New Release: Tor 0.4.3.3-alpha (with security fixes!)
nickm March 18, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.3-alpha from the download page on the website. Packages should be available over the coming days, including a new alpha Tor Browser.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor instances to consume a huge amount of CPU, disrupting their operations for several seconds or minutes. This attack could be launched by anybody against a relay, or by a directory cache against any client that had connected to it. The attacker could launch this attack as much as they wanted, thereby disrupting service or creating patterns that could aid in traffic analysis. This issue was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

We do not have reason to believe that this attack is currently being exploited in the wild, but nonetheless we advise everyone to upgrade as soon as packages are available.

There are also new stable releases coming out today; I'll describe them in an upcoming post.

Changes in version 0.4.3.3-alpha - 2020-03-18

  • Major bugfixes (security, denial-of-service):
    • Fix a denial-of-service bug that could be used by anyone to consume a bunch of CPU on any Tor relay or authority, or by directories to consume a bunch of CPU on clients or hidden services. Because of the potential for CPU consumption to introduce observable timing patterns, we are treating this as a high-severity security issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue as TROVE-2020-002 and CVE-2020-10592.
  • Major bugfixes (circuit padding, memory leak):
    • Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. This is also tracked as TROVE-2020-004 and CVE-2020-10593.

 

New Alpha Release: Tor 0.4.3.2-alpha

by nickm | February 10, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the coming week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade and look for bugs in this one instead.

Changes in version 0.4.3.2-alpha - 2020-02-10

  • Major bugfixes (onion service client, authorization):
    • On a NEWNYM signal, purge entries from the ephemeral client authorization cache. The permanent ones are kept. Fixes bug 33139; bugfix on 0.4.3.1-alpha.
  • Minor features (best practices tracker):
    • Practracker now supports a --regen-overbroad option to regenerate the exceptions file, but only to revise exceptions to be _less_ tolerant of best-practices violations. Closes ticket 32372.

 

New Alpha Release: Tor 0.4.3.1-alpha

by nickm | January 22, 2020

This is the first alpha release in the 0.4.3.x series. It includes improved support for application integration of onion services, support for building in a client-only mode, and newly improved internal documentation (online at https://src-ref.docs.torproject.org/tor/). It also has numerous other small bugfixes and features, as well as improvements to our code's internal organization that should help us write better code in the future.

New alpha release: Tor 0.4.2.2-alpha

by nickm | October 07, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.2.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the next couple of weeks.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This release fixes several bugs from the previous alpha release, and from earlier versions. It also includes a change in authorities, so that they begin to reject the currently unsupported release series.

Changes in version 0.4.2.2-alpha - 2019-10-07

  • Major features (directory authorities):
    • Directory authorities now reject relays running all currently deprecated release series. The currently supported release series are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
  • Major bugfixes (embedded Tor):
    • Avoid a possible crash when restarting Tor in embedded mode and enabling a different set of publish/subscribe messages. Fixes bug 31898; bugfix on 0.4.1.1-alpha.

 

New Release: Tor 0.4.2.1-alpha

by nickm | September 17, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.2.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release in the next couple of weeks.

New alpha release: Tor 0.4.1.3-alpha

by nickm | June 25, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.1.3-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely in the next couple of weeks.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.1.3-alpha resolves numerous bugs left over from the previous alpha, most of them from earlier release series.

Changes in version 0.4.1.3-alpha - 2019-06-25

  • Major bugfixes (Onion service reachability):
    • Properly clean up the introduction point map when circuits change purpose from onion service circuits to pathbias, measurement, or other circuit types. This should fix some service-side instances of introduction point failure. Fixes bug 29034; bugfix on 0.3.2.1-alpha.
  • Minor features (geoip):
    • Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2 Country database. Closes ticket 30852.

 

New alpha release: Tor 0.4.1.2-alpha

by nickm | June 06, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.1.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by some time next week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.1.2-alpha resolves numerous bugs--some of them from the previous alpha, and some much older. It also contains minor testing improvements, and an improvement to the security of our authenticated SENDME implementation.

Changes in version 0.4.1.2-alpha - 2019-06-06

  • Major bugfixes (bridges):
    • Consider our directory information to have changed when our list of bridges changes. Previously, Tor would not re-compute the status of its directory information when bridges changed, and therefore would not realize that it was no longer able to build circuits. Fixes part of bug 29875.
    • Do not count previously configured working bridges towards our total of working bridges. Previously, when Tor's list of bridges changed, it would think that the old bridges were still usable, and delay fetching router descriptors for the new ones. Fixes part of bug 29875; bugfix on 0.3.0.1-alpha.
  • Major bugfixes (flow control, SENDME):
    • Decrement the stream-level package window after packaging a cell. Previously, it was done inside a log_debug() call, meaning that if debug logs were not enabled, the decrement would never happen, and thus the window would be out of sync with the other end point. Fixes bug 30628; bugfix on 0.4.1.1-alpha.

 

New alpha release: Tor 0.4.1.1-alpha

by nickm | May 22, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.1.1-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release in the next couple of weeks.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

This is the first alpha in the 0.4.1.x series. It introduces lightweight circuit padding to make some onion-service circuits harder to distinguish, includes a new "authenticated SENDME" feature to make certain denial-of-service attacks more difficult, and improves performance in several areas.

Changes in version 0.4.1.1-alpha - 2019-05-22

  • Major features (circuit padding):
    • Onion service clients now add padding cells at the start of their INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic look more like general purpose Exit traffic. The overhead for this is 2 extra cells in each direction for RENDEZVOUS circuits, and 1 extra upstream cell and 10 downstream cells for INTRODUCE circuits. This feature is only enabled when also supported by the circuit's middle node. (Clients may specify fixed middle nodes with the MiddleNodes option, and may force-disable this feature with the CircuitPadding torrc.) Closes ticket 28634.
  • Major features (code organization):
    • Tor now includes a generic publish-subscribe message-passing subsystem that we can use to organize intermodule dependencies. We hope to use this to reduce dependencies between modules that don't need to be related, and to generally simplify our codebase. Closes ticket 28226.

 

New release: Tor 0.4.0.3-alpha

by nickm | March 22, 2019

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.3-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in the coming weeks.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.0.3-alpha is the third in its series; it fixes several small bugs from earlier versions.

Changes in version 0.4.0.3-alpha - 2019-03-22

  • Minor features (address selection):
    • Treat the subnet 100.64.0.0/10 as public for some purposes; private for others. This subnet is the RFC 6598 (Carrier Grade NAT) IP range, and is deployed by many ISPs as an alternative to RFC 1918 that does not break existing internal networks. Tor now blocks SOCKS and control ports on these addresses and warns users if client ports or ExtORPorts are listening on a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan.
  • Minor features (geoip):
    • Update geoip and geoip6 to the March 4 2019 Maxmind GeoLite2 Country database. Closes ticket 29666.