- tor-announce - lists.torproject.org

Tor Browser 7.0.1 is released
by Nicolas Vigier 14 Jun '17

14 Jun '17

Tor Browser 7.0.1 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.1/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/ This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying freezing of Tor Browser which is due to a NoScript bug and made the security slider window slightly larger. Here is the full changelog since 7.0: * All Platforms * Update Firefox to 52.2.0esr * Update Tor to 0.3.0.8 * Update Torbutton to 1.9.7.4 * Bug 22542: Security Settings window too small on macOS 10.12 * Update HTTPS-Everywhere to 5.2.18 * Bug 22362: NoScript's XSS filter freezes the browser * OS X * Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

1 0

Tor 0.3.0.8 is released, with security fixes for hidden services. (As are 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, and 0.2.9.11)
by Nick Mathewson 08 Jun '17

08 Jun '17

Hello! Source code for a new Tor release (0.3.0.8) is now available on the website. Among other things, it fixes two issues in earlier versions of the hidden service code that would allow an attacker to cause a hidden service to exit with an assertion failure. If you're running a hidden service, you should upgrade to this release, or one of the other versions released today. Source is available on the website now; packages should be available over the next several days. Concurrently with 0.3.0.8, the following versions are also now available: 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, and 0.2.9.11. You can find them all at https://dist.torproject.org/ One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be supported after 1 August of this year. Tor 0.2.8 will not be supported after 1 Jan of 2018. Tor 0.2.5 will not be supported after 1 May of 2018. If you need a release with long-term support, 0.2.9 is what we recommend: we plan to support it until at least 1 Jan 2020. Below are the changelogs for the new stable releases: ================= Changes in version 0.3.0.8 - 2017-06-08 Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-004 and TROVE-2017-005. Tor 0.3.0.8 also includes fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below. o Major bugfixes (hidden service, relay, security, backport from 0.3.1.3-alpha): - Fix a remotely triggerable assertion failure when a hidden service handles a malformed BEGIN cell. Fixes bug 22493, tracked as TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha. o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha): - Regenerate link and authentication certificates whenever the key that signs them changes; also, regenerate link certificates whenever the signed key changes. Previously, these processes were only weakly coupled, and we relays could (for minutes to hours) wind up with an inconsistent set of keys and certificates, which other relays would not accept. Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha. - When sending an Ed25519 signing->link certificate in a CERTS cell, send the certificate that matches the x509 certificate that we used on the TLS connection. Previously, there was a race condition if the TLS context rotated after we began the TLS handshake but before we sent the CERTS cell. Fixes a case of bug 22460; bugfix on 0.3.0.1-alpha. o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha): - Stop rejecting v3 hidden service descriptors because their size did not match an old padding rule. Fixes bug 22447; bugfix on tor-0.3.0.1-alpha. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor bugfixes (configuration, backport from 0.3.1.1-alpha): - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes bug 22252; bugfix on 0.2.9.3-alpha. o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha): - Lower the lifetime of the RSA->Ed25519 cross-certificate to six months, and regenerate it when it is within one month of expiring. Previously, we had generated this certificate at startup with a ten-year lifetime, but that could lead to weird behavior when Tor was started with a grossly inaccurate clock. Mitigates bug 22466; mitigation on 0.3.0.1-alpha. o Minor bugfixes (memory leak, directory authority, backport from 0.3.1.2-alpha): - When directory authorities reject a router descriptor due to keypinning, free the router descriptor rather than leaking the memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. Changes in version 0.2.9.11 - 2017-06-08 Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) Tor 0.2.9.11 also backports fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below. o Major bugfixes (hidden service, relay, security, backport from 0.3.1.3-alpha): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor features (future-proofing, backport from 0.3.0.7): - Tor no longer refuses to download microdescriptors or descriptors if they are listed as "published in the future". This change will eventually allow us to stop listing meaningful "published" dates in microdescriptor consensuses, and thereby allow us to reduce the resources required to download consensus diffs by over 50%. Implements part of ticket 21642; implements part of proposal 275. o Minor features (directory authorities, backport from 0.3.0.4-rc) - Directory authorities now reject relays running versions 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays suffer from bug 20499 and don't keep their consensus cache up-to-date. Resolves ticket 20509. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (control port, backport from 0.3.0.6): - The GETINFO extra-info/digest/<digest> command was broken because of a wrong base16 decode return value check, introduced when refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7): - The getpid() system call is now permitted under the Linux seccomp2 sandbox, to avoid crashing with versions of OpenSSL (and other libraries) that attempt to learn the process's PID by using the syscall rather than the VDSO code. Fixes bug 21943; bugfix on 0.2.5.1-alpha. o Minor bugfixes (memory leak, directory authority, backport from 0.3.1.2-alpha): - When directory authorities reject a router descriptor due to keypinning, free the router descriptor rather than leaking the memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. Changes in version 0.2.8.14 - 2017-06-08 Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.7.8 - 2017-06-08 Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.6.12 - 2017-06-08 Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.5.14 - 2017-06-08 Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.4.29 - 2017-06-08 Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

