alpha releases

Alpha Bundles Available for Testing

There are new alpha Tor Browser Bundles and Vidalia Bundles available for testing!

These bundles include the latest Vidalia 0.3.1 alpha release and Tor

Right now they are technology previews, so they aren't on the main download page yet, but please try them out and give us feedback in our bug tracker.

Download links


Mac OS X


There are also normal Vidalia bundles available for Windows and 32-bit non-ppc OS X (10.5 and up) here:


Mac OS X

Tor is out (security fix)

Tor fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered

Changes in version - 2011-12-16

Major bugfixes

  • Fix a heap overflow bug that could occur when trying to pull
    data into the first chunk of a buffer, when that chunk had
    already had some data drained from it. Fixes CVE-2011-2778;
    bugfix on Reported by "Vektor".
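The miscalculation described in the release announcement and in the entry above, as an added illustration that is not Tor's source code: a simplified single-chunk model in which `chunk_t`, its fixed 16-byte size and all function names are assumptions. It contrasts a free-space calculation that ignores how far the live data has moved from the start of the allocation with one that accounts for that offset and repacks before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified chunk of a chunked I/O buffer (not Tor's struct).
 * `data` points into `mem`; bytes in front of `data` were already drained. */
#define CHUNK_MEMLEN 16

typedef struct chunk {
    size_t datalen;                  /* live bytes starting at `data` */
    unsigned char *data;             /* start of live bytes, inside `mem` */
    unsigned char mem[CHUNK_MEMLEN]; /* the heap allocation in a real buffer */
} chunk_t;

static void chunk_init(chunk_t *c, const void *src, size_t n)
{
    if (n > CHUNK_MEMLEN)
        n = CHUNK_MEMLEN;
    c->data = c->mem;
    c->datalen = n;
    memcpy(c->mem, src, n);
}

/* Draining from the front moves `data` forward: the chunk is now
 * "misaligned" relative to the start of its allocation. */
static void chunk_drain(chunk_t *c, size_t n)
{
    if (n > c->datalen)
        n = c->datalen;
    c->data += n;
    c->datalen -= n;
}

/* Flawed calculation: treats every byte not holding live data as writable
 * space after the data, ignoring the drained gap in front of `data`. */
size_t tail_space_naive(const chunk_t *c)
{
    return CHUNK_MEMLEN - c->datalen;
}

/* Correct calculation: only bytes after data+datalen can be appended to. */
size_t tail_space(const chunk_t *c)
{
    size_t offset = (size_t)(c->data - c->mem);
    return CHUNK_MEMLEN - offset - c->datalen;
}

/* Append n bytes so the chunk's data stays contiguous. Repack (move the
 * live bytes to the front) when the tail is too small; refuse when the
 * bytes cannot fit even after repacking. Returns 0 on success, -1 if not. */
int chunk_pull_in(chunk_t *c, const unsigned char *src, size_t n)
{
    if (n > CHUNK_MEMLEN - c->datalen)
        return -1;
    if (n > tail_space(c)) {
        memmove(c->mem, c->data, c->datalen);
        c->data = c->mem;
    }
    memcpy(c->data + c->datalen, src, n);
    c->datalen += n;
    return 0;
}

int main(void)
{
    chunk_t c;
    int rc;

    chunk_init(&c, "ABCDEFGHIJKL", 12);  /* constructed sample data */
    chunk_drain(&c, 8);                  /* 4 live bytes at offset 8 */

    /* The naive figure claims 12 free bytes; only 4 exist after the data.
     * Copying 10 bytes on the strength of the naive figure would run
     * 6 bytes past the end of `mem`. */
    printf("naive=%zu actual=%zu\n", tail_space_naive(&c), tail_space(&c));

    rc = chunk_pull_in(&c, (const unsigned char *)"0123456789", 10);
    printf("pull_in=%d datalen=%zu\n", rc, c.datalen);
    return 0;
}
```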

Minor bugfixes

  • If we can't attach streams to a rendezvous circuit when we
    finish connecting to a hidden service, clear the rendezvous
    circuit's stream-isolation state and try to attach streams
    again. Previously, we cleared rendezvous circuits' isolation
    state either too early (if they were freshly built) or not at all
    (if they had been built earlier and were cannibalized). Bugfix on; fixes bug 4655.
  • Fix compilation of the libnatpmp helper on non-Windows. Bugfix on; fixes bug 4691. Reported by Anthony G. Basile.
  • Fix an assertion failure when a relay with accounting enabled
    starts up while dormant. Fixes bug 4702; bugfix on

Minor features

  • Update to the December 6 2011 Maxmind GeoLite Country database.

Tor is out

Tor fixes some crash and assert bugs, including a
socketpair-related bug that has been bothering Windows users. It adds
support to serve microdescriptors to controllers, so Vidalia's network
map can resume listing relays (once Vidalia implements its side),
and adds better support for hardware AES acceleration. Finally, it
starts the process of adjusting the bandwidth cutoff for getting the
"Fast" flag from 20KB to (currently) 32KB -- preliminary results show
that tiny relays harm performance more than they help network capacity.

Changes in version - 2011-11-22
Major bugfixes:

  • Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
    that it doesn't attempt to allocate a socketpair. This could cause
    some problems on Windows systems with overzealous firewalls. Fix for
    bug 4457; workaround for Libevent versions 2.0.1-alpha through
  • Correctly sanity-check that we don't underflow on a memory
    allocation (and then assert) for hidden service introduction
    point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
    bugfix on
  • Remove the artificially low cutoff of 20KB to guarantee the Fast
    flag. In the past few years the average relay speed has picked
    up, and while the "top 7/8 of the network get the Fast flag" and
    "all relays with 20KB or more of capacity get the Fast flag" rules
    used to have the same result, now the top 7/8 of the network has
    a capacity more like 32KB. Bugfix on Fixes bug 4489.
  • Fix a rare assertion failure when checking whether a v0 hidden
    service descriptor has any usable introduction points left, and
    we don't have enough information to build a circuit to the first
    intro point named in the descriptor. The HS client code in
    0.2.3.x no longer uses v0 HS descriptors, but this assertion can
    trigger on (and crash) v0 HS authorities. Fixes bug 4411.
    Bugfix on; diagnosed by frosty_un.
  • Make bridge authorities not crash when they are asked for their own
    descriptor. Bugfix on, reported by Lucky Green.
  • When running as a client, do not print a misleading (and plain
    wrong) log message that we're collecting "directory request"
    statistics: clients don't collect statistics. Also don't create a
    useless (because empty) stats file in the stats/ directory. Fixes
    bug 4353; bugfix on and

Major features:

  • Allow Tor controllers like Vidalia to obtain the microdescriptor
    for a relay by identity digest or nickname. Previously,
    microdescriptors were only available by their own digests, so a
    controller would have to ask for and parse the whole microdescriptor
    consensus in order to look up a single relay's microdesc. Fixes
    bug 3832; bugfix on
  • Use OpenSSL's EVP interface for AES encryption, so that all AES
    operations can use hardware acceleration (if present). Resolves
    ticket 4442.

Minor bugfixes (on 0.2.2.x and earlier):

  • Detect failure to initialize Libevent. This fix provides better
    detection for future instances of bug 4457.
  • Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
    function. This was eating up hideously large amounts of time on some
    busy servers. Fixes bug 4518; bugfix on
  • Don't warn about unused log_mutex in log.c when building with
    --disable-threads using a recent GCC. Fixes bug 4437; bugfix on which introduced --disable-threads.
  • Allow manual 'authenticate' commands to the controller interface
    from netcat (nc) as well as telnet. We were rejecting them because
    they didn't come with the expected whitespace at the end of the
    command. Bugfix on; fixes bug 2893.
  • Fix some (not actually triggerable) buffer size checks in usage of
    tor_inet_ntop. Fixes bug 4434; bugfix on Tor Patch
    by Anders Sundman.
  • Fix parsing of some corner-cases with tor_inet_pton(). Fixes
    bug 4515; bugfix on; fix by Anders Sundman.
  • When configuring, starting, or stopping an NT service, stop
    immediately after the service configuration attempt has succeeded
    or failed. Fixes bug 3963; bugfix on
  • When sending a NETINFO cell, include the original address
    received for the other side, not its canonical address. Found
    by "troll_un"; fixes bug 4349; bugfix on
  • Rename the bench_{aes,dmap} functions to test_*, so that tinytest
    can pick them up when the tests aren't disabled. Bugfix on which introduced tinytest.
  • Fix a memory leak when we check whether a hidden service
    descriptor has any usable introduction points left. Fixes bug
    4424. Bugfix on
  • Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
    occurred when a client tried to fetch a descriptor for a bridge
    in ExcludeNodes. Fixes bug 4383; bugfix on

Minor bugfixes (on 0.2.3.x):

  • Make util unit tests build correctly with MSVC. Bugfix on Patch by Gisle Vanem.
  • Successfully detect AUTH_CHALLENGE cells with no recognized
    authentication type listed. Fixes bug 4367; bugfix on
    Found by frosty_un.
  • If a relay receives an AUTH_CHALLENGE cell it can't answer,
    it should still send a NETINFO cell to allow the connection to
    become open. Fixes bug 4368; fix on; bug found by
  • Log less loudly when we get an invalid authentication certificate
    from a source other than a directory authority: it's not unusual
    to see invalid certs because of clock skew. Fixes bug 4370; bugfix
    on and

Minor features:

  • Add two new config options for directory authorities:
    AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
    Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
    that is always sufficient to satisfy the bandwidth requirement for
    the Guard flag. Now it will be easier for researchers to simulate
    Tor networks with different values. Resolves ticket 4484.
  • When Tor ignores a hidden service specified in its configuration,
    include the hidden service's directory in the warning message.
    Previously, we would only tell the user that some hidden service
    was ignored. Bugfix on 0.0.6; fixes bug 4426.
  • When we fail to initialize Libevent, retry with IOCP disabled so we
    don't need to turn on multi-threading support in Libevent, which in
    turn requires a working socketpair(). This is a workaround for bug
    4457, which affects Libevent versions from 2.0.1-alpha through
  • Detect when we try to build on a platform that doesn't define
    AF_UNSPEC to 0. We don't work there, so refuse to compile.
  • Update to the November 1 2011 Maxmind GeoLite Country database.

Packaging changes:

  • Make it easier to automate expert package builds on Windows,
    by removing an absolute path from makensis.exe command.

Code simplifications and refactoring:

  • Remove some redundant #include directives throughout the code.
    Patch from Andrea Gelmini.
  • Unconditionally use OpenSSL's AES implementation instead of our
    old built-in one. OpenSSL's AES has been better for a while, and
    relatively few servers should still be on any version of OpenSSL
    that doesn't have good optimized assembly AES.
  • Use the name "CERTS" consistently to refer to the new cell type;
    we were calling it CERT in some places and CERTS in others.


  • Numerous new unit tests for functions in util.c and address.c by
    Anders Sundman.
  • The long-disabled benchmark tests are now split into their own
    ./src/test/bench binary.
  • The benchmark tests can now use more accurate timers than
    gettimeofday() when such timers are available.

Tor is out

Tor fixes a crash bug in introduced by the new v3 handshake. It also resolves yet another bridge address enumeration issue.

All packages are updated, with the exception of the OS X PPC packages. The build machine is down and packages will be built as soon as it is back online.

Changes in version - 2011-10-30
Major bugfixes:

  • If we mark an OR connection for close based on a cell we process,
    don't process any further cells on it. We already avoid further
    reads on marked-for-close connections, but now we also discard the
    cells we'd already read. Fixes bug 4299; bugfix on,
    which was the first version where we might mark a connection for
    close based on processing a cell on it.
  • Fix a double-free bug that would occur when we received an invalid
    certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
    bugfix on
  • Bridges no longer include their address in NETINFO cells on outgoing
    OR connections, to allow them to blend in better with clients.
    Removes another avenue for enumerating bridges. Reported by
    "troll_un". Fixes bug 4348; bugfix on, when NETINFO
    cells were introduced.

Trivial fixes:

  • Fixed a typo in a hibernation-related log message. Fixes bug 4331;
    bugfix on; found by "tmpname0901".

Tor is out

Tor fixes two bugs that make it possible to enumerate
bridge relays; fixes an assertion error that many users started hitting
today; and adds the ability to refill token buckets more often than
once per second, allowing significant performance improvements.

Security fixes:

  • Bridge relays now do their directory fetches inside Tor TLS
    connections, like all the other clients do, rather than connecting
    directly to the DirPort like public relays do. Removes another
    avenue for enumerating bridges. Fixes bug 4115; bugfix on
  • Bridge relays now build circuits for themselves in a more similar
    way to how clients build them. Removes another avenue for
    enumerating bridges. Fixes bug 4124; bugfix on,
    when bridges were introduced.

Major bugfixes:

  • Fix an "Assertion md->held_by_node == 1 failed" error that could
    occur when the same microdescriptor was referenced by two node_t
    objects at once. Fix for bug 4118; bugfix on Tor

Major features (networking):

  • Add a new TokenBucketRefillInterval option to refill token buckets
    more frequently than once per second. This should improve network
    performance, alleviate queueing problems, and make traffic less
    bursty. Implements proposal 183; closes ticket 3630. Design by
    Florian Tschorsch and Björn Scheuermann; implementation by
    Florian Tschorsch.

Minor bugfixes:

  • Change an integer overflow check in the OpenBSD_Malloc code so
    that GCC is less likely to eliminate it as impossible. Patch
    from Mansour Moufid. Fixes bug 4059.

Minor bugfixes (usability):

  • Downgrade log messages about circuit timeout calibration from
    "notice" to "info": they don't require or suggest any human
    intervention. Patch from Tom Lowenthal. Fixes bug 4063;
    bugfix on

Minor features (diagnostics):

  • When the system call to create a listener socket fails, log the
    error message explaining why. This may help diagnose bug 4027.

New Tor Browser Bundles

All of the alpha Tor Browser Bundles have been updated to the latest Tor

Firefox 5 has recently been released and our next set of Firefox alpha bundles
will come with that instead of Firefox 4. For users who want to use Firefox 5
now, Torbutton 1.3.3-alpha is compatible.

We're also going to begin phasing out the Firefox 3.6 bundles within the next
month. Mike Perry is focusing his attention on the new Firefox releases (see
his previous posts on the topic) and we feel this is the best path to keep our users safe. You can also see his current Firefox patches in the Tor Browser Bundle git repository.

The following changelogs encompass the would-be Tor packages as
well as the changes made for Tor

Firefox 3.6 Tor Browser Bundles

OS X bundle
1.1.19: Released 2011-06-21

  • Update Tor to
  • Update NoScript to
  • Update HTTPS-Everywhere to 0.9.9.development.6

1.0.18: Released 2011-06-05

  • Update Tor to
  • Update Libevent to 2.0.12-stable
  • Update zlib to 1.2.5
  • Update NoScript to 2.1.1
  • Update BetterPrivacy to 1.51

Linux bundles
1.1.11: Released 2011-06-21

  • Update Tor to
  • Update NoScript to
  • Update HTTPS-Everywhere to 0.9.9.development.6

1.1.10: Released 2011-06-05

  • Update Tor to
  • Update Libevent to 2.0.12-stable
  • Update zlib to 1.2.5
  • Update NoScript to 2.1.1
  • Update BetterPrivacy to 1.51

Firefox 4 Tor Browser Bundles

Tor Browser Bundle (2.2.29-1)

  • Update Tor to
  • Update Libevent to 2.0.12-stable
  • Update HTTPS Everywhere to 0.9.9.development.6
  • Update NoScript to
  • Update BetterPrivacy to 1.51

Temporary direct download links for Firefox 4 bundles:

Tor and are out

Changes in version - 2011-06-20
Tor reverts an accidental behavior change for users who
have bridge lines in their torrc but don't want to use them; gets
us closer to having the control socket feature working on Debian;
and fixes a variety of smaller bugs.

Major bugfixes:

  • Revert the UseBridges option to its behavior before
    When we changed the default behavior to "use bridges if any
    are listed in the torrc", we surprised users who had bridges
    in their torrc files but who didn't actually want to use them.
    Partial resolution for bug 3354.

Privacy fixes:

  • Don't attach new streams to old rendezvous circuits after SIGNAL
    NEWNYM. Previously, we would keep using an existing rendezvous
    circuit if it remained open (i.e. if it were kept open by a
    long-lived stream, or if a new stream were attached to it before
    Tor could notice that it was old and no longer in use). Bugfix on; fixes bug 3375.

Minor bugfixes:

  • Fix a bug when using ControlSocketsGroupWritable with User. The
    directory's group would be checked against the current group, not
    the configured group. Patch by Jérémy Bobbio. Fixes bug 3393;
    bugfix on
  • Make connection_printf_to_buf()'s behaviour sane. Its callers
    expect it to emit a CRLF iff the format string ends with CRLF;
    it actually emitted a CRLF iff (a) the format string ended with
    CRLF or (b) the resulting string was over 1023 characters long or
    (c) the format string did not end with CRLF *and* the resulting
    string was 1021 characters long or longer. Bugfix on;
    fixes part of bug 3407.
  • Make send_control_event_impl()'s behaviour sane. Its callers
    expect it to always emit a CRLF at the end of the string; it
    might have emitted extra control characters as well. Bugfix on; fixes another part of bug 3407.
  • Make crypto_rand_int() check the value of its input correctly.
    Previously, it accepted values up to UINT_MAX, but could return a
    negative number if given a value above INT_MAX+1. Found by George
    Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
  • Avoid a segfault when reading a malformed circuit build state
    with more than INT_MAX entries. Found by wanoskarnet. Bugfix on
  • When asked about a DNS record type we don't support via a
    client DNSPort, reply with NOTIMPL rather than an empty
    reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
  • Fix a rare memory leak during stats writing. Found by coverity.

Minor features:

  • Update to the June 1 2011 Maxmind GeoLite Country database.

Code simplifications and refactoring:

  • Remove some dead code as indicated by coverity.
  • Remove a few dead assignments during router parsing. Found by
  • Add some forgotten return value checks during unit tests. Found
    by coverity.
  • Don't use 1-bit wide signed bit fields. Found by coverity.

Changes in version - 2011-06-04
Tor makes great progress towards a new stable release: we
fixed a big bug in whether relays stay in the consensus consistently,
we moved closer to handling bridges and hidden services correctly,
and we started the process of better handling the dreaded "my Vidalia
died, and now my Tor demands a password when I try to reconnect to it"
usability issue.

Major bugfixes:

  • Don't decide to make a new descriptor when receiving a HUP signal.
    This bug has caused a lot of 0.2.2.x relays to disappear from the
    consensus periodically. Fixes the most common case of triggering
    bug 1810; bugfix on
  • Actually allow nameservers with IPv6 addresses. Fixes bug 2574.
  • Don't try to build descriptors if "ORPort auto" is set and we
    don't know our actual ORPort yet. Fix for bug 3216; bugfix on
  • Resolve a crash that occurred when setting BridgeRelay to 1 with
    accounting enabled. Fixes bug 3228; bugfix on
  • Apply circuit timeouts to opened hidden-service-related circuits
    based on the correct start time. Previously, we would apply the
    circuit build timeout based on time since the circuit's creation;
    it was supposed to be applied based on time since the circuit
    entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
  • Use the same circuit timeout for client-side introduction
    circuits as for other four-hop circuits, rather than the timeout
    for single-hop directory-fetch circuits; the shorter timeout may
    have been appropriate with the static circuit build timeout in
    0.2.1.x and earlier, but caused many hidden service access attempts
    to fail with the adaptive CBT introduced in Bugfix
    on; fixes another part of bug 1297.
  • In ticket 2511 we fixed a case where you could use an unconfigured
    bridge if you had configured it as a bridge the last time you ran
    Tor. Now fix another edge case: if you had configured it as a bridge
    but then switched to a different bridge via the controller, you
    would still be willing to use the old one. Bugfix on;
    fixes bug 3321.

Major features:

  • Add an __OwningControllerProcess configuration option and a
    TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
    that when it exits, Tor will shut down. Implements feature 3049.
  • If "UseBridges 1" is set and no bridges are configured, Tor will
    now refuse to build any circuits until some bridges are set.
    If "UseBridges auto" is set, Tor will use bridges if they are
    configured and we are not running as a server, but otherwise will
    make circuits as usual. The new default is "auto". Patch by anonym,
    so the Tails LiveCD can stop automatically revealing you as a Tor
    user on startup.

Minor bugfixes:

  • Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
  • Remove a trailing asterisk from "exit-policy/default" in the
    output of the control port command "GETINFO info/names". Bugfix
  • Use a wide type to hold sockets when built for 64-bit Windows builds.
    Fixes bug 3270.
  • Warn when the user configures two HiddenServiceDir lines that point
    to the same directory. Bugfix on 0.0.6 (the version introducing
    HiddenServiceDir); fixes bug 3289.
  • Remove dead code from rend_cache_lookup_v2_desc_as_dir. Fixes
    part of bug 2748; bugfix on
  • Log malformed requests for rendezvous descriptors as protocol
    warnings, not warnings. Also, use a more informative log message
    in case someone sees it at log level warning without prior
    info-level messages. Fixes the other part of bug 2748; bugfix
  • Clear the table recording the time of the last request for each
    hidden service descriptor from each HS directory on SIGNAL NEWNYM.
    Previously, we would clear our HS descriptor cache on SIGNAL
    NEWNYM, but if we had previously retrieved a descriptor (or tried
    to) from every directory responsible for it, we would refuse to
    fetch it again for up to 15 minutes. Bugfix on;
    fixes bug 3309.
  • Fix a log message that said "bits" while displaying a value in
    bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
  • When checking for 1024-bit keys, check for 1024 bits, not 128
    bytes. This allows Tor to correctly discard keys of length 1017
    through 1023. Bugfix on 0.0.9pre5.

Minor features:

  • Relays now log the reason for publishing a new relay descriptor,
    so we have a better chance of hunting down instances of bug 1810.
    Resolves ticket 3252.
  • Revise most log messages that refer to nodes by nickname to
    instead use the "$key=nickname at address" format. This should be
    more useful, especially since nicknames are less and less likely
    to be unique. Resolves ticket 3045.
  • Log (at info level) when purging pieces of hidden-service-client
    state because of SIGNAL NEWNYM.

Removed options:

  • Remove undocumented option "-F" from tor-resolve: it hasn't done
    anything since

New Tor Browser Bundles

All of the alpha Tor Browser Bundles have been updated to the latest Tor

Firefox 3.6 Tor Browser Bundles

Linux bundles
1.1.9: Released 2011-05-19

  • Update Tor to
  • Update NoScript to
  • Update BetterPrivacy to 1.50
  • Update HTTPS Everywhere to 0.9.9.development.5

OS X bundle
1.0.17: Released 2011-05-19

  • Update Tor to
  • Update NoScript to
  • Update HTTPS-Everywhere to 0.9.9.development.5
  • Update BetterPrivacy to 1.50

Firefox 4 Tor Browser Bundles

Tor Browser Bundle (2.2.27-1)

  • Update Tor to
  • Update HTTPS Everywhere to 0.9.9.development.5
  • Update NoScript to

Temporary direct download links for Firefox 4 bundles:

Tor and are out

Changes in version - 2011-05-18
Tor fixes a bridge-related stability bug in the previous
release, and also adds a few more general bugfixes.

Major bugfixes:

  • Fix a crash bug when changing bridges in a running Tor process.
    Fixes bug 3213; bugfix on

  • When the controller configures a new bridge, don't wait 10 to 60
    seconds before trying to fetch its descriptor. Bugfix on; fixes bug 3198 (suggested by 2355).

Minor bugfixes:

  • Require that onion keys have exponent 65537 in microdescriptors too.
    Fixes more of bug 3207; bugfix on

  • Tor used to limit HttpProxyAuthenticator values to 48 characters.
    Changed the limit to 512 characters by removing base64 newlines.
    Fixes bug 2752. Fix by Michael Yakubovich.

  • When a client starts or stops using bridges, never use a circuit
    that was built before the configuration change. This behavior could
    put at risk a user who uses bridges to ensure that her traffic
    only goes to the chosen addresses. Bugfix on; fixes
    bug 3200.

Changes in version - 2011-05-17
Tor fixes a variety of potential privacy problems. It
also introduces a new "socksport auto" approach that should make it
easier to run multiple Tors on the same system, and does a lot of
cleanup to get us closer to a release candidate.

Security/privacy fixes:

    • Replace all potentially sensitive memory comparison operations
      with versions whose runtime does not depend on the data being
      compared. This will help resist a class of attacks where an
      adversary can use variations in timing information to learn
      sensitive data. Fix for one case of bug 3122. (Safe memcmp
      implementation by Robert Ransom based partially on code by DJB.)
    • When receiving a hidden service descriptor, check that it is for
      the hidden service we wanted. Previously, Tor would store any
      hidden service descriptors that a directory gave it, whether it
      wanted them or not. This wouldn't have let an attacker impersonate
      a hidden service, but it did let directories pre-seed a client
      with descriptors that it didn't want. Bugfix on 0.0.6.
    • On SIGHUP, do not clear out all TrackHostExits mappings, client
      DNS cache entries, and virtual address mappings: that's what
      NEWNYM is for. Fixes bug 1345; bugfix on
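The first entry above, shown as an added example rather than the implementation the entry credits: an early-exit comparison whose work depends on where the inputs first differ, next to comparisons that always touch every byte. All function names here are assumptions, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Data-dependent: returns at the first mismatch. `steps` records how many
 * bytes were examined, which is what a timing observer indirectly learns. */
int early_exit_memeq(const void *a, const void *b, size_t n, size_t *steps)
{
    const unsigned char *x = a, *y = b;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (x[i] != y[i])
            return 0;
    }
    return 1;
}

/* Data-independent equality: XOR every byte pair into an accumulator and
 * convert the result to 0/1 without branching. Returns 1 if equal. */
int ct_memeq(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(x[i] ^ y[i]);
    /* diff is 0..255: (diff - 1) >> 8 has its low bit set only for 0. */
    return (int)(((diff - 1) >> 8) & 1);
}

/* Data-independent three-way compare with memcmp-style ordering. Walks
 * from the last byte to the first so the earliest differing byte is the
 * one that decides the result, and selects with a mask, not a branch. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    int result = 0;
    size_t i = n;
    while (i--) {
        int delta = (int)x[i] - (int)y[i];               /* -255..255 */
        unsigned int ne = (unsigned int)(x[i] ^ y[i]);   /* 0 if equal */
        int equal = (int)(((ne - 1) >> 8) & 1);          /* 1 if equal */
        int mask = -equal;                /* all ones if equal, else 0 */
        result = (result & mask) | (delta & ~mask);
    }
    return result;
}

int main(void)
{
    /* Constructed 16-byte values standing in for a secret and two guesses. */
    const char *secret = "0123456789abcdef";
    const char *wrong_first = "X123456789abcdef";
    const char *wrong_last = "0123456789abcdeX";
    size_t s1, s2;

    early_exit_memeq(secret, wrong_first, 16, &s1);
    early_exit_memeq(secret, wrong_last, 16, &s2);
    printf("early-exit bytes examined: %zu vs %zu\n", s1, s2);
    printf("ct_memeq: %d %d %d\n", ct_memeq(secret, secret, 16),
           ct_memeq(secret, wrong_first, 16),
           ct_memeq(secret, wrong_last, 16));
    return 0;
}
```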

Major features:

    • The options SocksPort, ControlPort, and so on now all accept a
      value "auto" that opens a socket on an OS-selected port. A
      new ControlPortWriteToFile option tells Tor to write its
      actual control port or ports to a chosen file. If the option
      ControlPortFileGroupReadable is set, the file is created as
      group-readable. Now users can run two Tor clients on the same
      system without needing to manually mess with parameters. Resolves
      part of ticket 3076.
    • Set SO_REUSEADDR on all sockets, not just listeners. This should
      help busy exit nodes avoid running out of useable ports just
      because all the ports have been used in the near past. Resolves
      issue 2850.

Minor features:

    • New "GETINFO net/listeners/(type)" controller command to return
      a list of addresses and ports that are bound for listeners for a
      given connection type. This is useful when the user has configured
      "SocksPort auto" and the controller needs to know which port got
      chosen. Resolves another part of ticket 3076.
    • Add a new ControlSocketsGroupWritable configuration option: when
      it is turned on, ControlSockets are group-writeable by the default
      group of the current user. Patch by Jérémy Bobbio; implements
      ticket 2972.
    • Tor now refuses to create a ControlSocket in a directory that is
      world-readable (or group-readable if ControlSocketsGroupWritable
      is 0). This is necessary because some operating systems do not
      enforce permissions on AF_UNIX sockets. Permissions on the
      directory holding the socket, however, seem to work everywhere.
    • Rate-limit a warning about failures to download v2 networkstatus
      documents. Resolves part of bug 1352.
    • Backport code from 0.2.3.x that allows directory authorities to
      clean their microdescriptor caches. Needed to resolve bug 2230.
    • When an HTTPS proxy reports "403 Forbidden", we now explain
      what it means rather than calling it an unexpected status code.
      Closes bug 2503. Patch from Michael Yakubovich.
    • Update to the May 1 2011 Maxmind GeoLite Country database.

Minor bugfixes:

    • Authorities now clean their microdesc cache periodically and when
      reading from disk initially, not only when adding new descriptors.
      This prevents a bug where we could lose microdescriptors. Bugfix
      on 2230
    • Do not crash when our configuration file becomes unreadable, for
      example due to a permissions change, between when we start up
      and when a controller calls SAVECONF. Fixes bug 3135; bugfix
      on 0.0.9pre6.
    • Avoid a bug that would keep us from replacing a microdescriptor
      cache on Windows. (We would try to replace the file while still
      holding it open. That's fine on Unix, but Windows doesn't let us
      do that.) Bugfix on; bug found by wanoskarnet.
    • Add missing explanations for the authority-related torrc options
      RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey in the
      man page. Resolves issue 2379.
    • As an authority, do not upload our own vote or signature set to
      ourself. It would tell us nothing new, and as of,
      it would get flagged as a duplicate. Resolves bug 3026.
    • Accept hidden service descriptors if we think we might be a hidden
      service directory, regardless of what our consensus says. This
      helps robustness, since clients and hidden services can sometimes
      have a more up-to-date view of the network consensus than we do,
      and if they think that the directory authorities list us as an HSDir,
      we might actually be one. Related to bug 2732; bugfix on
    • When a controller changes TrackHostExits, remove mappings for
      hosts that should no longer have their exits tracked. Bugfix on
    • When a controller changes VirtualAddrNetwork, remove any mappings
      for hosts that were automapped to the old network. Bugfix on
    • When a controller changes one of the AutomapHosts* options, remove
      any mappings for hosts that should no longer be automapped. Bugfix
    • Do not reset the bridge descriptor download status every time we
      re-parse our configuration or get a configuration change. Fixes
      bug 3019; bugfix on

Minor bugfixes (code cleanup):

    • When loading the microdesc journal, remember its current size.
      In 0.2.2, this helps prevent the microdesc journal from growing
      without limit on authorities (who are the only ones to use it in
      0.2.2). Fixes a part of bug 2230; bugfix on
      Fix posted by "cypherpunks."
    • The microdesc journal is supposed to get rebuilt only if it is
      at least _half_ the length of the store, not _twice_ the length
      of the store. Bugfix on; fixes part of bug 2230.
    • Fix a potential null-pointer dereference while computing a
      consensus. Bugfix on tor-, found with the help of
      clang's analyzer.
    • Avoid a possible null-pointer dereference when rebuilding the mdesc
      cache without actually having any descriptors to cache. Bugfix on Issue discovered using clang's static analyzer.
    • If we fail to compute the identity digest of a v3 legacy keypair,
      warn, and don't use a buffer-full of junk instead. Bugfix on; fixes bug 3106.
    • Resolve an untriggerable issue in smartlist_string_num_isin(),
      where if the function had ever in the future been used to check
      for the presence of a too-large number, it would have given an
      incorrect result. (Fortunately, we only used it for 16-bit
      values.) Fixes bug 3175; bugfix on
    • Require that introduction point keys and onion handshake keys
      have a public exponent of 65537. Starts to fix bug 3207; bugfix

Removed features:

    • Caches no longer download and serve v2 networkstatus documents
      unless the FetchV2Networkstatus flag is set: these documents
      haven't been used by clients or relays since 0.2.0.x. Resolves
      bug 3022.
Tor is out

Tor fixes many bugs: hidden service clients are more
robust, routers no longer overreport their bandwidth, Win7 should crash
a little less, and NEWNYM (as used by Vidalia's "new identity" button)
now prevents hidden service-related activity from being linkable. It
provides more information to Vidalia so you can see if your bridge is
working. Also, revamps the Entry/Exit/ExcludeNodes and
StrictNodes configuration options to make them more reliable, more
understandable, and more regularly applied. If you use those options,
please see the revised documentation for them in the manual page.

Major bugfixes:

    • Relays were publishing grossly inflated bandwidth values because
      they were writing their state files wrong--now they write the
      correct value. Also, resume reading bandwidth history from the
      state file correctly. Fixes bug 2704; bugfix on
    • Improve hidden service robustness: When we find that we have
      extended a hidden service's introduction circuit to a relay not
      listed as an introduction point in the HS descriptor we currently
      have, retry with an introduction point from the current
      descriptor. Previously we would just give up. Fixes bugs 1024 and
      1930; bugfix on
    • Clients now stop trying to use an exit node associated with a given
      destination by TrackHostExits if they fail to reach that exit node.
      Fixes bug 2999. Bugfix on
    • Fix crash bug on platforms where gmtime and localtime can return
      NULL. Windows 7 users were running into this one. Fixes part of bug
      2077. Bugfix on all versions of Tor. Found by boboper.

    Security and stability fixes:

    • Don't double-free a parsable, but invalid, microdescriptor, even if
      it is followed in the blob we're parsing by an unparsable
      microdescriptor. Fixes an issue reported in a comment on bug 2954.
      Bugfix on; fix by "cypherpunks".
    • If the Nickname configuration option isn't given, Tor would pick a
      nickname based on the local hostname as the nickname for a relay.
      Because nicknames are not very important in today's Tor and the
      "Unnamed" nickname has been implemented, this is now problematic
      behavior: It leaks information about the hostname without being
      useful at all. Fixes bug 2979; bugfix on, which
      introduced the Unnamed nickname. Reported by tagnaq.
    • Fix an uncommon assertion failure when running with DNSPort under
      heavy load. Fixes bug 2933; bugfix on
    • Avoid linkability based on cached hidden service descriptors: forget
      all hidden service descriptors cached as a client when processing a
      SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.

    Major features:

    • Export GeoIP information on bridge usage to controllers even if we
      have not yet been running for 24 hours. Now Vidalia bridge operators
      can get more accurate and immediate feedback about their
      contributions to the network.

    Major features and bugfixes (node selection):

    • Revise and reconcile the meaning of the ExitNodes, EntryNodes,
      ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes
      options. Previously, we had been ambiguous in describing what
      counted as an "exit" node, and what operations exactly "StrictNodes
      0" would permit. This created confusion when people saw nodes built
      through unexpected circuits, and made it hard to tell real bugs from
      surprises. Now the intended behavior is:
      • "Exit", in the context of ExitNodes and ExcludeExitNodes, means
        a node that delivers user traffic outside the Tor network.
      • "Entry", in the context of EntryNodes, means a node used as the
        first hop of a multihop circuit. It doesn't include direct
        connections to directory servers.
      • "ExcludeNodes" applies to all nodes.
      • "StrictNodes" changes the behavior of ExcludeNodes only. When
        StrictNodes is set, Tor should avoid all nodes listed in
        ExcludeNodes, even when it will make user requests fail. When
        StrictNodes is *not* set, then Tor should follow ExcludeNodes
        whenever it can, except when it must use an excluded node to
        perform self-tests, connect to a hidden service, provide a
        hidden service, fulfill a .exit request, upload directory
        information, or fetch directory information.

      Collectively, the changes to implement the behavior fix bug 1090.

    • ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
      a node is listed in both, it's treated as excluded.
    • ExcludeNodes now applies to directory nodes -- as a preference if
      StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
      Don't exclude all the directory authorities and set StrictNodes to 1
      unless you really want your Tor to break.
    • ExcludeNodes and ExcludeExitNodes now override exit enclaving.
    • ExcludeExitNodes now overrides .exit requests.
    • We don't use bridges listed in ExcludeNodes.
    • When StrictNodes is 1:
      • We now apply ExcludeNodes to hidden service introduction points
        and to rendezvous points selected by hidden service users. This
        can make your hidden service less reliable: use it with caution!
      • If we have used ExcludeNodes on ourself, do not try relay
        reachability self-tests.
      • If we have excluded all the directory authorities, we will not
        even try to upload our descriptor if we're a relay.
      • Do not honor .exit requests to an excluded node.
    • Remove a misfeature that caused us to ignore the Fast/Stable flags
      when ExitNodes is set. Bugfix on
    • When the set of permitted nodes changes, we now remove any mappings
      introduced via TrackHostExits to now-excluded nodes. Bugfix on
    • We never cannibalize a circuit that had excluded nodes on it, even
      if StrictNodes is 0. Bugfix on
    • Revert a change where we would be laxer about attaching streams to
      circuits than when building the circuits. This was meant to prevent
      a set of bugs where streams were never attachable, but our improved
      code here should make this unnecessary. Bugfix on
    • Keep track of how many times we launch a new circuit to handle a
      given stream. Too many launches could indicate an inconsistency
      between our "launch a circuit to handle this stream" logic and our
      "attach this stream to one of the available circuits" logic.
    • Improve log messages related to excluded nodes.
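
The node-selection rules above, modelled as an added example (not Tor's code and not part of the original post): a small parser for the options plus a may_use() check that applies the stated precedence. The relay nicknames, the purpose labels and the `required` flag are assumptions made for illustration, and nodes are matched by exact name only.

```python
# Toy model of the node-selection rules listed above; not Tor's own code.
# Purposes where StrictNodes 0 may fall back to an excluded node.
SOFT_PURPOSES = {"self_test", "hs_connect", "hs_provide", "dot_exit",
                 "dir_upload", "dir_fetch"}
LIST_OPTIONS = ("excludenodes", "excludeexitnodes", "entrynodes", "exitnodes")

# Constructed sample; the relay nicknames are made up.
SAMPLE_TORRC = """\
# relayB is listed in both ExitNodes and ExcludeNodes
ExitNodes relayA,relayB
EntryNodes relayC
ExcludeNodes relayB,relayD
ExcludeExitNodes relayE
StrictNodes 0
"""

def parse_torrc(text):
    """Collect the node-selection options from torrc-style text."""
    cfg = {name: set() for name in LIST_OPTIONS}
    cfg["strictnodes"] = False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in LIST_OPTIONS:
            cfg[key] |= {v.strip() for v in value.split(",") if v.strip()}
        elif key == "strictnodes":
            cfg[key] = value.strip() == "1"
    return cfg

def conflicts(cfg):
    """Nodes both requested and in ExcludeNodes; they count as excluded."""
    return sorted((cfg["entrynodes"] | cfg["exitnodes"]) & cfg["excludenodes"])

def may_use(cfg, node, role, purpose="general", required=False):
    """May `node` serve as `role`? `required`: no other node can do the job."""
    # StrictNodes changes ExcludeNodes only, and ExcludeExitNodes overrides
    # .exit requests, so this refusal is never softened.
    if role == "exit" and node in cfg["excludeexitnodes"]:
        return False
    # ExcludeNodes is tested before the allow lists, so it takes precedence.
    if node in cfg["excludenodes"]:
        return (not cfg["strictnodes"]) and required and purpose in SOFT_PURPOSES
    if purpose == "general" and role == "entry" and cfg["entrynodes"]:
        return node in cfg["entrynodes"]
    if purpose == "general" and role == "exit" and cfg["exitnodes"]:
        return node in cfg["exitnodes"]
    return True
```

Running conflicts() over a real torrc before a restart shows which EntryNodes or ExitNodes entries will be silently treated as excluded.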

    Minor bugfixes:

    • Fix a spurious warning when moving from a short month to a long
      month on relays with month-based BandwidthAccounting. Bugfix on;
      fixes bug 3020.
    • When a client finds that an origin circuit has run out of 16-bit
      stream IDs, we now mark it as unusable for new streams. Previously,
      we would try to close the entire circuit. Bugfix on 0.0.6.
    • Add a forgotten cast that caused a compile warning on OS X 10.6.
      Bugfix on
    • Be more careful about reporting the correct error from a failed
      connect() system call. Under some circumstances, it was possible to
      look at an incorrect value for errno when sending the end reason.
      Bugfix on
    • Correctly handle an "impossible" overflow case in connection byte
      counting, where we write or read more than 4GB on an edge connection
      in a single second. Bugfix on
    • Correct the warning displayed when a rendezvous descriptor exceeds
      the maximum size. Fixes bug 2750; bugfix on Found by
      John Brooks.
    • Clients and hidden services now use HSDir-flagged relays for hidden
      service descriptor downloads and uploads even if the relays have no
      DirPort set and the client has disabled TunnelDirConns. This will
      eventually allow us to give the HSDir flag to relays with no
      DirPort. Fixes bug 2722; bugfix on
    • Downgrade "no current certificates known for authority" message from
      Notice to Info. Fixes bug 2899; bugfix on
    • Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug
      2917. Bugfix on
    • Only limit the lengths of single HS descriptors, even when multiple
      HS descriptors are published to an HSDir relay in a single POST
      operation. Fixes bug 2948; bugfix on Found by hsdir.
    • Write the current time into the LastWritten line in our state file,
      rather than the time from the previous write attempt. Also, stop
      trying to use a time of -1 in our log statements. Fixes bug 3039;
      bugfix on
    • Be more consistent in our treatment of file system paths. "~" should
      get expanded to the user's home directory in the Log config option.
      Fixes bug 2971; bugfix on, which introduced the
      feature for the -f and --DataDirectory options.

    Minor features:

    • Make sure every relay writes a state file at least every 12 hours.
      Previously, a relay could go for weeks without writing its state
      file, and on a crash could lose its bandwidth history, capacity
      estimates, client country statistics, and so on. Addresses bug 3012.
    • Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
      Clients before didn't handle NOROUTE correctly, but such
      clients are already deprecated because of security bugs.
    • Don't allow v0 hidden service authorities to act as clients.
      Required by fix for bug 3000.
    • Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
      by fix for bug 3000.
    • Ensure that no empty [dirreq-](read|write)-history lines are added
      to an extrainfo document. Implements ticket 2497.

    Code simplification and refactoring:

    • Remove workaround code to handle directory responses from servers
      that had bug 539 (they would send HTTP status 503 responses _and_
      send a body too). Since only server versions before were affected,
      there is no longer reason to keep the workaround in place.
    • Remove the old 'fuzzy time' logic. It was supposed to be used for
      handling calculations where we have a known amount of clock skew and
      an allowed amount of unknown skew. But we only used it in three
      places, and we never adjusted the known/unknown skew values. This is
      still something we might want to do someday, but if we do, we'll
      want to do it differently.
    • Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
      None of the cases where we did this before were wrong, but by making
      this change we avoid warnings. Fixes bug 2475; bugfix on
    • Use GetTempDir to find the proper temporary directory location on
      Windows when generating temporary files for the unit tests. Patch by
      Gisle Vanem.