Posts by nickm

New alpha release: Tor 0.4.4.2-alpha

by nickm | July 9, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.4.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release around the end of the month.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the second alpha release in the 0.4.4.x series. It fixes a few bugs in the previous release, and solves a few usability, compatibility, and portability issues.

This release also fixes TROVE-2020-001, a medium-severity denial of service vulnerability affecting all versions of Tor when compiled with the NSS encryption library. (This is not the default configuration.) Using this vulnerability, an attacker could cause an affected Tor instance to crash remotely. This issue is also tracked as CVE-2020- 15572. Anybody running a version of Tor built with the NSS library should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha or later. If you're running with OpenSSL, this bug doesn't affect your Tor.

Changes in version 0.4.4.2-alpha - 2020-07-09

  • Major bugfixes (NSS, security):
    • Fix a crash due to an out-of-bound memory access when Tor is compiled with NSS support. Fixes bug 33119; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 and CVE-2020-15572.
  • Minor features (bootstrap reporting):
    • Report more detailed reasons for bootstrap failure when the failure happens due to a TLS error. Previously we would just call these errors "MISC" when they happened during read, and "DONE" when they happened during any other TLS operation. Closes ticket 32622.

 

New releases: Tor 0.3.5.11, 0.4.2.8, and 0.4.3.6 (with security fixes)

by nickm | July 9, 2020

We have new stable releases today. If you build Tor from source, you can download the source code for 0.4.3.6 on the website. Packages should be available within the next several weeks, with a new Tor Browser by the end of the month.

There are also updated versions for older supported series. You can download 0.3.5.11 and 0.4.2.8 at https://dist.torproject.org/.

These releases fix TROVE-2020-001, a medium-severity denial of service vulnerability affecting all versions of Tor when compiled with the NSS encryption library. (This is not the default configuration.) Using this vulnerability, an attacker could cause an affected Tor instance to crash remotely. This issue is also tracked as CVE-2020- 15572. Anybody running a version of Tor built with the NSS library should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha or later. (If you are running a version of Tor built with OpenSSL, this bug does not affect your installation.)

Tor 0.4.3.6 backports several bugfixes from later releases, including some affecting usability. Below are the changes in 0.4.3.6.  You can also read the changes in 0.3.5.11 and the changes in 0.4.2.8.

Changes in version 0.4.3.6 - 2020-07-09

  • Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    • Fix a crash due to an out-of-bound memory access when Tor is compiled with NSS support. Fixes bug 33119; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 and CVE-2020-15572.
  • Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    • Use the correct 64-bit printf format when compiling with MINGW on Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

 

New release: Tor 0.4.4.1-alpha

by nickm | June 16, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.4.1-alpha from the download page. Packages should be available over the coming weeks, with a new alpha Tor Browser release by early July.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the first alpha release in the 0.4.4.x series. It improves our guard selection algorithms, improves the amount of code that can be disabled when running without relay support, and includes numerous small bugfixes and enhancements. It also lays the ground for some IPv6 features that we'll be developing more in the next (0.4.5) series.

Here are the changes since 0.4.3.5.

Changes in version 0.4.4.1-alpha - 2020-06-16

  • Major features (Proposal 310, performance + security):
    • Implements Proposal 310, "Bandaid on guard selection". Proposal 310 solves load-balancing issues with older versions of the guard selection algorithm, and improves its security. Under this new algorithm, a newly selected guard never becomes Primary unless all previously sampled guards are unreachable. Implements recommendation from 32088. (Proposal 310 is linked to the CLAPS project researching optimal client location-aware path selections. This project is a collaboration between the UCLouvain Crypto Group, the U.S. Naval Research Laboratory, and Princeton University.)
  • Major features (IPv6, relay):
    • Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol warning if the IPv4 or IPv6 address is an internal address, and internal addresses are not allowed. But continue to use the other address, if it is valid. Closes ticket 33817.
    • If a relay can extend over IPv4 and IPv6, and both addresses are provided, it chooses between them uniformly at random. Closes ticket 33817.
    • Re-use existing IPv6 connections for circuit extends. Closes ticket 33817.
    • Relays may extend circuits over IPv6, if the relay has an IPv6 ORPort, and the client supplies the other relay's IPv6 ORPort in the EXTEND2 cell. IPv6 extends will be used by the relay IPv6 ORPort self-tests in 33222. Closes ticket 33817.

