tor-announce

tor-announce@lists.torproject.org

January 2020

2 participants
2 discussions

New stable releases: Tor 0.4.1.8 and 0.4.2.6
by Nick Mathewson 30 Jan '20

30 Jan '20

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.4.2.6 is now available from the usual place at https://www.torproject.org/download/tor/ . Packages should be available within the next several weeks, with a new Tor Browser by mid-February. Source code for Tor 0.4.1.8 is available from our distribution site, at https://dist.torproject.org/ . Change logs for these releases are below. A reminder about supported releases: 0.2.9.x releases are no longer supported as of Jan 1, and 0.4.0.x releases will no longer be supported as of Feb 2. The currently supported stable series are 0.3.5.x, 0.4.1.x, and 0.4.2.x. For more information about our support policies, see https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… Changes in version 0.4.2.6 - 2020-01-30 This is the second stable release in the 0.4.2.x series. It backports several bugfixes from 0.4.3.1-alpha, including some that had affected the Linux seccomp2 sandbox or Windows services. If you're running with one of those configurations, you'll probably want to upgrade; otherwise, you should be fine with 0.4.2.5. o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha): - Correct how we use libseccomp. Particularly, stop assuming that rules are applied in a particular order or that more rules are processed after the first match. Neither is the case! In libseccomp <2.4.0 this lead to some rules having no effect. libseccomp 2.4.0 changed how rules are generated, leading to a different ordering, which in turn led to a fatal crash during startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber. - Fix crash when reloading logging configuration while the experimental sandbox is enabled. Fixes bug 32841; bugfix on 0.4.1.7. Patch by Peter Gerber. o Minor bugfixes (correctness checks, backport from 0.4.3.1-alpha): - Use GCC/Clang's printf-checking feature to make sure that tor_assertf() arguments are correctly typed. Fixes bug 32765; bugfix on 0.4.1.1-alpha. o Minor bugfixes (logging, crash, backport from 0.4.3.1-alpha): - Avoid a possible crash when trying to log a (fatal) assertion failure about mismatched magic numbers in configuration objects. Fixes bug 32771; bugfix on 0.4.2.1-alpha. o Minor bugfixes (testing, backport from 0.4.3.1-alpha): - When TOR_DISABLE_PRACTRACKER is set, do not apply it to the test_practracker.sh script. Doing so caused a test failure. Fixes bug 32705; bugfix on 0.4.2.1-alpha. - When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when skipping practracker checks. Fixes bug 32705; bugfix on 0.4.2.1-alpha. o Minor bugfixes (windows service, backport from 0.4.3.1-alpha): - Initialize the publish/subscribe system when running as a windows service. Fixes bug 32778; bugfix on 0.4.1.1-alpha. o Testing (backport from 0.4.3.1-alpha): - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on Ubuntu Bionic. Turning off the Sandbox is a work-around, until we fix the sandbox errors in 32722. Closes ticket 32240. - Re-enable the Travis CI macOS Chutney build, but don't let it prevent the Travis job from finishing. (The Travis macOS jobs are slow, so we don't want to have it delay the whole CI process.) Closes ticket 32629. o Testing (continuous integration, backport from 0.4.3.1-alpha): - Use zstd in our Travis Linux builds. Closes ticket 32242. Changes in version 0.4.1.8 - 2020-01-30 This release backports several bugfixes from later release series, including some that had affected the Linux seccomp2 sandbox or Windows services. If you're running with one of those configurations, you'll probably want to upgrade; otherwise, you should be fine with your current version of 0.4.1.x. o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha): - Correct how we use libseccomp. Particularly, stop assuming that rules are applied in a particular order or that more rules are processed after the first match. Neither is the case! In libseccomp <2.4.0 this lead to some rules having no effect. libseccomp 2.4.0 changed how rules are generated, leading to a different ordering, which in turn led to a fatal crash during startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber. - Fix crash when reloading logging configuration while the experimental sandbox is enabled. Fixes bug 32841; bugfix on 0.4.1.7. Patch by Peter Gerber. o Minor bugfixes (crash, backport form 0.4.2.4-rc): - When running Tor with an option like --verify-config or --dump-config that does not start the event loop, avoid crashing if we try to exit early because of an error. Fixes bug 32407; bugfix on 0.3.3.1-alpha. o Minor bugfixes (windows service, backport from 0.4.3.1-alpha): - Initialize the publish/subscribe system when running as a windows service. Fixes bug 32778; bugfix on 0.4.1.1-alpha. o Testing (backport from 0.4.3.1-alpha): - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on Ubuntu Bionic. Turning off the Sandbox is a work-around, until we fix the sandbox errors in 32722. Closes ticket 32240. - Re-enable the Travis CI macOS Chutney build, but don't let it prevent the Travis job from finishing. (The Travis macOS jobs are slow, so we don't want to have it delay the whole CI process.) Closes ticket 32629. o Testing (continuous integration, backport from 0.4.3.1-alpha): - Use zstd in our Travis Linux builds. Closes ticket 32242.

1 0

Tor Browser 9.0.4 is released
by Nicolas Vigier 11 Jan '20

11 Jan '20

Tor Browser 9.0.4 is now available from the Tor Browser download page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/ 2: https://www.torproject.org/dist/torbrowser/9.0.4/ This release fixes a critical security issue in Firefox [3]: CVE-2019-17026. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/ Note: There was no email sent on this list for version 9.0.3, which was released just before 9.0.4. You can find the announce for 9.0.3 on our blog [4]. 4: https://blog.torproject.org/new-release-tor-browser-903 The full changelog since Tor Browser 9.0.3 is: * All Platforms * Update Firefox to 68.4.1esr

1 0