We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.
Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- 005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.
Changes in version 0.4.4.6 - 2020-11-12
Major bugfixes (security, backport from 0.4.5.1-alpha):
When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
Minor features (directory authorities, backport from 0.4.5.1-alpha):
Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.
Communities that depend on forests for their livelihood and environmentalists who fight to protect forests from exploitation live with digital technology in different ways from residents of cities.
You're invited to a virtual State of the Onion on November 16 from 16:00 to 18:00 UTC. We'll this talk about highlights of the work we’ve accomplished during the year and what we are excited about in the upcoming year, plus hear from the Tor community.
Starting today through December 31, every dollar donated to the Tor Project, up to $100,000, will be matched by Friends of Tor. That means that your donation will make double the impact. We’re able to offer this match because of generous folks in our community who believe in Tor, privacy online, and the work to resist the surveillance pandemic.
There's a new alpha release available for download. If you build Tor from source, you can download the source code for Tor 0.4.5.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time this month, assuming we get #40172 figured out.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual. We'll be trying to put out putting out stable backport releases in the next week or so.
Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It improves support for IPv6, address discovery and self-testing, code metrics and tracing.
This release also fixes TROVE-2020-005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay. To mount this attack, the adversary would need to actively extend circuits to an incorrect address, as well as compromise a relay's legacy RSA-1024 key. We'll be backporting this fix to other release series soon, after it has had some testing.
Here are the changes since 0.4.4.5.
Changes in version 0.4.5.1-alpha - 2020-11-01
Major features (build):
When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
Major features (metrics):
Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.
As many friends and followers of Tor know by now, we spend the final weeks of each year asking for your help as part of our year-end fundraising campaign. For our 2020 campaign, we wanted a theme that conveys a positive message and speaks to the power of this kind of community action. That’s why we decided on the theme Use a Mask, Use Tor.