 

New Release Candidate: Tor 0.4.3.4-rc

by nickm | April 13, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.4-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely later this week.

This is a release candidate: unless we find new significant bugs in it, the stable release for the 0.4.3.x series will be substantially the same as this release.

Tor 0.4.3.4-rc is the first release candidate in its series. It fixes several bugs from earlier versions, including one affecting DoS defenses on bridges using pluggable transports.

Changes in version 0.4.3.4-rc - 2020-04-13

  • Major bugfixes (DoS defenses, bridges, pluggable transport):
    • Fix a bug that was preventing DoS defenses from running on bridges with a pluggable transport. Previously, the DoS subsystem was not given the transport name of the client connection, thus failed to find the GeoIP cache entry for that client address. Fixes bug 33491; bugfix on 0.3.3.2-alpha.
  • Minor feature (sendme, flow control):
    • Default to sending SENDME version 1 cells. (Clients are already sending these, because of a consensus parameter telling them to do so: this change only affects what clients would do if the consensus didn't contain a recommendation.) Closes ticket 33623.

 

New Release: Tor 0.4.3.3-alpha (with security fixes!)

by nickm | March 18, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.3-alpha from the download page on the website. Packages should be available over the coming days, including a new alpha Tor Browser.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor instances to consume a huge amount of CPU, disrupting their operations for several seconds or minutes. This attack could be launched by anybody against a relay, or by a directory cache against any client that had connected to it. The attacker could launch this attack as much as they wanted, thereby disrupting service or creating patterns that could aid in traffic analysis. This issue was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

We do not have reason to believe that this attack is currently being exploited in the wild, but nonetheless we advise everyone to upgrade as soon as packages are available.

There are also new stable releases coming out today; I'll describe them in an upcoming post.

Changes in version 0.4.3.3-alpha - 2020-03-18

  • Major bugfixes (security, denial-of-service):
    • Fix a denial-of-service bug that could be used by anyone to consume a bunch of CPU on any Tor relay or authority, or by directories to consume a bunch of CPU on clients or hidden services. Because of the potential for CPU consumption to introduce observable timing patterns, we are treating this as a high-severity security issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue as TROVE-2020-002 and CVE-2020-10592.
  • Major bugfixes (circuit padding, memory leak):
    • Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. This is also tracked as TROVE-2020-004 and CVE-2020-10593.

 

New Alpha Release: Tor 0.4.3.2-alpha

by nickm | February 11, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the coming week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade and look for bugs in this one instead.

Changes in version 0.4.3.2-alpha - 2020-02-10

  • Major bugfixes (onion service client, authorization):
    • On a NEWNYM signal, purge entries from the ephemeral client authorization cache. The permanent ones are kept. Fixes bug 33139; bugfix on 0.4.3.1-alpha.
  • Minor features (best practices tracker):
    • Practracker now supports a --regen-overbroad option to regenerate the exceptions file, but only to revise exceptions to be _less_ tolerant of best-practices violations. Closes ticket 32372.

 

New releases: Tor 0.4.2.6 and 0.4.1.8

by nickm | January 30, 2020

We have two new stable releases today. If you build Tor from source, you can download the source code for 0.4.2.6 from the download page on our website. Packages should be available within the next several weeks, with a new Tor Browser by mid-February.

New Alpha Release: Tor 0.4.3.1-alpha

by nickm | January 23, 2020

This is the first alpha release in the 0.4.3.x series. It includes improved support for application integration of onion services, support for building in a client-only mode, and newly improved internal documentation (online at https://src-ref.docs.torproject.org/tor/). It also has numerous other small bugfixes and features, as well as improvements to our code's internal organization that should help us write better code in the future.