Hi, all! There is a new stable release of the Tor source code, with
fixes for several important bugs.
(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
You will have to enter the actual email address you used to subscribe.)
You can download the source from the usual place on the website.
Packages should be up in a few days.
(There is also a concurrent release of Tor 0.2.9.3-alpha; for alpha
announcements, please see tor-talk@ or the blog.)
====
Changes in version 0.2.8.8 - 2016-09-23
  Tor 0.2.8.8 fixes two crash bugs present in previous versions of the
  0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users
  who select public relays as their bridges.

  o Major bugfixes (crash):
    - Fix a complicated crash bug that could affect Tor clients
      configured to use bridges when replacing a networkstatus consensus
      in which one of their bridges was mentioned. OpenBSD users saw
      more crashes here, but all platforms were potentially affected.
      Fixes bug 20103; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (relay, OOM handler):
    - Fix a timing-dependent assertion failure that could occur when we
      tried to flush from a circuit after having freed its cells because
      of an out-of-memory condition. Fixes bug 20203; bugfix on
      0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
      this one.

  o Minor feature (fallback directories):
    - Remove broken fallbacks from the hard-coded fallback directory
      list. Closes ticket 20190; patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
      Country database.
Tor Browser 6.0.5 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/6.0.5/
This release features important security updates to Firefox including
the recently disclosed extension update vulnerability [3]. All users
should upgrade as soon as possible.
3: http://seclists.org/dailydave/2016/q3/51
That vulnerability [4] allows an attacker who is able to obtain a valid
certificate for addons.mozilla.org to impersonate Mozilla's servers and
to deliver a malicious extension update, e.g. for NoScript. This could
lead to arbitrary code execution. Moreover, other built-in certificate
pinnings are affected as well. Obtaining such a certificate is not an
easy task, but it's within reach of powerful adversaries (e.g. nation states).
4: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
Thanks to everyone who helped investigating this bug and getting a bugfix
release out as fast as possible.
We are currently building the alpha and hardened bundles (6.5a3 and
6.5a3-hardened) that will contain the fix for alpha/hardened channel
users. We expect them to get released at the beginning of next week.
Until then users are strongly encouraged to use Tor Browser 6.0.5.
Apart from fixing Firefox vulnerabilities, this release comes with a new
Tor stable version (0.2.8.7) and an updated HTTPS-Everywhere (5.2.4), and
fixes minor bugs.
Here is the full changelog since Tor Browser 6.0.4:

 * All Platforms
   * Update Firefox to 45.4.0esr
   * Update Tor to 0.2.8.7
   * Update Torbutton to 1.9.5.7
     * Bug 18589: Clear site security settings during New Identity
     * Bug 19906: "Maximizing Tor Browser" Notification can exist multiple times
   * Update HTTPS-Everywhere to 5.2.4
   * Bug 20092: Rotate ports for default obfs4 bridges
   * Bug 20040: Add update support for unpacked HTTPS Everywhere
 * Windows
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Linux
   * Bug 19725: Remove old updater files left on disk after upgrade to 6.x
 * Android
   * Bug 19706: Store browser data in the app home directory
 * Build system
   * All platforms
     * Upgrade Go to 1.4.3
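The pinning paragraph in the Tor Browser 6.0.5 announcement above turns on one point: a certificate that is "valid" in the sense that a browser-trusted CA issued it is still rejected for a pinned host unless the chain contains one of the pinned public keys, and that protection exists only while the pins are actually enforced. The following stdlib-only Python model of RFC 7469 style public-key pinning is an added example written for this page; it is not code from Mozilla, Tor Browser or the page itself. The SPKI byte strings are constructed stand-ins rather than real keys, the host names and timestamps are chosen for illustration, and the rule that a pin entry silently stops being enforced once it has lapsed is this example's own assumption (modelled on HPKP max-age), not a description of the mechanism behind bug 1303127.

```python
import base64
import hashlib


def spki_pin(spki_der):
    """RFC 7469 pin value: base64 of SHA-256 over a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real
# keys). The pin logic only ever hashes them, so their contents do not matter.
MOZILLA_INTERMEDIATE_SPKI = b"constructed-spki:mozilla-issuing-intermediate"
MOZILLA_LEAF_SPKI = b"constructed-spki:addons.mozilla.org-genuine-leaf"
PUBLIC_ROOT_SPKI = b"constructed-spki:publicly-trusted-root-ca"
ROGUE_INTERMEDIATE_SPKI = b"constructed-spki:other-intermediate-ca"
ROGUE_LEAF_SPKI = b"constructed-spki:addons.mozilla.org-misissued-leaf"

# A built-in pin list in the shape of an HPKP pinset: each host pins one or
# more SPKI hashes, and the entry carries an expiry after which the client
# stops enforcing it (HPKP max-age semantics). Treating expiry as "stop
# enforcing" is this example's assumption, not a description of the Firefox
# build in the announcement. The timestamps are arbitrary.
PIN_LIST_EXPIRES = 1473465600
STATIC_PINS = {
    "addons.mozilla.org": {
        "pins": {spki_pin(MOZILLA_INTERMEDIATE_SPKI)},
        "expires": PIN_LIST_EXPIRES,
        "enforce": True,
    },
}


def chain_matches_pins(chain_spkis, pins):
    """HPKP semantics: accept if ANY SPKI in the chain matches a pin."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def validate(host, chain_spkis, pinset, now, ca_trusted=True):
    """Decide whether a chain presented for host is accepted.

    Returns (accepted, reason). Pinning is a second check layered on top of
    ordinary CA path validation: a chain the CA store rejects never reaches
    the pin check, and a pinned host rejects a CA-valid chain whose keys are
    not in the pinset.
    """
    if not ca_trusted:
        return False, "untrusted-ca"
    entry = pinset.get(host)
    if entry is None:
        return True, "unpinned-host"
    if now >= entry["expires"]:
        # Lapsed pins: the client silently degrades to CA validation alone,
        # so a mis-issued but CA-valid certificate is accepted.
        return True, "pins-expired-not-enforced"
    if chain_matches_pins(chain_spkis, entry["pins"]):
        return True, "pin-match"
    if entry["enforce"]:
        return False, "pin-violation"
    return True, "pin-violation-report-only"


# The genuine chain, and a chain from an attacker who, as the announcement
# puts it, obtained a valid certificate for addons.mozilla.org: issued under a
# root the browser trusts, but through keys that are not pinned.
GENUINE_CHAIN = [MOZILLA_LEAF_SPKI, MOZILLA_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]
ROGUE_CHAIN = [ROGUE_LEAF_SPKI, ROGUE_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]
BEFORE_EXPIRY = PIN_LIST_EXPIRES - 86400 * 7
AFTER_EXPIRY = PIN_LIST_EXPIRES + 86400 * 7


if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE_CHAIN), ("rogue", ROGUE_CHAIN)):
        for when, now in (("pins live", BEFORE_EXPIRY), ("pins lapsed", AFTER_EXPIRY)):
            accepted, reason = validate("addons.mozilla.org", chain, STATIC_PINS, now)
            verdict = "ACCEPT" if accepted else "REJECT"
            print(f"{label:8s} {when:12s} -> {verdict} ({reason})")
```

Running the block prints the four combinations: the genuine chain is accepted either way, and the rogue chain is rejected only while the pins are live. The pin is placed on the intermediate rather than the leaf, which is the usual practice because the leaf key rotates often; since HPKP accepts a match anywhere in the chain, that is enough to reject a chain that skips the pinned issuer, and it is also why a single CA-issued certificate from any other issuer is useless against a host whose pins are being enforced.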