• Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.

Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default exit policy a little bit more conservative so it's safer to run an exit relay on a home system, and fixes a variety of smaller issues.

• Security fixes:
  • Exit policies now reject connections that are addressed to a relay's public (external) IP address too, unless ExitPolicyRejectPrivate is turned off. We do this because too many relays are running nearby to services that trust them based on network address.
• Major bugfixes:
  • When the clock jumps forward a lot, do not allow the bandwidth buckets to become negative. Fixes bug 544.
  • Fix a memory leak on exit relays; we were leaking a cached_resolve_t on every successful resolve. Reported by Mike Perry.
  • Purge old entries from the "rephist" database and the hidden service descriptor database even when DirPort is zero.
  • Stop thinking that 0.1.2.x directory servers can handle "begin_dir" requests. Should ease bugs 406 and 419 where 0.1.2.x relays are crashing or mis-answering these requests.
  • When we decide to send a 503 response to a request for servers, do not then also send the server descriptors: this defeats the whole purpose. Fixes bug 539.
• Minor bugfixes:
  • Changing the ExitPolicyRejectPrivate setting should cause us to rebuild our server descriptor.
  • Fix handling of hex nicknames when answering controller requests for networkstatus by name, or when deciding whether to warn about unknown routers in a config option. (Patch from mwenge.)
  • Fix a couple of hard-to-trigger autoconf problems that could result in really weird results on platforms whose sys/types.h files define nonstandard integer types.
  • Don't try to create the datadir when running --verify-config or --hash-password. Resolves bug 540.
  • If we were having problems getting a particular descriptor from the directory caches, and then we learned about a new descriptor for that router, we weren't resetting our failure count. Reported by lodger.
  • Although we fixed bug 539 (where servers would send HTTP status 503 responses and send a body too), there are still servers out there that haven't upgraded. Therefore, make clients parse such bodies when they receive them.
  • Run correctly on systems where rlim_t is larger than unsigned long. This includes some 64-bit systems.
  • Run correctly on platforms (like some versions of OS X 10.5) where the real limit for number of open files is OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES).
  • Avoid a spurious free on base64 failure.
  • Avoid segfaults on certain complex invocations of router_get_by_hexdigest().
  • Fix rare bug on REDIRECTSTREAM control command when called with no port set: it could erroneously report an error when none had happened.

Release notes not available.

o Major security fixes:
- Close immediately after missing authentication on control port;
do not allow multiple authentication attempts.

Tor 0.1.2.14 changes the addresses of two directory authorities (this change especially affects those who serve or use hidden services), and fixes several other crash- and security-related bugs.