1 0

Tor Browser 7.0 is released
by Nicolas Vigier 07 Jun '17

07 Jun '17

The Tor Browser Team is proud to announce the first stable release in the 7.0 series. This release is available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0/ This release brings us up to date with Firefox 52 ESR [3] which contains progress in a number of areas: 3: https://www.mozilla.org/en-US/firefox/organizations/faq/ Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows [4] (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor. 4: https://bugs.torproject.org/16010 The highlights in our tracking and fingerprinting resistance improvements are: cookies, view-source requests and the Permissions API are isolated to the first party URL bar domain now to enhance our tracking related defenses. On the fingerprinting side we disabled and/or patched several new features, among them WebGL2, the WebAudio, Social, SpeechSynthesis, and Touch APIs, and the MediaError.message property. With the switch to ESR 52 come new system requirements for Windows and macOS users: On Windows Tor Browser 7.0 won't run on non-SSE2 capable machines anymore. On Apple computers OS X 10.9 is now the minimum system requirement. Besides new system requirements for Windows and macOS users, there are some known issues with Tor Browser 7.0 as well: - Mozilla stopped ALSA support [5] in Firefox 52 for Linux users. This means without having PulseAudio available, sound will be broken in Tor Browser 7.0 on Linux. 5: https://bugzilla.mozilla.org/show_bug.cgi?id=1345661 - The download button in the PDF viewer is currently broken [6]. A workaround for this bug is right-clicking on the PDF file and choosing the "Save as" option. 6: https://trac.torproject.org/projects/tor/ticket/22471 - Tor Browser has recently been freezing on some websites. This is related to a NoScript bug [7] which will hopefully get addressed in a new NoScript version rather soon. If not then we'll ship a workaround for it in the planned Tor Browser 7.0.1 which will update Firefox to 52.2.0esr next week. 7: https://trac.torproject.org/projects/tor/ticket/22362 Apart from switching to the new Firefox ESR and dealing with related issues we included a new Tor stable version (0.3.0.7) and updated our NoScript (5.0.5) and HTTPS-Everywhere versions (5.2.17). We updated our toolchains during the ESR transition as well. In particular we retired the old GCC-based one for our macOS cross-compilation and rely solely on clang/cctools now. The full changelog since Tor Browser 6.5.2 is: * All Platforms * Update Firefox to 52.1.2esr * Update Tor to 0.3.0.7 * Update Torbutton to 1.9.7.3 * Bug 22104: Adjust our content policy whitelist for ff52-esr * Bug 22457: Allow resources loaded by view-source:// * Bug 21627: Ignore HTTP 304 responses when checking redirects * Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode * Bug 21865: Update our JIT preferences in the security slider * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52 * Bug 21745: Fix handling of catch-all circuit * Bug 21547: Fix circuit display under e10s * Bug 21268: e10s compatibility for New Identity * Bug 21267: Remove window resize implementation for now * Bug 21201: Make Torbutton multiprocess compatible * Translations update * Update Tor Launcher to 0.2.12.2 * Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc * Bug 20761: Don't ignore additional SocksPorts * Bug 21920: Don't show locale selection dialog * Bug 21546: Mark Tor Launcher as multiprocess compatible * Bug 21264: Add a README file * Translations update * Update HTTPS-Everywhere to 5.2.17 * Update NoScript to 5.0.5 * Update Go to 1.8.3 (bug 22398) * Bug 21962: Fix crash on about:addons page * Bug 21766: Fix crash when the external application helper dialog is invoked * Bug 21886: Download is stalled in non-e10s mode * Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52 * Bug 21569: Add first-party domain to Permissions key * Bug 22165: Don't allow collection of local IP addresses * Bug 13017: Work around audio fingerprinting by disabling the Web Audio API * Bug 10286: Disable Touch API and add fingerprinting resistance as fallback * Bug 13612: Disable Social API * Bug 10283: Disable SpeechSynthesis API * Bug 22333: Disable WebGL2 API for now * Bug 21861: Disable additional mDNS code to avoid proxy bypasses * Bug 21684: Don't expose navigator.AddonManager to content * Bug 21431: Clean-up system extensions shipped in Firefox 52 * Bug 22320: Use preference name 'referer.hideOnionSource' everywhere * Bug 16285: Don't ship ClearKey EME system and update EME preferences * Bug 21675: Spoof window.navigator.hardwareConcurrency * Bug 21792: Suppress MediaError.message * Bug 16337: Round times exposed by Animation API to nearest 100ms * Bug 21972: about:support is partially broken * Bug 21726: Keep Graphite support disabled * Bug 21323: Enable Mixed Content Blocking * Bug 21685: Disable remote new tab pages * Bug 21790: Disable captive portal detection * Bug 21686: Disable Microsoft Family Safety support * Bug 22073: Make sure Mozilla's experiments are disabled * Bug 21683: Disable newly added Safebrowsing capabilities * Bug 22071: Disable Kinto-based blocklist update mechanism * Bug 22415: Fix format error in our pipeline patch * Bug 22072: Hide TLS error reporting checkbox * Bug 20761: Don't ignore additional SocksPorts * Bug 21862: Rip out potentially unsafe Rust code * Bug 16485: Improve about:cache page * Bug 22462: Backport of patch for bug 1329521 to fix assertion failure * Bug 21340: Identify and backport new patches from Firefox * Bug 22153: Fix broken feeds on higher security levels * Bug 22025: Fix broken certificate error pages on higher security levels * Bug 21887: Fix broken error pages on higher security levels * Bug 22458: Fix broken `about:cache` page on higher security levels * Bug 21876: Enable e10s by default on all supported platforms * Bug 21876: Always use esr policies for e10s * Bug 20905: Fix resizing issues after moving to a direct Firefox patch * Bug 21875: Modal dialogs are maximized in ESR52 nightly builds * Bug 21885: SVG is not disabled in Tor Browser based on ESR52 * Bug 17334: Hide Referer when leaving a .onion domain (improved patch) * Bug 18531: Uncaught exception when opening ip-check.info * Bug 18574: Uncaught exception when clicking items in Library * Bug 22327: Isolate Page Info media previews to first party domain * Bug 22452: Isolate tab list menuitem favicons to first party domain * Bug 15555: View-source requests are not isolated by first party domain * Bug 3246: Double-key cookies * Bug 8842: Fix XML parsing error * Bug 5293: Neuter fingerprinting with Battery API * Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo * Bug 19645: TBB zooms text when resizing browser window * Bug 19192: Untrust Blue Coat CA * Bug 19955: Avoid confusing warning that favicon load request got cancelled * Bug 20005: Backport fixes for memory leaks investigation * Bug 20755: ltn.com.tw is broken in Tor Browser * Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed * Bug 20680: Rebase Tor Browser patches to 52 ESR * Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge * Bug 22468: Add default obfs4 bridges frosty and dragon * Windows * Bug 22419: Prevent access to file:// * Bug 12426: Make use of HeapEnableTerminationOnCorruption * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement * Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows * OS X * Bug 21940: Don't allow privilege escalation during update * Bug 22044: Fix broken default search engine on macOS * Bug 21879: Use our default bookmarks on OSX * Bug 21779: Non-admin users can't access Tor Browser on macOS * Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID * Bug 21724: Make Firefox and Tor Browser distinct macOS apps * Bug 21931: Backport OSX SetupMacCommandLine updater fixes * Bug 15910: Don't download GMPs via the local fallback * Linux * Bug 16285: Remove ClearKey related library stripping * Bug 22041: Fix update error during update to 7.0a3 * Bug 22238: Fix use of hardened wrapper for Firefox build * Bug 21907: Fix runtime error on CentOS 6 * Bug 15910: Don't download GMPs via the local fallback * Android * Bug 19078: Disable RtspMediaResource stuff in Orfox * Build system * Windows * Bug 21837: Fix reproducibility of accessibility code for Windows * Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52 * Bug 21904: Bump mingw-w64 commit to help with sandbox compilation * Bug 18831: Use own Yasm for Firefox cross-compilation * OS X * Bug 21328: Updating to clang 3.8.0 * Bug 21754: Remove old GCC toolchain and macOS SDK * Bug 19783: Remove unused macOS helper scripts * Bug 10369: Don't use old GCC toolchain anymore for utils * Bug 21753: Replace our old GCC toolchain in PT descriptor * Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+ * Bug 22328: Remove clang PIE wrappers * Linux * Bug 21930: NSS libraries are missing from mar-tools archive * Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2) * Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore * Bug 21629: Fix broken ASan builds when switching to ESR 52 * Bug 22444: Use hardening-wrapper when building GCC * Bug 22361: Fix hardening of libraries built in linux/gitian-utils.yml

