Tor 0.2.8.9 is released, with important fixes

by nickm | October 17, 2016

Tor 0.2.8.9 backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to 0.2.9.4-alpha. Patches will be released for older versions of Tor.
You can download the source from the Tor website. Packages should be available over the next week or so.
Below is a list of changes since 0.2.8.8.

Changes in version 0.2.8.9 - 2016-10-17

  • Major features (security fixes, also in 0.2.9.4-alpha):
    • Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 Country database.
Anonymous

Anonymous (not verified) said:

November 04, 2016

Permalink

So TBB got no updates since September 16th, 2016.

Meanwhile, a phletora of "important security fixes" were rolled out, but only for those who use the standalone tor packages.

In other words: The tech nerds got updates. John Doe, Amil Halid, Boe Jong Un and other less experienced users are left alone in the rain. Sounds legit.

Anonymous

Anonymous (not verified) said:

November 06, 2016

Permalink

Ok, I knew it was time to upgrade everything but... Tor is afik being choked by my ISP.
Somewhere in the middle of America but that's not fooling anybody as I can't get Tor to load. Tried for about a half hour, twice. My IP address is hanging out like madonna's everything. Of course I could "cop" out and say something stupid like "if you've done nothing wrong, why should you fear the Secret Police, Citizen?"

As to an earlier question about Instagram and another about Capcha, both of them are Google properties. Capcha makes the Orwellian statement "are you a robot? prove you're human" while and at the same time using automated code to spy on everybody in the world. Instagram sounds like somebody harvesting images for the purpose of identifying everybody.

My opinion, neither of them should be accommodated by Tor. I'll try again from a different server later.

There was a youtube from one of the Defcon IS a youtube typing that is easier than backing up and editing but it's titled How The Tor Users Got Caught. Good stuff, nice and cautionary. In case anybody still thinks it's a good thing to post identifiable stuff about yourself on a system like Tor which is about anonymity. Like pictures of yourself.

Anonymous

Anonymous (not verified) said:

November 08, 2016

Permalink

It's been three weeks now and an up to date Windows expert bundle is still not available...