January 2019 - tor-announce - lists.torproject.org

Tor Browser 8.0.5 is released
by Nicolas Vigier 29 Jan '19

29 Jan '19

Tor Browser 8.0.5 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.5/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/ This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series, 0.3.5.7 [4]. 4: https://blog.torproject.org/new-releases-tor-0357-03410-and-03311 Apart from that it contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents. We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation campaign related code. The full changelog since Tor Browser 8.0.4 is: * All platforms * Update Firefox to 60.5.0esr * Update Tor to 0.3.5.7 * Update Torbutton to 2.0.10 * Bug 29035: Clean up our donation campaign and add newsletter sign-up link * Bug 27175: Add pref to allow users to persist custom noscript settings * Update HTTPS Everywhere to 2019.1.7 * Update NoScript to 10.2.1 * Bug 28873: Cascading of permissions is broken * Bug 28720: Some videos are blocked outright on higher security levels * Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading * Bug 28740: Adapt Windows navigator.platform value on 64-bit systems * Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

1 0

Tor 0.3.3.11 and 0.3.4.10 are released!
by Nick Mathewson 08 Jan '19

08 Jan '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.3.4.10 and 0.3.3.11 isnow available at https://dist.torproject.org. Packages should be available within the next several weeks. For a full list of changes, see the ChangLog and ReleaseNotes files in these releases. -- Nick Mathewson

1 0

Tor 0.3.5.7 is released
by Nick Mathewson 08 Jan '19

08 Jan '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) After months of work, Tor 0.3.5.7 is now available! This is the first stable release in the 0.3.5 series, and we hope you find it useful. You can download the source code from the usual place on the website. Packages should be available within the next several weeks, with a new Tor Browser some time in the next month or so. Changes in version 0.3.5.7 - 2019-01-07 Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches. The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth- measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series. There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them. We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.) Below are the changes since 0.3.5.6-rc. For a complete list of changes since 0.3.4.9, see the ReleaseNotes file. o Major bugfixes (relay, directory): - Always reactivate linked connections in the main loop so long as any linked connection has been active. Previously, connections serving directory information wouldn't get reactivated after the first chunk of data was sent (usually 32KB), which would prevent clients from bootstrapping. Fixes bug 28912; bugfix on 0.3.4.1-alpha. Patch by "cypherpunks3". o Minor features (compilation): - When possible, place our warning flags in a separate file, to avoid flooding verbose build logs. Closes ticket 28924. o Minor features (geoip): - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2 Country database. Closes ticket 29012. o Minor features (OpenSSL bug workaround): - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3 key export function from handling long labels. When this bug is detected, Tor will disable TLS 1.3. We recommend upgrading to a version of OpenSSL without this bug when it becomes available. Closes ticket 28973. o Minor features (performance): - Remove about 96% of the work from the function that we run at startup to test our curve25519_basepoint implementation. Since this function has yet to find an actual failure, we now only run it for 8 iterations instead of 200. Based on our profile information, this change should save around 8% of our startup time on typical desktops, and may have a similar effect on other platforms. Closes ticket 28838. - Stop re-validating our hardcoded Diffie-Hellman parameters on every startup. Doing this wasted time and cycles, especially on low-powered devices. Closes ticket 28851. o Minor bugfixes (compilation): - Fix compilation for Android by adding a missing header to freespace.c. Fixes bug 28974; bugfix on 0.3.5.1-alpha. o Minor bugfixes (correctness): - Fix an unreached code path where we checked the value of "hostname" inside send_resolved_hostname_cell(). Previously, we used it before checking it; now we check it first. Fixes bug 28879; bugfix on 0.1.2.7-alpha. o Minor bugfixes (testing): - Make sure that test_rebind.py actually obeys its timeout, even when it receives a large number of log messages. Fixes bug 28883; bugfix on 0.3.5.4-alpha. - Stop running stem's unit tests as part of "make test-stem", but continue to run stem's unit and online tests during "make test- stem-full". Fixes bug 28568; bugfix on 0.2.6.3-alpha. o Minor bugfixes (windows services): - Make Tor start correctly as an NT service again: previously it was broken by refactoring. Fixes bug 28612; bugfix on 0.3.5.3-alpha. o Code simplification and refactoring: - When parsing a port configuration, make it more obvious to static analyzer tools that we always initialize the address. Closes ticket 28881.

1 0