1 0

Tor 0.3.0.7 is released, with a medium security fix for relays
by Nick Mathewson 15 May '17

15 May '17

Hi, all! There's a new Tor release (0.3.0.7) available on the website. It fixes a bug affecting relays running earlier versions of 0.3.0.x that could allow attackers to trigger an assertion failure on those relays. Clients are not affected; neither are relays running versions before 0.3.0.x. If you're running a relay with one of the affected versions, you should upgrade. Source is available on the website now; packages should be available over the next several days. =========== Changes in version 0.3.0.7 - 2017-05-15 Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions of Tor 0.3.0.x, where an attacker could cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade; clients are not affected. o Major bugfixes (hidden service directory, security): - Fix an assertion failure in the hidden service directory code, which could be used by an attacker to remotely cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade. should upgrade. This security issue is tracked as TROVE-2017-002. Fixes bug 22246; bugfix on 0.3.0.1-alpha. o Minor features: - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor features (future-proofing): - Tor no longer refuses to download microdescriptors or descriptors if they are listed as "published in the future". This change will eventually allow us to stop listing meaningful "published" dates in microdescriptor consensuses, and thereby allow us to reduce the resources required to download consensus diffs by over 50%. Implements part of ticket 21642; implements part of proposal 275. o Minor bugfixes (Linux seccomp2 sandbox): - The getpid() system call is now permitted under the Linux seccomp2 sandbox, to avoid crashing with versions of OpenSSL (and other libraries) that attempt to learn the process's PID by using the syscall rather than the VDSO code. Fixes bug 21943; bugfix on 0.2.5.1-alpha.

