Tor 0.2.0.33-stable released

by phobos | January 22, 2009

Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.

This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)

https://www.torproject.org/download.html

Changes in version 0.2.0.33 - 2009-01-21
Security fixes:

  • Fix a heap-corruption bug that may be remotely triggerable on
    some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

  • When a stream at an exit relay is in state "resolving" or
    "connecting" and it receives an "end" relay cell, the exit relay
    would silently ignore the end cell and not close the stream. If
    the client never closes the circuit, then the exit relay never
    closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
    reported by "wood".
  • When sending CREATED cells back for a given circuit, use a 64-bit
    connection ID to find the right connection, rather than an addr:port
    combination. Now that we can have multiple OR connections between
    the same ORs, it is no longer possible to use addr:port to uniquely
    identify a connection.
  • Bridge relays that had DirPort set to 0 would stop fetching
    descriptors shortly after startup, and then briefly resume
    after a new bandwidth test and/or after publishing a new bridge
    descriptor. Bridge users that try to bootstrap from them would
    get a recent networkstatus but would get descriptors from up to
    18 hours earlier, meaning most of the descriptors were obsolete
    already. Reported by Tas; bugfix on 0.2.0.13-alpha.
  • Prevent bridge relays from serving their 'extrainfo' document
    to anybody who asks, now that extrainfo docs include potentially
    sensitive aggregated client geoip summaries. Bugfix on
    0.2.0.13-alpha.
  • If the cached networkstatus consensus is more than five days old,
    discard it rather than trying to use it. In theory it could be
    useful because it lists alternate directory mirrors, but in practice
    it just means we spend many minutes trying directory mirrors that
    are long gone from the network. Also discard router descriptors as
    we load them if they are more than five days old, since the onion
    key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.

Minor bugfixes:

  • Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
    could make gcc generate non-functional binary search code. Bugfix
    on 0.2.0.10-alpha.
  • Build correctly on platforms without socklen_t.
  • Compile without warnings on solaris.
  • Avoid potential crash on internal error during signature collection.
    Fixes bug 864. Patch from rovv.
  • Correct handling of possible malformed authority signing key
    certificates with internal signature types. Fixes bug 880.
    Bugfix on 0.2.0.3-alpha.
  • Fix a hard-to-trigger resource leak when logging credential status.
    CID 349.
  • When we can't initialize DNS because the network is down, do not
    automatically stop Tor from starting. Instead, we retry failed
    dns_inits() every 10 minutes, and change the exit policy to reject
    *:* until one succeeds. Fixes bug 691.
  • Use 64 bits instead of 32 bits for connection identifiers used with
    the controller protocol, to greatly reduce risk of identifier reuse.
  • When we're choosing an exit node for a circuit, and we have
    no pending streams, choose a good general exit rather than one that
    supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
  • Fix another case of assuming, when a specific exit is requested,
    that we know more than the user about what hosts it allows.
    Fixes one case of bug 752. Patch from rovv.
  • Clip the MaxCircuitDirtiness config option to a minimum of 10
    seconds. Warn the user if lower values are given in the
    configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
  • Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
    user if lower values are given in the configuration. Bugfix on
    0.1.1.17-rc. Patch by Sebastian.
  • Fix a memory leak when we decline to add a v2 rendezvous descriptor to
    the cache because we already had a v0 descriptor with the same ID.
    Bugfix on 0.2.0.18-alpha.
  • Fix a race condition when freeing keys shared between main thread
    and CPU workers that could result in a memory leak. Bugfix on
    0.1.0.1-rc. Fixes bug 889.
  • Send a valid END cell back when a client tries to connect to a
    nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
    840. Patch from rovv.
  • Check which hops rendezvous stream cells are associated with to
    prevent possible guess-the-streamid injection attacks from
    intermediate hops. Fixes another case of bug 446. Based on patch
    from rovv.
  • If a broken client asks a non-exit router to connect somewhere,
    do not even do the DNS lookup before rejecting the connection.
    Fixes another case of bug 619. Patch from rovv.
  • When a relay gets a create cell it can't decrypt (e.g. because it's
    using the wrong onion key), we were dropping it and letting the
    client time out. Now actually answer with a destroy cell. Fixes
    bug 904. Bugfix on 0.0.2pre8.

Minor bugfixes (hidden services):

  • Do not throw away existing introduction points on SIGHUP. Bugfix on
    0.0.6pre1. Patch by Karsten. Fixes bug 874.

Minor features:

  • Report the case where all signatures in a detached set are rejected
    differently than the case where there is an error handling the
    detached set.
  • When we realize that another process has modified our cached
    descriptors, print out a more useful error message rather than
    triggering an assertion. Fixes bug 885. Patch from Karsten.
  • Implement the 0x20 hack to better resist DNS poisoning: set the
    case on outgoing DNS requests randomly, and reject responses that do
    not match the case correctly. This logic can be disabled with the
    ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
    of servers that do not reliably preserve case in replies. See
    "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
    for more info.
  • Check DNS replies for more matching fields to better resist DNS
    poisoning.
  • Never use OpenSSL compression: it wastes RAM and CPU trying to
    compress cells, which are basically all encrypted, compressed, or
    both.

