bugs

Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
packages (and maybe other packages) noticed by Theo de Raadt, fixes
a smaller security flaw that might allow an attacker to access local
services, adds better defense against DNS poisoning attacks on exit
relays, further improves hidden service performance, and fixes a variety
of other issues.

https://www.torproject.org/download

Changes in version 0.2.1.7-alpha - 2008-11-08

Security fixes: read more »

• The "ClientDNSRejectInternalAddresses" config option wasn't being
  consistently obeyed: if an exit relay refuses a stream because its
  exit policy doesn't allow it, we would remember what IP address
  the relay said the destination address resolves to, even if it's
  an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
• The "User" and "Group" config options did not clear the
  supplementary group entries for the Tor process. The "User" option
  is now more robust, and we now set the groups to the specified
  user's primary group. The "Group" option is now ignored. For more
  detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
  in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
  and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
• Do not use or believe expired v3 authority certificates. Patch
  from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.

It appears Qt-4.3.3 has a bug that is causing Vidalia to crash when the list of Tor nodes refreshes and is sorted. The current 0.1.2.19-stable and 0.2.0.17-alpha bundles for OSX are built against Qt-4.3.3.

I've downgraded the build hosts to Qt-4.3.2. The rebuilt OSX vidalia-bundle packages for both 0.1.2.19-stable and 0.2.0.17-alpha are available as:

• Bundle with 0.1.2.19-stable and Vidalia 16a
• Bundle with 0.2.0.17-alpha and Vidalia 16a

These bundles contain Vidalia compiled with Qt-4.3.2. This makes Vidalia happy again.