tor

Tor 0.2.2.26-beta and 0.2.2.27-beta are out

Changes in version 0.2.2.27-beta - 2011-05-18
Tor 0.2.2.27-beta fixes a bridge-related stability bug in the previous
release, and also adds a few more general bugfixes.

Major bugfixes:

  • Fix a crash bug when changing bridges in a running Tor process.
    Fixes bug 3213; bugfix on 0.2.2.26-beta.

  • When the controller configures a new bridge, don't wait 10 to 60
    seconds before trying to fetch its descriptor. Bugfix on
    0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).

    Minor bugfixes:

  • Require that onion keys have exponent 65537 in microdescriptors too.
    Fixes more of bug 3207; bugfix on 0.2.2.26-beta.

  • Tor used to limit HttpProxyAuthenticator values to 48 characters.
    Changed the limit to 512 characters by removing base64 newlines.
    Fixes bug 2752. Fix by Michael Yakubovich.

  • When a client starts or stops using bridges, never use a circuit
    that was built before the configuration change. This behavior could
    put at risk a user who uses bridges to ensure that her traffic
    only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
    bug 3200.

    Changes in version 0.2.2.26-beta - 2011-05-17
    Tor 0.2.2.26-beta fixes a variety of potential privacy problems. It
    also introduces a new "socksport auto" approach that should make it
    easier to run multiple Tors on the same system, and does a lot of
    cleanup to get us closer to a release candidate.

    Security/privacy fixes:

    • Replace all potentially sensitive memory comparison operations
      with versions whose runtime does not depend on the data being
      compared. This will help resist a class of attacks where an
      adversary can use variations in timing information to learn
      sensitive data. Fix for one case of bug 3122. (Safe memcmp
      implementation by Robert Ransom based partially on code by DJB.)
    • When receiving a hidden service descriptor, check that it is for
      the hidden service we wanted. Previously, Tor would store any
      hidden service descriptors that a directory gave it, whether it
      wanted them or not. This wouldn't have let an attacker impersonate
      a hidden service, but it did let directories pre-seed a client
      with descriptors that it didn't want. Bugfix on 0.0.6.
    • On SIGHUP, do not clear out all TrackHostExits mappings, client
      DNS cache entries, and virtual address mappings: that's what
      NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.

    Major features:

    • The options SocksPort, ControlPort, and so on now all accept a
      value "auto" that opens a socket on an OS-selected port. A
      new ControlPortWriteToFile option tells Tor to write its
      actual control port or ports to a chosen file. If the option
      ControlPortFileGroupReadable is set, the file is created as
      group-readable. Now users can run two Tor clients on the same
      system without needing to manually mess with parameters. Resolves
      part of ticket 3076.
    • Set SO_REUSEADDR on all sockets, not just listeners. This should
      help busy exit nodes avoid running out of useable ports just
      because all the ports have been used in the near past. Resolves
      issue 2850.

    Minor features:

    • New "GETINFO net/listeners/(type)" controller command to return
      a list of addresses and ports that are bound for listeners for a
      given connection type. This is useful when the user has configured
      "SocksPort auto" and the controller needs to know which port got
      chosen. Resolves another part of ticket 3076.
    • Add a new ControlSocketsGroupWritable configuration option: when
      it is turned on, ControlSockets are group-writeable by the default
      group of the current user. Patch by Jérémy Bobbio; implements
      ticket 2972.
    • Tor now refuses to create a ControlSocket in a directory that is
      world-readable (or group-readable if ControlSocketsGroupWritable
      is 0). This is necessary because some operating systems do not
      enforce permissions on an AF_UNIX sockets. Permissions on the
      directory holding the socket, however, seems to work everywhere.
    • Rate-limit a warning about failures to download v2 networkstatus
      documents. Resolves part of bug 1352.
    • Backport code from 0.2.3.x that allows directory authorities to
      clean their microdescriptor caches. Needed to resolve bug 2230.
    • When an HTTPS proxy reports "403 Forbidden", we now explain
      what it means rather than calling it an unexpected status code.
      Closes bug 2503. Patch from Michael Yakubovich.
    • Update to the May 1 2011 Maxmind GeoLite Country database.

