkRRbn9VABEBAAHNIERhdmlkIEdvdWxldCA8 +ZGdvdWxldEBldjBrZS5uZXQ+wsCTBBMBCAA9AhsDAh4BAheABAsECQoEFQgJCgMW +AQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6Goq +EfSNNiH0CACJCNbyooaIGDEJ6sNkwrwh9DZZFs+qyafJqz7KXd3d2MXcnlgAw6O2 +DYCAy6hlKNaANWQSFeYTjsoIWf7wC8fFnaWJscPx6+ZE8beUlQMiyzk0KQg8ie7x +Bfnl9Lmh4cnH+4b5A+A3GO8JrWf+gNAi182WJzq62SX7gK7EUT3H9oS3FSbhwYLS +Yf7WQMWpWJ6dS7PbUr78J8XiJDvm6GvEMMC34/aZTeRdhntNOu1B2tybA4BwxbuI +KMa8nneqd/lgXXTA3nFRbO6V/PiFcjoABNEUgqTDpgKypcl9GZ15D/sINX6wuIFf +519Qq1PWtmBZ9xPNHyzXt3wfA/88ticywsCTBBMBCAA9AhsDAh4BAheABAsECQoE 
+FQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG92uQUJFIXhFgAK +CRBC6GoqEfSNNqLIB/9tFtZYDxWmpCBgokXkrJbTEhnYnxGJ+PzvFdswy+vPaf1+ +JsEnzqZS72bZYRfFyJXs5H3Q5pyIEt+/AIGJmafWXJNBkDiyx1+ZsXyqLlbXfWer +rzEIX6r2sPytAZ6OWDzbMnOlodEmJXVIWfVubXlkiSKFRQbORsqVzThcQ99yUGxD +8kGYGvWtTwZCJ3YgHHYecAOzwIEAKQjP7FnGqkFiV0aknJ1s7bHpU4MCu5nC53hw +oBWXtrNQD5h9woQCUco3yz/17tIPsbsLnlOIsywpy2WtQMUMr5UdEvkYFcVbYMQv +x0ZlebtPQ0P9n6lq/cna3kuDA7DshqIrRGIZDgzlwsCTBBMBCAA9AhsDAh4BAheA +BAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJ +EsGSKwAKCRBC6GoqEfSNNkARB/wMw153/mlVTcDFokfxlDtEuzDKx6GO3DMMJE3s +sPk81OtfT6gQsfdzI092AbAjzurNwGuEj52xJhJeQ0JnVn+YhsCohuQvmIRNBzDt +sK3U/93VNWMdSEIPFQZ4B589sZ2qtjpnHK1gEVqw+jImypYRP7FrQ7zWi6DEkC7T +uLTAToTRBeXKWoMAiT9F+kEmH45chYll+450/mSWdoyK3vAUw4GSFOeX2AoG5ka/ +2eLtuzTb3gWZriAkYAtmdgLFVeKjkCy9mQ2G6mSRvBfkJcWT8V3Mp2IkDl4PzeOi +SFUrm60ZuoR1pi+F6KE2IorFtKv272GNc4ys2HeqRqBpqIZHwsCTBBMBCAA9AhsD +Ah4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUC +XMnawwUJEOBFIAAKCRBC6GoqEfSNNpeMB/9zAaVEcZPk+emYqeSDjaOnANAJLBYs +LCCfB23rdQkcfNzYbtsOvvRehxB1Mg9PNN4e3K/l6ZMFCauBGt6jOWiMkojAdDMS +p7vOXwrhQ66whpJjn6pIOjv2p/Z9VME1/e039z6DDCH/Oy/G8pEldIQZkzzP9YgL +ytoMBjEs6bFt7zDS5G90HHkugCUVK9WNLMKhrCbgLa0QVNTeHHFffJWo5jhCkZJ4 +Dw8x8ukbOIzsNWGYtUT1vdKTZCDYASaWEC+2duxJiWL5qcR7m7oGb2Ohcvq432Hl +c4gBVS/HCLmSw9Vn7s7C8aJicUn6e4RQhSXajYeyU9MZfoz+7ecaCTogwsCTBBMB +CAA9AhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNgUCWuifjQUJDv8J6gAKCRBC6GoqEfSNNsvsCADILBT0LK0qjHxjM0YU+AK8 +OEcp1xaf32jPOyE3eZyro5QgVqAmsUM59Vk3R+cgrcfdwEOB78j6H1qJerCIA9he +RFpyLglJqmTFWdFMnYlAg9IInyIgPko6fK8X3E2DktyXNhUsfLWrKktjxNwU4tC5 +IIDboLDI6BjNMVtgcMyJRq1AB2iFBNydR1GQr8waF0ODaZLWeSB+QAkWCwLjIxLh +4mT22TVyGNFXhE988caesVlmDGgSiOviAZC3uCH0HI9aNAraE9hWUVkIp0nQEX1H +28if19LLlEfj6zJJVn1PhW0bggq5UQDEto+MIuq8YAuxvour3H9B6EESlJ3ncnyf +wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNvT2B/0fsSkMvEIF60Tg 
+lEQC4Qs9MYAtBMyf9F1nF+UxIipPpSfobbjIcImbPzcmrAAlege5u0/oTSpYP4r3 +EVMoN2VOyy2afxLiOyPCHporyOzW0KUoi+rEq84FrxwtBL6mPjeEnzuYTRfG+DSJ +eo2uDOS/q28+MwPCJ7ZiLKH9zEODbqS7rUGVijakHShYszStYNSLV50835OfZ4vX +2Uawf3FP65UUKjbY9tbTeljjWXME7ZOkx3b2zEm9Ngbshsy9U2YWkjAYOXtAMA3k +EWPwP/zQBNtK7BHwjZ74uXBo06X+LmakMYZNL8sRjlL0O3FkMKuMKt+axsRs4SCZ +aJYkPw25wsCTBBMBCAAmAhsDAh4BAheABAsECQoEFQgJCgMWAQICGQEFAlcw7j4F +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNieACACCAn02 +e6w3AHy6npq89Yce5UuT2GSkjQwCYYUQpO+PsGPzM/RfPd6s3XquvDqC9+v1NvuT +T5ziI7HtfGZ1II3h6AsCMngZgYRN6T3lUoUKPS1lDYBtFS59iat6aFW4cVLUJSK2 +wQpP2yefcRAmxxPXfP6rKn2zeMGcsiuPUaXcsGgMa5vkqGoLunVF68yPlpv4al9r +GDK7PWq14yS7PW6sgQ6es7uXQ6eClr7oSv41V+EQkmFxNOpOlYO2iPl3CfigXs+v +zagvmV1qxSUAQwGjem22WnXY86x/nWp6hL9OxjAI4wTqOsbCda+R4uDhv+uDoq8B +229CYmKcoIUgui1cwsCSBBMBAgAmAhsDBQkJZgGAAh4BAheABAsECQoEFQgJCgMW +AQIFAk3K5V4CGQEAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNrTe +B/jgxz5vAPTQzxWCIpThmtbv8y7Aykmwy6A7oJUaoI2fnlXj00SFbLhhwHYI/vj0 +nXTH7RqwNKG62QJWCyKdtUsI1IcItkAx+hXOrW2Is1JY+WKe8CTFtlGk27x6hjKE +6w181a8QU+2KO6fdu6MKHE4k8QAzjSgbxx3IHSw+DMbOuePQc9KZCGHZTWdcrqer +7mr9Q+9hjTqIm89V6DG2forCoLaFS5CYBdouxMjLegKNL2ozwYuA6jTpwaVrurNe +z1w+38Q+9olH8suCM0VbFWFM9/BIC1Q/SohjE80FT9nThAfwqFTy6JdzaMjbcKKM +Rtsf+uz4nyU8KGfptA48yEHCwJUEEwECACgFAk3KySMCGwMFCQlmAYAGCwkIBwMC +BhUIAgkKCwQWAgMBAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhq +KhH0jTY9MQgAo1nJFw25PSHDJKFfF91qIcO6y3eX3Gaag2DYu8nAMg7otmcZZjC5 +mn3r9l7jx/9A0zn4Ld112e2QsUk7VYI+ywiyhnXszPh8iRoLapyFUJUDpuW3cjhk +vBS//9qUXM++vxdzw1RaVEaMYIqD0jG/HYSIMvhMo5GLG8SeVoLDybEBK3s8S7ya +YahbgQQ0xDrArtNaWWWAE4UXpMCz7cf6MhZS7lfOfcgrrTMXNX5MWubpu5OcA42o +yR0aE3//OuAgmuQNcZ1RoRGMqGqKgjMyXXQ0f/3TrctdY9fLRqUkB8ZEj2d/4KN+ +gyPyYalMjPaWXeHmwBwE0VkEWHP7S7YJZM0hRGF2aWQgR291bGV0IDxkZ291bGV0 +QHJpc2V1cC5uZXQ+wsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheA +FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmJO2/kFCRZlRlYACgkQQuhqKhH0jTYV +Owf/c5KA0BLCJ8V+zFTkQLSEKD/RfCkuRdC1fpNH2fuXZ6W1BKBRxFmVi4+lD+ij 
+4BbNTkWhifAGE+Xe4llnTRZZMlV+7A0/m98jsjS1P9QoLj+VwkEbNQ6k9ZoZM+rf +qHut3uTYp699rlE2HWsjQLjMgNyKfbipi+x9ZF2mVG1fbco43YiHFSL3S5WBn7vO +iHCkXNgmHpA8grJE2ecUEZWFWKqz3SJADCkMKoulOFhLtDPeWh5bJBfqBD5tyrzX +R1u/zz1AXo0fP1QF1dRWQCcrvfnLoP7PsECUUM1TuBw/yyE35/1Z0nyR81f9Bab3 +t3cH1e6wEdZfzeMIEiTQoz4qusLAlAQTAQgAPgIbAwULCQgHAwUVCgkICwUWAwIB +AAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJgb3a9BQkUheEWAAoJEELo +aioR9I02gugH/2+Zunp8kHXoaAFtOP9yWyhxO6Ei5IQfFE/tq371rWlVe2Jg8vSB +2IIqWr6+wmCQmfT0fT+zkHKEGlIl51Q9uwvux8ADoXheFt3DeCqCE99OQpbGaEo+ +j6NRfipCQUN7SWHZgLefph8qLZhTIdvfrXt0m+w/fZ/rpOZnxJL6JJKpEaJeI1/Z +Onf7Hulep5S85La4ElHh34n0QtceciCQUbprv6D7/KWfHz6CELIPbF86mM7Ff+Es +Ki3f6c0+oIA9cnp3D9ij/Qg16GFB0NwJ1tJykMXfFRGxoKMWQK4lJEUbn9hvshNa +4ALRPs3GtnsYvM/tzbVW7Grfm7ayti8pVRnCwJQEEwEIAD4CGwMFCwkIBwMFFQoJ +CAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXqsnzgUJEsGS +KwAKCRBC6GoqEfSNNpRpB/48OeRBe9C5nscmwZKo+dbsj61+njkQj1A5vSKTadez +V5h5hX5lpm2hiUryklFAoTGZ49HltYpZGrzDyvL3RPT7BnCiK6uCYnqzyemk+1J4 +ZZ1rUALqjV+8KHtgS72bjBjGPDKK3d/+KK/FLg/iLkKl+5U8t9gk79aXT7xzSzb+ +PfSVi4VOpDi8gmIAcd+agvw5dUK/vI7gpXOgs91CfwbB/C3FJluFprxa8RsAurUw +qUfDbz8PkpTYbMzv84fm2j5H/2mQ+xcm19swG0/BaiWT1EBR91Q74xm4/0W3CJi9 +2tJKPXwRI1ZDfMH4iujLr5Yex22fmFFuF9Y7at1lbG1UwsCUBBMBCAA+AhsDBQsJ +CAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAlzJ +2scFCRDgRSAACgkQQuhqKhH0jTbxLggAmCQx2GentBz6PWZkRj48Y+KfVfr3SAxP +q8nCsdzwHHRM+vjxD+iAo9FbGojVRs9nfLSjmhDyEwfI3f9ypLZaIPBiAwdLzDol +4U0EdyVU7fgfVglSUwPJz+eNhvvUiJp/9u/s4hM0TE/LNtA/uNcKoaqAWQIPiEsd +2FebX8RVqs+pH/0TQO8RYv3R48wCQOOsj7kvkq/3s5ceA9SaZ7vsJ9ooiZhvbkk0 +INsdJWtQcJTYoiBE0DOYhkBX78u07Z1Zk5RUr+4LzI/FpQtlGLyeJ9eFOiyhk7nx +0dzPxZnKWoWLTzse1p/5hf0WQ9OTMdt50ru1RxmnruQgkK+MdGwQ+8LAlAQTAQgA +PgIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJa6J+OBQkO/wnqAAoJEELoaioR9I02KJwH/j7WC8qbiWW0lm/QmGtj1seZ +VeEkoEf3hYsyYi+sGq/rp3AkeOI+gr/P1G8Is1pTRuhzqLfzzt+NjLGKiaD0Iurh +5KkToSjwn+Y4aC7qRb4Fa3L3rvNixwNmpgJ/+F1Q7R+Ef+6kCEigICEW4xjYWJDl 
+61yCgnQdzMYwUOrI303hwWQb6aDRRkFp1J+V/D/pO9iA6deBwm0Lk2IinjeNuBDv +4LQN2Fc9GdvRi1cG2xSjpk6q0Xo00Lz6PIwZr645x8LQqnQI4vyBdrJllTght5+z +eY8VPgOtQ3K5UY8QuvQWZKY5bFc+PjRrajHFWYV8Mu9+KZMYSQBbanmSLU7F28TC +wJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlkHZSQFCQ0dz4EA +IQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNsGPB/906Acyx+JhbcYf +cD/y1tvVB77LWf3MPn2JChTvkk8hL2keKdDPdPmkSOuJww3/cE5Sm8c/fBUudAXJ +Tt8pIJGc5vygFjlUbuO4PjtFNSOf7rkNdHTRyFrfAqFc4hF1aN0Ej1mSQSIV1VJJ +mpGQrQJfrBswUG8va2PqLWxIFy0z+Bo1uWwPPBveES9dIiqJKUsmM+aVyN+6wDuU +RBmNYPFdUfWRIpgRepgFotSMqokrSh5pPDHwjKDcnkDcSGQRmQl0C+6fEwjGjwwj +zDOPjvldfNH817FnHotovAY/TrezMAPQbyjh1dJJbR3/mUj82g2VZKR9YuUHo24/ +B9Udi+vkwsCUBBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheABQJXMO5B +BQkLR1iWACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZP/gf+ORBE +lFFMYSbbxHIS6NP+AcHqQaPRFTJ5Eths+FAdTh2XVgy8YWZxUC5/pwQzLtEWkxcA +1Ppw4sWCLh+pKQUDj4x6W+ET4U4Ysoar0jpNYslgkJvpwWwkhHDGVNeRE/EYbEHj +Yyb1ej7FDYkioqw8KI/UykGom5KHE0GnYPfaXyhia1FPVvXN+iSRjCDiIR+bARNW +R1RHjRqpPKmGa0J4eKsgOfEa2BIghdnfWgUKBWSMDD6S0t3xoUsDQnibVIRTjBi6 +Pygeuizbi2+n7AzinFNdvWQ8o6cDOFl8tpJ+HrIs2Uan4DPImjMg0ibsZ9eWgoj6 +8sRxPidaR9EiOT5g8cLAlAQTAQgAJwUCUhFFVwIbAwUJCWYBgAULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgAAhCRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02 +MJQH/iLM7BLfXDeG41XOumR37ungugUzqmwLoN6jpKCUo68+qjP9hQdM/Uc8g15N +b2BFQrRzXRg5peOkXgPLIwoxy7j0auoqnjdXr7vpQPq1FzSslv9Cf9sjG7hTbbY+ +EXHrwZWFn2LoN1+OdtrKJdgm0+0k4VyRkQxRgPCdre9dvq9oqPKQ2pf271115s8D +wEvRmosAS/Z3uqinVsuEZjw1pU3u0fVKmqGZ9AuWg03arnFrJM+W5d9cc/6XxQNp +OEza9/CaudJ2ygy/MeujboglwIDO7sviNdJ4836qVXV66VLqt5zpQ3I3Fbjr7B/s +BOl3K3TEftMvlLmxIfj/CkHA/bvNJURhdmlkIEdvdWxldCA8ZGdvdWxldEB0b3Jw +cm9qZWN0Lm9yZz7CwJQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AW +IQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYk7b+QUJFmVGVgAKCRBC6GoqEfSNNkWd +CACRF1LvZ24YvmFLLvM46Z0gPNVagtrjTRDLx/GkV0LnlOVCrcdW3cf/e5SEYuRP +Oz5rpEPlWMVAjjP5wkERxFgPBSRxAm/lKkPC63J2Qa5qDp75cJa2vcF5iQsVecG3 +8NzgrXlTNfpTOjas1jQKjOgh8do/6k96T2diMhYWGQvAehbkLPhrL69mVTywqrtY 
+UPXQJGP9BxPtHI+uO2umeJJyJbPitqVb3m+dofJFUeE8f6xO7ZHvrkvnbWpyfKm0 +QTzHz5aLjv/YSvxtSoVAxqRsuKsU5u6KA4xI3I8HZ+YPrCBeiXfwvME5WAwa0qKv +N6HDIrbBw66J19JUUQ+WvkfHwsCUBBMBCAA+AhsDBQsJCAcDBRUKCQgLBRYDAgEA +Ah4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0jTYFAmBvdr4FCRSF4RYACgkQQuhq +KhH0jTZSsggAw0Lw9DaQ85h//Hb5pPOrMg0ktSXxhMRj7d2zlwsg1OD2ezlAnkIV +GcDoe7ok6r+zoBu7isG+WJ53C7i7T8mTQxNMJDmbzGdXMm7ZzmL5cj00EhBili7U +jpsMR/4D0NCcFez67CHe3WEl5DqNNgZFmfzD4kiLGRtptIz/hHjndeDjUHSjIPYA +0+Dg8ri4plkPDg+cT3IvP3NivgwDDhfst+ExLITCPBQh+ucVv2Z5dkNzKBmdkb1J +shi20zi74ii+w3XC7xHzk2RRmu3VMzO1QbHaEXhDvjf94vsGwPe/wLmGH5fI5D0x +ypQ954GsfS3lsbV+RomHS8964oLV8VaGp8LAlAQTAQgAPgIbAwULCQgHAwUVCgkI +CwUWAwIBAAIeAQIXgBYhBLdEF+3fIqyfnpD0kULoaioR9I02BQJeqyfOBQkSwZIr +AAoJEELoaioR9I02mWcIAKD/d3KKK6Tlnw3ezvreOw5/Z91WtyA/z72N6yByUj76 +wyw85gZb6FpXS+Igek/zQ0ARXM6keKRCng8UpvbRbPm7in9en5KSWeXEVRc33Xva +TuxCihHZZdr5osJDkLgDq5iKKfAHW6l6ToXT6SfaFUx3F30/DvIoiskP5Mjf8jga +DPW5ePgDe9McNUeeu/T5afxVebATxRYbGaiBgOmhL0azJV/g2ytx6vHrXjOxyYsZ +lXvj8WSUVG9E1tKRmNkO+vezXjitEYRT8vv5RH8rYpzJ1ZSfoHArXzIv1oeJCtrA +ztGclXvNk7FrBN6CMGJrDeWJI3ioW49ORkxKtrW57SvCwJQEEwEIAD4CGwMFCwkI +BwMFFQoJCAsFFgMCAQACHgECF4AWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXMna +xwUJEOBFIAAKCRBC6GoqEfSNNuDdCAC1xCEFnjFOYrQTZYAwJECie7Ra/QSx9bmj +LD9eZt4QGayDdxHkYCLgxkzo/OErmlkq8weKqG+MjR7/l/2y7cVca6C2zYcrvszC +ynX5iNxJSxkAYcLxSkk6Kv1AbPty3nwN3WcCFhazK6S2hheZzEscWjfBlVGzEFXb +LcgkRpaiJgqcW7X6n3wMYg2DyGsPMkcHDN0tz6yQiOqq/bBKM6GshMA3/V+pYz+E +EeApE53/Nsofr5T249vf6Wd3t5MzOJB9D09G1iIQ7lfUBVS+E26dGSOH9cMkiZRy +FMOTGgDxjw2AjLQLltoEIAMPq8HKy/SaXWsZ10u68QsOx0yRuZCOwsCUBBMBCAA+ +AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEEt0QX7d8irJ+ekPSRQuhqKhH0 +jTYFAlron44FCQ7/CeoACgkQQuhqKhH0jTZBYggAmcHPO+w13XMMs3vr2cpW3hM2 +seRXfPlI6PfQk0/VQjCsakvCP1c95agL5DUmIK/KDdXImOYQSnkjXCffMt7PKf4i +X7NOizsOfbmnxIgIO6dOcJs9Jsa2KCUZLr+aP4so1P3PpNPMmQsNeKCeksY/fj7O +F2wfNpZCVdU8K4swtdbIjjT3v/7LBwUsufGu3WNE66vnMowD/Qkn6IMR6m6gYPly +S/pjGh7uLnf+Le3YL5eQyzlY1Bqo2uuR+nWrqerNRb+RSNf0Ipuo+dUnqf+WC3pd 
+t9K7pNFsV++5p7aXD8WUlRvFfNNAzWEtNUGSIjgMDG+QXlE1XQF4OPFm1swRMcLA +lAQTAQgAJwIbAwULCQgHAwUVCgkICwUWAwIBAAIeAQIXgAUCWQdlJAUJDR3PgQAh +CRBC6GoqEfSNNhYhBLdEF+3fIqyfnpD0kULoaioR9I02isoIAMgZORLPCB6AG8AQ +6IHeSPYkyeb+zUjLZpLusbwRbuouzaQgt8TXj5CQQTonHGe/n77xBYa6dywOGyVx +LPDpywGal+fWbqj/rDPzBtWaRr9h6qhLkV9I7r1rT177y/PVhJuGKOBBs/FXgagh +bCaAHXaUETKcQnqb5LBrcuWSe+B5IXueFLVUQgA+zM2y4vVEV+7ltnKGauMVHC0k +6r/bxZAGcTcRjUsPdIgRSLLxPFyWS8EbFF5KjyoDIO1Ib+gJM61TKRVT3gJnvjyt +OB4yJWB3ePKk2GjHvKtrhro5U5ge6i+ldbiZh3swTy127ycngiADu+orYFK12awI +CxD1UjrCwJQEEwEIACcCGwMFCwkIBwMFFQoJCAsFFgMCAQACHgECF4AFAlcw7kEF +CQtHWJYAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6GoqEfSNNux4CACDqeH/ +YxTWSqmb1PjfF4CYtjqx7ObCb6AsSR9RcJ3Fp0DREpsto+MsOiOAD5benHnbud+c +MUrJNdozDHzByEn/jmETRVsbqWUp9eK5/3vtDkei6hFM9nmc5vYPJ9PSzCK4+rmf +m4HQOCtj2tLxgZLGZ9DSlxUV33UbB3xr5WilPuJ6D3tiOJKwJdHdwHXjfFGG96Gn +ILpkOroyiUA0gQbRbFOjgqxB/h0vX/qlvmsvM9L/XTXPz+rrnUg6UuP46S40lvWz +Lj0Zrs2ixDhoqYo5WG57n747D12vRD/UCKxLql6/d9IfvevmbBKKrprVICoSt1lE +ocXwE8DnquN5w5f9wsCUBBMBCAAnBQJTCejfAhsDBQkJZgGABQsJCAcDBRUKCQgL +BRYDAgEAAh4BAheAACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTb1 +lwf+NXiMBqn6XydizQnNy2lO+bMVr4HhwsDznqcV9HHBzUnCtnR3kAVqD+tC5DKD +zimCtqhvys8xPNjzWIl0xzhNMHlls2D9lkACDQU4oywOm8tE05IXrF1Q6Zlf3PdJ +C+jhO4EGrTehHYoTZPwC6RQYZtTCl4UqPMxO2aSEU4R99BAw4mKpRTEGKXIZJBDJ +6kXWbg0ahx0DKFg0EB37z8NvJnN2cbI+5kdmt8ZRiqZg7W0GsY31a1W4EchX7K2g +P/ZN/VNBjGyJ01IdhxEUzM84XF82KWGKsfHH3diqxDZiQZH08kf3HJS8PHN8OnUd +v/uLEeg3uLyQUUTrRXhoZSrZgs7BTQRSL5QtARAAtVN7/CeTT7uJsUzQf/2a+fq1 +IVQWN3JPTZjDNQeSB/V8W0R83QH32awj1uvSljCtCKbtTrDj0foz+CBRHe4aJgm2 +iAzMxKY1SxJ+SBTVyAYVQ+orzIvzqi2URzAfTII/mmvFdZEuS67hkbHXFnTLlXj9 +m3SdWRpCIQlwLCFERvMdr+sPQ07HcUDpoASPgo6P2cJgidaxBgfasUTvru3dxeid +jRbv5defzcdsBqk1eAZ/G/YFOQUiGig60/G2SOlBR7HVmD/iVkSun6j18vPKpqr0 +VJ3sHGUO+KhJrc35QQ7C0ezYtOg6fhaO8PzOcMovnk/P0DGkl1Y3uG4d+h3IDVBA +1fTaX/joVSBVtddLiNkOwgKxw6OH+jjq/irXl6X/0LqNW/FdgK23fEsA0mv4vrUR +0ulDtsPagk3np7DgS5J/v+npGARoeLoj5QjyK4+/1RjMXq+DYW3piADJLW55xH4y 
+6M+OYpu9svQ60vr2Ae+3pNL7q/mppdixc/isXbOsjtoGSb5QUUOXbzhDWX960Jby +jZUn9Iao+eZRV11tMbMI4pWuL8JEWj8qpcnIyJhYi2hSf7TVq/Zw+PvEXkEAnpq3 +EMyN4Su9I1ZWoxyTiwZVMdOn6TEnkdfxB9aTd5vYvR9L+t5SpmXLBMXQygbg9xR1 +Gbh5EHVlhAobb0uSkYsAEQEAAcLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULo +aioR9I02BQJiTtxDBQkSAHuWAAoJEELoaioR9I024lwH/1UtASIiEoZKhuVkv55b +jo3w422w3wwJTC5kooG1TOWmtHOo/JJ1rFxcIpkY6ftnC+p6YhEbxxk/3XAZtUNR +sJ9Zqemhp331AGq/44g/OYAZkQiNyNhjftj6JafvgU1Zauzi7w0xqhLMKBMDV09v +cbPeo+axUj7cvibHxYUUC2RWqkBxegXpa+Cq4YKpEEbXh510mwK11sUyxcPxsrkZ +hr97KdgY8RedpPDAxnQBGU7dIMDc3xVIX1uXXZpY+SyJb7QAMGTW+9jDPwDUeUYa +nV+eRwLotrkvSgKJ9GQ2F3Am0axV8iqob7unvbKYTtQcIR2P9X52sT0Pytt44W2K +xH3CwHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCYG922wUJECEW +LgAKCRBC6GoqEfSNNir6CAC70rZbHWguzP4O7paEaS18CNJ6fDyvoq96j3sh/oYN +WE5l3tFPqTtKYwgn33bMoArNgV8i0zdNXem36VIGh2A/fLwvg8aneY+XAvt500QL +IqHWp8WalE5RkaHrnYhHuTTzwztuus/lSQPQnl72W9HMoZJ7mvUtk9VMbybD56Fx +mo5zru4kMJ0Qk3fYYUYk9hge5im3Sk8SeX3UnmJsmZpt7xj6eFvAuO2CoSJb53e1 +LV+exrV9A+cM83T2I20/Zk1A5rX6WaehttHG6sTVpgg+JMKj0HeOYrooPB803WH4 +RM04wziYFvCmDtPF5qmOvErqZtjaYa9wskkoXUAsgwGRwsB8BBgBCAAmAhsMFiEE +t0QX7d8irJ+ekPSRQuhqKhH0jTYFAl6rJ9kFCQ5cxywACgkQQuhqKhH0jTYAbggA +irnoh4NbeEgSwEIrFJ+lAOcA3KXya5MHnq47Y3L0Ezc/wz19NbMYsEYWn3x26w+R +p4VVd2KiARJN19Lf/AZ0pS05nVuTPPIsqBgS/sczO5NyCpPAlcrkNq9nOi4TEeF6 +X+4BWTcRGKSRKEEwumqfppGMkYmVwhvq5xktMTi1HOQkdiGeZ0KV3BKkRIOZJkrq +vhZiyKEW4PMylC2ByWsWMK5NAI2ljRxp1eUcJb5DTqld7fl4iZkjP1UGe3X6qoXt +CkGtnXy+SdlwIpqL0Ianen8frjwNsO3H4hFZJE17AfEFvINoeDHGpsDJSitS5KsT ++6P4Y3nuClPSpsEPEDSlLMLAfAQYAQgAJgIbDBYhBLdEF+3fIqyfnpD0kULoaioR +9I02BQJdWqePBQkNDEbiAAoJEELoaioR9I023UUH/RYw9CZga6hljJHBaAac+sOM +M4FfKkVHmokwYvd4Po2mRFy4wLkfgAp2pv2Z5lb9gILpiy9ORLscdBaQAa+xlbK6 +SUC/XaIEN8LqRP13noQGWQbqZ61hP5wludNi4tpfqM0Oj/GLDw5EE7gGDb10TmpP +MLwc4yun73Hgq8f9FerNZdkA8zvIrD3Bd09PDrm/oAt9KxGCHoVHxFp75An5LDs7 +fY6HZaSru9CoFqjYrOEDSqt/lSm6ZsOsqYbvaesG9zBnuINoY6lOTP9jWtURrGwq +gucakBg7Fg+tln1QyjzG1u7pLacDBGPqgAZCdz2OduL6G0tvpBEgq0ppg9DnqcHC 
+wHwEGAEIACYCGwwWIQS3RBft3yKsn56Q9JFC6GoqEfSNNgUCXVg00QUJDQnUJAAK +CRBC6GoqEfSNNsHrB/9h7uqHGB07U9lX6V64iKFQbNjarWJKPyRZ8hbh3/Enh3QF +zmqZOgHfRU0nD4WLlaQT95tRyAvc6E54q8ALZqePPfDzJxxPd6/ywJ4+oojOjibN +MbO9mpLbMeSYgmnC98YQaGJ2MxPepBOpOLkwtFH07b/SU/QzK2/T+astNr62Wgvy +LbZ8wQZRmwfL2YF6xB5HptVD/+Xg8iSF5qHRAmqrk0ORqcf6NO+3JqSQ/okN67I1 +HVktxEAymaTDUp7Pi/b1WSPpBQL1WCheWdAkkruO3rGadqNON1Cq8mBPLlIR6Alo +7W3vl1QQ+EyxHH5EgENvqEgb3XGIdp2woXDmCZgBwsB8BBgBCAAmAhsMFiEEt0QX +7d8irJ+ekPSRQuhqKhH0jTYFAlt24EEFCQsof5QACgkQQuhqKhH0jTaMMAf/TFUG +cMSDu5a1ytd+5pjSGkEn3QxcwiNXv4s7L1VkCbcwqKejYXWFrnaFkzXROuY97LmL +ejRxnV/v+YKtJLxCrdG5bwr9zgqXUFvyOfKfC5Iy44dZGmrnUuT0jpSlA44VvXcN +LEFpEx56BUVhsZFUIuuWeyFELryLe4FSHH0S4VdNICMl/PUI5B+cIDC8NrGv5DYC +cy/OyOvkUqkxW09FSTv0tVUDVydDeWzan4STcnGf7IxiGkb+1XiDKqRSZrjp57RH +CIF8SpbBUxRsRXQc8zKZ8TP74xzXYVT1tLM60H4DqhvFxL4aZqYwSuMeOClNAoh9 +pBEm3t5EcZau6pAo1sLAfAQYAQgADwIbDAUCWYiUYwUJCToztgAhCRBC6GoqEfSN +NhYhBLdEF+3fIqyfnpD0kULoaioR9I02Kw4H/2DsLDtA7Gwfr9bKE6jDzfYKqnPt +97s8X+cKUYa2HIyAMA4tPAjbi2De3/ZSAOBYXNfe49qpmTvg+DNj+dGVKI0lLj/n +/ngK87SDTVAPi3zOPDOmnOs3J3fQj5f6fMOoqYRR7p3BNa7GcDiq/bJ1nkyMh0o+ +N50LzNMevq0KbVAQAXtYOYMWkS49lnT1gV9ZFITSiDAUK8S8vani84mcVxxrjwhc +d+Oy+k4rdnTGpZTayQOXZUS9u6AkSgUlNl6nyR6Vkn+AUi2E3SLUm6XE+aQKlBUq +jZlGSPWuQPQCeduGrdk0OvHuUt9ANhdEhopZLZuMKemOL1fjquaasp4IhGbCwHwE +GAEIAA8CGwwFAle4becFCQdqDTMAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC +6GoqEfSNNmBiB/wOjADNaQrDal06MfWPm2QZNAzytpAi2o48ZRBVueVsjpjMTGJH +I5pPQNjBClQptcaCuoBYubzKB4Ud9bOFqF2cs6Fb61RI9SguKU61LNF0wFAfFIDL +78vvlLWTfWk3sUyTSCz5Ll7Awi1L1P1tbTYrkF+WNCRAvUyUMGWXVfttSFTlWLV8 +LydP3+P1FYSllcRDowvU08hed6AajJfC2b7ECe9LW6IPJ3nLMihimQ3QffbJPmIl +KHm44PhZkEcDoNtk35bvUascINZOwFVLE5TtPmOJfSIgltO7Eip8IluZyhVFL5E/ +WmWGlB10JhHaZtleSgH0N+JWeKvllA450AwHwsB8BBgBCAAPAhsMBQJV8q6rBQkF +pE3sACEJEELoaioR9I02FiEEt0QX7d8irJ+ekPSRQuhqKhH0jTZRKgf+PhNUR0er ++HWhlya6pUJISzPQvlUKCBksilDE9xNlH7sN+xxUT1l1Ktc8BrlCE8mJna6DTu1F +S5BWcIZp/2zU7R5ndVqqZa537X3wXZbIBOddCWYTI1WsC762Ihk9BcJhTVKizrPU 
+b4rdYQk4REao8hVL93K+k815e5sobg6YkL+q7ctTK0SO/8hiVWqw4nWDV6brXAEZ +F63cLc5RLlhtjgqPk32m1zcva0blLi9d6/BrJEjjJCL8EYZhS3zX6zZ89hNvt2zv +5+QjwdmxRIT02e2YlLCIwAIJfAuGq6vZdk9xr07nAexTZ4OMZUPudzxXda8qKgdE +7JA38ftiLarCwsLAfAQYAQgADwIbDAUCVBDTxAUJA8JzDAAhCRBC6GoqEfSNNhYh +BLdEF+3fIqyfnpD0kULoaioR9I02CdkH/RfqMPmyHREzTe+YZQfell4+cDHGdrOP +kBYeDV6PDkG2ykuVlrBpT/MVO3MPm+UQ3z3QnlQ8PPArfcypvin8D+wZwKEyDuOc +1i7oiVCZPu6FcA5D29mTINp7ftw9KmR2IfxwPd0afGUM8rUE3gKdVnCzniIS8tpQ +0LxkK+Vxaa3lvQcGogvMiJUAHcb7hR25/nNjzAtZPm0swq5fED+1IFyUYjN4bGZc +33N/UtiTNbems2C0474nXHkexNJUN/Ra533OGZwetlcOlWNEqxJSysIS5ZfDh3dD +RpKjqG2RAAMS2lJEVRfKhbPO1fa2eJVVpLJYexeZh+Fl5TfFmqx6BhvCwHwEGAEI +AA8FAlIvlC0CGwwFCQHhM4AAIQkQQuhqKhH0jTYWIQS3RBft3yKsn56Q9JFC6Goq +EfSNNlpRCAC4i/XcrcoBB0hVIPAu7E29n3m29jEvMg+06RulbLDI2D9zyt9kKBCZ +dcjzYVMzUxEDTbpcfiYls23/bDhR32JyFaSvs18Sb9F6AmwJy0TOaeoPToIsQN3r +uTbUdSIJzsusjrafWS4gKQRhP4AmRXWQzXU0XmVy8cOfur3HcRH1frkOKS+d1EMu +chpI5F39TsH3/RTg31gEBB+xtwAbTbwz5tWYBQvq4N8uItNDiStY6j1Ncl54/l+0 +1TeiArIjryi8g5nr46uGYbC/YGn2ACx5VwpvEOuO0mCf+cwQPj5S5Ra30mNGT915 +4b2lP+U/hRBR8ex6Khur6wN5T8mww6jdzsNNBE3K2S4QEADWHqS7zXq3mbnK6VRS +AtAYQkQWSuPqrlXWZNFMdxVi4Lglj4T+UQXsbCn9rsgISlRWCdxmDOJ7eOjj1zo2 +OA0UPnenZOXOB2n8LvhzrIPp9jq7x10qDTDcakXIjvfYqWco6VawbmLjwP25rDJx +u1uoZRQNeCCxQp6aDBrq7AmWrUwd0WfZ5eGOKUrZkg4Sk1EayExwhAz/1Hwvieyz +neWfdRDYzikgLZCxUcL6O6PKHSXg8qQFnd6Br+aJv34FaE9QOzNx1fev3SDDS/Hj +47twkZKu8u0B/pViDvwLcYEieVbHrGwlehvqLAn7jEe+uc+oDpJiMNZDDVW7LWF/ +PoQ5qTxQFeoU9DuQZxSGna1zGcHO4MJCBf5ENiRlhirncWEGsEAQXoGqvP4Gn3hz +7CSjk4eanQjyisrlA5aM0w1eIxVOJxsIjNFV8ewf081aLCqjxD8n5XdY5mnHj/g3 +CNXQ5JEa4mB3WUqXLXC8at9IVxPNpRX5oTT5GtkKGNgPVTqveDcgNc82DBFbxmju +PfkDtyvoHOq1Lu8PGxRN+/l2xhZKoL62qux69GYNQmsLV6WSf9DryOk7ATbbWsHB +oD0DzmfylhFpGzTjlEmNV1uOfms4sCF58WoD7uRUwNs2kelnVcgKqVjTm/72855n +9S9SWSCeDEVw6BCjQp0/md8L1wAECw/8DqIYY8LEtZGEnBSauejVnv8WTM7F/QJD +cslXtj9ocQefxNSQq+EdgJUrUOITowwd/ZtthJlROckJwuAgqSguhv0tXD/iba6i +nAv7WByVTTXcOjAiTn3icz4HJVByDmECxmk6s1TvxD9UpbsaNSsmuK/RvkVL0IlL 
+jpNkJx6mlTlls1JcUsCUifmkwbDUeeps+u2mMVpbjDPCJWeMtv16ckrA0v/ooxeX +B9HgAnWCKXHoCGPII8EEQuKZ58KYaPez8kRTLPqxZC+jhU51R5aT3OluB8iyKdii +i8STKry1morREksjqzkewnycS8fyAAbq2k/LKYHgEjVtSPemAP7DIY60Vsl3Df0U +07j0h4c2BPUkV1fMC9Okmx8Oy5YpDlm9BOrB6I8XHy7ZDYpHDfHb0uIpjwX5J664 +/RtsBaFnb/0LRBr7MkGd4eSoHQwydWNNXakrtepOeOoNxBVmmxSly000wzxGS3xO +Pfuy4s5HEDScuITOzc5R3+oCwOl0pfji+zLnaHVQdiaRep+PAVlzuckyvvQTVa3o +ub65NlPQc7qanIHqE8aQ2Lgjiq2VQI/S0V5QhGn/pX2FP4Oxs4eU29nY/Hgq/j5u +ZOljrL7pp1hwgQtPkE8/EmUQ9oFTYhT+SxpikC9UalAo5IVSqci3662K9YB2sn89 +YTgmVVXCi1HCwHwEGAECAA8FAk3K2S4CGwwFCQlmAYAAIQkQQuhqKhH0jTYWIQS3 +RBft3yKsn56Q9JFC6GoqEfSNNp1pB/9OZoK4Zj8fi6Ruu7q0+tCOm9k3tvQ0FZsm +3QKPLhcilFy0QBabnZ71ih0AzKxPVoKrtHBENZ1hQ58B4lv+zE8LQf4F0gO9ybcD +vlwpTtAlX8il4kONIHeJQmJ1KHi3vKxIM3+i+Igdm5eDyTY2IFTMAjDshMWl0CJK +oPzwZYRZlXoogfrTWrMUPnvz7a7IUb0Kza2GQdq5fQXRiuAImSn9lY8GOLdiLovg +afIrzAaylpgDShiAV9qKm2BfJEpHm9AzuubNPY5tQX3hwlUE7I/DY/nY8LEra2kF +fMhrtPimujMIu32gmJvJe/nHS/z5d4YdUC4H/SDsYqPNRfpacaLP +=T3bO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tor.service b/tor.service new file mode 100644 index 0000000..d40972a --- /dev/null +++ b/tor.service 
@@ -0,0 +1,53 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+PartOf=tor-master.service
+ReloadPropagatedFrom=tor-master.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+#User=tor
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config --user tor --hush
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --user tor --hush
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+RestartSec=1
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PermissionsStartOnly=yes
+PrivateDevices=yes
+PrivateNetwork=no
+PrivateUsers=no
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHostname=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=/run/tor
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @obsolete @raw-io @mount @module @debug @clock @reboot @swap
+UMask=77
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tor.spec b/tor.spec
new file mode 100644
index 0000000..23f5f86
--- /dev/null
+++ b/tor.spec
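Review bot: `PermissionsStartOnly=yes` in the Hardening block of tor.service appears to do nothing here, because `User=` is commented out and the privilege drop is done by tor itself through `--user tor`; current systemd also documents the option as deprecated in favour of the `+`/`!` prefixes on `Exec*=` lines. I would drop that line and replace the bare `#User=tor` with a comment stating the design, e.g. `# No User= here: tor starts as root and switches to the tor account itself (--user tor).` That comment also explains why `CAP_SETUID` and `CAP_SETGID` have to stay in `CapabilityBoundingSet=`. Separately, a path listed in `ReadWriteDirectories=` must exist or the unit fails during namespace setup; whether the package creates `/var/log/tor` is not visible in this hunk, so `ReadWriteDirectories=-/var/log/tor` would be the safer spelling.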
@@ -0,0 +1,172 @@
+#
+# spec file for package tor
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define toruser %{name}
+%define torgroup %{name}
+%define home_dir %{_localstatedir}/lib/empty
+Name: tor
+Version: 0.4.8.18
+Release: 0
+Summary: Anonymizing overlay network for TCP (The onion router)
+License: BSD-3-Clause
+URL: https://www.torproject.org/
+Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz
+# https://support.torproject.org/little-t-tor/verify-little-t-tor/
+Source2: tor.keyring
+Source3: tor.service
+Source4: tor.tmpfiles
+Source5: defaults-torrc
+Source6: tor-master.service
+Source100: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum
+Source101: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.sha256sum.asc
+Patch0: tor-0.2.5.x-logrotate.patch
+Patch1: fix-test.patch
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: pkgconfig >= 0.9.0
+BuildRequires: pwdutils
+BuildRequires: python3-base
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libevent) >= 2.0.10
+BuildRequires: pkgconfig(liblzma)
+BuildRequires: pkgconfig(libseccomp)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(libzstd)
+BuildRequires: pkgconfig(systemd)
+BuildRequires: pkgconfig(zlib)
+Requires: logrotate
+Requires(post): %fillup_prereq
+Recommends: 
torsocks
+Provides: group(%{torgroup})
+Provides: user(%{toruser})
+%systemd_ordering
+BuildRequires: libscrypt-devel
+
+%description
+Tor is a connection-based low-latency anonymous communication system.
+
+This package provides the "tor" program, which serves as both a client and
+a relay node. Scripts will automatically create a "%{toruser}" user and
+a "%{torgroup}" group, and set tor up to run as a daemon when the system
+is rebooted.
+
+Applications connect to the local Tor proxy using the SOCKS
+protocol. The tor client chooses a path through a set of relays, in
+which each relay knows its predecessor and successor, but no
+others. Traffic flowing down the circuit is unwrapped by a symmetric
+key at each relay, which reveals the downstream relay.
+
+Warnings: Tor does no protocol cleaning. That means there is a danger
+that application protocols and associated programs can be induced to
+reveal information about the initiator. Tor depends on Privoxy or
+similar protocol cleaners to solve this problem. This is alpha code,
+and is even more likely than released code to have anonymity-spoiling
+bugs. The present network is small -- this further reduces the
+strength of the anonymity provided. Tor is not presently suitable
+for high-stakes anonymity.
+ +%prep +( cd $(dirname %{SOURCE0}) && echo "$(cat %{SOURCE100} | cut -d' ' -f1) tor-%{version}.tar.gz" | sha256sum --check ) +%autosetup -p1 + +%build +%configure \ + --disable-silent-rules \ + --with-tor-user=%{toruser} \ + --with-tor-group=%{torgroup} \ + --enable-systemd \ + --enable-lzma \ + --enable-zstd \ + --enable-unittests \ + --enable-gcc-warnings-advisory \ + --docdir=%{_docdir}/%{name} +%make_build + +%install +%make_install + +# missing dirs +install -d -m 700 \ + %{buildroot}%{_localstatedir}/lib/%{name} \ + %{buildroot}%{_localstatedir}/tmp/%{name} + +install -d -m 755 \ + %{buildroot}%{_localstatedir}/log/%{name} \ + %{buildroot}/%{_sbindir} + +install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service +install -m 644 -D %{SOURCE6} %{buildroot}/%{_unitdir}/%{name}-master.service +install -m 644 %{SOURCE5} %{buildroot}%{_datadir}/tor/defaults-torrc +install -d -m 0755 %{buildroot}%{_tmpfilesdir}/ +install -m 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf +ln -s -f service %{buildroot}%{_sbindir}/rc%{name} +ln -s -f service %{buildroot}%{_sbindir}/rc%{name}-master + +# sample config files +install -p -m 644 -D src/config/torrc.{sample,minimal} %{buildroot}/%{_sysconfdir}/%{name} +install -p -m 644 src/config/torrc.minimal %{buildroot}/%{_sysconfdir}/%{name}/torrc + +# logrotate conf +sed -i -e "s|_tor|tor|g" contrib/operator-tools/tor.logrotate +install -D -m 644 contrib/operator-tools/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name} + +%check +%ifnarch ppc ppc64 ppc64le aarch64 armv7l i586 +%make_build check || ( + find -type f -name test-suite.log -print -exec cat {} + + exit 42 +) +%endif + +%pre +getent group %{torgroup} >/dev/null || groupadd -r %{torgroup} +getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/nologin -c "User for %{name}" %{toruser} +%service_add_pre tor.service tor-master.service + +%post +%fillup_only +%service_add_post tor.service tor-master.service 
+systemd-tmpfiles --create %{_tmpfilesdir}/tor.conf || : + +%preun +%service_del_preun tor.service tor-master.service + +%postun +%service_del_postun tor.service tor-master.service + +%files +%license LICENSE +%doc README* ChangeLog doc/HACKING doc/man/*.html +%{_mandir}/man*/* +%{_bindir}/* +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/geoip* +%{_datadir}/%{name}/defaults-torrc +%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name} +%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name} +%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc +%config %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/torrc.* +%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name} +%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name} +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-master.service +%{_tmpfilesdir}/%{name}.conf +%{_sbindir}/rc%{name} +%{_sbindir}/rc%{name}-master + +%changelog diff --git a/tor.tmpfiles b/tor.tmpfiles new file mode 100644 index 0000000..adfce77 --- /dev/null +++ b/tor.tmpfiles @@ -0,0 +1 @@ +D /run/tor 0755 tor tor - -- 2.51.1 From 7a4cf9b9853e32f146a88631c4a18416c030f594179c1840054fddc391587e60 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 22 Sep 2025 12:01:00 +0000 Subject: [PATCH 6/6] changelog OBS-URL: https://build.opensuse.org/package/show/network/tor?expand=0&rev=286 --- tor.changes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tor.changes b/tor.changes index 02d82e8..b314ece 100644 --- a/tor.changes +++ b/tor.changes @@ -2,7 +2,8 @@ Wed Sep 17 06:19:42 UTC 2025 - Bernhard Wiedemann - 0.4.8.18 - * important bug fix for onion service directory + * CVE-2025-4444: onion service descriptor resource consumption + issue (boo#1250101) ------------------------------------------------------------------- Tue Jul 1 03:12:54 UTC 2025 - Bernhard Wiedemann -- 2.51.1
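Review bot: In `%prep` of tor.spec, the `sha256sum --check` line only compares the tarball with the hash stored in Source100. Nothing in the spec verifies Source101 (the `.sha256sum.asc` signature) against Source2 (`tor.keyring`), so the hash file is trusted as-is during the build. If that signature is expected to be checked outside the spec, for example by the build service's source validation, a comment above the line should say so: `# Source100 is signature-checked against tor.keyring outside this spec; %prep only binds the tarball to that hash`. Otherwise, verify Source100 with Source101 and the keyring before the hash comparison, so that a local rebuild fails on a tampered hash file. The same line hard-codes `tor-%{version}.tar.gz` where Source0 uses `%{name}-%{version}.tar.gz`.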