Archive - 2010

Tor 0.2.2.20-alpha is out (security patches)

Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely
exploitable bugs. Thanks to Willem Pinckaers for notifying us of the
issue. The Common Vulnerabilities and Exposures project has assigned
CVE-2010-1676 to this issue.

We also fix a variety of other significant bugs, change the IP address
for one of our directory authorities, and update the minimum version
that Tor relays must run to join the network.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.2.20-alpha - 2010-12-17
Major bugfixes: read more »

  • Fix a remotely exploitable bug that could be used to crash instances
    of Tor remotely by overflowing on the heap. Remote-code execution
    hasn't been confirmed, but can't be ruled out. Everyone should
    upgrade. Bugfix on the 0.1.1 series and later.
  • Fix a bug that could break accounting on 64-bit systems with large

Tor 0.2.1.28 is released (security patches)

Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
exploitable bugs. Thanks to Willem Pinckaers for notifying us of the
issue. The Common Vulnerabilities and Exposures project has assigned
CVE-2010-1676 to this issue.

We also took this opportunity to change the IP address for one of our
directory authorities, and to update the geoip database we ship.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.1.28 - 2010-12-17
Major bugfixes:

  • Fix a remotely exploitable bug that could be used to crash instances of Tor remotely by overflowing on the heap. Remote-code execution hasn't been confirmed, but can't be ruled out. Everyone should upgrade. Bugfix on the 0.1.1 series and later.

Directory authority changes:

  • Change IP address and ports for gabelmoo (v3 directory authority).

Minor features: read more »

November 2010 Progress Report

New Releases read more »

  • On November 16 we released the latest in the Tor -alpha series. Tor 0.2.2.18-alpha fixes several crash bugs that have been nagging us lately, makes unpublished bridge relays able to detect their IP address, and fixes a wide variety of other bugs to get us much closer to a stable release. https://blog.torproject.org/blog/tor-02218-alpha-available
  • On November 23, we released the latest in the Tor -stable series. Tor 0.2.1.27 makes relays work with OpenSSL 0.9.8p and 1.0.0.b --yet another OpenSSL security patch broke its compatibility with Tor. We also took this opportunity to fix several crash bugs, integrate a new directory authority, and update the bundled GeoIP database. https://blog.torproject.org/blog/tor-02127-released

New Tor Browser Bundle packages

Linux Bundles

Important: Polipo has been removed from the Linux Tor Browser Bundle. Please read the full changelog and report bugs if you have any problems.

1.1.0: Released 2010-12-13

  • Update Firefox to 3.6.13
  • Update NoScript to 2.0.7
  • Update HTTPS Everywhere to 0.9.9.development.1
    • This version of HTTPS-Everywhere is patched to include a fix for bug #2096 which
      prevented globally installed versions of the extension from working. It also
      includes better protection from Firesheep. See the changelog here:
      https://www.eff.org/files/Changelog.txt
  • Add Chris Davis's patch
    • This patch improves Firefox's SOCKS support and eliminates the need for Polipo, so read more »

Arm Release 1.4.0

in

After over a year it's about time that I announced an arm release so here it is! What's new since August of 2009, you ask? Lots. The project has been under very active development, continuing to add usability improvements to make relay operation nicer and less error prone. If you're really curious what I've been up to this last year then it's all available in the change log.

For those unfamiliar, arm is a terminal monitor for Tor relays and, to a growing extent, end users. It provides: read more »

  • resource usage (bandwidth, cpu, and memory usage)
  • general relaying information (nickname, fingerprint, flags, or/dir/controlports)
  • event log with optional regex filtering and deduplication
  • connections correlated against tor's consensus data (ip, connection types, relay details, etc)
  • an editor to quickly alter Tor's configuration

New Tor Browser Bundle packages

There are new browser bundles out with the updated Tor versions (0.2.2.19-alpha and 0.2.1.27) that work with the latest OpenSSL.

Windows Tor Browser Bundles
There were some controversial changes recently made to the Windows bundle, and for those I apologize. I have removed BetterPrivacy and NoScript from them pending further testing. The whole changelog:

1.3.13: Released 2010-11-25

  • update Tor to 0.2.1.27
  • update Pidgin to 2.7.5
  • update OpenSSL to 0.9.8p
  • fix Firefox extension install path so extensions show in the installed add-ons list
  • disable Firefox's ability to search the Windows registry path for system-wide
    plugins and extensions (closes: #2118)
  • remove NoScript and BetterPrivacy from stable bundle until they receive more
    testing

OS X and Linux bundles read more »

Tor 0.2.2.19-alpha is out

Yet another OpenSSL security patch broke its compatibility with Tor:
Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0.b.

https://www.torproject.org/download/download

The original announcement is at http://archives.seul.org/or/talk/Nov-2010/msg00172.html

Changes in version 0.2.2.19-alpha - 2010-11-21
Major bugfixes:

  • Resolve an incompatibility with openssl 0.9.8p and openssl 1.0.0b:
    No longer set the tlsext_host_name extension on server SSL objects;
    but continue to set it on client SSL objects. Our goal in setting
    it was to imitate a browser, not a vhosting server. Fixes bug 2204;
    bugfix on 0.2.1.1-alpha.
  • Minor bugfixes: read more »

  • Try harder not to exceed the maximum length of 50 KB when writing

Tor 0.2.1.27 is released.

Tor 0.2.1.27 makes relays work with OpenSSL 0.9.8p and 1.0.0.b --yet another OpenSSL security patch broke its compatibility with Tor. We also took this opportunity to fix several crash bugs, integrate a new directory authority, and update the bundled GeoIP database.

If you operate a relay, please upgrade.

https://www.torproject.org/download/download

The original release announcement is at
http://archives.seul.org/or/announce/Nov-2010/msg00000.html

Changes in version 0.2.1.27 - 2010-11-23
Major bugfixes: read more »

  • Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b: No longer set the tlsext_host_name extension on server SSL objects; but continue to set it on client SSL objects. Our goal in setting
    it was to imitate a browser, not a vhosting server. Fixes bug 2204; bugfix on 0.2.1.1-alpha.
Syndicate content