tor-announce

tor-announce@lists.torproject.org

287 discussions

Tor Browser 8.0.8 is released
by Nicolas Vigier 23 Mar '19

23 Mar '19

Tor Browser 8.0.8 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.8/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/ The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest. The full changelog since Tor Browser 8.0.7 is: * All platforms * Update Firefox to 60.6.1esr * Update NoScript to 10.2.4 * Bug 29733: Work around Mozilla's bug 1532530

1 0

Tor Browser 8.0.7 is released
by Nicolas Vigier 19 Mar '19

19 Mar '19

Tor Browser 8.0.7 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.7/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/ This new release updates Firefox to 60.6.0esr [4] and Tor to the latest stable version, 0.3.5.8 [5]. Moreover, it makes Tor Browser more interoperable with Noscript by telling it that it is running in a Tor Browser context. 4: https://www.mozilla.org/en-US/firefox/60.6.0/releasenotes/ 5: https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312 The full changelog since Tor Browser 8.0.6 is: * All platforms * Update Firefox to 60.6.0esr * Update Tor to 0.3.5.8 * Bug 29660: XMPP can not connect to SOCKS5 anymore * Update Torbutton to 2.0.11 * Bug 29021: Tell NoScript it is running within Tor Browser * Windows * Bug 29081: Harden libwinpthread * Linux * Bug 27531: Add separate LD_LIBRARY_PATH for fteproxy

1 0

New stable Tor releases: 0.3.5.8, 0.3.4.11, and 0.3.3.12 (to fix TROVE-2019-001)
by Nick Mathewson 21 Feb '19

21 Feb '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.3.5.8, 0.3.4.11, and 0.3.3.12 is now available from the download page on our website and from the distribution directory at https://dist.tprorject.org . Packages should be available within the next several weeks, with a new Tor Browser likely in March. These releases fix TROVE-2019-001, a possible security bug involving the KIST cell scheduler code in versions 0.3.2.1-alpha and later. We are not certain that it is possible to exploit this bug in the wild, but out of an abundance of caution, we recommend that all affected users upgrade. The potential impact is a remote denial-of-service attack against clients or relays. Also note: 0.3.3.12 is the last anticipated release in the 0.3.3.x series; that series will become unsupported next week. The remaining supported stable series will 0.2.9.x (long-term support until 2020), 0.3.4.x (supported until June), and 0.3.5.x (long-term support until 2022). Below are the changes in 0.3.5.8. For changes in other versions, see their associated ChangeLog files. Changes in version 0.3.5.8 - 2019-02-21 Tor 0.3.5.8 backports serveral fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases. It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha. o Major bugfixes (cell scheduler, KIST, security): - Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955. o Major bugfixes (networking, backport from 0.4.0.2-alpha): - Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha. o Minor features (compilation, backport from 0.4.0.2-alpha): - Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix". o Minor features (geoip): - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 Country database. Closes ticket 29478. o Minor features (testing, backport from 0.4.0.2-alpha): - Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668. o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha): - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS connection waiting for a descriptor that we actually have in the cache. It turns out that this can actually happen, though it is rare. Now, tor will recover and retry the descriptor. Fixes bug 28669; bugfix on 0.3.2.4-alpha. o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha): - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the IPv6 socket was bound using an address family of AF_INET instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha): - Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha. o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha): - Select guards even if the consensus has expired, as long as the consensus is still reasonably live. Fixes bug 24661; bugfix on 0.3.0.1-alpha. o Minor bugfixes (compilation, backport from 0.4.0.1-alpha): - Compile correctly on OpenBSD; previously, we were missing some headers required in order to detect it properly. Fixes bug 28938; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (documentation, backport from 0.4.0.2-alpha): - Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". o Minor bugfixes (logging, backport from 0.4.0.1-alpha): - Rework rep_hist_log_link_protocol_counts() to iterate through all link protocol versions when logging incoming/outgoing connection counts. Tor no longer skips version 5, and we won't have to remember to update this function when new link protocol version is developed. Fixes bug 28920; bugfix on 0.2.6.10. o Minor bugfixes (logging, backport from 0.4.0.2-alpha): - Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. o Minor bugfixes (misc, backport from 0.4.0.2-alpha): - The amount of total available physical memory is now determined using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) when it is defined and a 64-bit variant is not available. Fixes bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. o Minor bugfixes (onion services, backport from 0.4.0.2-alpha): - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more than one private key for a hidden service. Fixes bug 29040; bugfix on 0.3.5.1-alpha. - In hs_cache_store_as_client() log an HSDesc we failed to parse at "debug" level. Tor used to log it as a warning, which caused very long log lines to appear for some users. Fixes bug 29135; bugfix on 0.3.2.1-alpha. - Stop logging "Tried to establish rendezvous on non-OR circuit..." as a warning. Instead, log it as a protocol warning, because there is nothing that relay operators can do to fix it. Fixes bug 29029; bugfix on 0.2.5.7-rc. o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha): - Mark outdated dirservers when Tor only has a reasonably live consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha. o Minor bugfixes (tests, backport from 0.4.0.2-alpha): - Detect and suppress "bug" warnings from the util/time test on Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha. - Do not log an error-level message if we fail to find an IPv6 network interface from the unit tests. Fixes bug 29160; bugfix on 0.2.7.3-rc. o Minor bugfixes (usability, backport from 0.4.0.1-alpha): - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). Some users took this phrasing to mean that the mentioned guard was under their control or responsibility, which it is not. Fixes bug 28895; bugfix on Tor 0.3.0.1-alpha.

