Posts in category releases

New release candidate: Tor 0.4.6.3-rc

by nickm | May 10, 2021

There's a new release candidate available for download. If you build Tor from source, you can download the source code for Tor 0.4.6.3-rc from the download page on the website. Packages should be available over the coming weeks, with a new Tor Browser release likely next week.

Tor 0.4.6.3-rc is the first release candidate in its series. It fixes a few small bugs from previous versions, and adds a better error message when trying to use (no longer supported) v2 onion services.

Though we anticipate that we'll be doing a bit more clean-up between now and the stable release, we expect that our remaining changes will be fairly simple. There will likely be at least one more release candidate before 0.4.6.x is stable.

Changes in version 0.4.6.3-rc - 2021-05-10

  • Major bugfixes (onion service, control port):
    • Make the ADD_ONION command properly configure client authorization. Before this fix, the created onion failed to add the client(s). Fixes bug 40378; bugfix on 0.4.6.1-alpha.
  • Minor features (compatibility, Linux seccomp sandbox):
    • Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.

 

New release: Tor 0.4.5.8

by nickm | May 10, 2021

We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.4.5.8 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes from the 0.4.6.x series.

Changes in version 0.4.5.8 - 2021-05-10

  • Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
    • Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.
  • Minor features (compilation, backport from 0.4.6.3-rc):
    • Make the autoconf script build correctly with autoconf versions 2.70 and later. Closes part of ticket 40335.

 

New Alpha Release: Tor 0.4.6.2-alpha

by nickm | April 15, 2021

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.6.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely some time next week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several small bugs in previous releases, and solves other issues that had enabled denial-of-service attacks and affected integration with other tools.

Changes in version 0.4.6.2-alpha - 2021-04-15

  • Minor features (client):
    • Clients now check whether their streams are attempting to re-enter the Tor network (i.e. to send Tor traffic over Tor), and close them preemptively if they think exit relays will refuse them for this reason. See ticket 2667 for details. Closes ticket 40271.
  • Minor features (command line):
    • Add long format name "--torrc-file" equivalent to the existing command-line option "-f". Closes ticket 40324. Patch by Daniel Pinto.

 

New Alpha Release: Tor 0.4.6.1-alpha

by nickm | March 18, 2021

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.6.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely next week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It improves client circuit performance, adds missing features, and improves some of our DoS handling and statistics reporting. It also includes numerous smaller bugfixes.

Below are the changes since 0.4.5.7. (Note that this release DOES include the fixes for the security bugs already fixed in 0.4.5.7.)

Changes in version 0.4.6.1-alpha - 2021-03-18

  • Major features (control port, onion services):
    • Add controller support for creating version 3 onion services with client authorization. Previously, only v2 onion services could be created with client authorization. Closes ticket 40084. Patch by Neel Chauhan.
  • Major features (directory authorityl):
    • When voting on a relay with a Sybil-like appearance, add the Sybil flag when clearing out the other flags. This lets a relay operator know why their relay hasn't been included in the consensus. Closes ticket 40255. Patch by Neel Chauhan.

 

New Release: Tor 0.4.5.6

by nickm | February 15, 2021

After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.5.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

The Tor 0.4.5.x release series is dedicated to the memory of Karsten Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. Karsten is best known for creating the Tor metrics portal and leading the metrics team, but he was involved in Tor from the early days. For example, while he was still a student he invented and implemented the v2 onion service directory design, and he also served as an ambassador to the many German researchers working in the anonymity field. We loved him and respected him for his patience, his consistency, and his welcoming approach to growing our community.

This release series introduces significant improvements in relay IPv6 address discovery, a new "MetricsPort" mechanism for relay operators to measure performance, LTTng support, build system improvements to help when using Tor as a static library, and significant bugfixes related to Windows relay performance. It also includes numerous smaller features and bugfixes.

Below are the changes since 0.4.4.7. For a list of changes since 0.4.5.5-rc, see the ChangeLog file.

Changes in version 0.4.5.6 - 2021-02-15

  • Major features (build):
    • When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
  • Major features (metrics):
    • Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.

 

New releases: Tor 0.3.5.13, 0.4.3.8, and 0.4.4.7

by nickm | February 3, 2021

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser later this month.

We're also releasing updates for older stable release series. You can download 0.3.5.13 (changelog) and 0.4.3.8 (changelog) from dist.torproject.org. Note that the 0.4.3.x series will no longer be supported after 15 February.