1 0

Tor 0.3.0.6 is released! (New stable series)
by Nick Mathewson 27 Apr '17

27 Apr '17

Hi, all! After months of work, a new Tor release series is finally stable. (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used to subscribe.) You can download the source code from the usual place on the website. Packages should be up within the next several weeks, with the next Tor Browser release planned around the end of May or beginning of June. ====== Changes in version 0.3.0.6 - 2017-04-26 Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series. With the 0.3.0 series, clients and relays now use Ed25519 keys to authenticate their link connections to relays, rather than the old RSA1024 keys that they used before. (Circuit crypto has been Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced the guard selection and replacement algorithm to behave more robustly in the presence of unreliable networks, and to resist guard- capture attacks. This series also includes numerous other small features and bugfixes, along with more groundwork for the upcoming hidden-services revamp. Per our stable release policy, we plan to support the Tor 0.3.0 release series for at least the next nine months, or for three months after the first stable release of the 0.3.1 series: whichever is longer. If you need a release with long-term support, we recommend that you stay with the 0.2.9 series. Below are the changes since 0.2.9.10. For a list of only the changes since 0.3.0.5-rc, see the ChangeLog file. o Major features (directory authority, security): - The default for AuthDirPinKeys is now 1: directory authorities will reject relays where the RSA identity key matches a previously seen value, but the Ed25519 key has changed. Closes ticket 18319. o Major features (guard selection algorithm): - Tor's guard selection algorithm has been redesigned from the ground up, to better support unreliable networks and restrictive sets of entry nodes, and to better resist guard-capture attacks by hostile local networks. Implements proposal 271; closes ticket 19877. o Major features (next-generation hidden services): - Relays can now handle v3 ESTABLISH_INTRO cells as specified by prop224 aka "Next Generation Hidden Services". Service and clients don't use this functionality yet. Closes ticket 19043. Based on initial code by Alec Heifetz. - Relays now support the HSDir version 3 protocol, so that they can can store and serve v3 descriptors. This is part of the next- generation onion service work detailled in proposal 224. Closes ticket 17238. o Major features (protocol, ed25519 identity keys): - Clients now support including Ed25519 identity keys in the EXTEND2 cells they generate. By default, this is controlled by a consensus parameter, currently disabled. You can turn this feature on for testing by setting ExtendByEd25519ID in your configuration. This might make your traffic appear different than the traffic generated by other users, however. Implements part of ticket 15056; part of proposal 220. - Relays now understand requests to extend to other relays by their Ed25519 identity keys. When an Ed25519 identity key is included in an EXTEND2 cell, the relay will only extend the circuit if the other relay can prove ownership of that identity. Implements part of ticket 15056; part of proposal 220. - Relays now use Ed25519 to prove their Ed25519 identities and to one another, and to clients. This algorithm is faster and more secure than the RSA-based handshake we've been doing until now. Implements the second big part of proposal 220; Closes ticket 15055. o Major features (security): - Change the algorithm used to decide DNS TTLs on client and server side, to better resist DNS-based correlation attacks like the DefecTor attack of Greschbach, Pulls, Roberts, Winter, and Feamster. Now relays only return one of two possible DNS TTL values, and clients are willing to believe DNS TTL values up to 3 hours long. Closes ticket 19769. o Major bugfixes (client, onion service, also in 0.2.9.9): - Fix a client-side onion service reachability bug, where multiple socks requests to an onion service (or a single slow request) could cause us to mistakenly mark some of the service's introduction points as failed, and we cache that failure so eventually we run out and can't reach the service. Also resolves a mysterious "Remote server sent bogus reason code 65021" log warning. The bug was introduced in ticket 17218, where we tried to remember the circuit end reason as a uint16_t, which mangled negative values. Partially fixes bug 21056 and fixes bug 20307; bugfix on 0.2.8.1-alpha. o Major bugfixes (crash, directory connections): - Fix a rare crash when sending a begin cell on a circuit whose linked directory connection had already been closed. Fixes bug 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett. o Major bugfixes (directory authority): - During voting, when marking a relay as a probable sybil, do not clear its BadExit flag: sybils can still be bad in other ways too. (We still clear the other flags.) Fixes bug 21108; bugfix on 0.2.0.13-alpha. o Major bugfixes (DNS): - Fix a bug that prevented exit nodes from caching DNS records for more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha. o Major bugfixes (IPv6 Exits): - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects any IPv6 addresses. Instead, only reject a port over IPv6 if the exit policy rejects that port on more than an IPv6 /16 of addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, which rejected a relay's own IPv6 address by default. Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. o Major bugfixes (parsing): - Fix an integer underflow bug when comparing malformed Tor versions. This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz. - When parsing a malformed content-length field from an HTTP message, do not read off the end of the buffer. This bug was a potential remote denial-of-service attack against Tor clients and relays. A workaround was released in October 2016, to prevent this bug from crashing Tor. This is a fix for the underlying issue, which should no longer matter (if you applied the earlier patch). Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing using AFL (http://lcamtuf.coredump.cx/afl/) o Major bugfixes (scheduler): - Actually compare circuit policies in ewma_cmp_cmux(). This bug caused the channel scheduler to behave more or less randomly, rather than preferring channels with higher-priority circuits. Fixes bug 20459; bugfix on 0.2.6.2-alpha. o Major bugfixes (security, also in 0.2.9.9): - Downgrade the "-ftrapv" option from "always on" to "only on when --enable-expensive-hardening is provided." This hardening option, like others, can turn survivable bugs into crashes--and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on 0.2.9.1-alpha. o Minor feature (client): - Enable IPv6 traffic on the SocksPort by default. To disable this, a user will have to specify "NoIPv6Traffic". Closes ticket 21269. o Minor feature (fallback scripts): - Add a check_existing mode to updateFallbackDirs.py, which checks if fallbacks in the hard-coded list are working. Closes ticket 20174. Patch by haxxpop. o Minor feature (protocol versioning): - Add new protocol version for proposal 224. HSIntro now advertises version "3-4" and HSDir version "1-2". Fixes ticket 20656. o Minor features (ciphersuite selection): - Allow relays to accept a wider range of ciphersuites, including chacha20-poly1305 and AES-CCM. Closes the other part of 15426. - Clients now advertise a list of ciphersuites closer to the ones preferred by Firefox. Closes part of ticket 15426. o Minor features (controller): - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose shared-random values to the controller. Closes ticket 19925. - When HSFETCH arguments cannot be parsed, say "Invalid argument" rather than "unrecognized." Closes ticket 20389; patch from Ivan Markin. o Minor features (controller, configuration): - Each of the *Port options, such as SocksPort, ORPort, ControlPort, and so on, now comes with a __*Port variant that will not be saved to the torrc file by the controller's SAVECONF command. This change allows TorBrowser to set up a single-use domain socket for each time it launches Tor. Closes ticket 20956. - The GETCONF command can now query options that may only be meaningful in context-sensitive lists. This allows the controller to query the mixed SocksPort/__SocksPort style options introduced in feature 20956. Implements ticket 21300. o Minor features (diagnostic, directory client): - Warn when we find an unexpected inconsistency in directory download status objects. Prevents some negative consequences of bug 20593. o Minor features (directory authorities): - Directory authorities now reject descriptors that claim to be malformed versions of Tor. Helps prevent exploitation of bug 21278. - Reject version numbers with components that exceed INT32_MAX. Otherwise 32-bit and 64-bit platforms would behave