New Release: Tor 0.3.5.2-alpha

by nickm | September 21, 2018

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.5.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release very soon.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.3.5.2-alpha fixes several bugs in 0.3.5.1-alpha, including one that made Tor think it had run out of sockets. Anybody running a relay or an onion service on 0.3.5.1-alpha should upgrade.

Changes in version 0.3.5.2-alpha - 2018-09-21

  • Major bugfixes (relay bandwidth statistics):
    • When we close relayed circuits, report the data in the circuit queues as being written in our relay bandwidth stats. This mitigates guard discovery and other attacks that close circuits for the explicit purpose of noticing this discrepancy in statistics. Fixes bug 23512; bugfix on 0.0.8pre3.
  • Major bugfixes (socket accounting):
    • In our socket accounting code, count a socket as closed even when it is closed indirectly by the TLS layer. Previously, we would count these sockets as still in use, and incorrectly believe that we had run out of sockets. Fixes bug 27795; bugfix on 0.3.5.1-alpha.
  • Minor bugfixes (32-bit OSX and iOS, timing):
    • Fix an integer overflow bug in our optimized 32-bit millisecond-difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (onion service v3):
    • Close all SOCKS requests (for the same .onion) if the newly fetched descriptor is unusable. Previously, we would close only the first one, leaving the others hanging until they timed out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (memory leak):
    • Fix an unlikely memory leak when trying to read a private key from a ridiculously large file. Fixes bug 27764; bugfix on 0.3.5.1-alpha. This is CID 1439488.
  • Minor bugfixes (NSS):
    • Correctly detect failure to open a dummy TCP socket when stealing ownership of an fd from the NSS layer. Fixes bug 27782; bugfix on 0.3.5.1-alpha.
  • Minor bugfixes (rust):
    • protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc.
  • Minor bugfixes (testing):
    • Revise the "conditionvar_timeout" test so that it succeeds even on heavily loaded systems where the test threads are not scheduled within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.
  • Code simplification and refactoring:
    • Divide the routerlist.c and dirserv.c modules into smaller parts. Closes ticket 27799.
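
The protover_all_supported() entry above describes an input-driven allocation of up to 16GB. As an added example (not Tor's code and not taken from the ticket), this Rust sketch assumes the allocation comes from expanding a version range into one element per version, and contrasts that cost with a check that compares range bounds only. The `1-3,5` list syntax and every type and function name here are assumptions made for the illustration.

```rust
// Added illustration, not Tor's code. The "1-3,5" syntax and all names are assumptions.
/// Inclusive range of protocol versions, stored as its two bounds only.
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct VerRange { pub lo: u32, pub hi: u32 }

/// Parse "1-3,5,7-9" into ranges without materialising every version.
pub fn parse_ranges(s: &str) -> Result<Vec<VerRange>, String> {
    let mut out = Vec::new();
    for part in s.split(',') {
        let (lo, hi) = part.split_once('-').unwrap_or((part, part));
        let lo: u32 = lo.parse().map_err(|_| format!("bad version {:?}", lo))?;
        let hi: u32 = hi.parse().map_err(|_| format!("bad version {:?}", hi))?;
        if lo > hi { return Err(format!("inverted range {}-{}", lo, hi)); }
        out.push(VerRange { lo, hi });
    }
    Ok(out)
}

/// Bytes a naive expansion into Vec<u32> (one element per version) would need.
pub fn naive_expansion_bytes(ranges: &[VerRange]) -> u64 {
    ranges.iter().map(|r| (r.hi as u64 - r.lo as u64 + 1) * 4).sum()
}

/// Sub-ranges of `wanted` not covered by `supported`. Memory use grows with
/// the number of ranges in the input, not with the number of versions.
pub fn unsupported(wanted: &[VerRange], supported: &[VerRange]) -> Vec<VerRange> {
    let mut sup = supported.to_vec();
    sup.sort_by_key(|r| r.lo);
    let mut missing = Vec::new();
    for w in wanted {
        let mut next = w.lo as u64; // first version not yet known to be covered
        for s in &sup {
            if next > w.hi as u64 || s.lo as u64 > w.hi as u64 { break; }
            if (s.hi as u64) < next { continue; } // lies wholly before `next`
            if s.lo as u64 > next {
                missing.push(VerRange { lo: next as u32, hi: s.lo - 1 });
            }
            next = s.hi as u64 + 1;
        }
        if next <= w.hi as u64 {
            missing.push(VerRange { lo: next as u32, hi: w.hi });
        }
    }
    missing
}

fn main() {
    let w = parse_ranges("1-4294967295").unwrap(); // constructed hostile input
    println!("{} bytes naive; missing {:?}", naive_expansion_bytes(&w), unsupported(&w, &parse_ranges("1-5").unwrap()));
}
```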

Comments

Please note that the comment area below has been archived.

September 21, 2018


When we close relayed circuits, report the data in the circuit queues as being written in our relay bandwidth stats. This mitigates guard discovery and other attacks that close circuits for the explicit purpose of noticing this discrepancy in statistics. Fixes bug 23512
I think we need it fixed in 0.3.4 and other branches ASAP, especially if it is the attack which is already massively observed in the wild (I've just read info from this ticket).

September 21, 2018


There's a bug in NoScript, which doesn't apply to regular use of NoScript in Firefox.
Whenever I launch Tor, the standard settings for the default category allow JS, fetch and others.

September 22, 2018


My Tor Browser is constantly updating. It downloads updates, installs them, and then after the restart it does the same again and again and again.

October 28, 2018


All was great; the Tor Project was real since it had not forgotten the XP users, though the browser started to warn me that my system was "old". It's XP Pro SP 3. The browser fails now and the new update's version isn't for XP. The DOS version is OK; it loads, then hangs in DOS with the message "created a circuit"... and nothing more, the window just hangs. No browser, no Duck GoGo. Can't find the manual for the DOS install anywhere, so here I am. Any help? Thanks.