Hello again! This post announces the fourth alpha in the 0.3.1.x series, which we just released today. There's a stable release too; I'll mention that in the next post.
Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha.
This release also fixes several other bugs introduced in 0.3.0.x and 0.3.1.x, including others that can affect bandwidth usage and correctness.
Since this is an alpha release, you can expect more bugs than usual. If you'd rather have a more stable experience, stick to the stable releases.
If you build Tor from source, you can find Tor 0.3.1.4-alpha at the usual place (at the Download page on our website). Otherwise, you'll probably want to wait until packages are available. There should be a new Tor Browser release early next week.
Changes in version 0.3.1.4-alpha - 2017-06-29
- New dependencies:
- To build with zstd and lzma support, Tor now requires the pkg-config tool at build time. (This requirement was new in 0.3.1.1-alpha, but was not noted at the time. Noting it here to close ticket 22623.)
- Major bugfixes (path selection, security):
- When choosing which guard to use for a circuit, avoid the exit's family along with the exit itself. Previously, the new guard selection logic avoided the exit, but did not consider its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016- 006 and CVE-2017-0377.