    Minor bugfixes:

    • Authorities now clean their microdesc cache periodically and when
      reading from disk initially, not only when adding new descriptors.
      This prevents a bug where we could lose microdescriptors. Bugfix
      on 0.2.2.6-alpha. 2230
    • Do not crash when our configuration file becomes unreadable, for
      example due to a permissions change, between when we start up
      and when a controller calls SAVECONF. Fixes bug 3135; bugfix
      on 0.0.9pre6.
    • Avoid a bug that would keep us from replacing a microdescriptor
      cache on Windows. (We would try to replace the file while still
      holding it open. That's fine on Unix, but Windows doesn't let us
      do that.) Bugfix on 0.2.2.6-alpha; bug found by wanoskarnet.
    • Add missing explanations for the authority-related torrc options
      RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey in the
      man page. Resolves issue 2379.
    • As an authority, do not upload our own vote or signature set to
      ourself. It would tell us nothing new, and as of 0.2.2.24-alpha,
      it would get flagged as a duplicate. Resolves bug 3026.
    • Accept hidden service descriptors if we think we might be a hidden
      service directory, regardless of what our consensus says. This
      helps robustness, since clients and hidden services can sometimes
      have a more up-to-date view of the network consensus than we do,
      and if they think that the directory authorities list us a HSDir,
      we might actually be one. Related to bug 2732; bugfix on
      0.2.0.10-alpha.
    • When a controller changes TrackHostExits, remove mappings for
      hosts that should no longer have their exits tracked. Bugfix on
      0.1.0.1-rc.
    • When a controller changes VirtualAddrNetwork, remove any mappings
      for hosts that were automapped to the old network. Bugfix on
      0.1.1.19-rc.
    • When a controller changes one of the AutomapHosts* options, remove
      any mappings for hosts that should no longer be automapped. Bugfix
      on 0.2.0.1-alpha.
    • Do not reset the bridge descriptor download status every time we
      re-parse our configuration or get a configuration change. Fixes
      bug 3019; bugfix on 0.2.0.3-alpha.

    Minor bugfixes (code cleanup):

    • When loading the microdesc journal, remember its current size.
      In 0.2.2, this helps prevent the microdesc journal from growing
      without limit on authorities (who are the only ones to use it in
      0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha.
      Fix posted by "cypherpunks."
    • The microdesc journal is supposed to get rebuilt only if it is
      at least _half_ the length of the store, not _twice_ the length
      of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
    • Fix a potential null-pointer dereference while computing a
      consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
      clang's analyzer.
    • Avoid a possible null-pointer dereference when rebuilding the mdesc
      cache without actually having any descriptors to cache. Bugfix on
      0.2.2.6-alpha. Issue discovered using clang's static analyzer.
    • If we fail to compute the identity digest of a v3 legacy keypair,
      warn, and don't use a buffer-full of junk instead. Bugfix on
      0.2.1.1-alpha; fixes bug 3106.
    • Resolve an untriggerable issue in smartlist_string_num_isin(),
      where if the function had ever in the future been used to check
      for the presence of a too-large number, it would have given an
      incorrect result. (Fortunately, we only used it for 16-bit
      values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
    • Require that introduction point keys and onion handshake keys
      have a public exponent of 65537. Starts to fix bug 3207; bugfix
      on 0.2.0.10-alpha.

    Removed features:

    • Caches no longer download and serve v2 networkstatus documents
      unless FetchV2Networkstatus flag is set: these documents haven't
      haven't been used by clients or relays since 0.2.0.x. Resolves
      bug 3022.
  • New Tor Browser Bundles (and other packaging updates)

    Tor 0.2.2.25-alpha is out and there are the usual packaging updates. You can go right to the download page to update.

    The alpha Vidalia bundles have also been updated with the latest Torbutton 1.3.3-alpha which has itself been updated to work with the latest Firefox 4.0.1 release and has this notable feature:

    When used with Firefox 4 or the alpha Tor Browser Bundles, it also
    features support for youtube videos in HTML5, but you must currently
    opt-in for youtube to provide you with HTML5 video as opposed to
    flash: http://www.youtube.com/html5

    Tor Browser Bundle changelogs follow.

