security fixes

The stable and beta Tor Browser Bundles have been updated with Firefox 17.0.9esr. This release of Firefox has many important security updates and all users are strongly encouraged to upgrade.

The beta version includes an updated HTTPS Everywhere which fixes the problems many users were having with the google.com OCSP meltdown.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-13)

• Update Firefox to 17.0.9esr
  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
• Update HTTPS Everywhere to 3.4.1
• Update NoScript to 2.6.7.1
• Remove extraneous libevent libraries (closes: #9727)
• Enable GCC hardening for Tor
• Firefox patch changes:
• - Disable filtered results in Startpage omnibox (closes: #8839)

Tor Browser Bundle (2.4.17-beta-2)

• Update Firefox to 17.0.9esr
  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
• Update LibPNG to 1.6.3
• Update HTTPS Everywhere to 4.0development.12
• Update NoScript to 2.6.7.1
• Remove extraneous libevent libraries (closes: #9727)
• Enable GCC hardening for Tor
• Firefox patch changes:
• - Disable filtered results in Startpage omnibox (closes: #8839)
• Add missing geoip file to Linux bundle

(entry missing from regular changelog)

New Bundles (security release)

All of the available bundles of Tor have been updated for the latest stable Tor 0.2.2.39 release and the 0.2.3.22-rc release. These releases fix a remote crash bug found in Tor and all users and relays are STRONGLY encouraged to update immediately.

https://www.torproject.org/download

Further notes about Tor Browser Bundle updates:

The random port selection has been temporarily disabled in the Linux and Mac OS X alpha bundles. Most of you probably didn't notice any random port selection happpening at all, but if you encounter a problem running a system Tor and your Tor Browser Bundle at the same time, you can switch to the stable bundles for now. The next update should have a fix that allows us to re-enable automatic port selection.

Tor Browser Bundle (2.2.39-1)

• Update Tor to 0.2.2.39
• Update NoScript to 2.5.4

Tor Browser Bundle (2.3.22-alpha-1)

• Update Tor to 0.2.3.22-rc
• Temporarily use fixed Control and SOCKS ports as a workaround for #6803

The Tor Browser Bundles have been updated with a very important security fix. As explained in the previous blog post, a user discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This is now fixed and we strongly encourage all users to update. There are a few other bugfixes in this release, including really fixing (for real this time!) the problem with the Mac OS X bundles crashing.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-11)

• Security release to stop TorBrowser from bypassing SOCKS proxy DNS configuration
• New Firefox patches:
• Prevent WebSocket DNS leak (closes: #5741)
• Fix a race condition that could be used to link browsing sessions together when using new identity from Tor Browser (closes: #5715)
• Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
• Fix the mozconfig options for OS X so that it really builds everything with clang instead of llvm-gcc (closes: #5740)

The Tor Browser Bundles have been updated to Tor 0.2.2.35 which has a fix for a security critical bug. Please see the release announcement for further details. All users should update immediately.

This Tor Browser Bundle release also contains new Firefox patches which improve privacy and unlinkability.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-1)

• Update Tor to 0.2.2.35
• Update NoScript to 2.2.3
• Update Torbutton to 1.4.5
• New Firefox patches
• Disable SSL Session ID tracking
• Provide an observer event to close persistent connections

Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

Tor 0.2.2.35 also fixes several bugs in previous versions, including
crash bugs for unusual configurations, and a long-term bug that
would prevent Tor from starting on Windows machines with draconian
AV software.

With this release, we remind everyone that 0.2.0.x has reached its
formal end-of-life. Those Tor versions have many known flaws, and
nobody should be using them. You should upgrade -- ideally to the
0.2.2.x series. If you're using a Linux or BSD and its packages are
obsolete, stop using those packages and upgrade anyway.

The Tor 0.2.1.x series is also approaching its end-of-life: it will no
longer receive support after some time in early 2012.

https://www.torproject.org/download

Changes in version 0.2.2.35 - 2011-12-16

Major bugfixes:

