phobos's blog

Tor 0.2.1.12-alpha is released

Tor 0.2.1.12-alpha features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit). It also
includes a big pile of minor bugfixes and cleanups.

https://www.torproject.org/download.html.en

Changes in version 0.2.1.12-alpha - 2009-02-08
Security fixes:

  • Fix an infinite-loop bug on handling corrupt votes under certain
    circumstances. Bugfix on 0.2.0.8-alpha.
  • Fix a temporary DoS vulnerability that could be performed by
    a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
  • Avoid a potential crash on exit nodes when processing malformed
    input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.

Minor bugfixes:

  • Let controllers actually ask for the "clients_seen" event for

Tor 0.2.0.34-stable released

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
Security fixes:

  • Fix an infinite-loop bug on handling corrupt votes under certain
    circumstances. Bugfix on 0.2.0.8-alpha.
  • Fix a temporary DoS vulnerability that could be performed by
    a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
  • Avoid a potential crash on exit nodes when processing malformed

December 2008 Progress Report

Releases
Tor 0.2.1.8-alpha (released December 8) fixes some crash bugs in earlier alpha releases, builds better on unusual platforms like Solaris and old OS X, and fixes a variety of other issues.
http://archives.seul.org/or/talk/Dec-2008/msg00129.html

Tor Browser Bundle 1.1.6 (released December 2) and 1.1.7 (released December 12) update Tor to 0.2.1.8-alpha, include a new version of Firefox, and attempt to wrestle with the "AllowMultipleInstances=false" design that could allow us to run Tor Browser Bundle alongside a normal Firefox.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.9-alpha (released December 25) fixes many more bugs, some of them security-related.
http://archives.seul.org/or/talk/Jan-2009/msg00029.html

Bug fixes
Security fixes in the Tor 0.2.1.8-alpha release:

Tor 0.2.0.33-stable released

Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.

This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)

https://www.torproject.org/download.html

Changes in version 0.2.0.33 - 2009-01-21
Security fixes:

  • Fix a heap-corruption bug that may be remotely triggerable on
    some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

  • When a stream at an exit relay is in state "resolving" or
    "connecting" and it receives an "end" relay cell, the exit relay
    would silently ignore the end cell and not close the stream. If
    the client never closes the circuit, then the exit relay never

Tor 0.2.1.11-alpha released

Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a week it
will take a long time to bootstrap again" bug. It also fixes an important
security-related bug reported by Ilja van Sprundel. You should upgrade.
(We'll send out more details about the bug once people have had some
time to upgrade.)

https://www.torproject.org/download.html.en

Changes in version 0.2.1.11-alpha - 2009-01-20
Security fixes:

  • Fix a heap-corruption bug that may be remotely triggerable on
    some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

  • Discard router descriptors as we load them if they are more than
    five days old. Otherwise if Tor is off for a long time and then
    starts with cached descriptors, it will try to use the onion
    keys in those obsolete descriptors when building circuits. Bugfix
    on 0.2.0.x. Fixes bug 887.

Minor features:

Experimental OS X Drag and Drop Vidalia Bundle Installer

I asked for community feedback in this post about drag and drop installation of the Vidalia bundle for Apple's OS X. In working with the Vidalia team, we now have a drag and drop installer. This is experimental. It's designed for a clean install. It won't migrate your settings, nor will it configure anything for you. Upon installing, your milk may sour and your salt may run off with your pepper. Now that the disclaimers are over, here's what it contains and does do for you.

It includes Universal binaries for:

  • Vidalia version 0.2.0-svn r3425
  • Polipo 1.0.4 configured to use Tor as a socksproxy
  • Tor 0.2.1.10-alpha compiled with prefix and bindir set to /Applications/Vidalia.app

Circumvention and Anonymity

We've always argued that safe circumvention requires anonymity, even from the circumvention service itself. There are many people wanting to record your Internet traffic and browsing patterns, from governments to commercial advertising networks. There are many ways to defeat the threat of traffic analysis, from simple proxy providers and virtual private networks to distributed peer-to-peer solutions. Only some of these offer anonymity along with circumvention. Tor's open design and anonymity properties provide protections for the user from those watching the traffic and from us as an organization.

Tor 0.2.1.10-alpha released

Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that would
make the bridge relay not so useful if it had DirPort set to 0, and one
that could let an attacker learn a little bit of information about the
bridge's users), and a bug that would cause your Tor relay to ignore a
circuit create request it can't decrypt (rather than reply with an error).
It also fixes a wide variety of other bugs.

https://www.torproject.org/download.html.en

Changes in version 0.2.1.10-alpha - 2009-01-06
Major bugfixes:

  • If the cached networkstatus consensus is more than five days old,
    discard it rather than trying to use it. In theory it could
    be useful because it lists alternate directory mirrors, but in
    practice it just means we spend many minutes trying directory
    mirrors that are long gone from the network. Helps bug 887 a bit;
    bugfix on 0.2.0.x.
  • Bridge relays that had DirPort set to 0 would stop fetching
    descriptors shortly after startup, and then briefly resume
    after a new bandwidth test and/or after publishing a new bridge
    descriptor. Bridge users that try to bootstrap from them would
    get a recent networkstatus but would get descriptors from up to
    18 hours earlier, meaning most of the descriptors were obsolete
    already. Reported by Tas; bugfix on 0.2.0.13-alpha.
  • Prevent bridge relays from serving their 'extrainfo' document
    to anybody who asks, now that extrainfo docs include potentially
    sensitive aggregated client geoip summaries. Bugfix on
    0.2.0.13-alpha.