security fixes

Tor Browser Bundle 1.2.9 is released today. It updates Firefox and Pidgin Instant Messaging client to address the security issues in the older versions, and includes the latest and greatest Vidalia.

TBB can be downloaded from https://www.torproject.org/torbrowser.

The details of the changes are:

• update Vidalia to 0.2.4
• update Qt to 4.5.2
• update Pidgin to 2.6.2
• update Firefox to 3.0.14

Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows
Tor clients to bootstrap on networks where only port 80 is reachable,
makes it more straightforward to support hardware crypto accelerators,
and starts the groundwork for gathering stats safely at relays.

https://www.torproject.org/download

We've been improving our packages and bundles:
Packaging changes: read more »

• Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
  installer bundles. See
  https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHAN...
  for details of what's new in Vidalia 0.2.3.
• Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
• OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
  configuration file, rather than the old Privoxy.
• OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
  x86-only for better compatibility with OS X 10.6, aka Snow Leopard.

New releases

On July 8th, we released Vidalia 0.1.15..

On July 8th, we updated the Tor 0.2.0.35-stable bundles with the new Vidalia to fix an ssl issue and the Firefox Torbutton extension installation for OS X users.

On July 8th, we released Tor 0.2.1.17-rc.

Tor Browser Bundle 1.2.3 was released on July 8, 2009.
TBB 1.2.3 was replaced by 1.2.4 on July 11, 2009
TBB 1.2.5 was released on July 25th. It solely included an update to Tor 0.2.1.18 . read more »

Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
a bunch of minor bugs.

https://www.torproject.org/download

Changes in version 0.2.1.16-rc - 2009-06-20
Security fixes:

• Fix an edge case where a malicious exit relay could convince a
  controller that the client's DNS question resolves to an internal IP
  address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

Major performance improvements (on 0.2.0.x):

• Disable and refactor some debugging checks that forced a linear scan
  over the whole server-side DNS cache. These accounted for over 50%
  of CPU time on a relatively busy exit node's gprof profile. Found
  by Jacob.
• Disable some debugging checks that appeared in exit node profile
  data.

Minor features: read more »

• Update to the "June 3 2009" ip-to-country file.

Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
cleanups. We're finally getting close to a release candidate.

https://www.torproject.org/download

Changes in version 0.2.1.13-alpha - 2009-03-09
Major bugfixes:

• Correctly update the list of which countries we exclude as
  exits, when the GeoIP file is loaded or reloaded. Diagnosed by
  lark. Bugfix on 0.2.1.6-alpha.

Minor bugfixes (on 0.2.0.x and earlier):

• Automatically detect MacOSX versions earlier than 10.4.0, and
  disable kqueue from inside Tor when running with these versions.
  We previously did this from the startup script, but that was no
  help to people who didn't use the startup script. Resolves bug 863.
• When we had picked an exit node for a connection, but marked it as
  "optional", and it turned out we had no onion key for the exit, read more »

New releases, new hires, new funding

Tor 0.2.1.10-alpha (released January 6) fixes two major bugs in bridge
relays (one that would make the bridge relay not so useful if it had
DirPort set to 0, and one that could let an attacker learn a little bit
of information about the bridge's users), and a bug that would cause your
Tor relay to ignore a circuit create request it can't decrypt (rather
than reply with an error). It also fixes a wide variety of other bugs.
http://archives.seul.org/or/talk/Jan-2009/msg00078.html

Tor 0.2.1.11-alpha (released Jan 20) finishes fixing the "if your Tor is
off for a week it will take a long time to bootstrap again" bug. It also
fixes an important security-related bug reported by Ilja van Sprundel. You
should upgrade. (We'll send out more details about the bug once people
have had some time to upgrade.)
http://archives.seul.org/or/talk/Jan-2009/msg00171.html read more »

Tor 0.2.1.12-alpha features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit). It also
includes a big pile of minor bugfixes and cleanups.

https://www.torproject.org/download.html.en

Changes in version 0.2.1.12-alpha - 2009-02-08
Security fixes:

• Fix an infinite-loop bug on handling corrupt votes under certain
  circumstances. Bugfix on 0.2.0.8-alpha.
• Fix a temporary DoS vulnerability that could be performed by
  a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
• Avoid a potential crash on exit nodes when processing malformed
  input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.

Minor bugfixes:

• Let controllers actually ask for the "clients_seen" event for read more »

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
Security fixes: read more »

• Fix an infinite-loop bug on handling corrupt votes under certain
        circumstances. Bugfix on 0.2.0.8-alpha.
• Fix a temporary DoS vulnerability that could be performed by
        a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
• Avoid a potential crash on exit nodes when processing malformed
  

Releases
Tor 0.2.1.8-alpha (released December 8) fixes some crash bugs in earlier alpha releases, builds better on unusual platforms like Solaris and old OS X, and fixes a variety of other issues.
http://archives.seul.org/or/talk/Dec-2008/msg00129.html

Tor Browser Bundle 1.1.6 (released December 2) and 1.1.7 (released December 12) update Tor to 0.2.1.8-alpha, include a new version of Firefox, and attempt to wrestle with the "AllowMultipleInstances=false" design that could allow us to run Tor Browser Bundle alongside a normal Firefox.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.9-alpha (released December 25) fixes many more bugs, some of them security-related.
http://archives.seul.org/or/talk/Jan-2009/msg00029.html

Bug fixes
Security fixes in the Tor 0.2.1.8-alpha release: read more »

Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.

This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)

https://www.torproject.org/download.html

Changes in version 0.2.0.33 - 2009-01-21
Security fixes:

• Fix a heap-corruption bug that may be remotely triggerable on
  some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

• When a stream at an exit relay is in state "resolving" or
  "connecting" and it receives an "end" relay cell, the exit relay
  would silently ignore the end cell and not close the stream. If
  the client never closes the circuit, then the exit relay never read more »