security fixes

New Tor Browser Bundles with Firefox 17.0.9esr

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

Tor Browser Bundle (2.4.17-beta-2)

  • Update Firefox to 17.0.9esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.3
  • Update HTTPS Everywhere to 4.0development.12
  • Update NoScript to 2.6.7.1
  • Remove extraneous libevent libraries (closes: #9727)
  • Enable GCC hardening for Tor
  • Firefox patch changes:
    • Disable filtered results in Startpage omnibox (closes: #8839)
  • Add missing geoip file to Linux bundle
  • (entry missing from regular changelog)

New bundles (security release)

All of the available bundles of Tor have been updated for the latest stable Tor 0.2.2.39 release and the 0.2.3.22-rc release. These releases fix a remote crash bug found in Tor and all users and relays are STRONGLY encouraged to update immediately.

https://www.torproject.org/download

Further notes about Tor Browser Bundle updates:

The random port selection has been temporarily disabled in the Linux and Mac OS X alpha bundles. Most of you probably didn't notice any random port selection happening at all, but if you encounter a problem running a system Tor and your Tor Browser Bundle at the same time, you can switch to the stable bundles for now. The next update should have a fix that allows us to re-enable automatic port selection.

Tor Browser Bundle (2.2.39-1)

  • Update Tor to 0.2.2.39
  • Update NoScript to 2.5.4

Tor Browser Bundle (2.3.22-alpha-1)

  • Update Tor to 0.2.3.22-rc
  • Temporarily use fixed Control and SOCKS ports as a workaround for #6803

New Tor Browser Bundles (security release)

The Tor Browser Bundles have been updated with a very important security fix. As explained in the previous blog post, a user discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This is now fixed and we strongly encourage all users to update. There are a few other bugfixes in this release, including really fixing (for real this time!) the problem with the Mac OS X bundles crashing.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-11)

  • Security release to stop TorBrowser from bypassing SOCKS proxy DNS configuration
  • New Firefox patches:
    • Prevent WebSocket DNS leak (closes: #5741)
    • Fix a race condition that could be used to link browsing sessions together when using new identity from Tor Browser (closes: #5715)
  • Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
  • Fix the mozconfig options for OS X so that it really builds everything with clang instead of llvm-gcc (closes: #5740)

New Tor Browser Bundles

The Tor Browser Bundles have been updated to Tor 0.2.2.35 which has a fix for a security critical bug. Please see the release announcement for further details. All users should update immediately.

This Tor Browser Bundle release also contains new Firefox patches which improve privacy and unlinkability.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-1)

  • Update Tor to 0.2.2.35
  • Update NoScript to 2.2.3
  • Update Torbutton to 1.4.5
  • New Firefox patches
    • Disable SSL Session ID tracking
    • Provide an observer event to close persistent connections

Tor 0.2.2.35 is released (security patches)

Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

Tor 0.2.2.35 also fixes several bugs in previous versions, including
crash bugs for unusual configurations, and a long-term bug that
would prevent Tor from starting on Windows machines with draconian
AV software.

With this release, we remind everyone that 0.2.0.x has reached its
formal end-of-life. Those Tor versions have many known flaws, and
nobody should be using them. You should upgrade -- ideally to the
0.2.2.x series. If you're using a Linux or BSD and its packages are
obsolete, stop using those packages and upgrade anyway.

The Tor 0.2.1.x series is also approaching its end-of-life: it will no
longer receive support after some time in early 2012.

https://www.torproject.org/download

Changes in version 0.2.2.35 - 2011-12-16

Major bugfixes:

  • Fix a heap overflow bug that could occur when trying to pull
    data into the first chunk of a buffer, when that chunk had
    already had some data drained from it. Fixes CVE-2011-2778;
    bugfix on 0.2.0.16-alpha. Reported by "Vektor".
  • Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
    that it doesn't attempt to allocate a socketpair. This could cause
    some problems on Windows systems with overzealous firewalls. Fix for
    bug 4457; workaround for Libevent versions 2.0.1-alpha through
    2.0.15-stable.
  • If we mark an OR connection for close based on a cell we process,
    don't process any further cells on it. We already avoid further
    reads on marked-for-close connections, but now we also discard the
    cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
    which was the first version where we might mark a connection for
    close based on processing a cell on it.
  • Correctly sanity-check that we don't underflow on a memory
    allocation (and then assert) for hidden service introduction
    point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
    bugfix on 0.2.1.5-alpha.
  • Fix a memory leak when we check whether a hidden service
    descriptor has any usable introduction points left. Fixes bug
    4424. Bugfix on 0.2.2.25-alpha.
  • Don't crash when we're running as a relay and don't have a GeoIP
    file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix
    we've had in the 0.2.3.x branch already.
  • When running as a client, do not print a misleading (and plain
    wrong) log message that we're collecting "directory request"
    statistics: clients don't collect statistics. Also don't create a
    useless (because empty) stats file in the stats/ directory. Fixes
    bug 4353; bugfix on 0.2.2.34.

Minor bugfixes:

  • Detect failure to initialize Libevent. This fix provides better
    detection for future instances of bug 4457.
  • Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
    function. This was eating up hideously large amounts of time on some
    busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
  • Resolve an integer overflow bug in smartlist_ensure_capacity().
    Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
    Mansour Moufid.
  • Don't warn about unused log_mutex in log.c when building with
    --disable-threads using a recent GCC. Fixes bug 4437; bugfix on
    0.1.0.6-rc which introduced --disable-threads.
  • When configuring, starting, or stopping an NT service, stop
    immediately after the service configuration attempt has succeeded
    or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
  • When sending a NETINFO cell, include the original address
    received for the other side, not its canonical address. Found
    by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
  • Fix a typo in a hibernation-related log message. Fixes bug 4331;
    bugfix on 0.2.2.23-alpha; found by "tmpname0901".
  • Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
    occurred when a client tried to fetch a descriptor for a bridge
    in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
  • Backport fixes for a pair of compilation warnings on Windows.
    Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
  • If we had ever tried to call tor_addr_to_str on an address of
    unknown type, we would have done a strdup on an uninitialized
    buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
    Reported by "troll_un".
  • Correctly detect and handle transient lookup failures from
    tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha.
    Reported by "troll_un".
  • Fix null-pointer access that could occur if TLS allocation failed.
    Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
  • Use tor_socket_t type for listener argument to accept(). Fixes bug
    4535; bugfix on 0.2.2.28-beta. Found by "troll_un".

Minor features:

  • Add two new config options for directory authorities:
    AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
    Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
    that is always sufficient to satisfy the bandwidth requirement for
    the Guard flag. Now it will be easier for researchers to simulate
    Tor networks with different values. Resolves ticket 4484.
  • When Tor ignores a hidden service specified in its configuration,
    include the hidden service's directory in the warning message.
    Previously, we would only tell the user that some hidden service
    was ignored. Bugfix on 0.0.6; fixes bug 4426.
  • Update to the December 6 2011 Maxmind GeoLite Country database.

Packaging changes:

  • Make it easier to automate expert package builds on Windows,
    by removing an absolute path from makensis.exe command.

Tor 0.2.3.10-alpha is out (security fix)

Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).
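The miscalculation described here (and identically in the Tor 0.2.2.35 announcement above) is easier to see in code. The following is an added illustration, not Tor's buffers.c: a minimal two-chunk buffer whose pullup computes the head chunk's free space correctly after bytes have been drained from its front, beside the naive formula that forgets the drained prefix and overestimates free space by exactly that amount. All names (chunk_t, buf_pullup, pullup_scenario) and the 16-byte chunk size are hypothetical.

```c
/* Added illustration, not Tor's buffers.c: the capacity accounting a
 * chunked-buffer "pullup" needs once bytes have been drained from the
 * head chunk. All names and sizes here are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MEM 16   /* constructed: tiny chunks so the numbers are visible */
typedef struct chunk {
    struct chunk *next;
    size_t memlen;     /* bytes allocated at mem */
    char *data;        /* first live byte; advances as data is drained */
    size_t datalen;    /* live bytes starting at data */
    char mem[CHUNK_MEM];
} chunk_t;

static void chunk_init(chunk_t *c, size_t fill) {
    assert(fill <= CHUNK_MEM);
    memset(c->mem, 'x', CHUNK_MEM);
    c->next = NULL; c->memlen = CHUNK_MEM; c->data = c->mem; c->datalen = fill;
}

static void chunk_drain(chunk_t *c, size_t n) {   /* consume n bytes from the front */
    assert(n <= c->datalen); c->data += n; c->datalen -= n;
}

/* Drained bytes are gone for good, so free space is what lies after the
 * live bytes: memlen minus the drained prefix minus datalen. */
size_t chunk_remaining_capacity(const chunk_t *c) {
    size_t drained = (size_t)(c->data - c->mem);
    return c->memlen - drained - c->datalen;
}

/* The tempting but wrong arithmetic: it credits the drained prefix as free
 * space at the tail, overestimating by exactly `drained` bytes. */
size_t chunk_naive_capacity(const chunk_t *c) { return c->memlen - c->datalen; }

/* Move bytes from the second chunk into the head until the head holds `want`
 * contiguous bytes, or the source or the head's real capacity runs out.
 * Returns the number of bytes moved. */
size_t buf_pullup(chunk_t *head, size_t want) {
    chunk_t *src = head->next;
    if (!src || head->datalen >= want) return 0;
    size_t need = want - head->datalen;
    size_t n = need < src->datalen ? need : src->datalen;
    size_t cap = chunk_remaining_capacity(head);
    if (n > cap) n = cap;   /* the bound that keeps memcpy inside head->mem */
    memcpy(head->data + head->datalen, src->data, n);
    head->datalen += n;
    chunk_drain(src, n);
    return n;
}

typedef struct { size_t cap, naive, moved, head_len, src_len; } pullup_result_t;
/* Two-chunk buffer: fill the head, drain `drain` bytes from it, then pull up. */
pullup_result_t pullup_scenario(size_t head_fill, size_t drain, size_t src_fill, size_t want) {
    chunk_t head, src;
    chunk_init(&head, head_fill); chunk_init(&src, src_fill); head.next = &src;
    chunk_drain(&head, drain);
    pullup_result_t r = { chunk_remaining_capacity(&head), chunk_naive_capacity(&head), 0, 0, 0 };
    r.moved = buf_pullup(&head, want);
    r.head_len = head.datalen; r.src_len = src.datalen;
    return r;
}

int main(void) {   /* a full head with 5 bytes drained: really 0 free, naively 5 */
    pullup_result_t r = pullup_scenario(16, 5, 10, 16);
    printf("capacity=%zu naive=%zu moved=%zu\n", r.cap, r.naive, r.moved);
    return 0;
}
```

The gap between `naive` and `cap` in each scenario is the number of drained bytes, which is why the over-read only triggered when the head chunk was offset by "just the wrong amount".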

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered
in 0.2.3.9-alpha.

https://www.torproject.org/download

Changes in version 0.2.3.10-alpha - 2011-12-16

Major bugfixes:

  • Fix a heap overflow bug that could occur when trying to pull
    data into the first chunk of a buffer, when that chunk had
    already had some data drained from it. Fixes CVE-2011-2778;
    bugfix on 0.2.0.16-alpha. Reported by "Vektor".

Minor bugfixes:

  • If we can't attach streams to a rendezvous circuit when we
    finish connecting to a hidden service, clear the rendezvous
    circuit's stream-isolation state and try to attach streams
    again. Previously, we cleared rendezvous circuits' isolation
    state either too early (if they were freshly built) or not at all
    (if they had been built earlier and were cannibalized). Bugfix on
    0.2.3.3-alpha; fixes bug 4655.
  • Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
    0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
  • Fix an assertion failure when a relay with accounting enabled
    starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.

Minor features:

  • Update to the December 6 2011 Maxmind GeoLite Country database.

Tor 0.2.2.34 is released (security patches)

Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
can deanonymize Tor users. Everybody should upgrade.

The attack relies on four components:

  1) Clients reuse their TLS cert when talking to different relays, so relays can recognize a user by the identity key in her cert.
  2) An attacker who knows the client's identity key can probe each guard relay to see if that identity key is connected to that guard relay right now.
  3) A variety of active attacks in the literature (starting from "Low-Cost Traffic Analysis of Tor" by Murdoch and Danezis in 2005) allow a malicious website to discover the guard relays that a Tor user visiting the website is using.
  4) Clients typically pick three guards at random, so the set of guards for a given user could well be a unique fingerprint for her.

This release fixes components #1 and #2, which is enough to block the attack; the other two remain as open research problems.

Special thanks to "frosty_un" for reporting the issue to us! (As far as we know, this has nothing to do with any claimed attack currently getting attention in the media.)

Clients should upgrade so they are no longer recognizable by the TLS certs they present. Relays should upgrade so they no longer allow a remote attacker to probe them to test whether unpatched clients are currently connected to them.

This release also fixes several vulnerabilities that allow an attacker to enumerate bridge relays. Some bridge enumeration attacks still remain; see for example proposal 188.

https://torproject.org/download/download-easy

Changes in version 0.2.2.34 - 2011-10-26

Privacy/anonymity fixes (clients):

  • Clients and bridges no longer send TLS certificate chains on outgoing OR
    connections. Previously, each client or bridge would use the same cert chain
    for all outgoing OR connections until its IP address changes, which allowed any
    relay that the client or bridge contacted to determine which entry guards it is
    using. Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
  • If a relay receives a CREATE_FAST cell on a TLS connection, it no longer
    considers that connection as suitable for satisfying a circuit EXTEND request.
    Now relays can protect clients from the CVE-2011-2768 issue even if the clients
    haven't upgraded yet.
  • Directory authorities no longer assign the Guard flag to relays that
    haven't upgraded to the above "refuse EXTEND requests to client connections"
    fix. Now directory authorities can protect clients from the CVE-2011-2768 issue
    even if neither the clients nor the relays have upgraded yet. There's a new
    "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option to let us
    transition smoothly, else tomorrow there would be no guard relays.

Privacy/anonymity fixes (bridge enumeration):

  • Bridge relays now do their directory fetches inside Tor TLS connections,
    like all the other clients do, rather than connecting directly to the DirPort
    like public relays do. Removes another avenue for enumerating bridges. Fixes
    bug 4115; bugfix on 0.2.0.35.
  • Bridge relays now build circuits for themselves in a more similar way to
    how clients build them. Removes another avenue for enumerating bridges. Fixes
    bug 4124; bugfix on 0.2.0.3-alpha, when bridges were introduced.
  • Bridges now refuse CREATE or CREATE_FAST cells on OR connections that they
    initiated. Relays could distinguish incoming bridge connections from client
    connections, creating another avenue for enumerating bridges. Fixes
    CVE-2011-2769. Bugfix on 0.2.0.3-alpha. Found by "frosty_un".

Major bugfixes:

  • Fix a crash bug when changing node restrictions while a DNS lookup is
    in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix by "Tey'".
  • Don't launch a useless circuit after failing to use one of a hidden
    service's introduction points. Previously, we would launch a new introduction
    circuit, but not set the hidden service which that circuit was intended to
    connect to, so it would never actually be used. A different piece of code would
    then create a new introduction circuit correctly. Bug reported by katmagic and
    found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.

Minor bugfixes:

  • Change an integer overflow check in the OpenBSD_Malloc code so that GCC is
    less likely to eliminate it as impossible. Patch from Mansour Moufid. Fixes bug
    4059.
  • When a hidden service turns an extra service-side introduction circuit into
    a general-purpose circuit, free the rend_data and intro_key fields first, so we
    won't leak memory if the circuit is cannibalized for use as another
    service-side introduction circuit. Bugfix on 0.2.1.7-alpha; fixes bug
    4251.
  • Bridges now skip DNS self-tests, to act a little more stealthily. Fixes
    bug 4201; bugfix on 0.2.0.3-alpha, which first introduced bridges. Patch by
    "warms0x".
  • Fix internal bug-checking logic that was supposed to catch failures in
    digest generation so that it will fail more robustly if we ask for a
    nonexistent algorithm. Found by Coverity Scan. Bugfix on 0.2.2.1-alpha; fixes
    Coverity CID 479.
  • Report any failure in init_keys() calls launched because our IP address has
    changed. Spotted by Coverity Scan. Bugfix on 0.1.1.4-alpha; fixes CID 484.

Minor bugfixes (log messages and documentation):

  • Remove a confusing dollar sign from the example fingerprint in the man
    page, and also make the example fingerprint a valid one. Fixes bug 4309; bugfix
    on 0.2.1.3-alpha.
  • The next version of Windows will be called Windows 8, and it has a major
    version of 6, minor version of 2. Correctly identify that version instead of
    calling it "Very recent version". Resolves ticket 4153; reported by
    funkstar.
  • Downgrade log messages about circuit timeout calibration from "notice" to
    "info": they don't require or suggest any human intervention. Patch from Tom
    Lowenthal. Fixes bug 4063; bugfix on 0.2.2.14-alpha.

Minor features:

  • Turn on directory request statistics by default and include them in
    extra-info descriptors. Don't break if we have no GeoIP database. Backported
    from 0.2.3.1-alpha; implements ticket 3951.
  • Update to the October 4 2011 Maxmind GeoLite Country database.

Tor 0.2.3.5-alpha is out

Tor 0.2.3.5-alpha fixes two bugs that make it possible to enumerate
bridge relays; fixes an assertion error that many users started hitting
today; and adds the ability to refill token buckets more often than
once per second, allowing significant performance improvements.

Security fixes:

  • Bridge relays now do their directory fetches inside Tor TLS
    connections, like all the other clients do, rather than connecting
    directly to the DirPort like public relays do. Removes another
    avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
  • Bridge relays now build circuits for themselves in a more similar
    way to how clients build them. Removes another avenue for
    enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
    when bridges were introduced.

Major bugfixes:

  • Fix an "Assertion md->held_by_node == 1 failed" error that could
    occur when the same microdescriptor was referenced by two node_t
    objects at once. Fix for bug 4118; bugfix on Tor 0.2.3.1-alpha.

Major features (networking):

  • Add a new TokenBucketRefillInterval option to refill token buckets
    more frequently than once per second. This should improve network
    performance, alleviate queueing problems, and make traffic less
    bursty. Implements proposal 183; closes ticket 3630. Design by
    Florian Tschorsch and Björn Scheuermann; implementation by
    Florian Tschorsch.

Minor bugfixes:

  • Change an integer overflow check in the OpenBSD_Malloc code so
    that GCC is less likely to eliminate it as impossible. Patch
    from Mansour Moufid. Fixes bug 4059.

Minor bugfixes (usability):

  • Downgrade log messages about circuit timeout calibration from
    "notice" to "info": they don't require or suggest any human
    intervention. Patch from Tom Lowenthal. Fixes bug 4063;
    bugfix on 0.2.2.14-alpha.

Minor features (diagnostics):

  • When the system call to create a listener socket fails, log the
    error message explaining why. This may help diagnose bug 4027.

New Tor Browser Bundles

The Tor Browser Bundles have been updated again, this time with Firefox 6.0.2, Torbutton 1.4.2, and more privacy-enhancing patches. Windows users: if you had problems running the last bundles, please try this. We believe the problem is fixed, but let us know if it's not.

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.2.32-3)

  • Update Firefox to 6.0.2
  • New Firefox patches:
    • Improve cache APIs to enable better isolation (closes: #3666)
    • Provide auth headers to on-modify-request (closes: #3907)
    • Randomize HTTP pipelining as an experimental website traffic fingerprinting defense (closes: #3914)
    • Enable HTTP pipelining in TBB prefs.js (closes: #3913)
  • Update Torbutton to 1.4.2
    • bug 3879: Fix broken framed sites (yopmail, gmane, gmaps, etc)
    • bug 3337: Fetch check.tp.o page to check versions (TBB only)
    • Bug 3754: Fix SafeCache OCSP errors (fix for TBB only)
  • Update NoScript to 2.1.2.7

Windows fixes

  • Add missing C runtime libraries so WinXP users can use TBB again. Fix found by velope.

Linux fixes

  • Update libpng to 1.4.8 (closes: #3906)
  • Make the TBB launch script work when using a relative symlink (closes: #2525)

New Tor Browser Bundles

We have updated the stable Tor Browser Bundles to Firefox 6.

There are no longer any stable Tor Browser Bundles with the 3.6.x series of Firefox. We were using pre-built binaries on some platforms and owing to the recent DigiNotar debacle, we no longer felt comfortable shipping versions of Firefox that we were unable to patch. We build all Firefox 6 binaries from source, with our own set of patches, including some specific to the DigiNotar issue.

We'd originally planned to drop support for Firefox 3.6 bundles on September 10th, but this moved up the date a bit. The new Tor Browser Bundles are much more feature-rich than the previous bundles, but users may still experience unexpected behavior. Please report all bugs to https://trac.torproject.org/.

Windows users will see the biggest difference between the old stable bundle and the new stable bundle. In addition to upgrading Firefox, it includes the latest stable release of Tor 0.2.2.32, Vidalia 0.2.14 and Torbutton 1.4.1. These three upgrades together allow you to run the Tor Browser Bundle at the same time as a system Tor, or even multiple copies of the Tor Browser Bundle in different directories, by dynamically choosing available ports.

https://www.torproject.org/download

Tor Browser Bundle (2.2.32-2)