    Firefox 3.6 Tor Browser Bundles

    Tor Browser Bundle for Windows

    1.3.24: Released 2011-04-30

    • Update Firefox to 3.6.17
    • Update Libevent to 2.0.10-stable
    • Update zlib to 1.2.5
    • Update OpenSSL to 1.0.0d

    Tor Browser Bundle for Linux
    1.1.8: Released 2011-04-30

    • Update Tor to 0.2.2.25-alpha
    • Update Firefox to 3.6.17

    Tor Browser Bundle for OS X
    1.0.16: Released 2011-04-30

    • Update Tor to 0.2.2.25-alpha
    • Update Firefox to 3.6.17

    Firefox 4 Tor Browser Bundles

    Tor Browser Bundle (2.2.25-1) alpha; suite=all

    • Update Tor to 0.2.2.25-alpha
    • Update Firefox to 4.0.1
    • Update Torbutton to 1.3.3-alpha
    • Update BetterPrivacy to 1.50
    • Update NoScript to 2.1.0.3

    Temporary direct download links for Firefox 4 bundles:

    Tor 0.2.2.25-alpha is out

    Tor 0.2.2.25-alpha fixes many bugs: hidden service clients are more
    robust, routers no longer overreport their bandwidth, Win7 should crash
    a little less, and NEWNYM (as used by Vidalia's "new identity" button)
    now prevents hidden service-related activity from being linkable. It
    provides more information to Vidalia so you can see if your bridge is
    working. Also, 0.2.2.25-alpha revamps the Entry/Exit/ExcludeNodes and
    StrictNodes configuration options to make them more reliable, more
    understandable, and more regularly applied. If you use those options,
    please see the revised documentation for them in the manual page.

    https://www.torproject.org/download/download

    Major bugfixes:

    • Relays were publishing grossly inflated bandwidth values because
      they were writing their state files wrong--now they write the
      correct value. Also, resume reading bandwidth history from the
      state file correctly. Fixes bug 2704; bugfix on 0.2.2.23-alpha.
    • Improve hidden service robustness: When we find that we have
      extended a hidden service's introduction circuit to a relay not
      listed as an introduction point in the HS descriptor we currently
      have, retry with an introduction point from the current
      descriptor. Previously we would just give up. Fixes bugs 1024 and
      1930; bugfix on 0.2.0.10-alpha.
    • Clients now stop trying to use an exit node associated with a given
      destination by TrackHostExits if they fail to reach that exit node.
      Fixes bug 2999. Bugfix on 0.2.0.20-rc.
    • Fix crash bug on platforms where gmtime and localtime can return
      NULL. Windows 7 users were running into this one. Fixes part of bug
      2077. Bugfix on all versions of Tor. Found by boboper.

    Security and stability fixes:

    • Don't double-free a parsable, but invalid, microdescriptor, even if
      it is followed in the blob we're parsing by an unparsable
      microdescriptor. Fixes an issue reported in a comment on bug 2954.
      Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
    • If the Nickname configuration option isn't given, Tor would pick a
      nickname based on the local hostname as the nickname for a relay.
      Because nicknames are not very important in today's Tor and the
      "Unnamed" nickname has been implemented, this is now problematic
      behavior: It leaks information about the hostname without being
      useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
      introduced the Unnamed nickname. Reported by tagnaq.
    • Fix an uncommon assertion failure when running with DNSPort under
      heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
    • Avoid linkability based on cached hidden service descriptors: forget
      all hidden service descriptors cached as a client when processing a
      SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.

    Major features:

    • Export GeoIP information on bridge usage to controllers even if we
      have not yet been running for 24 hours. Now Vidalia bridge operators
      can get more accurate and immediate feedback about their
      contributions to the network.

    Major features and bugfixes (node selection):

    • Revise and reconcile the meaning of the ExitNodes, EntryNodes,
      ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes
      options. Previously, we had been ambiguous in describing what
      counted as an "exit" node, and what operations exactly "StrictNodes
      0" would permit. This created confusion when people saw nodes built
      through unexpected circuits, and made it hard to tell real bugs from
      surprises. Now the intended behavior is:
      • "Exit", in the context of ExitNodes and ExcludeExitNodes, means
        a node that delivers user traffic outside the Tor network.
      • "Entry", in the context of EntryNodes, means a node used as the
        first hop of a multihop circuit. It doesn't include direct
        connections to directory servers.
      • "ExcludeNodes" applies to all nodes.
      • "StrictNodes" changes the behavior of ExcludeNodes only. When
        StrictNodes is set, Tor should avoid all nodes listed in
        ExcludeNodes, even when it will make user requests fail. When
        StrictNodes is *not* set, then Tor should follow ExcludeNodes
        whenever it can, except when it must use an excluded node to
        perform self-tests, connect to a hidden service, provide a
        hidden service, fulfill a .exit request, upload directory
        information, or fetch directory information.