• Fix a heap overflow bug that could occur when trying to pull
  data into the first chunk of a buffer, when that chunk had
  already had some data drained from it. Fixes CVE-2011-2778;
  bugfix on 0.2.0.16-alpha. Reported by "Vektor".
• Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
  that it doesn't attempt to allocate a socketpair. This could cause
  some problems on Windows systems with overzealous firewalls. Fix for
  bug 4457; workaround for Libevent versions 2.0.1-alpha through
  2.0.15-stable.
• If we mark an OR connection for close based on a cell we process,
  don't process any further cells on it. We already avoid further
  reads on marked-for-close connections, but now we also discard the
  cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
  which was the first version where we might mark a connection for
  close based on processing a cell on it.
• Correctly sanity-check that we don't underflow on a memory
  allocation (and then assert) for hidden service introduction
  point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
  bugfix on 0.2.1.5-alpha.
• Fix a memory leak when we check whether a hidden service
  descriptor has any usable introduction points left. Fixes bug
  4424. Bugfix on 0.2.2.25-alpha.
• Don't crash when we're running as a relay and don't have a GeoIP
  file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix
  we've had in the 0.2.3.x branch already.
• When running as a client, do not print a misleading (and plain
  wrong) log message that we're collecting "directory request"
  statistics: clients don't collect statistics. Also don't create a
  useless (because empty) stats file in the stats/ directory. Fixes
  bug 4353; bugfix on 0.2.2.34.

Minor bugfixes:

• Detect failure to initialize Libevent. This fix provides better
  detection for future instances of bug 4457.
• Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
  function. This was eating up hideously large amounts of time on some
  busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
• Resolve an integer overflow bug in smartlist_ensure_capacity().
  Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
  Mansour Moufid.
• Don't warn about unused log_mutex in log.c when building with
  --disable-threads using a recent GCC. Fixes bug 4437; bugfix on
  0.1.0.6-rc which introduced --disable-threads.
• When configuring, starting, or stopping an NT service, stop
  immediately after the service configuration attempt has succeeded
  or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
• When sending a NETINFO cell, include the original address
  received for the other side, not its canonical address. Found
  by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
• Fix a typo in a hibernation-related log message. Fixes bug 4331;
  bugfix on 0.2.2.23-alpha; found by "tmpname0901".
• Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
  occurred when a client tried to fetch a descriptor for a bridge
  in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
• Backport fixes for a pair of compilation warnings on Windows.
  Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
• If we had ever tried to call tor_addr_to_str on an address of
  unknown type, we would have done a strdup on an uninitialized
  buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
  Reported by "troll_un".
• Correctly detect and handle transient lookup failures from
  tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha.
  Reported by "troll_un".
• Fix null-pointer access that could occur if TLS allocation failed.
  Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
• Use tor_socket_t type for listener argument to accept(). Fixes bug
  4535; bugfix on 0.2.2.28-beta. Found by "troll_un".

Minor features:

• Add two new config options for directory authorities:
  AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
  Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
  that is always sufficient to satisfy the bandwidth requirement for
  the Guard flag. Now it will be easier for researchers to simulate
  Tor networks with different values. Resolves ticket 4484.
• When Tor ignores a hidden service specified in its configuration,
  include the hidden service's directory in the warning message.
  Previously, we would only tell the user that some hidden service
  was ignored. Bugfix on 0.0.6; fixes bug 4426.
• Update to the December 6 2011 Maxmind GeoLite Country database.

Packaging changes:

• Make it easier to automate expert package builds on Windows,
  by removing an absolute path from makensis.exe command.

Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered
in 0.2.3.9-alpha.

https://www.torproject.org/download

Changes in version 0.2.3.10-alpha - 2011-12-16

Major bugfixes

• Fix a heap overflow bug that could occur when trying to pull
  data into the first chunk of a buffer, when that chunk had
  already had some data drained from it. Fixes CVE-2011-2778;
  bugfix on 0.2.0.16-alpha. Reported by "Vektor".

Minor bugfixes

• If we can't attach streams to a rendezvous circuit when we
  finish connecting to a hidden service, clear the rendezvous
  circuit's stream-isolation state and try to attach streams
  again. Previously, we cleared rendezvous circuits' isolation
  state either too early (if they were freshly built) or not at all
  (if they had been built earlier and were cannibalized). Bugfix on
  0.2.3.3-alpha; fixes bug 4655.
• Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
  0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
• Fix an assertion failure when a relay with accounting enabled
  starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.

Minor features

• Update to the December 6 2011 Maxmind GeoLite Country database.

Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
can deanonymize Tor users. Everybody should upgrade.

The attack relies on four components:

• 1) Clients reuse their TLS cert when talking to different relays, so relays can recognize a user by the identity key in her cert.
• 2) An attacker who knows the client's identity key can probe each guard relay to see if that identity key is connected to that guard relay right now.
• 3) A variety of active attacks in the literature (starting from "Low-Cost Traffic Analysis of Tor" by Murdoch and Danezis in 2005) allow a malicious website to discover the guard relays that a Tor user visiting the website is using.
• 4) Clients typically pick three guards at random, so the set of guards for a given user could well be a unique fingerprint for her. This release fixes components #1 and #2, which is enough to block the attack; the other two remain as open research problems.

Special thanks to "frosty_un" for reporting the issue to us! (As far as we know, this has nothing to do with any claimed attack currently getting attention in the media.)