1 1

Tor Browser 8.0.6 is released
by Nicolas Vigier 12 Feb '19

12 Feb '19

Tor Browser 8.0.6 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.6/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/ The main change in this new release is the update of Firefox to 60.5.1esr, fixing some vulnerabilities in the Skia library [4]. 4: https://googleprojectzero.blogspot.com/2019/02/the-curious-case-of-convexit… The full changelog since Tor Browser 8.0.5 is: * All platforms * Update Firefox to 60.5.1esr * Update HTTPS Everywhere to 2019.1.31 * Bug 29378: Remove 83.212.101.3 from default bridges * Build System * All Platforms * Bug 29235: Build our own version of python3.6 for HTTPS Everywhere

1 0

Tor Browser 8.0.5 is released
by Nicolas Vigier 29 Jan '19

29 Jan '19

Tor Browser 8.0.5 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.5/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/ This new release updates Firefox to 60.5.0esr and Tor to the first stable release in the 0.3.5 series, 0.3.5.7 [4]. 4: https://blog.torproject.org/new-releases-tor-0357-03410-and-03311 Apart from that it contains a number of backports from the alpha series, most notably the proper first-party isolation of range requests when loading PDF documents. We also updated NoScript and HTTPS Everywhere to their latest versions and removed our donation campaign related code. The full changelog since Tor Browser 8.0.4 is: * All platforms * Update Firefox to 60.5.0esr * Update Tor to 0.3.5.7 * Update Torbutton to 2.0.10 * Bug 29035: Clean up our donation campaign and add newsletter sign-up link * Bug 27175: Add pref to allow users to persist custom noscript settings * Update HTTPS Everywhere to 2019.1.7 * Update NoScript to 10.2.1 * Bug 28873: Cascading of permissions is broken * Bug 28720: Some videos are blocked outright on higher security levels * Bug 26540: Enabling pdfjs disableRange option prevents pdfs from loading * Bug 28740: Adapt Windows navigator.platform value on 64-bit systems * Bug 28695: Set default security.pki.name_matching_mode to enforce (3)