      Collectively, the changes to implement the behavior fix bug 1090.

    • ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
      a node is listed in both, it's treated as excluded.
    • ExcludeNodes now applies to directory nodes -- as a preference if
      StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
      Don't exclude all the directory authorities and set StrictNodes to 1
      unless you really want your Tor to break.
    • ExcludeNodes and ExcludeExitNodes now override exit enclaving.
    • ExcludeExitNodes now overrides .exit requests.
    • We don't use bridges listed in ExcludeNodes.
    • When StrictNodes is 1:
      • We now apply ExcludeNodes to hidden service introduction points
        and to rendezvous points selected by hidden service users. This
        can make your hidden service less reliable: use it with caution!
      • If we have used ExcludeNodes on ourself, do not try relay
        reachability self-tests.
      • If we have excluded all the directory authorities, we will not
        even try to upload our descriptor if we're a relay.
      • Do not honor .exit requests to an excluded node.
    • Remove a misfeature that caused us to ignore the Fast/Stable flags
      when ExitNodes is set. Bugfix on 0.2.2.7-alpha.
    • When the set of permitted nodes changes, we now remove any mappings
      introduced via TrackExitHosts to now-excluded nodes. Bugfix on
      0.1.0.1-rc.
    • We never cannibalize a circuit that had excluded nodes on it, even
      if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
    • Revert a change where we would be laxer about attaching streams to
      circuits than when building the circuits. This was meant to prevent
      a set of bugs where streams were never attachable, but our improved
      code here should make this unnecessary. Bugfix on 0.2.2.7-alpha.
    • Keep track of how many times we launch a new circuit to handle a
      given stream. Too many launches could indicate an inconsistency
      between our "launch a circuit to handle this stream" logic and our
      "attach this stream to one of the available circuits" logic.
    • Improve log messages related to excluded nodes.

    Minor bugfixes:

    • Fix a spurious warning when moving from a short month to a long
      month on relays with month-based BandwidthAccounting. Bugfix on
      0.2.2.17-alpha; fixes bug 3020.
    • When a client finds that an origin circuit has run out of 16-bit
      stream IDs, we now mark it as unusable for new streams. Previously,
      we would try to close the entire circuit. Bugfix on 0.0.6.
    • Add a forgotten cast that caused a compile warning on OS X 10.6.
      Bugfix on 0.2.2.24-alpha.
    • Be more careful about reporting the correct error from a failed
      connect() system call. Under some circumstances, it was possible to
      look at an incorrect value for errno when sending the end reason.
      Bugfix on 0.1.0.1-rc.
    • Correctly handle an "impossible" overflow cases in connection byte
      counting, where we write or read more than 4GB on an edge connection
      in a single second. Bugfix on 0.1.2.8-beta.
    • Correct the warning displayed when a rendezvous descriptor exceeds
      the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
      John Brooks.
    • Clients and hidden services now use HSDir-flagged relays for hidden
      service descriptor downloads and uploads even if the relays have no
      DirPort set and the client has disabled TunnelDirConns. This will
      eventually allow us to give the HSDir flag to relays with no
      DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
    • Downgrade "no current certificates known for authority" message from
      Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
    • Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug
      2917. Bugfix on 0.1.1.1-alpha.
    • Only limit the lengths of single HS descriptors, even when multiple
      HS descriptors are published to an HSDir relay in a single POST
      operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
    • Write the current time into the LastWritten line in our state file,
      rather than the time from the previous write attempt. Also, stop
      trying to use a time of -1 in our log statements. Fixes bug 3039;
      bugfix on 0.2.2.14-alpha.
    • Be more consistent in our treatment of file system paths. "~" should
      get expanded to the user's home directory in the Log config option.
      Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
      feature for the -f and --DataDirectory options.

    Minor features:

    • Make sure every relay writes a state file at least every 12 hours.
      Previously, a relay could go for weeks without writing its state
      file, and on a crash could lose its bandwidth history, capacity
      estimates, client country statistics, and so on. Addresses bug 3012.
    • Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
      Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
      clients are already deprecated because of security bugs.
    • Don't allow v0 hidden service authorities to act as clients.
      Required by fix for bug 3000.
    • Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
      by fix for bug 3000.
    • Ensure that no empty [dirreq-](read|write)-history lines are added
      to an extrainfo document. Implements ticket 2497.