Clients should upgrade so they are no longer recognizable by the TLS certs they present. Relays should upgrade so they no longer allow a remote attacker to probe them to test whether unpatched clients are currently connected to them.

This release also fixes several vulnerabilities that allow an attacker to enumerate bridge relays. Some bridge enumeration attacks still remain; see for example proposal 188.

https://torproject.org/download/download-easy

Changes in version 0.2.2.34 - 2011-10-26

Privacy/anonymity fixes (clients):

• Clients and bridges no longer send TLS certificate chains on outgoing OR
  connections. Previously, each client or bridge would use the same cert chain
  for all outgoing OR connections until its IP address changes, which allowed any
  relay that the client or bridge contacted to determine which entry guards it is
  using. Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
• If a relay receives a CREATE_FAST cell on a TLS connection, it no longer
  considers that connection as suitable for satisfying a circuit EXTEND request.
  Now relays can protect clients from the CVE-2011-2768 issue even if the clients
  haven't upgraded yet.
• Directory authorities no longer assign the Guard flag to relays that
  haven't upgraded to the above "refuse EXTEND requests to client connections"
  fix. Now directory authorities can protect clients from the CVE-2011-2768 issue
  even if neither the clients nor the relays have upgraded yet. There's a new
  "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option to let us
  transition smoothly, else tomorrow there would be no guard relays.

Privacy/anonymity fixes (bridge enumeration):

• Bridge relays now do their directory fetches inside Tor TLS connections,
  like all the other clients do, rather than connecting directly to the DirPort
  like public relays do. Removes another avenue for enumerating bridges. Fixes
  bug 4115; bugfix on 0.2.0.35.
• Bridges relays now build circuits for themselves in a more similar way to
  how clients build them. Removes another avenue for enumerating bridges. Fixes
  bug 4124; bugfix on 0.2.0.3-alpha, when bridges were introduced.
• Bridges now refuse CREATE or CREATE_FAST cells on OR connections that they
  initiated. Relays could distinguish incoming bridge connections from client
  connections, creating another avenue for enumerating bridges. Fixes
  CVE-2011-2769. Bugfix on 0.2.0.3-alpha. Found by "frosty_un".

Major bugfixes:

• Fix a crash bug when changing node restrictions while a DNS lookup is
  in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix by "Tey'".
• Don't launch a useless circuit after failing to use one of a hidden
  service's introduction points. Previously, we would launch a new introduction
  circuit, but not set the hidden service which that circuit was intended to
  connect to, so it would never actually be used. A different piece of code would
  then create a new introduction circuit correctly. Bug reported by katmagic and
  found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.

Minor bugfixes:

• Change an integer overflow check in the OpenBSD_Malloc code so that GCC is
  less likely to eliminate it as impossible. Patch from Mansour Moufid. Fixes bug
  4059.
• When a hidden service turns an extra service-side introduction circuit into
  a general-purpose circuit, free the rend_data and intro_key fields first, so we
  won't leak memory if the circuit is cannibalized for use as another
  service-side introduction circuit. Bugfix on 0.2.1.7-alpha; fixes bug
  4251.
• Bridges now skip DNS self-tests, to act a little more stealthily. Fixes
  bug 4201; bugfix on 0.2.0.3-alpha, which first introduced bridges. Patch by
  "warms0x".
• Fix internal bug-checking logic that was supposed to catch failures in
  digest generation so that it will fail more robustly if we ask for a
  nonexistent algorithm. Found by Coverity Scan. Bugfix on 0.2.2.1-alpha; fixes
  Coverity CID 479.
• Report any failure in init_keys() calls launched because our IP address has
  changed. Spotted by Coverity Scan. Bugfix on 0.1.1.4-alpha; fixes CID 484.

Minor bugfixes (log messages and documentation):

• Remove a confusing dollar sign from the example fingerprint in the man
  page, and also make the example fingerprint a valid one. Fixes bug 4309; bugfix
  on 0.2.1.3-alpha.
• The next version of Windows will be called Windows 8, and it has a major
  version of 6, minor version of 2. Correctly identify that version instead of
  calling it "Very recent version". Resolves ticket 4153; reported by
  funkstar.
• Downgrade log messages about circuit timeout calibration from "notice" to
  "info": they don't require or suggest any human intervention. Patch from Tom
  Lowenthal. Fixes bug 4063; bugfix on 0.2.2.14-alpha.

Minor features:

• Turn on directory request statistics by default and include them in
  extra-info descriptors. Don't break if we have no GeoIP database. Backported
  from 0.2.3.1-alpha; implements ticket 3951.
• Update to the October 4 2011 Maxmind GeoLite Country database.

