October 2017 - tor-announce - lists.torproject.org

Tor Browser 7.0.8 is released
by Nicolas Vigier 25 Oct '17

25 Oct '17

Tor Browser 7.0.8 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.8/ In version 7.0.7 we added a donation banner to point to our end-of-the-year 2017 donation campaign [3]. This new release is fixing a bug which prevented the display of the banner. 3: https://blog.torproject.org/powering-digital-resistance-help-mozilla The full changelog since Tor Browser 7.0.7 is: * All Platforms * Update Torbutton to 1.9.7.9 * Bug 23949: Fix donation banner display * Update locales with translated banner * Translations update

1 0

New stable Tor releases: 0.3.1.8, 0.3.0.12, 0.2.9.13, 0.2.8.16, 0.2.5.15
by Nick Mathewson 25 Oct '17

25 Oct '17

Hi, all! There are new stable Tor releases available for download. If you build Tor from source, you can find the source for the latest stable release on our Download page. You can find the older releases at https://dist.torproject.org/ . Packages should be available over the coming days, including a planned TorBrowser release in November. These releases backport stability fixes from later Tor releases, and add the key for the latest directory authority, "bastet". Below are the changelog entries for the new releases mentioned in this email. Changes in version 0.3.1.8 - 2017-10-25 Tor 0.3.1.7 is the second stable release in the 0.3.1 series. It includes several bugfixes, including a bugfix for a crash issue that had affected relays under memory pressure. It also adds a new directory authority, Bastet. o Directory authority changes: - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910. - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592. o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha): - Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection's output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha. o Minor features (directory authorities, backport from 0.3.2.2-alpha): - Remove longclaw's IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760. o Minor features (geoip): - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (compilation, backport from 0.3.2.2-alpha): - Fix a compilation warning when building with zstd support on 32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found and fixed by Andreas Stieger. o Minor bugfixes (compression, backport from 0.3.2.2-alpha): - Handle a pathological case when decompressing Zstandard data when the output buffer size is zero. Fixes bug 23551; bugfix on 0.3.1.1-alpha. o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha): - Remove the length limit on HTTP status lines that authorities can send in their replies. Fixes bug 23499; bugfix on 0.3.1.6-rc. o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha): - Avoid a possible double close of a circuit by the intro point on error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610; bugfix on 0.3.0.1-alpha. o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha): - Clear the address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha. o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha): - Fix additional channelpadding unit test failures by using mocked time instead of actual time for all tests. Fixes bug 23608; bugfix on 0.3.1.1-alpha. Changes in version 0.3.0.12 - 2017-10-25 Tor 0.3.0.12 backports a collection of bugfixes from later Tor release series, including a bugfix for a crash issue that had affected relays under memory pressure. It also adds a new directory authority, Bastet. Note: the Tor 0.3.0 series will no longer be supported after 26 Jan 2018. If you need a release with long-term support, please stick with the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. o Directory authority changes: - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910. - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592. o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha): - Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection's output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha. o Minor features (directory authorities, backport from 0.3.2.2-alpha): - Remove longclaw's IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760. o Minor features (geoip): - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha): - When a directory authority rejects a descriptor or extrainfo with a given digest, mark that digest as undownloadable, so that we do not attempt to download it again over and over. We previously tried to avoid downloading such descriptors by other means, but we didn't notice if we accidentally downloaded one anyway. This behavior became problematic in 0.2.7.2-alpha, when authorities began pinning Ed25519 keys. Fixes bug 22349; bugfix on 0.2.1.19-alpha. o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha): - Avoid a possible double close of a circuit by the intro point on error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610; bugfix on 0.3.0.1-alpha. o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha): - Clear the address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha. o Minor bugfixes (Windows service, backport from 0.3.1.6-rc): - When running as a Windows service, set the ID of the main thread correctly. Failure to do so made us fail to send log messages to the controller in 0.2.1.16-rc, slowed down controller event delivery in 0.2.7.3-rc and later, and crash with an assertion failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha. Patch and diagnosis from "Vort". Changes in version 0.2.9.13 - 2017-10-25 Tor 0.2.9.13 backports a collection of bugfixes from later Tor release series, including a bugfix for a crash issue that had affected relays under memory pressure. It also adds a new directory authority, Bastet. o Directory authority changes: - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910. - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592. o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha): - Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection's output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha. o Minor features (directory authorities, backport from 0.3.2.2-alpha): - Remove longclaw's IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760. o Minor features (geoip): - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha): - When a directory authority rejects a descriptor or extrainfo with a given digest, mark that digest as undownloadable, so that we do not attempt to download it again over and over. We previously tried to avoid downloading such descriptors by other means, but we didn't notice if we accidentally downloaded one anyway. This behavior became problematic in 0.2.7.2-alpha, when authorities began pinning Ed25519 keys. Fixes bug 22349; bugfix on 0.2.1.19-alpha. o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha): - Clear the address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha. o Minor bugfixes (Windows service, backport from 0.3.1.6-rc): - When running as a Windows service, set the ID of the main thread correctly. Failure to do so made us fail to send log messages to the controller in 0.2.1.16-rc, slowed down controller event delivery in 0.2.7.3-rc and later, and crash with an assertion failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha. Patch and diagnosis from "Vort". Changes in version 0.2.8.16 - 2017-10-25 Tor 0.2.8.16 backports a collection of bugfixes from later Tor release series, including a bugfix for a crash issue that had affected relays under memory pressure. It also adds a new directory authority, Bastet. Note: the Tor 0.2.8 series will no longer be supported after 1 Jan 2018. If you need a release with long-term support, please stick with the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. o Directory authority changes: - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910. - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592. o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha): - Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection's output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha. o Minor features (directory authorities, backport from 0.3.2.2-alpha): - Remove longclaw's IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760. o Minor features (geoip): - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database. Changes in version 0.2.5.15 - 2017-10-25 Tor 0.2.5.15 backports a collection of bugfixes from later Tor release series. It also adds a new directory authority, Bastet. Note: the Tor 0.2.5 series will no longer be supported after 1 May 2018. If you need a release with long-term support, please upgrade to the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. o Directory authority changes: - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910. - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592. o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): - Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xx" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. o Minor features (geoip): - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591. o Build features (backport from 0.3.1.5-alpha): - Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636.

