Tor is released

by arma | January 23, 2017

Tor fixes a denial-of-service bug where an attacker could cause relays and clients to crash, even if they were not built with the --enable-expensive-hardening option. This bug affects all 0.2.9.x versions, and also affects all relays running an affected version should upgrade.
Tor also improves how exit relays and clients handle DNS time-to-live values, makes directory authorities enforce the 1-to-1 mapping of relay RSA identity keys to ED25519 identity keys, fixes a client-side onion service reachability bug, does better at selecting the set of fallback directories, and more.

You can download the source code from but most users should wait for the upcoming 7.0a Tor Browser alpha release, or for their upcoming system package updates.

Changes in version - 2017-01-23

  • Major bugfixes (security, also in
    • Downgrade the "-ftrapv" option from "always on" to "only on when --enable-expensive-hardening is provided." This hardening option, like others, can turn survivable bugs into crashes--and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
  • Major features (security):
    • Change the algorithm used to decide DNS TTLs on client and server side, to better resist DNS-based correlation attacks like the DefecTor attack of Greschbach, Pulls, Roberts, Winter, and Feamster. Now relays only return one of two possible DNS TTL values, and clients are willing to believe DNS TTL values up to 3 hours long. Closes ticket 19769.


  • Major features (directory authority, security):
    • The default for AuthDirPinKeys is now 1: directory authorities will reject relays where the RSA identity key matches a previously seen value, but the Ed25519 key has changed. Closes ticket 18319.
  • Major bugfixes (client, guard, crash):
    • In circuit_get_global_origin_list(), return the actual list of origin circuits. The previous version of this code returned the list of all the circuits, and could have caused strange bugs, including possible crashes. Fixes bug 21118; bugfix on
  • Major bugfixes (client, onion service, also in
    • Fix a client-side onion service reachability bug, where multiple socks requests to an onion service (or a single slow request) could cause us to mistakenly mark some of the service's introduction points as failed, and we cache that failure so eventually we run out and can't reach the service. Also resolves a mysterious "Remote server sent bogus reason code 65021" log warning. The bug was introduced in ticket 17218, where we tried to remember the circuit end reason as a uint16_t, which mangled negative values. Partially fixes bug 21056 and fixes bug 20307; bugfix on
  • Major bugfixes (DNS):
    • Fix a bug that prevented exit nodes from caching DNS records for more than 60 seconds. Fixes bug 19025; bugfix on
  • Minor features (controller):
    • Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose shared-random values to the controller. Closes ticket 19925.
  • Minor features (entry guards):
    • Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not break regression tests.
    • Require UseEntryGuards when UseBridges is set, in order to make sure bridges aren't bypassed. Resolves ticket 20502.
  • Minor features (fallback directories):
    • Select 200 fallback directories for each release. Closes ticket 20881.
    • Allow 3 fallback relays per operator, which is safe now that we are choosing 200 fallback relays. Closes ticket 20912.
    • Exclude relays affected by bug 20499 from the fallback list. Exclude relays from the fallback list if they are running versions known to be affected by bug 20499, or if in our tests they deliver a stale consensus (i.e. one that expired more than 24 hours ago). Closes ticket 20539.
    • Reduce the minimum fallback bandwidth to 1 MByte/s. Part of ticket 18828.
    • Require fallback directories to have the same address and port for 7 days (now that we have enough relays with this stability). Relays whose OnionOO stability timer is reset on restart by bug 18050 should upgrade to Tor or later, which has a fix for this issue. Closes ticket 20880; maintains short-term fix in
    • Require fallbacks to have flags for 90% of the time (weighted decaying average), rather than 95%. This allows at least 73% of clients to bootstrap in the first 5 seconds without contacting an authority. Part of ticket 18828.
    • Annotate with the bandwidth and consensus weight for each candidate fallback. Closes ticket 20878.
    • Make it easier to change the output sort order of fallbacks. Closes ticket 20822.
    • Display the relay fingerprint when downloading consensuses from fallbacks. Closes ticket 20908.
  • Minor features (geoip, also in
    • Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 Country database.
  • Minor features (next-gen onion service directories):
    • Remove the "EnableOnionServicesV3" consensus parameter that we introduced in relays are now always willing to act as v3 onion service directories. Resolves ticket 19899.
  • Minor features (linting):
    • Enhance the changes file linter to warn on Tor versions that are prefixed with "tor-". Closes ticket 21096.
  • Minor features (logging):