inconsistently. Fixes bug 21450; bugfix on 0.0.8pre1. o Minor features (directory authority): - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by default) to control whether authorities should try to probe relays by their Ed25519 link keys. This option will go away in a few releases--unless we encounter major trouble in our ed25519 link protocol rollout, in which case it will serve as a safety option. o Minor features (directory cache): - Relays and bridges will now refuse to serve the consensus they have if they know it is too old for a client to use. Closes ticket 20511. o Minor features (ed25519 link handshake): - Advertise support for the ed25519 link handshake using the subprotocol-versions mechanism, so that clients can tell which relays can identity themselves by Ed25519 ID. Closes ticket 20552. o Minor features (entry guards): - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not break regression tests. - Require UseEntryGuards when UseBridges is set, in order to make sure bridges aren't bypassed. Resolves ticket 20502. o Minor features (fallback directories): - Allow 3 fallback relays per operator, which is safe now that we are choosing 200 fallback relays. Closes ticket 20912. - Annotate updateFallbackDirs.py with the bandwidth and consensus weight for each candidate fallback. Closes ticket 20878. - Display the relay fingerprint when downloading consensuses from fallbacks. Closes ticket 20908. - Exclude relays affected by bug 20499 from the fallback list. Exclude relays from the fallback list if they are running versions known to be affected by bug 20499, or if in our tests they deliver a stale consensus (i.e. one that expired more than 24 hours ago). Closes ticket 20539. - Make it easier to change the output sort order of fallbacks. Closes ticket 20822. - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of ticket 18828. - Require fallback directories to have the same address and port for 7 days (now that we have enough relays with this stability). Relays whose OnionOO stability timer is reset on restart by bug 18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for this issue. Closes ticket 20880; maintains short-term fix in 0.2.8.2-alpha. - Require fallbacks to have flags for 90% of the time (weighted decaying average), rather than 95%. This allows at least 73% of clients to bootstrap in the first 5 seconds without contacting an authority. Part of ticket 18828. - Select 200 fallback directories for each release. Closes ticket 20881. o Minor features (fingerprinting resistence, authentication): - Extend the length of RSA keys used for TLS link authentication to 2048 bits. (These weren't used for forward secrecy; for forward secrecy, we used P256.) Closes ticket 13752. o Minor features (geoip): - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2 Country database. o Minor features (geoip, also in 0.2.9.9): - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 Country database. o Minor features (infrastructure): - Implement smartlist_add_strdup() function. Replaces the use of smartlist_add(sl, tor_strdup(str)). Closes ticket 20048. o Minor features (linting): - Enhance the changes file linter to warn on Tor versions that are prefixed with "tor-". Closes ticket 21096. o Minor features (logging): - In several places, describe unset ed25519 keys as "<unset>", rather than the scary "AAAAAAAA...AAA". Closes ticket 21037. o Minor features (portability, compilation): - Autoconf now checks to determine if OpenSSL structures are opaque, instead of explicitly checking for OpenSSL version numbers. Part of ticket 21359. - Support building with recent LibreSSL code that uses opaque structures. Closes ticket 21359. o Minor features (relay): - We now allow separation of exit and relay traffic to different source IP addresses, using the OutboundBindAddressExit and OutboundBindAddressOR options respectively. Closes ticket 17975. Written by Michael Sonntag. o Minor features (reliability, crash): - Try better to detect problems in buffers where they might grow (or think they have grown) over 2 GB in size. Diagnostic for bug 21369. o Minor features (testing): - During 'make test-network-all', if tor logs any warnings, ask chutney to output them. Requires a recent version of chutney with the 21572 patch. Implements 21570. o Minor bugfix (control protocol): - The reply to a "GETINFO config/names" request via the control protocol now spells the type "Dependent" correctly. This is a breaking change in the control protocol. (The field seems to be ignored by the most common known controllers.) Fixes bug 18146; bugfix on 0.1.1.4-alpha. - The GETINFO extra-info/digest/<digest> command was broken because of a wrong base16 decode return value check, introduced when refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. o Minor bugfix (logging): - Don't recommend the use of Tor2web in non-anonymous mode. Recommending Tor2web is a bad idea because the client loses all anonymity. Tor2web should only be used in specific cases by users who *know* and understand the issues. Fixes bug 21294; bugfix on 0.2.9.3-alpha. o Minor bugfixes (bug resilience): - Fix an unreachable size_t overflow in base64_decode(). Fixes bug 19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by Hans Jerry Illikainen. o Minor bugfixes (build): - Replace obsolete Autoconf macros with their modern equivalent and prevent similar issues in the future. Fixes bug 20990; bugfix on 0.1.0.1-rc. o Minor bugfixes (certificate expiration time): - Avoid using link certificates that don't become valid till some time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha o Minor bugfixes (client): - Always recover from failures in extend_info_from_node(), in an attempt to prevent any recurrence of bug 21242. Fixes bug 21372; bugfix on 0.2.3.1-alpha. - When clients that use bridges start up with a cached consensus on disk, they were ignoring it and downloading a new one. Now they use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha. o Minor bugfixes (code correctness): - Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278. o Minor bugfixes (config): - Don't assert on startup when trying to get the options list and LearnCircuitBuildTimeout is set to 0: we are currently parsing the options so of course they aren't ready yet. Fixes bug 21062; bugfix on 0.2.9.3-alpha. o Minor bugfixes (configuration): - Accept non-space whitespace characters after the severity level in the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha. - Support "TByte" and "TBytes" units in options given in bytes. "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha. o Minor bugfixes (configure, autoconf): - Rename the configure option --enable-expensive-hardening to --enable-fragile-hardening. Expensive hardening makes the tor daemon abort when some kinds of issues are detected. Thus, it makes tor more at risk of remote crashes but safer against RCE or heartbleed bug category. We now try to explain this issue in a message from the configure script. Fixes bug 21290; bugfix on 0.2.5.4-alpha. o Minor bugfixes (consensus weight): - Add new consensus method that initializes bw weights to 1 instead of 0. This prevents a zero weight from making it all the way to the end (happens in small testing networks) and causing an error. Fixes bug 14881; bugfix on 0.2.2.17-alpha. o Minor bugfixes (crash prevention): - Fix an (currently untriggerable, but potentially dangerous) crash bug when base32-encoding inputs whose sizes are not a multiple of 5. Fixes bug 21894; bugfix on 0.2.9.1-alpha. o Minor bugfixes (dead code): - Remove a redundant check for PidFile changes at runtime in options_transition_allowed(): this check is already performed regardless of whether the sandbox is active. Fixes bug 21123; bugfix on 0.2.5.4-alpha. o Minor bugfixes (descriptors): - Correctly recognise downloaded full descriptors as valid, even when using microdescriptors as circuits. This affects clients with FetchUselessDescriptors set, and may affect directory authorities. Fixes bug 20839; bugfix on 0.2.3.2-alpha. o Minor bugfixes (directory mirrors): - Allow relays to use directory mirrors without a DirPort: these relays need to be contacted over their ORPorts using a begindir connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha. - Clarify the message logged when a remote relay is unexpectedly missing an ORPort or DirPort: users were confusing this with a local port. Fixes another case of bug 20711; bugfix on 0.2.8.2-alpha. o Minor bugfixes (directory system): - Bridges and relays now use microdescriptors (like clients do) rather than old-style router descriptors. Now bridges will blend in with clients in terms of the circuits they build. Fixes bug 6769; bugfix on 0.2.3.2-alpha. - Download all consensus flavors, descriptors, and authority certificates when FetchUselessDescriptors is set, regardless of whether tor is a directory cache or not. Fixes bug 20667; bugfix on all recent tor versions. o Minor bugfixes (documentation): - Update the tor manual page to document every option that can not be changed while tor is running. Fixes bug 21122. o Minor bugfixes (ed25519 certificates): - Correctly interpret ed25519 certificates that would expire some time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha. o Minor bugfixes (fallback directories): - Avoid checking fallback candidates' DirPorts if they are down in OnionOO. When a relay operator has multiple relays, this prioritizes relays that are up over relays that are down. Fixes bug 20926; bugfix on 0.2.8.3-alpha. - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py. Fixes bug 20877; bugfix on 0.2.8.3-alpha. - Stop failing when a relay has no uptime data in updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha. o Minor bugfixes (hidden service): - Clean up the code for expiring intro points with no associated circuits. It was causing, rarely, a service with some expiring introduction points to not open enough additional introduction points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha. - Resolve two possible underflows which could lead to creating and closing a lot of introduction point circuits in a non-stop loop. Fixes bug 21302; bugfix on 0.2.7.2-alpha. - Stop setting the torrc option HiddenServiceStatistics to "0" just because we're not a bridge or relay. Instead, we preserve whatever value the user set (or didn't set). Fixes bug 21150; bugfix on 0.2.6.2-alpha. o Minor bugfixes (hidden services): - Make hidden services check for failed intro point connections, even when they have exceeded their intro point creation limit. Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett. - Make hidden services with 8 to 10 introduction points check for failed circuits immediately after startup. Previously, they would wait for 5 minutes before performing their first checks. Fixes bug 21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett. - Stop ignoring misconfigured hidden services. Instead, refuse to start tor until the misconfigurations have been corrected. Fixes bug 20559; bugfix on multiple commits in 0.2.7.1-alpha and earlier. o Minor bugfixes (IPv6): - Make IPv6-using clients try harder to find an IPv6 directory server. Fixes bug 20999; bugfix on 0.2.8.2-alpha. - When IPv6 addresses have not been downloaded yet (microdesc consensus documents don't list relay IPv6 addresses), use hard- coded addresses for authorities, fallbacks, and configured bridges. Now IPv6-only clients can use microdescriptors. Fixes bug 20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha. o Minor bugfixes (memory leak at exit): - Fix a small harmless memory leak at exit of the previously unused RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix on 0.2.7.2-alpha. o Minor bugfixes (onion services): - Allow the number of introduction points to be as low as 0, rather than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha. o Minor bugfixes (portability): - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__". It is supported by OpenBSD itself, and also by most OpenBSD variants (such as Bitrig). Fixes bug 20980; bugfix on 0.1.2.1-alpha. o Minor bugfixes (portability, also in 0.2.9.9): - Avoid crashing when Tor is built using headers that contain CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix on 0.2.9.1-alpha. - Fix Libevent detection on platforms without Libevent 1 headers installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha. o Minor bugfixes (relay): - Avoid a double-marked-circuit warning that could happen when we receive DESTROY cells under heavy load. Fixes bug 20059; bugfix on 0.1.0.1-rc. - Honor DataDirectoryGroupReadable when tor is a relay. Previously, initializing the keys would reset the DataDirectory to 0700 instead of 0750 even if DataDirectoryGroupReadable was set to 1. Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish". o Minor bugfixes (testing): - Fix Raspbian build issues related to missing socket errno in test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein". - Remove undefined behavior from the backtrace generator by removing its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha. - Use bash in src/test/test-network.sh. This ensures we reliably call chutney's newer tools/test-network.sh when available. Fixes bug 21562; bugfix on 0.2.9.1-alpha. o Minor bugfixes (tor-resolve): - The tor-resolve command line tool now rejects hostnames over 255 characters in length. Previously, it would silently truncate them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. Patch by "junglefowl". o Minor bugfixes (unit tests): - Allow the unit tests to pass even when DNS lookups of bogus addresses do not fail as expected. Fixes bug 20862 and 20863; bugfix on unit tests introduced in 0.2.8.1-alpha through 0.2.9.4-alpha. o Minor bugfixes (util): - When finishing writing a file to disk, if we were about to replace the file with the temporary file created before and we fail to replace it, remove the temporary file so it doesn't stay on disk. Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk. o Minor bugfixes (Windows services): - Be sure to initialize the monotonic time subsystem before using it, even when running as an NT service. Fixes bug 21356; bugfix on 0.2.9.1-alpha. o Minor bugfixes (Windows): - Check for getpagesize before using it to mmap files. This fixes compilation in some MinGW environments. Fixes bug 20530; bugfix on 0.1.2.1-alpha. Reported by "ice". o Code simplification and refactoring: - Abolish all global guard context in entrynodes.c; replace with new guard_selection_t structure as preparation for proposal 271. Closes ticket 19858. - Extract magic numbers in circuituse.c into defined variables. - Introduce rend_service_is_ephemeral() that tells if given onion service is ephemeral. Replace unclear NULL-checkings for service directory with this function. Closes ticket 20526. - Refactor circuit_is_available_for_use to remove unnecessary check. - Refactor circuit_predict_and_launch_new for readability and testability. Closes ticket 18873. - Refactor code to manipulate global_origin_circuit_list into separate functions. Closes ticket 20921. - Refactor large if statement in purpose_needs_anonymity to use switch statement instead. Closes part of ticket 20077. - Refactor the hashing API to return negative values for errors, as is done as throughout the codebase. Closes ticket 20717. - Remove data structures that were used to index or_connection objects by their RSA identity digests. These structures are fully redundant with the similar structures used in the channel abstraction. - Remove duplicate code in the channel_write_*cell() functions. Closes ticket 13827; patch from Pingl. - Remove redundant behavior of is_sensitive_dir_purpose, refactor to use only purpose_needs_anonymity. Closes part of ticket 20077. - The code to generate and parse EXTEND and EXTEND2 cells has been replaced with code automatically generated by the "trunnel" utility. o Documentation (formatting): - Clean up formatting of tor.1 man page and HTML doc, where <pre> blocks were incorrectly appearing. Closes ticket 20885. o Documentation (man page): - Clarify many options in tor.1 and add some min/max values for HiddenService options. Closes ticket 21058. o Documentation: - Change '1' to 'weight_scale' in consensus bw weights calculation comments, as that is reality. Closes ticket 20273. Patch from pastly. - Clarify that when ClientRejectInternalAddresses is enabled (which is the default), multicast DNS hostnames for machines on the local network (of the form *.local) are also rejected. Closes ticket 17070. - Correct the value for AuthDirGuardBWGuarantee in the manpage, from 250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha. - Include the "TBits" unit in Tor's man page. Fixes part of bug 20622; bugfix on 0.2.5.1-alpha. - Small fixes to the fuzzing documentation. Closes ticket 21472. - Stop the man page from incorrectly stating that HiddenServiceDir must already exist. Fixes 20486. - Update the description of the directory server options in the manual page, to clarify that a relay no longer needs to set DirPort in order to be a directory cache. Closes ticket 21720. o Removed features: - The AuthDirMaxServersPerAuthAddr option no longer exists: The same limit for relays running on a single IP applies to authority IP addresses as well as to non-authority IP addresses. Closes ticket 20960. - The UseDirectoryGuards torrc option no longer exists: all users that use entry guards will also use directory guards. Related to proposal 271; implements part of ticket 20831. o Testing: - Add tests for networkstatus_compute_bw_weights_v10. - Add unit tests circuit_predict_and_launch_new. - Extract dummy_origin_circuit_new so it can be used by other test functions. - New unit tests for tor_htonll(). Closes ticket 19563. Patch from "overcaffeinated". - Perform the coding style checks when running the tests and fail when coding style violations are found. Closes ticket 5500.