Tor 0.4.4.7 backports numerous bugfixes from later releases, including one that made v3 onion services more susceptible to denial-of-service attacks, and a feature that makes some kinds of DoS attacks harder to perform.

Changes in version 0.4.4.7 - 2021-02-03

  • Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    • Stop requiring a live consensus for v3 clients and services, and allow a "reasonably live" consensus instead. This allows v3 onion services to work even if the authorities fail to generate a consensus for more than 2 hours in a row. Fixes bug 40237; bugfix on 0.3.5.1-alpha.
  • Major feature (exit, backport from 0.4.5.5-rc):
    • Re-entry into the network is now denied at the Exit level to all relays' ORPorts and authorities' ORPorts and DirPorts. This change should help mitgate a set of denial-of-service attacks. Closes ticket 2667.

 

New release candidate: Tor 0.4.5.4-rc

by nickm | January 22, 2021

There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.5.4-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely around this coming Tuesday.

Tor 0.4.5.4-rc is the second release candidate in its series. It fixes several bugs present in previous releases.

We expect that the stable release will be the same, or almost the same, as this release candidate, unless serious bugs are found.

Changes in version 0.4.5.4-rc - 2021-01-22

  • Major bugfixes (authority, IPv6):
    • Do not consider multiple relays in the same IPv6 /64 network to be sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.
  • Major bugfixes (directory cache, performance, windows):
    • Limit the number of items in the consensus diff cache to 64 on Windows. We hope this will mitigate an issue where Windows relay operators reported Tor using 100% CPU, while we investigate better solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

 

New release candidate: Tor 0.4.5.3-rc

by nickm | January 12, 2021

There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.5.3-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release in 3-4 days.

We're getting closer and closer to stable here, so I hope that people will try this one out and report any bugs they find.

Tor 0.4.5.3-rc is the first release candidate in its series. It fixes several bugs, including one that broke onion services on certain older ARM CPUs, and another that made v3 onion services less reliable.

Though we anticipate that we'll be doing a bit more clean-up between now and the stable release, we expect that our remaining changes will be fairly simple. There will be at least one more release candidate before 0.4.5.x is stable.

Changes in version 0.4.5.3-rc - 2021-01-12

  • Major bugfixes (onion service v3):
    • Stop requiring a live consensus for v3 clients and services, and allow a "reasonably live" consensus instead. This allows v3 onion services to work even if the authorities fail to generate a consensus for more than 2 hours in a row. Fixes bug 40237; bugfix on 0.3.5.1-alpha.
  • Minor features (crypto):
    • Fix undefined behavior on our Keccak library. The bug only appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) and would result in wrong digests. Fixes bug 40210; bugfix on 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and weasel for diagnosing this.

 

New alpha release: Tor 0.4.5.2-alpha

by nickm | November 23, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.5.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by mid-December.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. It fixes several bugs present in earlier releases, including one that made it impractical to run relays on Windows. It also adds a few small safety features to improve Tor's behavior in the presence of strange compile-time options, misbehaving proxies, and future versions of OpenSSL.

Changes in version 0.4.5.2-alpha - 2020-11-23

  • Major bugfixes (relay, windows):
    • Fix a bug in our implementation of condition variables on Windows. Previously, a relay on Windows would use 100% CPU after running for some time. Because of this change, Tor now require Windows Vista or later to build and run. Fixes bug 30187; bugfix on 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with the introduction of consensus diffs.) Patch by Daniel Pinto.
  • Minor features (compilation):
    • Disable deprecation warnings when building with OpenSSL 3.0.0 or later. There are a number of APIs newly deprecated in OpenSSL 3.0.0 that Tor still requires. (A later version of Tor will try to stop depending on these APIs.) Closes ticket 40165.

 

New Releases: Tor 0.3.5.12, 0.4.3.7, and 0.4.4.6

by nickm | November 12, 2020

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

We've also released 0.3.5.12 (changelog) and 0.4.3.7 (changelog) today. You can find the source for them at https://dist.torproject.org/, along with older releases.

Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- 005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.

Changes in version 0.4.4.6 - 2020-11-12

  • Major bugfixes (security, backport from 0.4.5.1-alpha):
    • When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
  • Minor features (directory authorities, backport from 0.4.5.1-alpha):
    • Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
    • Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.