Tor Blog | The Tor Project

New Releases: Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12

There are new source code releases available for download. If you build Tor from source, you can download the source code for 0.4.0.2-alpha and 0.3.5.8 from the download page. You can find 0.3.4.11 and 0.3.3.12 at dist.torproject.org. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the same timeframe.

These releases all fix TROVE-2019-001, a possible security bug involving the KIST cell scheduler code in versions 0.3.2.1-alpha and later. We are not certain that it is possible to exploit this bug in the wild, but out of an abundance of caution, we recommend that all affected users upgrade once packages are available. The potential impact is a remote denial-of-service attack against clients or relays.

Also note: 0.3.3.12 is the last anticipated release in the 0.3.3.x series; that series will become unsupported next week. The remaining supported stable series will 0.2.9.x (long-term support until 2020), 0.3.4.x (supported until June), and 0.3.5.x (long-term support until 2022).

Below are the changes in Tor 0.3.5.8 and in 0.4.0.2-alpha. You can also read the changelog for 0.3.4.11 and the changelog for 0.3.3.12.

Changes in version 0.3.5.8 - 2019-02-21

Tor 0.3.5.8 backports serveral fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases.

It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
Major bugfixes (networking, backport from 0.4.0.2-alpha):
- Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

New Release: OnionShare 2

OnionShare is an open source tool for securely and anonymously sending and receiving files using Tor onion services. OnionShare 2 adds anonymous dropboxes, supports new Tor addresses, and is translated into a dozen new languages.

New Release: Tor Browser 8.5a8

Tor Browser 8.5a8 is now available from the Tor Browser Project page and also from our

New Release: Tor Browser 8.0.6

Tor Browser 8.0.6 is now available from the Tor Browser Project page and also from our

Expect More From Tor in 2019

We spent 2018 fighting for the fundamental human rights to privacy and freedom online and made our software more accessible than ever before. We know our work plays an important part in ensuring that people fighting back against injustice are able to stay safe online, and we are ready for the challenges ahead in 2019.

38 comments

New Release: Tor Browser 8.5a7

Tor Browser 8.5a7 is now available from the Tor Browser Project page and also from our

New Release: Tor Browser 8.0.5

Tor Browser 8.0.5 is now available from the Tor Browser Project page and also from our

New Release: Tails 3.12

This release fixes many security vulnerabilities. You should upgrade as soon as possible.

Tor Browser at TPL: Defending Intellectual Freedom, and Winning Awards Doing So

Public librarians can do a great deal to arm our users with the knowledge, the tools, and the confidence to navigate the surveillance society online.

3 comments

New Release: Tor 0.4.0.1-alpha

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.1-alpha from the download page. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by the end of the month.

Upcoming Events

February 23, 2019

Tor Meetup (Lisbon)

March 23, 2019 - March 24, 2019

LibrePlanet (Boston)

March 24, 2019 - March 27, 2019

KNOW 2019 (Vegas)

April 01, 2019 - April 05, 2019

Internet Freedom Festival (Valencia)

June 11, 2019 - June 14, 2019

RightsCon (Tunis)

See All Upcoming Events

Recent Updates

New Releases: Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12

Below are the changes in Tor 0.3.5.8 and in 0.4.0.2-alpha. You can also read the changelog for 0.3.4.11 and the changelog for 0.3.3.12.

Changes in version 0.3.5.8 - 2019-02-21

Tor 0.3.5.8 backports serveral fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases.

Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
Major bugfixes (networking, backport from 0.4.0.2-alpha):
- Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.