1 0

Tor Browser 6.5.2 is released
by Nicolas Vigier 19 Apr '17

19 Apr '17

Tor Browser 6.5.2 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/6.5.2/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/ This should be the last minor release in the 6.5 series. This release updates Firefox to 45.9.0esr, Noscript to 5.0.2, and HTTPS-Everywhere to 5.2.14. Moreover, we included a fix for the broken Twitter experience and worked around a Windows related crash bug. To improve our censorship resistance we additionally updated the bridges we ship. Here is the full changelog since 6.5.1: * All Platforms * Update Firefox to 45.9.0esr * Update HTTPS-Everywhere to 5.2.14 * Update NoScript to 5.0.2 * Bug 21555+16450: Don't remove Authorization header on subdomains (e.g. Twitter) * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement * Bug 21917: Add new obfs4 bridges * Bug 21918: Move meek-amazon to d2cly7j4zqgua7.cloudfront.net backend * Windows * Bug 21795: Fix Tor Browser crashing on github.com

1 0

Tor Browser 6.5.1 is released
by Nicolas Vigier 08 Mar '17

08 Mar '17

Tor Browser 6.5.1 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/6.5.1/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/ This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.1k, and HTTPS-Everywhere to 5.2.11. Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release. In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs [4] in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon [5]. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting. 4: https://trac.torproject.org/projects/tor/ticket/8725 5: https://trac.torproject.org/projects/tor/ticket/21396 An other regression introduced in Tor Browser 6.5 is the resizing of the window [6]. We are currently working on a fix for this issue. 6: https://trac.torproject.org/projects/tor/ticket/20905 Here is the full changelog since 6.5: * All Platforms * Update Firefox to 45.8.0esr * Tor to 0.2.9.10 * OpenSSL to 1.0.2k * Update Torbutton to 1.9.6.14 * Bug 21396: Allow leaking of resource/chrome URIs (off by default) * Bug 21574: Add link for zh manual and create manual links dynamically * Bug 21330: Non-usable scrollbar appears in tor browser security settings * Translation updates * Update HTTPS-Everywhere to 5.2.11 * Bug 21514: Restore W^X JIT implementation removed from ESR45 * Bug 21536: Remove scramblesuit bridge * Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge * Linux * Bug 21326: Update the "Using a system-installed Tor" section in start script

1 0

Tor 0.2.9.10 is released
by Nick Mathewson 01 Mar '17

01 Mar '17

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ You will have to enter the actual email address you used to subscribe.) You can download the source code from https://dist.torproject.org/ but most users should wait for the upcoming Tor Browser release, or for their upcoming system package updates. (0.3.0.4-rc also came out today, but non-stable releases get announced on tor-talk.) Changes in version 0.2.9.10 - 2017-03-01 Tor 0.2.9.10 backports a security fix from a later Tor release. It also includes fixes for some major issues affecting directory authorities, LibreSSL compatibility, and IPv6 correctness. The Tor 0.2.9.x release series is now marked as a long-term-support series. We intend to backport security fixes to 0.2.9.x until at least January of 2020. o Major bugfixes (directory authority, 0.3.0.3-alpha): - During voting, when marking a relay as a probable sybil, do not clear its BadExit flag: sybils can still be bad in other ways too. (We still clear the other flags.) Fixes bug 21108; bugfix on 0.2.0.13-alpha. o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha): - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects any IPv6 addresses. Instead, only reject a port over IPv6 if the exit policy rejects that port on more than an IPv6 /16 of addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, which rejected a relay's own IPv6 address by default. Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. o Major bugfixes (parsing, also in 0.3.0.4-rc): - Fix an integer underflow bug when comparing malformed Tor versions. This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz. o Minor features (directory authorities, also in 0.3.0.4-rc): - Directory authorities now reject descriptors that claim to be malformed versions of Tor. Helps prevent exploitation of bug 21278. - Reject version numbers with components that exceed INT32_MAX. Otherwise 32-bit and 64-bit platforms would behave inconsistently. Fixes bug 21450; bugfix on 0.0.8pre1. o Minor features (geoip): - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 Country database. o Minor features (portability, compilation, backport from 0.3.0.3-alpha): - Autoconf now checks to determine if OpenSSL structures are opaque, instead of explicitly checking for OpenSSL version numbers. Part of ticket 21359. - Support building with recent LibreSSL code that uses opaque structures. Closes ticket 21359. o Minor bugfixes (code correctness, also in 0.3.0.4-rc): - Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278. o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha): - The tor-resolve command line tool now rejects hostnames over 255 characters in length. Previously, it would silently truncate them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. Patch by "junglefowl".