The original announcement can be found at http://archives.seul.org/or/announce/Jan-2009/msg00000.html

Comments

Please note that the comment area below has been archived.

Gene (not verified) said:

January 23, 2009

Permalink

I have searched the site but haven't found the following info:

I already have an older version of Tor installed on my iMac (Leopard) and in order to install the new stable version, do I need to uninstall the previous one or does the installer simply overwrites the previous version?

Thanks,
Gene

p.s. the captcha is not visually impaired friendly...

Anonymous (not verified) said:

January 25, 2009

Permalink

Runs quiet good. I'm running 0.2.0.33-stable at ~1600kilobyte/s with 60mb RAM usage. Before i was running 0.2.0.32-stable at ~1600kilobyte/s with 190mb RAM usage. And i think this release will speedup the tor network, because most node speed is limitit by RAM/CPU usage.

so..Thanks for this release. :-)

Anonymous (not verified) said:

January 25, 2009

Permalink

How can I uninstall Tor?Tried it but don't like it.

Katia (not verified) said:

June 24, 2009

Permalink

I dont have uninstall Tor in my computer. What I do to uninstall it? I use Windows Vista.

Anonymous (not verified) said:

January 26, 2009

Permalink

My operating system is XP,but I don't see uninstaller.I don't even see Tor in start menu or add or remove programs in control panel.Where can I find uninstaller?Thanks

Anonymous (not verified) said:

January 26, 2009

Permalink

you have to install it first. Then you might be able to uninstall it...

phobos

phobos said:

January 26, 2009

Permalink

If you downloaded TBB, it doesn't install. It's a "zero-install" configuration.

If you are using the TBB, there is no installation, therefore there is no "un-installation". Simply delete the directory you created for the TBB.

Anonymous (not verified) said:

January 26, 2009

Permalink

Will there soon be precompiled Suse Binaries?
I tried to ompile from source but it doesn't like my openssl.

Anonymous (not verified) said:

January 27, 2009

Permalink

Please look into the lastest bundles package for Windows (vidalia-bundle-0.2.0.33-0.1.10.exe) and into the previous one (vidalia-bundle-0.2.0.32-0.1.10.exe).

In both bundles Vidalia have the same version (1.1.0) but there are 3 files changed.

In vidalia-bundle-0.2.0.33-0.1.10.exe:
SHA1(vidalia.exe)= 987592a629b9b768576bb3dd1f25be674eeb7609
SHA1(ssleay32.dll)= 152edc88462c8c2172e9b633f231d9713b7c5f8b
SHA1(QtCore4.dll)= 4a1d7f735a267f66c1616ba6c1b0ec99581326aa

In vidalia-bundle-0.2.0.32-0.1.10.exe
SHA1(vidalia.exe)= 319fd6eaa6e8037af668bacb4cd9f90635d93df3
SHA1(ssleay32.dll)= 96fa129d753d27687525801df696fd900dcdfce0
SHA1(QtCore4.dll)= e6a6789c72c690a9c7cd06f26285a965014ba105

Why vidalia.exe is different ?

Why the QtCore4.dll is different ?

(both QtCore4.dll says to be version 4.4.3.0)

Am I only a paranoid freak and all is OK ?

Can we trust the new 0.2.0.33 bundle ?

A few things:

1) Vidalia for 0.2.0.32 was built by the Vidalia developer Matt, using my tor.exe. 0.2.0.33 vidalia-bundle was built by me from scratch; using the published steps.
2) ssl in the 0.2.0.33 bundle is openssl 0.9.8j, which is the latest version and newer than the version of openssl in 0.2.0.32 bundles.
3) Vidalia for 0.2.0.32 was built by the Vidalia developer Matt, using my tor.exe. 0.2.0.33 vidalia-bundle was built by me from scratch; using the published steps. I don't know why QtCore4.dll is different, since both Matt and I installed from the .exe on trolltech's website.

I signed the 0.2.0.33 bundle because I built it. Matt signed the 0.2.0.32 bundle because he built it. You're free to take our instructions and build your own bundle from the same source code I used.

Anonymous (not verified) said:

January 27, 2009

Permalink

Pardon a query from an newbie, but I keep getting an error message that my flash player is not installed (although it is, and works fine when I run Firefox non-Tor), with the result that I can't view any videos. Advice welcome.

https://www.torproject.org/torbutton/faq.html.en#noflash

Basically, Flash is unsafe currently. Any website that you accept flash
from can de-anonymize you.

Down the road, we hope to have some more well-understood VM-based
solution, like what Janus VM and Xerobank VM aim to do currently. But
for now, the best answer is either not to use flash with Tor, or to enable
plugins as the other comment suggested but then understand the risks.

PETER (not verified) said:

January 27, 2009

Permalink

hey buddy go 2 the Add on Tor button there is a option called Disable Plugins sume where, it is marked . unmark it then it will work . Give it a try buddy!

Louis (not verified) said:

January 29, 2009

Permalink

I need some assistance please. I am a basic computer user but I have
been able to install Tor which I have been using daily for months now. My OS is MacOsx Panther 10.3.9 and the Tor bundle installed is 0.2.0.31. The OS is being operated from an external HD.

