Source code for a new Tor release (0.3.0.9) is now available on the website.
Tor 0.3.0.9 fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha when packages become available. Packages should be available soon, along with a Tor Browser release early next week.
One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be supported after 1 August of this year. Tor 0.2.8 will not be supported after 1 Jan of 2018. Tor 0.2.5 will not be supported after 1 May of 2018. If you need a release with long-term support, 0.2.9 is what we recommend: we plan to support it until at least 1 Jan 2020.
This release also backports several other bugfixes from the 0.3.1.x series.
Changes in version 0.3.0.9 - 2017-06-29
- Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
- When choosing which guard to use for a circuit, avoid the exit's family along with the exit itself. Previously, the new guard selection logic avoided the exit, but did not consider its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-006 and CVE-2017-0377.
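
The rule restored by the path selection fix above, shown as an added example that is not Tor's own code. It is a simplified model: the relay names and family declarations are constructed, family membership is assumed to require mutual declaration, and same-subnet relationships are not modelled.

```python
# Constructed sample data: relay name -> set of relays it declares as family.
RELAYS = {
    "GUARD_A": {"EXIT_X"},
    "GUARD_B": set(),
    "GUARD_C": {"EXIT_X"},   # one-sided claim: EXIT_X does not list it back
    "EXIT_X": {"GUARD_A"},   # EXIT_X is also usable as a guard in this model
}
GUARDS = ["GUARD_A", "GUARD_B", "GUARD_C", "EXIT_X"]


def family_of(relay, relays):
    """Return the relay plus every relay that mutually declares family with it.

    Assumption of this model: a one-sided declaration does not create a family.
    """
    declared = relays.get(relay, set())
    return {relay} | {r for r in declared if relay in relays.get(r, set())}


def guards_avoiding_exit_only(guards, exit_relay):
    """Behaviour the changelog describes before the fix: skip only the exit."""
    return [g for g in guards if g != exit_relay]


def guards_avoiding_exit_family(guards, exit_relay, relays):
    """Behaviour after the fix: skip the exit and every member of its family."""
    excluded = family_of(exit_relay, relays)
    return [g for g in guards if g not in excluded]


def audit_circuits(circuits, relays):
    """Return the (guard, exit) pairs whose guard is in the exit's family."""
    return [(g, e) for g, e in circuits if g in family_of(e, relays)]


if __name__ == "__main__":
    print("exit only  :", guards_avoiding_exit_only(GUARDS, "EXIT_X"))
    print("exit family:", guards_avoiding_exit_family(GUARDS, "EXIT_X", RELAYS))
    constructed_circuits = [("GUARD_A", "EXIT_X"), ("GUARD_B", "EXIT_X")]
    print("flagged    :", audit_circuits(constructed_circuits, RELAYS))
```
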
- Major bugfixes (entry guards, backport from 0.3.1.1-alpha):