stable release

Tor 0.2.1.26 addresses the recent connection and memory overload problems we've been seeing on relays, especially relays with their DirPort open. If your relay has been crashing, or you turned it off because it used too many resources, give this release a try.

This release also fixes yet another instance of broken OpenSSL libraries that was causing some relays to drop out of the consensus.

Available for download at https://www.torproject.org/easy-download

Changes in version 0.2.1.26
Major bugfixes:

• Teach relays to defend themselves from connection overload. Relays
  now close idle circuits early if it looks like they were intended
  for directory fetches. Relays are also more aggressive about closing
  TLS connections that have no circuits on them. Such circuits are
  unlikely to be re-used, and tens of thousands of them were piling
  up at the fast relays, causing the relays to run out of sockets read more »

On May 20, we released Vidalia 0.2.9. Fixes include Qt 4.6.2 compatibility, new cert, and some new translations.

You can download it at https://www.torproject.org/vidalia/. Packages are slowly being updated to include this version of Vidalia.

The full changelog is: read more »

• Remove the GoDaddy CA certificate bundle since we changed the certificate used to authenticate connections to geoips.vidalia-project.net for downloading GeoIP information from a commercial GoDaddy certificate to a free CACert certificate.
• Define -D_WIN32_WINNT=0x0501 on Windows builds so that MiniUPnPc will build with the latest versions of MinGW.
• Modify miniupnpc.c from MiniUPnPc's source so that it will build on Mac OS X 10.4.
• Work around Qt's new behavior for the QT_WA macro so that Vidalia will
  work correctly again on Windows with Qt >= 4.6.

Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.

Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time for sure!

The Windows and OS X bundles also come with a newer version of Polipo that fixes some stability and security problems.

People using Tor as a client should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.23 - 2010-02-13
Major bugfixes (performance): read more »

• We were selecting our guards uniformly at random, and then weighting which of our guards we'd use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.

Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.

Everybody should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.22 - 2010-01-19
o Directory authority changes:
- Rotate keys (both v3 identity and relay identity) for moria1
and gabelmoo.

o Major bugfixes:
- Stop bridge directory authorities from answering dbg-stability.txt
directory queries, which would let people fetch a list of all
bridge identities they track. Bugfix on 0.2.1.6-alpha.

You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
https://www.torproject.org/easy-download.html.en

In early January we discovered that two of the seven servers that run directory
authorities were compromised (moria1 and gabelmoo), along with
metrics.torproject.org, a new server we'd recently set up to serve
metrics data and graphs. The three servers have since been reinstalled
with service migrated to other servers.

We made fresh identity keys for the two directory authorities, which is
why you need to upgrade.

Moria also hosted our git repository and svn repository. We took the
services offline as soon as we learned of the breach. It appears the
attackers didn't realize what they broke into -- just that they had
found some servers with lots of bandwidth. The attackers set up some ssh
keys and proceeded to use the three servers for launching other attacks.
We've done some preliminary comparisons, and it looks like git and svn
were not touched in any way. read more »

Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL
library. If you use Tor on Linux / Unix and you're getting SSL
renegotiation errors, upgrading should help. We also recommend an
upgrade if you're an exit relay.

https://www.torproject.org/easy-download

Changes in version 0.2.1.21 - 2009-12-21
Major bugfixes:

• Work around a security feature in OpenSSL 0.9.8l that prevents our
  handshake from working unless we explicitly tell OpenSSL that we
  are using SSL renegotiation safely. We are, of course, but OpenSSL
  0.9.8l won't work unless we say we are.
• Avoid crashing if the client is trying to upload many bytes and the
  circuit gets torn down at the same time, or if the flip side
  happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

Minor bugfixes: read more »

• Do not refuse to learn about authority certs and v2 networkstatus
  

Tor 0.2.1.18 lays the foundations for performance improvements, adds
status events to help users diagnose bootstrap problems, adds optional
authentication/authorization for hidden services, fixes a variety of
potential anonymity problems, and includes a huge pile of other features
and bug fixes.

Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
services.

https://www.torproject.org/easy-download

Changes in version 0.2.1.19 - 2009-07-28
Major bugfixes:

• Make accessing hidden services on 0.2.1.x work right again.
  Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
  part of patch provided by "optimist".

Minor features:

• When a relay/bridge is writing out its identity key fingerprint to
  the "fingerprint" file and to its logs, write it without spaces. Now
  it will look like the fingerprints in our bridges documentation, read more »

Updated Vidalia-bundle packages with Tor 0.2.0.35 are released. The only thing that's changed is the update of Vidalia from 0.1.14 to 0.1.15. You can retrieve the updated packages from https://www.torproject.org/easy-download

Tor 0.2.0.35 fixes a big bug that was causing Tor relays with dynamic
IP addresses to disappear from the network. It also fixes a rare crash
bug on fast exit relays.

https://www.torproject.org/easy-download

Changes in version 0.2.0.35 - 2009-06-24
Security fix:

• Avoid crashing in the presence of certain malformed descriptors.
  Found by lark, and by automated fuzzing.
• Fix an edge case where a malicious exit relay could convince a
  controller that the client's DNS question resolves to an internal IP
  address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

Major bugfixes:

• Finally fix the bug where dynamic-IP relays disappear when their
  IP address changes: directory mirrors were mistakenly telling
  them their old address if they asked via begin_dir, so they
  never got an accurate answer about their new address, so they read more »

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
Security fixes: read more »

• Fix an infinite-loop bug on handling corrupt votes under certain
        circumstances. Bugfix on 0.2.0.8-alpha.
• Fix a temporary DoS vulnerability that could be performed by
        a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
• Avoid a potential crash on exit nodes when processing malformed