    • In several places, describe unset ed25519 keys as "<unset>", rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
  • Minor bugfix (control protocol):
    • The reply to a "GETINFO config/names" request via the control protocol now spells the type "Dependent" correctly. This is a breaking change in the control protocol. (The field seems to be ignored by the most common known controllers.) Fixes bug 18146; bugfix on
  • Minor bugfixes (bug resilience):
    • Fix an unreachable size_t overflow in base64_decode(). Fixes bug 19222; bugfix on Found by Guido Vranken; fixed by Hans Jerry Illikainen.
  • Minor bugfixes (build):
    • Replace obsolete Autoconf macros with their modern equivalent and prevent similar issues in the future. Fixes bug 20990; bugfix on
  • Minor bugfixes (client, guards):
    • Fix bug where Tor would think that there are circuits waiting for better guards even though those circuits have been freed. Fixes bug 21142; bugfix on
  • Minor bugfixes (config):
    • Don't assert on startup when trying to get the options list and LearnCircuitBuildTimeout is set to 0: we are currently parsing the options so of course they aren't ready yet. Fixes bug 21062; bugfix on
  • Minor bugfixes (controller):
    • Make the GETINFO interface for inquiring about entry guards support the new guards backend. Fixes bug 20823; bugfix on
  • Minor bugfixes (dead code):
    • Remove a redundant check for PidFile changes at runtime in options_transition_allowed(): this check is already performed regardless of whether the sandbox is active. Fixes bug 21123; bugfix on
  • Minor bugfixes (documentation):
    • Update the tor manual page to document every option that can not be changed while tor is running. Fixes bug 21122.
  • Minor bugfixes (fallback directories):
    • Stop failing when a relay has no uptime data in Fixes bug 20945; bugfix on
    • Avoid checking fallback candidates' DirPorts if they are down in OnionOO. When a relay operator has multiple relays, this prioritizes relays that are up over relays that are down. Fixes bug 20926; bugfix on
    • Stop failing when OUTPUT_COMMENTS is True in Fixes bug 20877; bugfix on
  • Minor bugfixes (guards, bootstrapping):
    • When connecting to a directory guard during bootstrap, do not mark the guard as successful until we receive a good-looking directory response from it. Fixes bug 20974; bugfix on
  • Minor bugfixes (onion services):
    • Fix the config reload pruning of old vs new services so it actually works when both ephemeral and non-ephemeral services are configured. Fixes bug 21054; bugfix on
    • Allow the number of introduction points to be as low as 0, rather than as low as 3. Fixes bug 21033; bugfix on
  • Minor bugfixes (IPv6):
    • Make IPv6-using clients try harder to find an IPv6 directory server. Fixes bug 20999; bugfix on
    • When IPv6 addresses have not been downloaded yet (microdesc consensus documents don't list relay IPv6 addresses), use hard- coded addresses for authorities, fallbacks, and configured bridges. Now IPv6-only clients can use microdescriptors. Fixes bug 20996; bugfix on b167e82 from 19608 in
  • Minor bugfixes (memory leaks):
    • Fix a memory leak when configuring hidden services. Fixes bug 20987; bugfix on
  • Minor bugfixes (portability, also in
    • Avoid crashing when Tor is built using headers that contain CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix on
    • Fix Libevent detection on platforms without Libevent 1 headers installed. Fixes bug 21051; bugfix on
  • Minor bugfixes (relay):
    • Honor DataDirectoryGroupReadable when tor is a relay. Previously, initializing the keys would reset the DataDirectory to 0700 instead of 0750 even if DataDirectoryGroupReadable was set to 1. Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
  • Minor bugfixes (testing):
    • Remove undefined behavior from the backtrace generator by removing its signal handler. Fixes bug 21026; bugfix on
  • Minor bugfixes (unit tests):
    • Allow the unit tests to pass even when DNS lookups of bogus addresses do not fail as expected. Fixes bug 20862 and 20863; bugfix on unit tests introduced in through
  • Code simplification and refactoring:
    • Refactor code to manipulate global_origin_circuit_list into separate functions. Closes ticket 20921.
  • Documentation (formatting):
    • Clean up formatting of tor.1 man page and HTML doc, where <pre> blocks were incorrectly appearing. Closes ticket 20885.
  • Documentation (man page):
    • Clarify many options in tor.1 and add some min/max values for HiddenService options. Closes ticket 21058.


Please note that the comment area below has been archived.

January 24, 2017


Yeah, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is kind of scary. It's like my computer is screaming.

January 25, 2017

In reply to arma


Automated bot. Hopefully you guys switch to a better blogging platform with a small captcha to ward off bots.

I assume you are the ENCRYPT URL person. Come back when you can explain how "URI percent-encoding" qualifies as encryption (hint: "It doesn't, at all") or how it will provide any security or obscurity what so ever (hint: "It provides neither").