    Code simplification and refactoring:

    • Remove workaround code to handle directory responses from servers
      that had bug 539 (they would send HTTP status 503 responses _and_
      send a body too). Since only server versions before
      0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
      keep the workaround in place.
    • Remove the old 'fuzzy time' logic. It was supposed to be used for
      handling calculations where we have a known amount of clock skew and
      an allowed amount of unknown skew. But we only used it in three
      places, and we never adjusted the known/unknown skew values. This is
      still something we might want to do someday, but if we do, we'll
      want to do it differently.
    • Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
      None of the cases where we did this before were wrong, but by making
      this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
    • Use GetTempDir to find the proper temporary directory location on
      Windows when generating temporary files for the unit tests. Patch by
      Gisle Vanem.

    Stockholm Hackfest, May 14th

    We're holding a Tor hackfest on Saturday, May 14th at Ringvägen 100, Stockholm.

    We'll be starting at 10 AM . Thanks to https://www.iis.se/ for hosting the event. We're hoping to provide pizza and drinks for lunch. We have a wiki page available to get an idea of what food you want and any topics you wish to see discussed. https://trac.torproject.org/projects/tor/wiki/2011StockholmHackfest

    Please attend if you have some interest in programming, advocacy, marketing, or research with Tor, or are willing to be persuaded to entertain an interest. :) Tor's a small project (in terms of number of developers) that could really use your help.

    Hope to see you on Saturday!

    Lots of new Tor and Vidalia packages

    New Vidalia and Tor releases mean lots and lots of new packages. You can download most of them from the download page.

    RPM users: we'll have all of the RPMs up within the next 24 hours. Everyone else, read on for Tor Browser Bundle changelogs and other packages.

    Bridge-by-Default Bundle

    Tor Browser Bundle with Firefox 4

    Tor Browser Bundle (2.2.24-1) alpha; suite=osx

    • Update Tor to 0.2.2.24-alpha
    • Update Vidalia to 0.2.12
    • Update NoScript to 2.1.0.1

    Tor Browser Bundle (2.2.24-1) alpha; suite=linux

    • Update Tor to 0.2.2.24-alpha
    • Update Vidalia to 0.2.12
    • Update NoScript to 2.1.0.1
    • Fix missing extensions by putting them in the right location (closes: #2828)
    • Disable plugin searching (closes: #2827)

    Tor Browser Bundle with Firefox 3.6

    https://www.torproject.org/projects/torbrowser

    Windows 1.3.23: Released 2011-04-13

    • Update Vidalia to 0.2.12
    • Fix langpack mistake that made Firefox only use English

    Linux 1.1.7: Released 2011-04-12

    • Update Tor to 0.2.2.24-alpha
    • Update Vidalia to 0.2.12
    • Update NoScript to 2.1.0.1

    OS X 1.0.15: Released 2011-04-11

    • Update Tor to 0.2.2.24-alpha
    • Update Vidalia to 0.2.12
    • Update NoScript to 2.1.0.1

    Tor 0.2.2.24-alpha is out

    Tor 0.2.2.24-alpha fixes a variety of bugs, including a big bug that
    prevented Tor clients from effectively using "multihomed" bridges,
    that is, bridges that listen on multiple ports or IP addresses so users
    can continue to use some of their addresses even if others get blocked.

    https://www.torproject.org/download/download

    Major bugfixes:

    • Fix a bug where bridge users who configure the non-canonical
      address of a bridge automatically switch to its canonical
      address. If a bridge listens at more than one address, it should be
      able to advertise those addresses independently and any non-blocked
      addresses should continue to work. Bugfix on Tor 0.2.0.x. Fixes
      bug 2510.
    • If you configured Tor to use bridge A, and then quit and
      configured Tor to use bridge B instead, it would happily continue
      to use bridge A if it's still reachable. While this behavior is
      a feature if your goal is connectivity, in some scenarios it's a
      dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
    • Directory authorities now use data collected from their own
      uptime observations when choosing whether to assign the HSDir flag
      to relays, instead of trusting the uptime value the relay reports in
      its descriptor. This change helps prevent an attack where a small
      set of nodes with frequently-changing identity keys can blackhole
      a hidden service. (Only authorities need upgrade; others will be
      fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.