Tor 0.2.3.5-alpha fixes two bugs that make it possible to enumerate
bridge relays; fixes an assertion error that many users started hitting
today; and adds the ability to refill token buckets more often than
once per second, allowing significant performance improvements.

Security fixes:

• Bridge relays now do their directory fetches inside Tor TLS
  connections, like all the other clients do, rather than connecting
  directly to the DirPort like public relays do. Removes another
  avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
• Bridges relays now build circuits for themselves in a more similar
  way to how clients build them. Removes another avenue for
  enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
  when bridges were introduced.

Major bugfixes:

• Fix an "Assertion md->held_by_node == 1 failed" error that could
  occur when the same microdescriptor was referenced by two node_t
  objects at once. Fix for bug 4118; bugfix on Tor 0.2.3.1-alpha.

Major features (networking):

• Add a new TokenBucketRefillInterval option to refill token buckets
  more frequently than once per second. This should improve network
  performance, alleviate queueing problems, and make traffic less
  bursty. Implements proposal 183; closes ticket 3630. Design by
  Florian Tschorsch and Björn Scheuermann; implementation by
  Florian Tschorsch.

Minor bugfixes:

• Change an integer overflow check in the OpenBSD_Malloc code so
  that GCC is less likely to eliminate it as impossible. Patch
  from Mansour Moufid. Fixes bug 4059.

Minor bugfixes (usability):

• Downgrade log messages about circuit timeout calibration from
  "notice" to "info": they don't require or suggest any human
  intervention. Patch from Tom Lowenthal. Fixes bug 4063;
  bugfix on 0.2.2.14-alpha.

Minor features (diagnostics):

• When the system call to create a listener socket fails, log the
  error message explaining why. This may help diagnose bug 4027.

The Tor Browser Bundles have been updated again, this time with Firefox 6.0.2, Torbutton 1.4.2, and more privacy-enhancing patches. Windows users: if you had problems running the last bundles, please try this. We believe the problem is fixed, but let us know if it's not.

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.2.32-3)

• Update Firefox to 6.0.2
• New Firefox patches:
• Improve cache APIs to enable better isolation (closes: #3666)
• Provide auth headers to on-modify-request (closes: #3907)
• Randomize HTTP pipelining as an experimental website traffic fingerprinting defense (closes: #3914)
• Enable HTTP pipelining in TBB prefs.js (closes: #3913)
• Update Torbutton to 1.4.2
• bug 3879: Fix broken framed sites (yopmail, gmane, gmaps, etc)
• bug 3337: Fetch check.tp.o page to check versions (TBB only)
• Bug 3754: Fix SafeCache OCSP errors (fix for TBB only)
• Update NoScript to 2.1.2.7

Windows fixes

• Add missing C runtime libraries so WinXP users can use TBB again. Fix found by velope.

Linux fixes

• Update libpng to 1.4.8 (closes: #3906)
• Make the TBB launch script work when using a relative symlink (closes: #2525)

We have updated the stable Tor Browser Bundles to Firefox 6.

There are no longer any stable Tor Browser Bundles with the 3.6.x series of Firefox. We were using pre-built binaries on some platforms and owing to the recent DigiNotar debacle, we no longer felt comfortable shipping versions of Firefox that we were unable to patch. We build all Firefox 6 binaries from source, with our own set of patches, including some specific to the DigiNotar issue.

We'd originally planned to drop support for Firefox 3.6 bundles on September 10th, but this moved up the date a bit. The new Tor Browser Bundles are much more feature-rich than the previous bundles, but users may still experience unexpected behavior. Please report all bugs to https://trac.torproject.org/.

Windows users will see the biggest difference between the old stable bundle and the new stable bundle. In addition to upgrading Firefox, it includes the latest stable release of Tor 0.2.2.32,Vidalia 0.2.14 and Torbutton 1.4.1. These three upgrades together allow you to run the Tor Browser Bundle at the same time as a system Tor, or even multiple copies of the Tor Browser Bundle in different directories, by dynamically choosing available ports.

https://www.torproject.org/download

Tor Browser Bundle (2.2.32-2)

• Update Firefox to 6.0.1, with an additional patch to exclude DigiNotar completely
  • https://gitweb.torproject.org/torbrowser.git/commit/0be3b043afa0e54d207f...

  For the full saga, read:

  • http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certif...
  • http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man...
• OS X specific: Rebuild 32-bit binaries with backwards compatibility options so TBB works on OSX 10.5 (closes: #3671)
• Update Libevent to 2.0.14-stable
• Update torbrowser.version string in prefs.js to have more information (see #3504)
• Enable internationalized bundles by adding and changing the
  general.useragent.locale pref in prefs.js