1 0

Tor Browser 6.5 is released
by Nicolas Vigier 25 Jan '17

25 Jan '17

Tor Browser 6.5 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/6.5/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/ This is a major release and the first one in the 6.5 series. First of all it fixes the usual critical bugs in Firefox by updating to ESR 45.7.0. It contains version updates to other bundle components as well: Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and NoScript to 2.9.5.3. Besides those updates Tor Browser 6.5 ships with a lot of the improvements we have been working on in the past couple of months. On the security side we always block remote JAR files [4] now and remove the support for SHA-1 HPKP pins [5]. Additionally we backported from an other firefox branch patches to mark JIT pages as non-writable and other crash fixes that could disrupt a Tor Browser session quite reliably. 4: https://trac.torproject.org/projects/tor/ticket/20123 5: https://trac.torproject.org/projects/tor/ticket/19164 With respect to user tracking and fingerprinting we now isolate SharedWorker script requests to the first party domain. We improved our timer resolution spoofing and reduced the timing precision for AudioContext, HTMLMediaElement, and Mediastream elements. We stopped user fingerprinting via internal resource:// URLs, and for Windows users we fixed a regression introduced in Tor Browser 6.0 which could leak the local timezone if JavaScript were enabled. A great deal of our time was spent on improving the usability of Tor Browser. We redesigned the security slider and improved its labels. We moved a lot of Torbutton's privacy settings directly into the respective Firefox menu making it cleaner and more straightforward to use. Finally, we moved as many Torbutton features as possible into Firefox to make it easier for upstreaming them. This allowed us to resolve a couple of window resizing bugs that piled on over the course of the past years. The features mentioned above are only some of the highlights in Tor Browser 6.5. The full changelog since 6.0.8 is: * All Platforms * Update Firefox to 45.7.0esr * Tor to 0.2.9.9 * OpenSSL to 1.0.2j * Update Torbutton to 1.9.6.12 * Bug 16622: Timezone spoofing moved to tor-browser.git * Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git * Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy * Bug 20701: Allow the directory listing stylesheet in the content policy * Bug 19837: Whitelist internal URLs that Firefox requires for media * Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client * Bug 19273: Improve external app launch handling and associated warnings * Bug 15852: Remove/synchronize Torbutton SOCKS pref logic * Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6 * Bug 17767: Make "JavaScript disabled" more visible in Security Slider * Bug 20556: Use pt-BR strings from now on * Bug 20614: Add links to Tor Browser User Manual * Bug 20414: Fix non-rendering arrow on OS X * Bug 20728: Fix bad preferences.xul dimensions * Bug 19898: Use DuckDuckGo on about:tor * Bug 21091: Hide the update check menu entry when running under the sandbox * Bug 19459: Move resizing code to tor-browser.git * Bug 20264: Change security slider to 3 options * Bug 20347: Enhance security slider's custom mode * Bug 20123: Disable remote jar on all security levels * Bug 20244: Move privacy checkboxes to about:preferences#privacy * Bug 17546: Add tooltips to explain our privacy checkboxes * Bug 17904: Allow security settings dialog to resize * Bug 18093: Remove 'Restore Defaults' button * Bug 20373: Prevent redundant dialogs opening * Bug 20318: Remove helpdesk link from about:tor * Bug 21243: Add links for pt, es, and fr Tor Browser manuals * Bug 20753: Remove obsolete StartPage locale strings * Bug 21131: Remove 2016 donation banner * Bug 18980: Remove obsolete toolbar button code * Bug 18238: Remove unused Torbutton code and strings * Bug 20388+20399+20394: Code clean-up * Translation updates * Update Tor Launcher to 0.2.10.3 * Bug 19568: Set CurProcD for Thunderbird/Instantbird * Bug 19432: Remove special handling for Instantbird/Thunderbird * Translation updates * Update HTTPS-Everywhere to 5.2.9 * Update NoScript to 2.9.5.3 * Bug 16622: Spoof timezone with Firefox patch * Bug 17334: Spoof referrer when leaving a .onion domain * Bug 19273: Write C++ patch for external app launch handling * Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch) * Bug 12523: Mark JIT pages as non-writable * Bug 20123: Always block remote jar files * Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream * Bug 19164: Remove support for SHA-1 HPKP pins * Bug 19186: KeyboardEvents are only rounding to 100ms * Bug 16998: Isolate preconnect requests to URL bar domain * Bug 19478: Prevent millisecond resolution leaks in File API * Bug 20471: Allow javascript: links from HTTPS first party pages * Bug 20244: Move privacy checkboxes to about:preferences#privacy * Bug 20707: Fix broken preferences tab in non-en-US alpha bundles * Bug 20709: Fix wrong update URL in alpha bundles * Bug 19481: Point the update URL to aus1.torproject.org * Bug 20556: Start using pt-BR instead of pt-PT for Portuguese * Bug 20442: Backport fix for local path disclosure after drag and drop * Bug 20160: Backport fix for broken MP3-playback * Bug 20043: Isolate SharedWorker script requests to first party * Bug 18923: Add script to run all Tor Browser regression tests * Bug 20651: DuckDuckGo does not work with JavaScript disabled * Bug 19336+19835: Enhance about:tbupdate page * Bug 20399+15852: Code clean-up * Windows * Bug 20981: On Windows, check TZ for timezone first * Bug 18175: Maximizing window and restarting leads to non-rounded window size * Bug 13437: Rounded inner window accidentally grows to non-rounded size * OS X * Bug 20590: Badly resized window due to security slider notification bar on OS X * Bug 20439: Make the build PIE on OSX * Linux * Bug 20691: Updater breaks if unix domain sockets are used * Bug 15953: Weird resizing dance on Tor Browser startup * Build system * All platforms * Bug 20927: Upgrade Go to 1.7.4 * Bug 20583: Make the downloads.json file reproducible * Bug 20133: Don't apply OpenSSL patch anymore * Bug 19528: Set MOZ_BUILD_DATE based on Firefox version * Bug 18291: Remove some uses of libfaketime * Bug 18845: Make zip and tar helpers generate reproducible archives * OS X * Bug 20258: Make OS X Tor archive reproducible again * Bug 20184: Make OS X builds reproducible (use clang for compiling tor) * Bug 19856: Make OS X builds reproducible (getting libfaketime back) * Bug 19410: Fix incremental updates by taking signatures into account * Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one

1 0

Tor 0.2.9.9 is released
by Roger Dingledine 23 Jan '17

23 Jan '17

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ You will have to enter the actual email address you used to subscribe.) Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could cause relays and clients to crash, even if they were not built with the --enable-expensive-hardening option. This bug affects all 0.2.9.x versions, and also affects 0.3.0.1-alpha: all relays running an affected version should upgrade. This release also resolves a client-side onion service reachability bug, and resolves a pair of small portability issues. You can download the source code from https://dist.torproject.org/ but most users should wait for the upcoming Tor Browser release, or for their upcoming system package updates. Changes in version 0.2.9.9 - 2017-01-23 o Major bugfixes (security): - Downgrade the "-ftrapv" option from "always on" to "only on when --enable-expensive-hardening is provided." This hardening option, like others, can turn survivable bugs into crashes -- and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on 0.2.9.1-alpha. o Major bugfixes (client, onion service): - Fix a client-side onion service reachability bug, where multiple socks requests to an onion service (or a single slow request) could cause us to mistakenly mark some of the service's introduction points as failed, and we cache that failure so eventually we run out and can't reach the service. Also resolves a mysterious "Remote server sent bogus reason code 65021" log warning. The bug was introduced in ticket 17218, where we tried to remember the circuit end reason as a uint16_t, which mangled negative values. Partially fixes bug 21056 and fixes bug 20307; bugfix on 0.2.8.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (portability): - Avoid crashing when Tor is built using headers that contain CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix on 0.2.9.1-alpha. - Fix Libevent detection on platforms without Libevent 1 headers installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.

1 0