bug fixes

Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.

https://www.torproject.org/download.html.en

Changes in version 0.2.1.9-alpha - 2008-12-25
New directory authorities:

• gabelmoo (the authority run by Karsten Loesing) now has a new
  IP address.

Security fixes:

• Never use a connection with a mismatched address to extend a
  circuit, unless that connection is canonical. A canonical
  connection is one whose address is authenticated by the router's
  identity key, either in a NETINFO cell or in a router descriptor.
• Avoid a possible memory corruption bug when receiving hidden service
  descriptors. Bugfix on 0.2.1.6-alpha.

Major bugfixes: read more »

Bug Fixes

Tor 0.2.1.7-alpha (released November 8) fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, adds better defense against DNS poisoning attacks on exit relays, further improves hidden service performance, and fixes a variety of other issues.
http://archives.seul.org/or/talk/Nov-2008/msg00229.html

Tor 0.2.0.32 (released November 20) fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues.
http://archives.seul.org/or/announce/Dec-2008/msg00000.html

Vidalia 0.1.10 (released November 2) fixes some presentation bugs and some bugs in the Windows installer. read more »

Tor 0.2.1.6-alpha further improves performance and robustness of hidden
services, starts work on supporting per-country relay selection, and
fixes a variety of smaller issues.

The original announcement can be found at
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Changes in version 0.2.1.6-alpha - 2008-09-30 read more »

• Major features:
• Implement proposal 121: make it possible to build hidden services
  that only certain clients are allowed to connect to. This is
  enforced at several points, so that unauthorized clients are unable
  to send INTRODUCE cells to the service, or even (depending on the
  type of authentication) to learn introduction points. This feature
  raises the bar for certain kinds of active attacks against hidden
  services. Code by Karsten Loesing.
• Relays now store and serve v2 hidden service descriptors by default,
  i.e., the new default value for HidServDirectoryV2 is 1. This is
  the last step in proposal 114, which aims to make hidden service
  lookups more reliable.
• Start work to allow node restrictions to include country codes. The
  syntax to exclude nodes in a country with country code XX is
  "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
  refinement to decide what config options should take priority if
  you ask to both use a particular node and exclude it.
• Allow ExitNodes list to include IP ranges and country codes, just
  like the Exclude*Nodes lists. Patch from Robert Hogan.
• Major bugfixes:
  

Releases
Vidalia 0.1.9 (released September 2) fixes a big pile of bugs and inconveniences in the earlier releases. This new release marks the first "stable" release of Vidalia, in that we have now branched into a stable (0.1.x) branch and a development (0.2.x) branch.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.9/CHANG...

Tor 0.2.0.31 (released September 3) addresses two potential anonymity issues, starts to fix a big bug we're seeing where in rare cases traffic from one Tor stream gets mixed into another stream, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Sep-2008/msg00000.html

Tor 0.2.1.6-alpha (released September 30) further improves performance and robustness of hidden services, starts work on supporting per-country relay selection, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Circumvention Enhancements
From the Vidalia 0.1.9 ChangeLog:
"Correct the location of the simplified Chinese help files so they will actually load again."

From the Tor 0.2.1.6-alpha ChangeLog:
"Start work to allow node restrictions to include country codes. The syntax to exclude nodes in a country with country code XX is "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some refinement to decide what config options should take priority if you ask to both use a particular node and exclude it."
This feature should allow users in China to specify that they don't want to enter (and/or exit) in China, which in theory could provide stronger security for them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Allow ports 465 and 587 in the default exit policy again. We had rejected them in 0.1.0.15, because back in 2005 they were commonly misconfigured and ended up as spam targets. We hear they are better locked down these days." read more »

A better formatted version of this can be found at the OR-Announce Archives.

Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
a big bug we're seeing where in rare cases traffic from one Tor stream
gets mixed into another stream, and fixes a variety of smaller issues.

https://www.torproject.org/download.html

Changes in version 0.2.0.31 - 2008-09-03
o Major bugfixes:
- Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.

o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying read more »