1 0

Tor 0.3.3.11 and 0.3.4.10 are released!
by Nick Mathewson 08 Jan '19

08 Jan '19

1 0

Tor 0.3.5.7 is released
by Nick Mathewson 08 Jan '19

08 Jan '19

1 0

Tor Browser 8.0.4 is released
by Nicolas Vigier 11 Dec '18

11 Dec '18

Tor Browser 8.0.4 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.4/ This release features important security updates to Firefox. 4: https://www.mozilla.org/en-US/security/advisories/mfsa2018-30/ Tor Browser 8.0.4 contains updates to Tor (0.3.4.9 [5]), OpenSSL (1.0.2q) and other bundle components. Additionally, we backported a number of patches from our alpha series where they got some baking time. The most important ones are 5: https://blog.torproject.org/new-release-tor-0349 - a defense against protocol handler enumeration which should enhance our fingerprinting resistance, - enabling Stylo for macOS users by bypassing a reproducibility issue caused by Rust compilation and - setting back the sandboxing level to 5 on Windows (the Firefox default), after working around some Tor Launcher interference causing a broken Tor Browser experience. Moreover, we ship an updated donation banner for our year-end donation campaign. The full changelog since Tor Browser 8.0.3 is: * All platforms * Update Firefox to 60.4.0esr * Update Tor to 0.3.4.9 * Update OpenSSL to 1.0.2q * Update Torbutton to 2.0.9 * Bug 28540: Use new text for 2018 donation banner * Bug 28515: Use en-US for english Torbutton strings * Translations update * Update HTTPS Everywhere to 2018.10.31 * Update NoScript to 10.2.0 * Bug 1623: Block protocol handler enumeration (backport of fix for #680300) * Bug 25794: Disable pointer events * Bug 28608: Disable background HTTP response throttling * Bug 28185: Add smallerRichard to Tor Browser * Windows * Bug 26381: about:tor page does not load on first start on Windows * Bug 28657: Remove broken FTE bridge from Tor Browser * OS X * Bug 26263: App icon positioned incorrectly in macOS DMG installer window * Bug 26475: Fix Stylo related reproducibility issue * Linux * Bug 26475: Fix Stylo related reproducibility issue * Bug 28657: Remove broken FTE bridge from Tor Browser * Build System * All Platforms * Bug 27218: Generate multiple Tor Browser bundles in parallel

