New release candidate: Tor 0.4.5.5-rc
There's a new release candidate available for download. If you build Tor from source, you can...
Posts by nickm
New release candidate: Tor 0.4.5.4-rc
There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.5.4-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely around this coming Tuesday.
Tor 0.4.5.4-rc is the second release candidate in its series. It fixes several bugs present in previous releases.
We expect that the stable release will be the same, or almost the same, as this release candidate, unless serious bugs are found.
Changes in version 0.4.5.4-rc - 2021-01-22
- Major bugfixes (authority, IPv6):
- Do not consider multiple relays in the same IPv6 /64 network to be sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.
- Major bugfixes (directory cache, performance, windows):
- Limit the number of items in the consensus diff cache to 64 on Windows. We hope this will mitigate an issue where Windows relay operators reported Tor using 100% CPU, while we investigate better solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.
New release candidate: Tor 0.4.5.3-rc
There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.5.3-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release in 3-4 days.
We're getting closer and closer to stable here, so I hope that people will try this one out and report any bugs they find.
Tor 0.4.5.3-rc is the first release candidate in its series. It fixes several bugs, including one that broke onion services on certain older ARM CPUs, and another that made v3 onion services less reliable.
Though we anticipate that we'll be doing a bit more clean-up between now and the stable release, we expect that our remaining changes will be fairly simple. There will be at least one more release candidate before 0.4.5.x is stable.
Changes in version 0.4.5.3-rc - 2021-01-12
- Major bugfixes (onion service v3):
- Stop requiring a live consensus for v3 clients and services, and allow a "reasonably live" consensus instead. This allows v3 onion services to work even if the authorities fail to generate a consensus for more than 2 hours in a row. Fixes bug 40237; bugfix on 0.3.5.1-alpha.
- Minor features (crypto):
- Fix undefined behavior on our Keccak library. The bug only appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) and would result in wrong digests. Fixes bug 40210; bugfix on 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and weasel for diagnosing this.
New alpha release: Tor 0.4.5.2-alpha
*Note: The Tor Project's postal address has changed since this post was published. Find the most current address in our FAQ.
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.5.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by mid-December.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. It fixes several bugs present in earlier releases, including one that made it impractical to run relays on Windows. It also adds a few small safety features to improve Tor's behavior in the presence of strange compile-time options, misbehaving proxies, and future versions of OpenSSL.
Changes in version 0.4.5.2-alpha - 2020-11-23
- Major bugfixes (relay, windows):
- Fix a bug in our implementation of condition variables on Windows. Previously, a relay on Windows would use 100% CPU after running for some time. Because of this change, Tor now require Windows Vista or later to build and run. Fixes bug 30187; bugfix on 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with the introduction of consensus diffs.) Patch by Daniel Pinto.
- Minor features (compilation):
- Disable deprecation warnings when building with OpenSSL 3.0.0 or later. There are a number of APIs newly deprecated in OpenSSL 3.0.0 that Tor still requires. (A later version of Tor will try to stop depending on these APIs.) Closes ticket 40165.
New Releases: Tor 0.3.5.12, 0.4.3.7, and 0.4.4.6
We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.
We've also released 0.3.5.12 (changelog) and 0.4.3.7 (changelog) today. You can find the source for them at https://dist.torproject.org/, along with older releases.
Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- 005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.
Changes in version 0.4.4.6 - 2020-11-12
- Major bugfixes (security, backport from 0.4.5.1-alpha):
- When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
- Minor features (directory authorities, backport from 0.4.5.1-alpha):
- Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
- Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.
New alpha release: Tor 0.4.5.1-alpha
There's a new alpha release available for download. If you build Tor from source, you can download the source code for Tor 0.4.5.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time this month, assuming we get #40172 figured out.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual. We'll be trying to put out putting out stable backport releases in the next week or so.
Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It improves support for IPv6, address discovery and self-testing, code metrics and tracing.
This release also fixes TROVE-2020-005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay. To mount this attack, the adversary would need to actively extend circuits to an incorrect address, as well as compromise a relay's legacy RSA-1024 key. We'll be backporting this fix to other release series soon, after it has had some testing.
Here are the changes since 0.4.4.5.
Changes in version 0.4.5.1-alpha - 2020-11-01
- Major features (build):
- When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
- Major features (metrics):
- Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.
New Release: Tor 0.4.4.5
After months of work, we have a new stable release series!
If you build Tor from source, you can download the source
code for 0.4.4.5 on the
download page.