    Minor bugfixes:

    • When we restart our relay, we might get a successful connection
      from the outside before we've started our reachability tests,
      triggering a warning: "ORPort found reachable, but I have no
      routerinfo yet. Failing to inform controller of success." This
      bug was harmless unless Tor is running under a controller
      like Vidalia, in which case the controller would never get a
      REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
      fixes bug 1172.
    • Make directory authorities more accurate at recording when
      relays that have failed several reachability tests became
      unreachable, so we can provide more accuracy at assigning Stable,
      Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
      - Fix an issue that prevented static linking of libevent on
      some platforms (notably Linux). Fixes bug 2698; bugfix on
      versions 0.2.1.23/0.2.2.8-alpha (the versions introducing
      the --with-static-libevent configure option).
    • We now ask the other side of a stream (the client or the exit)
      for more data on that stream when the amount of queued data on
      that stream dips low enough. Previously, we wouldn't ask the
      other side for more data until either it sent us more data (which
      it wasn't supposed to do if it had exhausted its window!) or we
      had completely flushed all our queued data. This flow control fix
      should improve throughput. Fixes bug 2756; bugfix on the earliest
      released versions of Tor (svn commit r152).
    • Avoid a double-mark-for-free warning when failing to attach a
      transparent proxy connection. (We thought we had fixed this in
      0.2.2.23-alpha, but it turns out our fix was checking the wrong
      connection.) Fixes bug 2757; bugfix on 0.1.2.1-alpha (the original
      bug) and 0.2.2.23-alpha (the incorrect fix).
    • When warning about missing zlib development packages during compile,
      give the correct package names. Bugfix on 0.2.0.1-alpha.

    Minor features:

    • Directory authorities now log the source of a rejected POSTed v3
      networkstatus vote.
    • Make compilation with clang possible when using
      --enable-gcc-warnings by removing two warning optionss that clang
      hasn't implemented yet and by fixing a few warnings. Implements
      ticket 2696.
    • When expiring circuits, use microsecond timers rather than
      one-second timers. This can avoid an unpleasant situation where a
      circuit is launched near the end of one second and expired right
      near the beginning of the next, and prevent fluctuations in circuit
      timeout values.
    • Use computed circuit-build timeouts to decide when to launch
      parallel introduction circuits for hidden services. (Previously,
      we would retry after 15 seconds.)

    Packaging fixes:

    • Create the /var/run/tor directory on startup on OpenSUSE if it is
      not already created. Patch from Andreas Stieger. Fixes bug 2573.

    Documentation changes:

    • Modernize the doxygen configuration file slightly. Fixes bug 2707.
    • Resolve all doxygen warnings except those for missing documentation.
      Fixes bug 2705.
    • Add doxygen documentation for more functions, fields, and types.

    tails anonymous operating system, version 0.7 released

    The latest in the series, tail 0.7 livecd/liveusb anonymous operating system is released. The Amnesic Incognito Live System, version 0.7, is built on top of Debian Squeeze. The full changelog is available at https://tails.boum.org/news/version_0.7/

    Highlight include updated Tor, better hardware and 3G modem support, https everywhere, more anonymity and privacy fixes, debian squeeze-based for updated software all around.

    You can get it at https://tails.boum.org/download/index.en.html

    Web Developers and Firefox Hackers: Help us with Firefox 4

    We need some web-savvy people to help us audit the Torbutton alpha series for Firefox 4. I've performed a preliminary audit, and Torbutton 1.3.2-alpha should be safe from major issues, but a lot more testing is needed. In particular, we need people to test the new Firefox 4 features.

    The notes from my preliminary audit are available in the Torbutton git repository, but note that I have not tested everything that struck me as potentially troublesome, and there may be other things I missed too.

    As a reminder, the types of things we are looking for are things that violate the Torbutton Security Requirements, which may include new ways to bypass proxy settings, to fingerprint users, or to use novel identifiers to correlate Tor and Non-Tor activity.

    In addition, we may have some funding to address outstanding Torbutton-related bugs in Firefox. If you know C++ and/or Firefox internals, we should be able to pay you for your time to address these issues and shepherd the relevant patches through Mozilla's review process.

    If you find issues, or if you are interested in working on fixing these bugs, please contact us at tor-assistants at torproject dot org. Torbutton bugs that you find can be added to the growing pile at the Torbutton Bug Tracker.

