Tor 0.3.0.9 is released (with security update for clients)

by nickm | June 29, 2017

Source code for a new Tor release (0.3.0.9) is now available on the website.

Tor 0.3.0.9 fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha when packages become available.  Packages should be available soon, along with a Tor Browser release early next week. 

One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be supported after 1 August of this year.  Tor 0.2.8 will not be supported after 1 Jan of 2018.  Tor 0.2.5 will not be supported after 1 May of 2018.  If you need a release with long-term support, 0.2.9 is
what we recommend: we plan to support it until at least 1 Jan 2020.

This release also backports several other bugfixes from the 0.3.1.x series.

Changes in version 0.3.0.9 - 2017-06-29

  • Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):    
    • When choosing which guard to use for a circuit, avoid the exit's family along with the exit itself. Previously, the new guard selection logic avoided the exit, but did not consider its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016- 006 and CVE-2017-0377.  
  • Major bugfixes (entry guards, backport from 0.3.1.1-alpha):  
    • Don't block bootstrapping when a primary bridge is offline and we can't get its descriptor. Fixes bug 22325; fixes one case of bug 21969; bugfix on 0.3.0.3-alpha.  

 

  • Major bugfixes (entry guards, backport from 0.3.1.4-alpha):    
    • When starting with an old consensus, do not add new entry guards unless the consensus is "reasonably live" (under 1 day old). Fixes one root cause of bug 22400; bugfix on 0.3.0.1-alpha.  
  • Minor features (geoip):    
    • Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2 Country database.  
  • Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):    
    • Reject version numbers with non-numeric prefixes (such as +, -, or whitespace). Disallowing whitespace prevents differential version parsing between POSIX-based and Windows platforms. Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.  
  • Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):    
    • Permit the fchmod system call, to avoid crashing on startup when starting with the seccomp2 sandbox and an unexpected set of permissions on the data directory or its contents. Fixes bug 22516; bugfix on 0.2.5.4-alpha.  
  • Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):  
    • Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591.  
Tags
stable release
Anonymous

noEnglish (not verified) said:

July 04, 2017

Permalink

I found a bug
Option -> Privcay Tab -> Always use private browsing mode -> Keep until -> I close Tor Browser
Crash error

Anonymous

AnnA (not verified) said:

July 04, 2017

Permalink

Mac : For some 2-3 months Mac doesn't accept soft loaded from the net. One have to go through App Store, if it exists (Tor does not...), at costs...

Anonymous

Brandy (not verified) said:

July 04, 2017

Permalink

how do u set up bitcoin core to use tor?? before there was vidalia control panel but now the whole tor browser opens up... how u open tor without the torbrowser?? pls hlp

Anonymous

Anonymous (not verified) said:

July 04, 2017

Permalink

Sometimes I see concurrent simultaneous connections from my own IP to the same Guard node. So,

# netstat -apn | grep MY_IP

shows up to 4 different connections (they use different src ports and the same dst port) between my IP and my Guard node. Why tor needs to separate these TCP connections? Why one TCP connection between my IP and my Guard is not enough?

For what it is worth: We have blog posts specifically for Tor Browser releases. I guess your issue would fit in one of those pretty well. Just for the next time. :) To answer your question: I am not sure yet. Could you give me some steps to reproduce your problem? "not working without javascript" can mean many things...

""not working without javascript" can mean many things..."

Before, you can use the search form field on robtex without javascript on in TBB.
Now, without javascript the site is not able to work.
Before, you can choose between the old -good(-:- "answer" or the new
teeming design. Now you get nothing without javascript)-:.

Anonymous

Anonymous (not verified) said:

July 05, 2017

Permalink

It sounds like Tor faces the most serious problems in China. I'm wondering how Tor (Tor Browser) is working in China now: is it able to pass the Great Firewall, are Chinese able to use Tor and how difficult it is for them to use Tor from china, how effective does the Chinese Gov get in blocking Tor now (in comparison with in the past)??

(I post the questions here since the Tor Browser 7.0.2 post isn't allowed comments).

Anonymous

Anonymous (not verified) said:

July 05, 2017

Permalink

Could I restrict list of my Guard nodes by 1) excluding some countries or by 2) specifying the country I want to choose Guard from? I don't like the idea that most of Tor nodes are now located in Germany. It means that if your Guard is also in Germany, then very often all 3 nodes in the chain are from Germany. It sounds not good...

I know that there was discussion in tor project about path selection, like should different nodes correspond to different AS or not, and so on... But now, AFAIK, only nodes within 0.0.0.0/16 are excluded.

Another point is that Guard should be more trusted node than the others. I know that state adversary can use any hosting providers in the whole globe independently from its own country, but his abilities to monitor and analyze traffic are less restricted in its own country. E.g., in the case of NSA I wouldn't like the idea that my Guard is hosted in US. Moreover, in general, I don't think that it is good idea to choose Guard from your own country. As I understand, path selection should force adversary to make so many international collaborations between countries, that it makes the harm to anonymity mostly impractical.

Maybe I'm totally wrong, and my interaction with Guard selection cannot make things better.

Yes you can restrict your node selection.

I cannot see any simple way to restrict the choice of Guard nodes (except of manually specifying particular node I decide to choose). I don't want to use ExcludeNodes, because I'm OK with middleman nodes (and, probably, Exit nodes) from adversary countries.

Anonymous

Thirdtrytopost (not verified) said:

July 05, 2017

Permalink

Tails 3.01 uses TOR 0.3.0.9 but has a serious flaw. It leaks the http authentication to all web sites visited (a unique ID), so a user can easily be tracked.

Is this a flaw with Tails 3.01 or with TOR 0.3.0.9?

Well, it's not an issue with Tor, because Tor is just the underlying transport -- it does not understand or think about the bytes that it helps you send back and forth to websites.

So you should be looking at Tor Browser, which is also included in Tails.

But it sounds to me like you are misunderstanding something. http client auth is used at far fewer than "all" web sites, for starters.

Are you saying this because you actually found a bug? Or because you went to some "how safe am I" website and it told you to be scared of the phrase "http authentication"? If it's the former, please open a ticket at https://bugs.torproject.org/

Anonymous

joe (not verified) said:

July 16, 2017

Permalink

hi i cant connect to tor network i did what Ive done many times before with installing the tor program.
it seems like its about to connect but doesn't. can any one help

Anonymous

Anonymous (not verified) said:

July 27, 2017

Permalink

After upgrading from 0.2.9.xx to 0.3.0.xx (stable versions from torproject repo for debian) I noticed the following problem with tor client. If tor is not actively used during many hours, it fails to construct new circuits, but old circuits still can be used. I see from netstat that it has few new connections established, but getinfo circuits-status shows that no new circuits are constructed. Any application has connection timeout if I try to use it with tor. To fix the issue I have to restart my tor.

First time my "long live" old circuit was youtube. Next time it was XMPP connection. In both cases I had just one circuit. So, basically, I leave my tor running for night, but at morning it cannot make any new circuit. However, already established circuits continue to work. May it be some interference with ISP preferences? I don't know. But it looks like a tor problem, because according to netstat new connections are got established by tor.

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

About text formats
CAPTCHA

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

1 + 5 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.