1 0

Tor Browser 7.0.7 is released
by Nicolas Vigier 20 Oct '17

20 Oct '17

Tor Browser 7.0.7 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.7/ This release updates firefox to 52.4.1esr [3], HTTPS-Everywhere to 2017.10.4 and NoScript to 5.1.2. On Linux the content sandboxing is now enabled. This release is also fixing some crashes and adding a donation banner starting on Oct 23 in order to point to our end-of-the-year 2017 donation campaign. 3: https://www.mozilla.org/en-US/firefox/52.4.1/releasenotes/ The full changelog since Tor Browser 7.0.6 is: * All Platforms * Update Firefox to 52.4.1esr * Update Torbutton to 1.9.7.8 * Bug 23887: Update banner locales and Mozilla text * Bug 23526: Add 2017 Donation banner text * Bug 23483: Donation banner on about:tor for 2017 (testing mode) * Bug 22610: Avoid crashes when canceling external helper app related downloads * Bug 22472: Fix FTP downloads when external helper app dialog is shown * Bug 22471: Downloading pdf files via the PDF viewer download button is broken * Bug 22618: Downloading pdf file via file:/// is stalling * Translations update * Update HTTPS-Everywhere to 2017.10.4 * Update NoScript to 5.1.2 * Bug 23723: Loading entities from NoScript .dtd files is blocked * Bug 23724: NoScript update breaks Security Slider and its icon disappears * Bug 23745: Tab crashes when using Tor Browser to access Google Drive * Bug 22610: Avoid crashes when canceling external helper app related downloads * Bug 22472: Fix FTP downloads when external helper app dialog is shown * Bug 22471: Downloading pdf files via the PDF viewer download button is broken * Bug 22618: Downloading pdf file via file:/// is stalling * Bug 23694: Update the detailsURL in update responses * OS X * Bug 23807: Tab crashes when playing video on High Sierra * Linux * Bug 22692: Enable content sandboxing on Linux

1 0