New release: Tor 0.4.5.8

We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.4.5.8 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes from the 0.4.6.x series.

Changes in version 0.4.5.8 - 2021-05-10

  • Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
    • Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.
  • Minor features (compilation, backport from 0.4.6.3-rc):
    • Make the autoconf script build correctly with autoconf versions 2.70 and later. Closes part of ticket 40335.

 

  • Minor features (fallback directory list, backport from 0.4.6.2-alpha):
    • Regenerate the list of fallback directories to contain a new set of 200 relays. Closes ticket 40265.
  • Minor features (geoip data):
    • Update the geoip files to match the IPFire Location Database, as retrieved on 2021/05/07.
  • Minor features (onion services):
    • Add warning message when connecting to now deprecated v2 onion services. As announced, Tor 0.4.5.x is the last series that will support v2 onions. Closes ticket 40373.
  • Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
    • Fix a regression that made it impossible start Tor using a bridge line with a transport name and no fingerprint. Fixes bug 40360; bugfix on 0.4.5.4-rc.
  • Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
    • Allow a custom "ar" for cross-compilation. Our previous build script had used the $AR environment variable in most places, but it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
  • Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
    • Fix a non-fatal BUG() message due to a too-early free of a string, when listing a client connection from the DoS defenses subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc.
  • Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
    • Fix an indentation problem that led to a warning from GCC 11.1.1. Fixes bug 40380; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (controller, backport from 0.4.6.1-alpha):
    • Fix a "BUG" warning that would appear when a controller chooses the first hop for a circuit, and that circuit completes. Fixes bug 40285; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
    • Fix a bug where an expired cached descriptor could get overwritten with a new one without freeing it, leading to a memory leak. Fixes bug 40356; bugfix on 0.3.5.1-alpha.
  • Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
    • Fix pattern-matching errors when patterns expand to invalid paths on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.
k239

May 11, 2021

Permalink

Thank you tor people :)

> Packages should be available within the next several weeks, with a new Tor Browser likely next week.

Hey I have a question I just thought of. I use qubes-whonix where the tor client runs in a separate VM and the browser's bundled Tor client is disabled. However the browser's built-in auto-update mechanism is not disabled in whonix.

Does this create a fingerprinting risk for whonix users during the time between when the browser updates itself, and when the Tor client package ships? I.e. due to using mismatched versions of Tor Browser and Tor client, compared to regular users who are using the bundled tor client?

Make sure the tor daemon that isn't bundled has its torrc file configured similarly to the one for the bundled daemon, e.g. not selecting or excluding specific sets of nodes or configuring other options that could increase your fingerprint.

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

4 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.