I am no longer able to upgrade to the latest Tor versions (0.2.0.33) because as soon as I open the installer package of the new version I get the error message:

The Installer package "vidalia-bundle - 0.2.0.33-0.10-ppc" cannot be
opened.

The Bill of Materials for this package was not found.

I have tried several times with the same result. I have tried moving the old Tor, Privoxy and Vidalia folders to the trash but I still get the error message!. Am I doing something wrong? I have always upgraded to
new stable versions of Tor this way.

Thank you in advance for your help.

Louis

Louis (not verified) said:

February 03, 2009

Permalink

Thank you for the reply to my post. I shall look for the log, register at
the address you have given, post it there with an explanation of the
difficulty I am encountering.

Frank Marin (not verified) said:

June 10, 2009

Permalink

I thought Tor wasn't compatible with any Mac OS earlier than 10.4, but the 1-29-09 question from Louis (Re: Installation latest version of Tor) seemed to suggest that I can Run Tor on my OS 10.3.9.

Can I run Tor on 10.3.9? If so, what version and where do I get it? Any assistance would be appreciated.

Thanks,
Frank Marin

tezzer (not verified) said:

June 18, 2009

Permalink

I tried installing the Tor bundle on my mac running 10.5.7. Installation failed with the following error. "The following install step failed: run postflight script for Tor"
Anyone know the reason for this?

Paul Bergstein (not verified) said:

June 26, 2009

Permalink

I currently have Tor 0.2.31 installed on OS X 10.4.11.

When I run the installer for the latest release (0.2.35) the installer says there is already a newer version of Tor installed. If I continue with the install anyway, it fails. There is no error message but the new version does not run.

After restoring the old version of Tor (0.2.31) from backup, everything is OK. Then I tried to uninstall the old version using the supplied script, but it fails, giving me:

root@sebago> ./uninstall_tor_bundle.sh
. tor process appears to already be stopped
. Killing currently running privoxy process, pid is 196
./uninstall_tor_bundle.sh: line 123: ./package_list.txt: No such file or directory
. Removing created user _tor
delete: Invalid Path
. Cleaning up
rm: fts_read: No such file or directory
. Finished

Next, I restored again from backup and tried to manually uninstall following the documentation. However, some of the files and directories that are supposed to be deleted do not exist on my installation. Other files and directories that obviously belong to Tor are not listed in the documentation of what to delete.

After deleting everything I could find that looks like it belongs to Tor I ran the installer for version 0.2.35 again and it says the install was successful, but after restarting and trying to start vidalia, it doesn't run.

Now I have 0.2.31 running again after restoring again from backup, but I am at a total loss as to how to properly uninstall or upgrade!!

Please help!!!

I have the exact same problem. I installed the latest version of Tor, I am told a newer version is already installed, and then when I run Vidalia it doesn't work -- it loads about halfway but never connects to the network.

same person as above: message log reports ...

Jul 12 06:31:38.138 [Notice] Initialized libevent version 1.4.11-stable using method kqueue. Good.
Jul 12 06:31:38.138 [Notice] Opening Socks listener on 127.0.0.1:9050
Jul 12 06:31:38.139 [Notice] Opening Control listener on 127.0.0.1:9051
Jul 12 06:31:38.190 [Notice] Parsing GEOIP file.
Jul 12 06:31:39.822 [Notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
Jul 12 06:31:39.822 [Notice] Bootstrapped 5%: Connecting to directory server.

... this is where it stops every time.

Anonymous (not verified) said:

December 14, 2009

Permalink

I have something similar - but different - have a black macbook os x 10.4.11 belong to a friend. I downloaded latest Tor release, now when I try to launch vidalia nothing happens.

The app won't even launch. When I click on vidalia it doesn't even appear to start to launch, even when I view what happens in the 'dock' i.e. the icon starts to launch then immediuately stops - no 'bouncing icon' if you know what I mean.

Have tried to load various different versions of Vidalia/tor/polipo. None of them work. The only other version I have that I know works is the one I use on my own titainium PPC G4 (10.4.11) which as I said, is for PPC so just out of curiosity I loaded that, which launches fine and reports that it connects to the tor-network but 'TOR button' reports that the 'proxy refusing connections.' which is not too surprising since it's for PPC

Anonymous (not verified) said:

December 21, 2009

Permalink

I must admit that today is my first time I visit here. However, I have found so many interesting thing in your blog and I really love that. Keep up the good work!I think you should try Reverse Phone Lookup atleast once

Anonymous (not verified) said:

January 08, 2010

Permalink

I loaded that, which launches fine and reports that it connects to the tor-network but 'TOR button' reports that the 'proxy refusing connections.' which is not too surprising since it's for PPC.
Netflix

Anonymous (not verified) said:

January 10, 2010

Permalink

Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me.

Criminal Backgrond Check

Anonymous (not verified) said:

May 18, 2010

Permalink

How can i log on to my MT4 meter trader forex platform using tor, also how can i log on to skype using tor. i tried it several times but it did not work. can i log on to this sites with tor? do i need to enable any thing to log on?