tor

Tor 0.2.1.30 is released

Tor 0.2.1.30 fixes a variety of less critical bugs. The other main change is a slight tweak to Tor's TLS handshake that makes relays and bridges that run this new version reachable from Iran again. We don't expect this tweak will win the arms race long-term, but it buys us time until we roll out a better solution.

https://www.torproject.org/download/download

Major bugfixes:

  • Stop sending a CLOCK_SKEW controller status event whenever
    we fetch directory information from a relay that has a wrong clock.
    Instead, only inform the controller when it's a trusted authority
    that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
    the rest of bug 1074.
  • Fix a bounds-checking error that could allow an attacker to
    remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
    Found by "piebeer".
  • If relays set RelayBandwidthBurst but not RelayBandwidthRate,
    Tor would ignore their RelayBandwidthBurst setting,
    potentially using more bandwidth than expected. Bugfix on
    0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
  • Ignore and warn if the user mistakenly sets "PublishServerDescriptor
    hidserv" in her torrc. The 'hidserv' argument never controlled
    publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.

Minor features:

  • Adjust our TLS Diffie-Hellman parameters to match those used by
    Apache's mod_ssl.
  • Update to the February 1 2011 Maxmind GeoLite Country database.

Minor bugfixes:

  • Check for and reject overly long directory certificates and
    directory tokens before they have a chance to hit any assertions.
    Bugfix on 0.2.1.28. Found by "doorss".
  • Bring the logic that gathers routerinfos and assesses the
    acceptability of circuits into line. This prevents a Tor OP from
    getting locked in a cycle of choosing its local OR as an exit for a
    path (due to a .exit request) and then rejecting the circuit because
    its OR is not listed yet. It also prevents Tor clients from using an
    OR running in the same instance as an exit (due to a .exit request)
    if the OR does not meet the same requirements expected of an OR
    running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.

Packaging changes:

  • Stop shipping the Tor specs files and development proposal documents
    in the tarball. They are now in a separate git repository at
    git://git.torproject.org/torspec.git
  • Do not include Git version tags as though they are SVN tags when
    generating a tarball from inside a repository that has switched
    between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.

Tor 0.2.2.22-alpha is out

https://www.torproject.org/download/download

Changes in version 0.2.2.22-alpha - 2011-01-25
Major bugfixes:

  • Fix a bounds-checking error that could allow an attacker to
    remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
    Found by "piebeer".
  • Don't assert when changing from bridge to relay or vice versa
    via the controller. The assert happened because we didn't properly
    initialize our keys in this case. Bugfix on 0.2.2.18-alpha; fixes
    bug 2433. Reported by bastik.

Minor features:

  • Adjust our TLS Diffie-Hellman parameters to match those used by
    Apache's mod_ssl.
  • Provide a log message stating which geoip file we're parsing
    instead of just stating that we're parsing the geoip file.
    Implements ticket 2432.

Minor bugfixes:

  • Check for and reject overly long directory certificates and
    directory tokens before they have a chance to hit any assertions.
    Bugfix on 0.2.1.28 / 0.2.2.20-alpha. Found by "doorss".

Tor Open Hackfest: February 19, 2011

We're holding a Tor hackfest on Saturday, February 19th. The bulk of the Tor developers are in town and coming to this event, unlike last time, when snow kept 75% of them outside the US.

We'll be meeting starting at 10 AM in the new Media Lab building (E14), thanks to the Center for Future Civic Media at MIT. We're hoping to provide pizza and drinks for lunch. Last time we had some fine Indian food for dinner.

Map: http://whereis.mit.edu/?go=E14

Please attend if you have some interest in programming, advocacy, marketing, or research with Tor, or are willing to be persuaded to entertain an interest. :) Tor's a small project (in terms of number of developers) that could really use your help.
Hope to see you on Saturday!

Tor 0.2.2.21-alpha is out (security patches)

Note to 64-bit Linux Tor Browser Bundle users: The previous bundles contained Tor 0.2.2.20-alpha. Please upgrade to 1.1.3-1 (sig).

Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which
continues our recent code security audit work. The main fix resolves
a remote heap overflow vulnerability that can allow remote code
execution (CVE-2011-0427). Other fixes address a variety of assert
and crash bugs, most of which we think are hard to exploit remotely.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.2.21-alpha - 2011-01-15
Major bugfixes (security), also included in 0.2.1.29:

Lots of new Tor packages

A new Tor stable (0.2.1.29) (sig) and Tor alpha (0.2.2.21-alpha) (sig) have been released and all users are strongly encouraged to upgrade.

The following packages have been released:

  • Windows expert packages (stable & alpha)
  • Vidalia bundles (stable & alpha for Windows, and OS X ppc & x86)
  • Tor Browser Bundles for Windows, Linux, and OS X (see below for other updates)
  • RPM packages (stable & alpha)
  • Debian and Ubuntu packages (stable & alpha)

You can download all of these from our download page or package repositories.

If you encounter any problems, please file a bug on our bug tracker.

Tor Browser Bundles

Windows Bundles
1.3.17: Released 2011-01-16

  • Update Tor to 0.2.1.29

Linux Bundles
1.1.3: Released 2011-01-16

  • Update Tor to 0.2.2.21-alpha
  • Update NoScript to 2.0.9.3

OS X Bundles
1.0.10: Released 2011-01-16

  • Update Tor to 0.2.2.21-alpha
  • Update NoScript to 2.0.9.3

Tor 0.2.1.29 is released (security patches)

Tor 0.2.1.29 continues our recent code security audit work. The main
fix resolves a remote heap overflow vulnerability that can allow remote
code execution. Other fixes address a variety of assert and crash bugs,
most of which we think are hard to exploit remotely.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.1.29 - 2011-01-15
Major bugfixes (security):

  • Fix a heap overflow bug where an adversary could cause heap
    corruption. This bug probably allows remote code execution
    attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
    0.1.2.10-rc.
  • Prevent a denial-of-service attack by disallowing any
    zlib-compressed data whose compression factor is implausibly
    high. Fixes part of bug 2324; reported by "doorss".
  • Zero out a few more keys in memory before freeing them. Fixes
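
The compression-factor check from the zlib item above, sketched in Python as an added example. It is not Tor's code: the 25x limit, the 64 KB floor and every function name are assumptions chosen for illustration, and both sample inputs are constructed.

```python
import hashlib
import zlib

# Assumed limits for this illustration; they are not Tor's actual constants.
MAX_RATIO = 25               # highest output/input factor accepted
MIN_CHECK_SIZE = 64 * 1024   # do not judge the ratio on small outputs
STEP = 8192                  # bytes of output produced per inflate call


class ImplausibleCompression(ValueError):
    """Raised when the stream expands far more than real data would."""


def bounded_inflate(data, max_ratio=MAX_RATIO, min_check=MIN_CHECK_SIZE):
    """Inflate zlib data incrementally, aborting once the factor is implausible."""
    inflater = zlib.decompressobj()
    out = bytearray()
    consumed = 0
    for off in range(0, len(data), 4096):
        pending = data[off:off + 4096]
        consumed += len(pending)
        while pending:
            # max_length caps each call, so memory grows in small steps and
            # the check runs before a bomb can be expanded in full.
            out += inflater.decompress(pending, STEP)
            pending = inflater.unconsumed_tail
            if len(out) > min_check and len(out) > max_ratio * consumed:
                raise ImplausibleCompression(
                    f"{len(out)} bytes out for {consumed} bytes in")
    out += inflater.flush()
    return bytes(out)


def constructed_samples():
    """Return (plausible, bomb) inputs built here for the demonstration."""
    text = b"".join(hashlib.sha256(bytes([i % 256, i // 256])).hexdigest().encode()
                    for i in range(4000))           # 256,000 bytes of hex text
    return zlib.compress(text), zlib.compress(b"\0" * 10_000_000)


def is_rejected(blob):
    """True when bounded_inflate refuses the blob as implausibly compressed."""
    try:
        bounded_inflate(blob)
    except ImplausibleCompression:
        return True
    return False
```

The floor keeps short, highly repetitive but legitimate inputs from being rejected, while the 10 MB run of zero bytes is refused after roughly 100 KB of output instead of being expanded in full.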

New PPC packages available

The OS X PPC packages have been updated! They are now available in stable (0.2.1.28) (sig) and alpha (0.2.2.20-alpha) (sig) versions, both with the latest Vidalia (0.2.10). As usual, if you experience any problems, please report a bug.

Tor 0.2.2.19-alpha is out

Yet another OpenSSL security patch broke its compatibility with Tor:
Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0b.

https://www.torproject.org/download/download

The original announcement is at http://archives.seul.org/or/talk/Nov-2010/msg00172.html

Changes in version 0.2.2.19-alpha - 2010-11-21
Major bugfixes:

  • Resolve an incompatibility with openssl 0.9.8p and openssl 1.0.0b:
    No longer set the tlsext_host_name extension on server SSL objects;
    but continue to set it on client SSL objects. Our goal in setting
    it was to imitate a browser, not a vhosting server. Fixes bug 2204;
    bugfix on 0.2.1.1-alpha.

Minor bugfixes:

  • Try harder not to exceed the maximum length of 50 KB when writing

Boston Tor Hackers: Join us Sunday September 19th

We're holding a Tor hackfest this Sunday, the 19th. Tor's Chief Architect, Nick Mathewson, will be explaining Tor's goals and what the project has been up to lately, and then we'll pick a few day-sized projects to work on together with his help.

We'll be meeting at 2pm in the new Media Lab building (E14), room 240, thanks to the Center for Future Civic Media at MIT. Since the building is closed on Sundays, please e-mail chris-torfest@printf.net before Sunday to get a phone number to use to be let in. We're hoping to provide pizza and drinks, and we'll finish up and move to Grendel's Den around 9pm.

Map: http://whereis.mit.edu/?go=E14

Please attend if you have some programming experience and are interested in Tor, or are willing to be persuaded to entertain an interest. :) Tor's a small project (in terms of number of developers) that could really use your help.

Please RSVP if you can make it. Hope to see you on Sunday!

Tor 0.2.2.15-alpha released

Tor 0.2.2.15-alpha fixes a big bug in hidden service availability, fixes a variety of other bugs that were preventing performance experiments from moving forward, fixes several bothersome memory leaks, and generally closes a lot of smaller bugs that have been filling up trac lately.

https://www.torproject.org/download

Changes in version 0.2.2.15-alpha - 2010-08-18
Major bugfixes:

  • Stop assigning the HSDir flag to relays that disable their
    DirPort (and thus will refuse to answer directory requests). This
    fix should dramatically improve the reachability of hidden services:
    hidden services and hidden service clients pick six HSDir relays
    to store and retrieve the hidden service descriptor, and currently
    about half of the HSDir relays will refuse to work. Bugfix on
    0.2.0.10-alpha; fixes part of bug 1693.