    The sooner we get these issues taken care of, the sooner we can confidently release a stable Torbutton for Firefox 4.

    Tor 0.2.2.23-alpha is out

    Tor 0.2.2.23-alpha lets relays record their bandwidth history so when
    they restart they don't lose their bandwidth capacity estimate. This
    release also fixes a diverse set of user-facing bugs, ranging from
    relays overrunning their rate limiting to clients falsely warning about
    clock skew to bridge descriptor leaks by our bridge directory authority.

    https://torproject.org/download/download

    Major bugfixes:

    • Stop sending a CLOCK_SKEW controller status event whenever
      we fetch directory information from a relay that has a wrong clock.
      Instead, only inform the controller when it's a trusted authority
      that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
      the rest of bug 1074.
    • Fix an assert in parsing router descriptors containing IPv6
      addresses. This one took down the directory authorities when
      somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
    • Make the bridge directory authority refuse to answer directory
      requests for "all" descriptors. It used to include bridge
      descriptors in its answer, which was a major information leak.
      Found by "piebeer". Bugfix on 0.2.0.3-alpha.
    • If relays set RelayBandwidthBurst but not RelayBandwidthRate,
      Tor would ignore their RelayBandwidthBurst setting,
      potentially using more bandwidth than expected. Bugfix on
      0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
    • Ignore and warn if the user mistakenly sets "PublishServerDescriptor
      hidserv" in her torrc. The 'hidserv' argument never controlled
      publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.

    Major features:

    • Relays now save observed peak bandwidth throughput rates to their
      state file (along with total usage, which was already saved)
      so that they can determine their correct estimated bandwidth on
      restart. Resolves bug 1863, where Tor relays would reset their
      estimated bandwidth to 0 after restarting.
    • Directory authorities now take changes in router IP address and
      ORPort into account when determining router stability. Previously,
      if a router changed its IP or ORPort, the authorities would not
      treat it as having any downtime for the purposes of stability
      calculation, whereas clients would experience downtime since the
      change could take a while to propagate to them. Resolves issue 1035.
    • Enable Address Space Layout Randomization (ASLR) and Data Execution
      Prevention (DEP) by default on Windows to make it harder for
      attackers to exploit vulnerabilities. Patch from John Brooks.

    Minor bugfixes (on 0.2.1.x and earlier):

    • Fix a rare crash bug that could occur when a client was configured
      with a large number of bridges. Fixes bug 2629; bugfix on
      0.2.1.2-alpha. Bugfix by trac user "shitlei".
    • Avoid a double mark-for-free warning when failing to attach a
      transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
      bug 2279.
    • Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
      found by "cypherpunks". This bug was introduced before the first
      Tor release, in svn commit r110.
    • Country codes aren't supported in EntryNodes until 0.2.3.x, so
      don't mention them in the manpage. Fixes bug 2450; issue
      spotted by keb and G-Lo.
    • Fix a bug in bandwidth history state parsing that could have been
      triggered if a future version of Tor ever changed the timing
      granularity at which bandwidth history is measured. Bugfix on
      Tor 0.1.1.11-alpha.
    • When a relay decides that its DNS is too broken for it to serve
      as an exit server, it advertised itself as a non-exit, but
      continued to act as an exit. This could create accidental
      partitioning opportunities for users. Instead, if a relay is
      going to advertise reject *:* as its exit policy, it should
      really act with exit policy "reject *:*". Fixes bug 2366.
      Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
    • In the special case where you configure a public exit relay as your
      bridge, Tor would be willing to use that exit relay as the last
      hop in your circuit as well. Now we fail that circuit instead.
      Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
    • Fix a bug with our locking implementation on Windows that couldn't
      correctly detect when a file was already locked. Fixes bug 2504,
      bugfix on 0.2.1.6-alpha.
    • Fix IPv6-related connect() failures on some platforms (BSD, OS X).
      Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
      "piebeer".
    • Set target port in get_interface_address6() correctly. Bugfix
      on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
    • Directory authorities are now more robust to hops back in time
      when calculating router stability. Previously, if a run of uptime
      or downtime appeared to be negative, the calculation could give
      incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
      bug 1035.
    • Fix an assert that got triggered when using the TestingTorNetwork
      configuration option and then issuing a GETINFO config-text control
      command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.

