There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.3-alpha from the download page on the website. Packages should be available over the coming days, including a new alpha Tor Browser.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor instances to consume a huge amount of CPU, disrupting their operations for several seconds or minutes. This attack could be launched by anybody against a relay, or by a directory cache against any client that had connected to it. The attacker could launch this attack as much as they wanted, thereby disrupting service or creating patterns that could aid in traffic analysis. This issue was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.
We do not have reason to believe that this attack is currently being exploited in the wild, but nonetheless we advise everyone to upgrade as soon as packages are available.
There are also new stable releases coming out today; I'll describe them in an upcoming post.
Changes in version 0.4.3.3-alpha - 2020-03-18
Major bugfixes (security, denial-of-service):
Fix a denial-of-service bug that could be used by anyone to consume a bunch of CPU on any Tor relay or authority, or by directories to consume a bunch of CPU on clients or hidden services. Because of the potential for CPU consumption to introduce observable timing patterns, we are treating this as a high-severity security issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue as TROVE-2020-002 and CVE-2020-10592.
Major bugfixes (circuit padding, memory leak):
Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. This is also tracked as TROVE-2020-004 and CVE-2020-10593.
We have new releases today. If you build Tor from source, you can download the source code for 0.4.2.7 from the download page on the website. Packages should be available within the next several days, including a new Tor Browser.
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the coming week.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade and look for bugs in this one instead.
Changes in version 0.4.3.2-alpha - 2020-02-10
Major bugfixes (onion service client, authorization):
On a NEWNYM signal, purge entries from the ephemeral client authorization cache. The permanent ones are kept. Fixes bug 33139; bugfix on 0.4.3.1-alpha.
Minor features (best practices tracker):
Practracker now supports a --regen-overbroad option to regenerate the exceptions file, but only to revise exceptions to be _less_ tolerant of best-practices violations. Closes ticket 32372.
We have two new stable releases today. If you build Tor from source, you can download the source code for 0.4.2.6 from the download page on our website. Packages should be available within the next several weeks, with a new Tor Browser by mid-February.
This is the first alpha release in the 0.4.3.x series. It includes improved support for application integration of onion services, support for building in a client-only mode, and newly improved internal documentation (online at https://src-ref.docs.torproject.org/tor/). It also has numerous other small bugfixes and features, as well as improvements to our code's internal organization that should help us write better code in the future.
So far, we’ve marked 77 tickets with BugSmashFund. As of today, 56 of those tickets have been closed, and 21 of them are still in progress. With this reserve, we’ve been able to fix bugs and complete necessary maintenance on core tor, bridgedb, Snowflake, and Metrics, as well as complete the Tor Browser ESR 68 migration.
Ater months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.2.5 on the website. Packages should be available within the next several weeks, with a new Tor Browser around January 7.
There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.2.4-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by December 3.
Remember, this is a release candidate: there may still be more bugs here than usual. We'd love to know about any new ones, so that we can try to get them fixed before we call this series stable.
Tor 0.4.2.4-rc is the first release candidate in its series. It fixes several bugs from earlier versions, including a few that would result in stack traces or incorrect behavior.
Changes in version 0.4.2.4-rc - 2019-11-15
Minor features (build system):
Make pkg-config use --prefix when cross-compiling, if PKG_CONFIG_PATH is not set. Closes ticket 32191.
Minor features (geoip):
Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2 Country database. Closes ticket 32440.
