Tor 0.2.6.4-rc is released

by nickm | March 10, 2015

Tor 0.2.6.4-rc fixes an issue in the directory code that an attacker might be able to use in order to crash certain Tor directories. It also resolves some minor issues left over from, or introduced in, Tor 0.2.6.3-alpha or earlier.

If no serious issues are found in this release, the next 0.2.6 release will make 0.2.6 the officially stable branch of Tor.

You can download the source from the usual place on the website. Packages should be up in a few days.

NOTE: This is an alpha release. Please expect bugs.

Changes in version 0.2.6.4-rc - 2015-03-09

  • Major bugfixes (crash, OSX, security):
    • Fix a remote denial-of-service opportunity caused by a bug in OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared in OSX 10.9.
  • Major bugfixes (relay, stability, possible security):
    • Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout is passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on 0.2.0.10-alpha. Patch from "cypherpunks".
    • Do not assert if the 'data' pointer on a buffer is advanced to the very end of the buffer; log a BUG message instead. Only assert if it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.

 

  • Major bugfixes (FreeBSD IPFW transparent proxy):
    • Fix address detection with FreeBSD transparent proxies, when "TransProxyType ipfw" is in use. Fixes bug 15064; bugfix on 0.2.5.4-alpha.
  • Major bugfixes (Linux seccomp2 sandbox):
    • Pass IPPROTO_TCP rather than 0 to socket(), so that the Linux seccomp2 sandbox doesn't fail. Fixes bug 14989; bugfix on 0.2.6.3-alpha.
    • Allow AF_UNIX hidden services to be used with the seccomp2 sandbox. Fixes bug 15003; bugfix on 0.2.6.3-alpha.
    • Upon receiving sighup with the seccomp2 sandbox enabled, do not crash during attempts to call wait4. Fixes bug 15088; bugfix on 0.2.5.1-alpha. Patch from "sanic".
  • Minor features (controller):
    • Messages about problems in the bootstrap process now include information about the server we were trying to connect to when we noticed the problem. Closes ticket 15006.
  • Minor features (geoip):
    • Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
    • Update geoip6 to the March 3 2015 Maxmind GeoLite2 Country database.
  • Minor features (logs):
    • Quiet some log messages in the heartbeat and at startup. Closes ticket 14950.
  • Minor bugfixes (certificate handling):
    • If an authority operator accidentally makes a signing certificate with a future publication time, do not discard its real signing certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
    • Remove any old authority certificates that have been superseded for at least two days. Previously, we would keep superseded certificates until they expired, if they were published close in time to the certificate that superseded them. Fixes bug 11454; bugfix on 0.2.1.8-alpha.
  • Minor bugfixes (compilation):
    • Fix a compilation warning on s390. Fixes bug 14988; bugfix on 0.2.5.2-alpha.
    • Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix on 0.2.6.2-alpha.
  • Minor bugfixes (testing):
    • Fix endianness issues in unit test for resolve_my_address() to have it pass on big endian systems. Fixes bug 14980; bugfix on Tor 0.2.6.3-alpha.
    • Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug 15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
    • When running the new 'make test-stem' target, use the configured python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch from "cypherpunks".
    • When running the zero-length-keys tests, do not use the default torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported by "reezer".
  • Directory authority IP change:
    • The directory authority Faravahar has a new IP address. This closes ticket 14487.
  • Removed code:
    • Remove some lingering dead code that once supported mempools. Mempools were disabled by default in 0.2.5, and removed entirely in 0.2.6.3-alpha. Closes more of ticket 14848; patch by "cypherpunks".

Comments

Please note that the comment area below has been archived.

March 11, 2015

Permalink

please Add Tor button and (New Tor circuit For this site) option in next version of Tor browser(4.0.5?) ,it's so useful

From what I understand, both features are landing in the 4.5 branch. The 4.0 branch is on maintenance only at this point and isn't adding new features. Also, this is a posting about the Tor routing software itself, not Tor Browser.

March 11, 2015

Permalink

Shouldnt tor start using rsa 2048 for onion name generation? 1024 is deprecated and i dont feel safe.

March 13, 2015

Permalink

Latest version of TorBrowser (4.0.5) is connecting to (some) websites without using proxy.

http://i.imgur.com/ho8U7kc.png

As seen in this picture. Tor Browser is configured to go through 127.0.0..1:9150 so it should not show in Proxifier unless it ignores its proxy settings. It showed up connecting to random sites I am not even browsing.

There is no Tor Browser 4.0.5 yet. Are you sure you have an actual Tor Browser?

That said, a blog post about the latest Tor release is unlikely to be the right place to get help for this topic.

March 14, 2015

In reply to arma

Permalink

I am sorry it was 4.0.4.

Yes I am completely sure. I downloaded it from this website. I think if I am capable of setting up a torified VM then I probably can download Tor Browser from the correct website.

You should also experiment with the proxy settings. When you enter invalid SOCKS settings(for connecting to Tor network) it then doesn't connect but when you enter correct ones (without restarting Tor Browser(or Launcher???)) it still won't connect unless you restart.

March 14, 2015

Permalink

Why is not there a hidden service for Torproject.org? Torproject should promote their creations, many don't even know what hidden services are.