    Minor bugfixes (on 0.2.2.x):

    • Clients should not weight BadExit nodes as Exits in their node
      selection. Similarly, directory authorities should not count BadExit
      bandwidth as Exit bandwidth when computing bandwidth-weights.
      Bugfix on 0.2.2.10-alpha; fixes bug 2203.
    • Correctly clear our dir_read/dir_write history when there is an
      error parsing any bw history value from the state file. Bugfix on
      Tor 0.2.2.15-alpha.
    • Resolve a bug in verifying signatures of directory objects
      with digests longer than SHA1. Bugfix on 0.2.2.20-alpha.
      Fixes bug 2409. Found by "piebeer".
    • Bridge authorities no longer crash on SIGHUP when they try to
      publish their relay descriptor to themselves. Fixes bug 2572. Bugfix
      on 0.2.2.22-alpha.

    Minor features:

    • Log less aggressively about circuit timeout changes, and improve
      some other circuit timeout messages. Resolves bug 2004.
    • Log a little more clearly about the times at which we're no longer
      accepting new connections. Resolves bug 2181.
    • Reject attempts at the client side to open connections to private
      IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
      a randomly chosen exit node. Attempts to do so are always
      ill-defined, generally prevented by exit policies, and usually
      in error. This will also help to detect loops in transparent
      proxy configurations. You can disable this feature by setting
      "ClientRejectInternalAddresses 0" in your torrc.
    • Always treat failure to allocate an RSA key as an unrecoverable
      allocation error.
    • Update to the March 1 2011 Maxmind GeoLite Country database.

    Minor features (log subsystem):

    • Add documentation for configuring logging at different severities in
      different log domains. We've had this feature since 0.2.1.1-alpha,
      but for some reason it never made it into the manpage. Fixes
      bug 2215.
    • Make it simpler to specify "All log domains except for A and B".
      Previously you needed to say "[*,~A,~B]". Now you can just say
      "[~A,~B]".
    • Add a "LogMessageDomains 1" option to include the domains of log
      messages along with the messages. Without this, there's no way
      to use log domains without reading the source or doing a lot
      of guessing.

    Packaging changes:

    • Stop shipping the Tor specs files and development proposal documents
      in the tarball. They are now in a separate git repository at
      git://git.torproject.org/torspec.git

    Tor 0.2.1.30 is released

    Tor 0.2.1.30 fixes a variety of less critical bugs. The main other change is a slight tweak to Tor's TLS handshake that makes relays and bridges that run this new version reachable from Iran again. We don't expect this tweak will win the arms race long-term, but it buys us time until we roll out a better solution.

    https://www.torproject.org/download/download

    Major bugfixes:

    • Stop sending a CLOCK_SKEW controller status event whenever
      we fetch directory information from a relay that has a wrong clock.
      Instead, only inform the controller when it's a trusted authority
      that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
      the rest of bug 1074.
    • Fix a bounds-checking error that could allow an attacker to
      remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
      Found by "piebeer".
    • If relays set RelayBandwidthBurst but not RelayBandwidthRate,
      Tor would ignore their RelayBandwidthBurst setting,
      potentially using more bandwidth than expected. Bugfix on
      0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
    • Ignore and warn if the user mistakenly sets "PublishServerDescriptor
      hidserv" in her torrc. The 'hidserv' argument never controlled
      publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.

    Minor features:

    • Adjust our TLS Diffie-Hellman parameters to match those used by
      Apache's mod_ssl.
    • Update to the February 1 2011 Maxmind GeoLite Country database.

    Minor bugfixes:

    • Check for and reject overly long directory certificates and
      directory tokens before they have a chance to hit any assertions.
      Bugfix on 0.2.1.28. Found by "doorss".
    • Bring the logic that gathers routerinfos and assesses the
      acceptability of circuits into line. This prevents a Tor OP from
      getting locked in a cycle of choosing its local OR as an exit for a
      path (due to a .exit request) and then rejecting the circuit because
      its OR is not listed yet. It also prevents Tor clients from using an
      OR running in the same instance as an exit (due to a .exit request)
      if the OR does not meet the same requirements expected of an OR
      running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.

    Packaging changes:

    • Stop shipping the Tor specs files and development proposal documents
      in the tarball. They are now in a separate git repository at
      git://git.torproject.org/torspec.git
    • Do not include Git version tags as though they are SVN tags when
      generating a tarball from inside a repository that has switched
      between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
    Syndicate content Syndicate content