1 0

Tor 0.3.4.9 is released
by Nick Mathewson 02 Nov '18

02 Nov '18

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.3.4.9 is now available; you can download the source code from the usual place on the website. Packages should be available within the next several weeks, with a new Tor Browser by mid-December. Below are the changes since Tor 0.3.4.8: Changes in version 0.3.4.9 - 2018-11-02 Tor 0.3.4.9 is the second stable release in its series; it backports numerous fixes, including a fix for a bandwidth management bug that was causing memory exhaustion on relays. Anyone running an earlier version of Tor 0.3.4.9 should upgrade. o Major bugfixes (compilation, backport from 0.3.5.3-alpha): - Fix compilation on ARM (and other less-used CPUs) when compiling with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha. o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha): - Make sure Tor bootstraps and works properly if only the ControlPort is set. Prior to this fix, Tor would only bootstrap when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug 27849; bugfix on 0.3.4.1-alpha. o Major bugfixes (relay, backport from 0.3.5.3-alpha): - When our write bandwidth limit is exhausted, stop writing on the connection. Previously, we had a typo in the code that would make us stop reading instead, leading to relay connections being stuck indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix on 0.3.4.1-alpha. o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha): - Fix a use-after-free error that could be caused by passing Tor an impossible set of options that would fail during options_act(). Fixes bug 27708; bugfix on 0.3.3.1-alpha. o Minor features (continuous integration, backport from 0.3.5.1-alpha): - Don't do a distcheck with --disable-module-dirauth in Travis. Implements ticket 27252. - Only run one online rust build in Travis, to reduce network errors. Skip offline rust builds on Travis for Linux gcc, because they're redundant. Implements ticket 27252. - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on Linux with default settings, because all the non-default builds use gcc on Linux. Implements ticket 27252. o Minor features (continuous integration, backport from 0.3.5.3-alpha): - Use the Travis Homebrew addon to install packages on macOS during Travis CI. The package list is the same, but the Homebrew addon does not do a `brew update` by default. Implements ticket 27738. o Minor features (geoip): - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 Country database. Closes ticket 27991. o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha): - Fix an integer overflow bug in our optimized 32-bit millisecond- difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha. - Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha. - Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha. o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha): - Avoid undefined behavior in an end-of-string check when parsing the BEGIN line in a directory object. Fixes bug 28202; bugfix on 0.2.0.3-alpha. o Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha): - Only install the necessary mingw packages during our appveyor builds. This change makes the build a little faster, and prevents a conflict with a preinstalled mingw openssl that appveyor now ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha. o Minor bugfixes (code safety, backport from 0.3.5.3-alpha): - Rewrite our assertion macros so that they no longer suppress the compiler's -Wparentheses warnings. Fixes bug 27709; bugfix o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha): - Stop reinstalling identical packages in our Windows CI. Fixes bug 27464; bugfix on 0.3.4.1-alpha. o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha): - Log additional info when we get a relay that shares an ed25519 ID with a different relay, instead making a BUG() warning. Fixes bug 27800; bugfix on 0.3.2.1-alpha. o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha): - Avoid a double-close when shutting down a stalled directory connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha. o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha): - Fix a bug warning when closing an HTTP tunnel connection due to an HTTP request we couldn't handle. Fixes bug 26470; bugfix on 0.3.2.1-alpha. o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha): - Ensure circuitmux queues are empty before scheduling or sending padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha. o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha): - When the onion service directory can't be created or has the wrong permissions, do not log a stack trace. Fixes bug 27335; bugfix on 0.3.2.1-alpha. o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha): - Close all SOCKS request (for the same .onion) if the newly fetched descriptor is unusable. Before that, we would close only the first one leaving the other hanging and let to time out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha. o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha): - When selecting a v3 rendezvous point, don't only look at the protover, but also check whether the curve25519 onion key is present. This way we avoid picking a relay that supports the v3 rendezvous but for which we don't have the microdescriptor. Fixes bug 27797; bugfix on 0.3.2.1-alpha. o Minor bugfixes (protover, backport from 0.3.5.3-alpha): - Reject protocol names containing bytes other than alphanumeric characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha. o Minor bugfixes (rust, backport from 0.3.5.1-alpha): - Compute protover votes correctly in the rust version of the protover code. Previously, the protover rewrite in 24031 allowed repeated votes from the same voter for the same protocol version to be counted multiple times in protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc. - Reject protover names that contain invalid characters. Fixes bug 27687; bugfix on 0.3.3.1-alpha. o Minor bugfixes (rust, backport from 0.3.5.2-alpha): - protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc. o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha): - Fix an API mismatch in the rust implementation of protover_compute_vote(). This bug could have caused crashes on any directory authorities running Tor with Rust (which we do not yet recommend). Fixes bug 27741; bugfix on 0.3.3.6. o Minor bugfixes (rust, to appear in 0.3.5.4-alpha): - Fix a potential null dereference in protover_all_supported(). Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha. - Return a string that can be safely freed by C code, not one created by the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix on 0.3.3.1-alpha. o Minor bugfixes (testing, backport from 0.3.5.1-alpha): - If a unit test running in a subprocess exits abnormally or with a nonzero status code, treat the test as having failed, even if the test reported success. Without this fix, memory leaks don't cause the tests to fail, even with LeakSanitizer. Fixes bug 27658; bugfix on 0.2.2.4-alpha. o Minor bugfixes (testing, backport from 0.3.5.3-alpha): - Make the hs_service tests use the same time source when creating the introduction point and when testing it. Now tests work better on very slow systems like ARM or Travis. Fixes bug 27810; bugfix on 0.3.2.1-alpha. o Minor bugfixes (testing, to appear in 0.3.5.4-alpha): - Treat backtrace test failures as expected on BSD-derived systems (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. (FreeBSD failures have been treated as expected since 18204 in 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

1 0

Tor Browser 8.0.3 is released
by Nicolas Vigier 23 Oct '18

23 Oct '18

Tor Browser 8.0.3 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.3/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/ Tor Browser 8.0.3 includes newer NoScript and HTTPS Everywhere versions. Moreover, it ships with a donation banner for our end of the year campaign and includes another round of smaller fixes for Tor Browser 8 issues on Linux systems. We switched as well to a newer API for our NoScript <-> Torbutton communication, which we need for the Security Slider. The full changelog since Tor Browser 8.0.2 is: * All platforms * Update Firefox to 60.3.0esr * Update Torbutton to 2.0.8 * Bug 23925+27959: Donation banner for year end 2018 campaign * Bug 24172: Donation banner clobbers Tor Browser version string * Bug 27760: Use new NoScript API for IPC and fix about:blank issue * Translations update * Update HTTPS Everywhere to 2018.9.19 * Update NoScript to 10.1.9.9 * Linux * Bug 27546: Fix vertical scrollbar behavior in Tor Browser 8 with Gtk3 * Bug 27552: Use bundled dir on CentOS/RHEL 6

1 0

← Newer
1
...
17
18
19
20
21
22
23
...
29
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-announce