security critical
Tor Browser Bundle 1.3.1 Released
Posted January 23rd, 2010 by phobos
The latest in the Tor Browser series, version 1.3.1 is released. This includes updates to Firefox, Pidgin, and Tor.
Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html
It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.
Everybody should upgrade:
https://www.torproject.org/easy-download
The changelog is:
1.3.1: Released 2010-01-22
update Firefox to 3.5.7
update Pidgin to 2.6.5
update Tor to 0.2.1.22
Tor 0.2.2.7-alpha released
Posted January 23rd, 2010 by phobos
Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well
as laying the groundwork for further relay-side performance fixes. It
also starts cleaning up client behavior with respect to the EntryNodes,
ExitNodes, and StrictNodes config options.
This release also rotates two directory authority keys, due to a security
breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html
Everybody should upgrade:
https://www.torproject.org/download.html.en
Changes in version 0.2.2.7-alpha - 2010-01-19
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.
  o Major features (performance):
    - We were selecting our guards uniformly at random, and then weighting
      which of our guards we'd use uniformly at random. This imbalance
      meant that Tor clients were severely limited on throughput (and
      probably latency too) by the first hop in their circuit. Now we
Tor 0.2.1.22 Released
Posted January 23rd, 2010 by phobos
Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html
It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.
Everybody should upgrade:
https://www.torproject.org/easy-download
Changes in version 0.2.1.22 - 2010-01-19
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.
  o Major bugfixes:
    - Stop bridge directory authorities from answering dbg-stability.txt
      directory queries, which would let people fetch a list of all
      bridge identities they track. Bugfix on 0.2.1.6-alpha.
Security critical Tor-0.2.0.26-rc released
Posted May 13th, 2008 by phobos
Tor-0.2.0.26-rc replaces several V3 directory authority keys affected by a recent Debian OpenSSL bug.
This is a security-critical release.
Everybody running any version in the 0.2.0.x series should upgrade, whether
they are running Debian or not. Also, all servers running any version of Tor
whose keys were generated by Debian, Ubuntu, or any derived distribution may
have to replace their identity keys. See our security advisory for full details. As always, you can find Tor 0.2.0.26-rc on the downloads page.
Changes in version 0.2.0.26-rc - 2008-05-13
Major security fixes:
- Use new V3 directory authority keys on the tor26, gabelmoo, and moria1 V3 directory authorities. The old keys were generated with a vulnerable version of Debian's OpenSSL package, and must be considered compromised. Other authorities' keys were not generated with an affected version of OpenSSL.
Major bugfixes:
- List authority signatures as "unrecognized" based on DirServer lines, not on cert cache. Bugfix on 0.2.0.x.
Minor features:
- Add a new V3AuthUseLegacyKey option to make it easier for authorities to change their identity keys if they have to.