Packages should be available within the next several weeks, with a new Tor Browser by some time next week.
Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This series improves our guard selection algorithms, adds v3 onion balance support, improves the amount of code that can be disabled when running without relay support, and includes numerous small bugfixes and enhancements. It also lays the ground for some IPv6 features that we'll be developing more in the next (0.4.5) series.
Per our support policy, we support each stable release series for nine months after its first stable release, or three months after the first stable release of the next series: whichever is longer. This means that 0.4.4.x will be supported until around June 2021--or later, if 0.4.5.x is later than anticipated.
Note also that support for 0.4.2.x has just ended; support for 0.4.3 will continue until Feb 15, 2021. We still plan to continue supporting 0.3.5.x, our long-term stable series, until Feb 2022.
Below are the changes since 0.4.3.6-rc. For a complete list of changes since 0.4.4.4-rc, see the ChangeLog file.
Changes in version 0.4.4.5 - 2020-09-15
- Major features (Proposal 310, performance + security):
- Implements Proposal 310, "Bandaid on guard selection". Proposal 310 solves load-balancing issues with older versions of the guard selection algorithm, and improves its security. Under this new algorithm, a newly selected guard never becomes Primary unless all previously sampled guards are unreachable. Implements recommendation from 32088. (Proposal 310 is linked to the CLAPS project researching optimal client location-aware path selections. This project is a collaboration between the UCLouvain Crypto Group, the U.S. Naval Research Laboratory, and Princeton University.)
- Major features (fallback directory list):
- Replace the 148 fallback directories originally included in Tor 0.4.1.4-rc (of which around 105 are still functional) with a list of 144 fallbacks generated in July 2020. Closes ticket 40061.
New release candidate: 0.4.4.4-rc
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.4.4-rc from the download page. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the coming weeks.
Remember, this is a release candidate, not a a stable release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.4.4-rc is the first release candidate in its series. It fixes several bugs in previous versions, including some that caused annoying behavior for relay and bridge operators.
Changes in version 0.4.4.4-rc - 2020-08-13
- Minor features (security):
- Channels using obsolete versions of the Tor link protocol are no longer allowed to circumvent address-canonicity checks. (This is only a minor issue, since such channels have no way to set ed25519 keys, and therefore should always be rejected for circuits that specify ed25519 identities.) Closes ticket 40081.
- Minor features (defense in depth):
- Wipe more data from connection address fields before returning them to the memory heap. Closes ticket 6198.
New alpha release: Tor 0.4.4.3-alpha
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.4.3-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by mid-August.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.4.3-alpha fixes several annoyances in previous versions, including one affecting NSS users, and several affecting the Linux seccomp2 sandbox.
Changes in version 0.4.4.3-alpha - 2020-07-27
- Major features (fallback directory list):
- Replace the 148 fallback directories originally included in Tor 0.4.1.4-rc (of which around 105 are still functional) with a list of 144 fallbacks generated in July 2020. Closes ticket 40061.
- Major bugfixes (NSS):
- When running with NSS enabled, make sure that NSS knows to expect nonblocking sockets. Previously, we set our TCP sockets as nonblocking, but did not tell NSS, which in turn could lead to unexpected blocking behavior. Fixes bug 40035; bugfix on 0.3.5.1-alpha.
New alpha release: Tor 0.4.4.2-alpha
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.4.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release around the end of the month.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
This is the second alpha release in the 0.4.4.x series. It fixes a few bugs in the previous release, and solves a few usability, compatibility, and portability issues.
This release also fixes TROVE-2020-001, a medium-severity denial of service vulnerability affecting all versions of Tor when compiled with the NSS encryption library. (This is not the default configuration.) Using this vulnerability, an attacker could cause an affected Tor instance to crash remotely. This issue is also tracked as CVE-2020- 15572. Anybody running a version of Tor built with the NSS library should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha or later. If you're running with OpenSSL, this bug doesn't affect your Tor.
Changes in version 0.4.4.2-alpha - 2020-07-09
- Major bugfixes (NSS, security):
- Fix a crash due to an out-of-bound memory access when Tor is compiled with NSS support. Fixes bug 33119; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 and CVE-2020-15572.
- Minor features (bootstrap reporting):
- Report more detailed reasons for bootstrap failure when the failure happens due to a TLS error. Previously we would just call these errors "MISC" when they happened during read, and "DONE" when they happened during any other TLS operation. Closes ticket 32622.