Hello again! This post announces the third alpha in the 0.3.1.x series, which I just released today. There were stable releases too; I'll go over them in the next post.
Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-004 and TROVE-2017-005.
Tor 0.3.1.3-alpha also includes fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below.
Since this is an alpha release, you can expect more bugs than usual. If you'd rather have a more stable experience, stick to the stable releases.
If you build Tor from source, you can find Tor 0.3.1.2-alpha at the usual place (at the Download page on our website). Otherwise, you'll probably want to wait until packages are available.
Changes in version 0.3.1.3-alpha - 2017-06-08
- Major bugfixes (hidden service, relay, security):
  - Fix a remotely triggerable assertion failure when a hidden service handles a malformed BEGIN cell. Fixes bug 22493, tracked as TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
  - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha.
- Major bugfixes (relay, link handshake):
  - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha.