- tor-announce - lists.torproject.org

New stable Tor releases 0.2.8.15, 0.2.9.12, and 0.3.0.11, with fix for a medium security issue on hidden services
by Nick Mathewson 18 Sep '17

18 Sep '17

Hello! We found a security issue in the hidden service code (CVE-2017-0380, TROVE-2017-008) that can cause sensitive information to be written to your logs if you have set the SafeLogging option to 0. If you are not running a hidden service, or you have not changed the SafeLogging option from its default, you are not affected. If you are running 0.2.5, you are not affected. (0.2.4, 0.2.6, and 0.2.7 are no longer supported.) For more information, including workaround steps, see https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html Because of this issue, we have released new Tor versions in the 0.2.8, 0.2.9, and 0.3.0 series. If you build Tor from source, you will find the source code for these releases at https://dist.torproject.org/ . Packages should be available over the coming days -- in the meantime, please see the advisory linked above for information on working around this issue. The release series 0.3.1.x has also become stable today; I'll announce that in a separate email. Below are the changelog entries for the new releases mentioned in this email: Changes in version 0.2.8.15 - 2017-09-18 Tor 0.2.8.15 backports a collection of bugfixes from later Tor series. Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects hidden services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490 Note that Tor 0.2.8.x will no longer be supported after 1 Jan 2018. We suggest that you upgrade to the latest stable release if possible. If you can't, we recommend that you upgrade at least to 0.2.9, which will be supported until 2020. o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): - Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xx" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. o Minor features: - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha): - Backport a fix for an "unused variable" warning that appeared in some versions of mingw. Fixes bug 22838; bugfix on 0.2.8.1-alpha. o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591. o Build features (backport from 0.3.1.5-alpha): - Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636. Changes in version 0.2.9.12 - 2017-09-18 Tor 0.2.9.12 backports a collection of bugfixes from later Tor series. Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects hidden services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490 o Major features (security, backport from 0.3.0.2-alpha): - Change the algorithm used to decide DNS TTLs on client and server side, to better resist DNS-based correlation attacks like the DefecTor attack of Greschbach, Pulls, Roberts, Winter, and Feamster. Now relays only return one of two possible DNS TTL values, and clients are willing to believe DNS TTL values up to 3 hours long. Closes ticket 19769. o Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc): - Fix a rare crash when sending a begin cell on a circuit whose linked directory connection had already been closed. Fixes bug 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett. o Major bugfixes (DNS, backport from 0.3.0.2-alpha): - Fix a bug that prevented exit nodes from caching DNS records for more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha. o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha): - Fix a typo that had prevented TPROXY-based transparent proxying from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha. Patch from "d4fq0fQAgoJ". o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): - Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xx" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. o Minor features (code style, backport from 0.3.1.3-alpha): - Add "Falls through" comments to our codebase, in order to silence GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas Stieger. Closes ticket 22446. o Minor features (geoip): - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha): - Roll over monthly accounting at the configured hour and minute, rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1. Found by Andrey Karpov with PVS-Studio. o Minor bugfixes (compilation, backport from 0.3.1.5-alpha): - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915; bugfix on 0.2.8.1-alpha. - Fix warnings when building with libscrypt and openssl scrypt support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha. - When building with certain versions the mingw C header files, avoid float-conversion warnings when calling the C functions isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha. o Minor bugfixes (compilation, backport from 0.3.1.7): - Avoid compiler warnings in the unit tests for running tor_sscanf() with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha. o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha): - Backport a fix for an "unused variable" warning that appeared in some versions of mingw. Fixes bug 22838; bugfix on 0.2.8.1-alpha. o Minor bugfixes (controller, backport from 0.3.1.7): - Do not crash when receiving a HSPOST command with an empty body. Fixes part of bug 22644; bugfix on 0.2.7.1-alpha. - Do not crash when receiving a POSTDESCRIPTOR command with an empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha. o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha): - Avoid Coverity build warnings related to our BUG() macro. By default, Coverity treats BUG() as the Linux kernel does: an instant abort(). We need to override that so our BUG() macro doesn't prevent Coverity from analyzing functions that use it. Fixes bug 23030; bugfix on 0.2.9.1-alpha. o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591. o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha): - When setting the maximum number of connections allowed by the OS, always allow some extra file descriptors for other files. Fixes bug 22797; bugfix on 0.2.0.10-alpha. o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha): - Avoid a sandbox failure when trying to re-bind to a socket and mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha. o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha): - Permit the fchmod system call, to avoid crashing on startup when starting with the seccomp2 sandbox and an unexpected set of permissions on the data directory or its contents. Fixes bug 22516; bugfix on 0.2.5.4-alpha. o Minor bugfixes (relay, backport from 0.3.0.5-rc): - Avoid a double-marked-circuit warning that could happen when we receive DESTROY cells under heavy load. Fixes bug 20059; bugfix on 0.1.0.1-rc. o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha): - Reject version numbers with non-numeric prefixes (such as +, -, or whitespace). Disallowing whitespace prevents differential version parsing between POSIX-based and Windows platforms. Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1. o Build features (backport from 0.3.1.5-alpha): - Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636. Changes in version 0.3.0.11 - 2017-09-18 Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1 series. Most significantly, it includes a fix for TROVE-2017-008, a security bug that affects hidden services running with the SafeLogging option disabled. For more information, see https://trac.torproject.org/projects/tor/ticket/23490 o Minor features (code style, backport from 0.3.1.7): - Add "Falls through" comments to our codebase, in order to silence GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas Stieger. Closes ticket 22446. o Minor features: - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (compilation, backport from 0.3.1.7): - Avoid compiler warnings in the unit tests for calling tor_sscanf() with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha. o Minor bugfixes (controller, backport from 0.3.1.7): - Do not crash when receiving a HSPOST command with an empty body. Fixes part of bug 22644; bugfix on 0.2.7.1-alpha. - Do not crash when receiving a POSTDESCRIPTOR command with an empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha. o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha): - When setting the maximum number of connections allowed by the OS, always allow some extra file descriptors for other files. Fixes bug 22797; bugfix on 0.2.0.10-alpha. o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc): - Remove a forgotten debugging message when an introduction point successfully establishes a hidden service prop224 circuit with a client. - Change three other log_warn() for an introduction point to protocol warnings, because they can be failure from the network and are not relevant to the operator. Fixes bug 23078; bugfix on 0.3.0.1-alpha and 0.3.0.2-alpha.

1 0

Tor Browser 7.0.5 is released
by Nicolas Vigier 05 Sep '17

05 Sep '17

Tor Browser 7.0.5 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.5/ This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded. The full changelog since Tor Browser 7.0.4 is: * All Platforms * Update Torbutton to 1.9.7.6 * Bug 22989: Fix dimensions of new windows on macOS * Translations update * Update HTTPS-Everywhere to 2017.8.31 * Update NoScript to 5.0.9 * Bug 23166: Add new obfs4 bridge to the built-in ones * Bug 23258: Fix broken HTTPS-Everywhere on higher security levels * Bug 21270: NoScript settings break WebExtensions add-ons

1 0

Tor Browser 7.0.4 is released
by Nicolas Vigier 08 Aug '17

08 Aug '17

Tor Browser 7.0.4 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.4/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/ A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor stable release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1). In this new release we continue to fix regressions that happened due to the transition to Firefox 52. Most notably, we avoid the scary warnings popping up when entering passwords on .onion sites without a TLS certificate (bug 21321 [4]). Handling of our default start page (about:tor) has improved, too, so that using the searchbox on it is working again and it does no longer need enhanced privileges in order to function. 4: https://trac.torproject.org/projects/tor/ticket/21321 The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is: * All Platforms * Update Firefox to 52.3.0esr * Update Tor to 0.3.0.10 * Update Torbutton to 1.9.7.5 * Bug 21999: Fix display of language prompt in non-en-US locales * Bug 18193: Don't let about:tor have chrome privileges * Bug 22535: Search on about:tor discards search query * Bug 21948: Going back to about:tor page gives "Address isn't valid" error * Code clean-up * Translations update * Update Tor Launcher to 0.2.12.3 * Bug 22592: Default bridge settings are not removed * Translations update * Update HTTPS-Everywhere to 5.2.21 * Update NoScript to 5.0.8.1 * Bug 22362: Remove workaround for XSS related browser freezing * Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio * Bug 21321: Exempt .onions from HTTP related security warnings * Bug 22073: Disable GetAddons option on addons page * Bug 22884: Fix broken about:tor page on higher security levels * Windows * Bug 22829: Remove default obfs4 bridge riemann. * Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr) * OS X * Bug 22829: Remove default obfs4 bridge riemann.

1 0

Tor 0.3.0.10 is released
by Nick Mathewson 02 Aug '17

02 Aug '17

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used to subscribe.) Hello! Source code for a new Tor release (0.3.0.10) is now available on the website; packages should be available over the next several days. The Tor Browser team tells me they will have a release out next week. One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 are no longer supported, as of 1 August of this year. If you need a release with long-term support, 0.2.9 is what we recommend: we plan to support it until at least 1 Jan 2020. Below is the changelog for the new stable release: Changes in version 0.3.0.10 - 2017-08-02 Tor 0.3.0.10 backports a collection of small-to-medium bugfixes from the current Tor alpha series. OpenBSD users and TPROXY users should upgrade; others are probably okay sticking with 0.3.0.9. o Major features (build system, continuous integration, backport from 0.3.1.5-alpha): - Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636. o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha): - Fix a typo that had prevented TPROXY-based transparent proxying from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha. Patch from "d4fq0fQAgoJ". o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): - Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xfoo" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. o Minor features (backport from 0.3.1.5-alpha): - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha): - Roll over monthly accounting at the configured hour and minute, rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1. Found by Andrey Karpov with PVS-Studio. o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha): - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915; bugfix on 0.2.8.1-alpha. - Fix warnings when building with libscrypt and openssl scrypt support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha. - When building with certain versions of the mingw C header files, avoid float-conversion warnings when calling the C functions isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha. o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha): - Backport a fix for an "unused variable" warning that appeared in some versions of mingw. Fixes bug 22838; bugfix on 0.2.8.1-alpha. o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha): - Avoid Coverity build warnings related to our BUG() macro. By default, Coverity treats BUG() as the Linux kernel does: an instant abort(). We need to override that so our BUG() macro doesn't prevent Coverity from analyzing functions that use it. Fixes bug 23030; bugfix on 0.2.9.1-alpha. o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha): - When rejecting a router descriptor for running an obsolete version of Tor without ntor support, warn about the obsolete tor version, not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha. o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha): - Avoid a sandbox failure when trying to re-bind to a socket and mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha. o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha) - Fix a memory leak in the link-handshake/certs_ok_ed25519 test. Fixes bug 22803; bugfix on 0.3.0.1-alpha.

1 0

Tor Browser 7.0.3 is released
by Nicolas Vigier 27 Jul '17

27 Jul '17

Note: Tor Browser 7.0.3 is a security bugfix release for Linux users only. Users on Windows and macOS are not affected and stay on Tor Browser 7.0.2. Tor Browser 7.0.3 is now available for our Linux users from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html#linux 2: https://www.torproject.org/dist/torbrowser/7.0.3/ This release features an important security update to Tor Browser for Linux users. On Linux systems with GVfs/GIO support Firefox allows to bypass proxy settings as it ships a whitelist of supported protocols. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails and Whonix users, and users of our sandboxed Tor Browser are unaffected, though. The bug got reported to us yesterday by Julian Jackson (@atechdad) via our HackerOne bug bounty program. Thanks! We are not aware of it being exploited in the wild. We are currently preparing updated Linux bundles for our alpha series and they should go live within the next couple of hours. Meanwhile Linux users on that series are strongly encouraged to use the stable bundles or one of the above mentioned tools that are not affected by the underlying problem. Here is the full changelog since 7.0.2: * Linux * Bug 23044: Don't allow GIO supported protocols by default

1 0

Tor Browser 7.0.2 is released
by Nicolas Vigier 03 Jul '17

03 Jul '17

Tor Browser 7.0.2 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.2/ This release features an important security update to Tor. We are updating Tor to version 0.3.0.9 [3], fixing a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This release also updates HTTPS-Everywhere to 5.2.19. 3: https://blog.torproject.org/blog/tor-0309-released-security-update-clients Here is the full changelog since 7.0.1: * All Platforms * Update Tor to 0.3.0.9, fixing bug #22753 * Update HTTPS-Everywhere to 5.2.19

1 0

Tor 0.3.0.9 is released, with a security update for clients.
by Nick Mathewson 29 Jun '17

29 Jun '17

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used to subscribe.) Hello! Source code for a new Tor release (0.3.0.9) is now available on the website. Among other things, it fixes an issue affecting clients using prior versions of the 0.3.0.x guard code. All such clients should upgrade as packages become available; clients running 0.2.9.x and earlier are not affected. Source is available on the website now; packages should be available over the next several days. The Tor Browser team tells me they will have a new release out early next week. One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be supported after 1 August of this year. Tor 0.2.8 will not be supported after 1 Jan of 2018. Tor 0.2.5 will not be supported after 1 May of 2018. If you need a release with long-term support, 0.2.9 is what we recommend: we plan to support it until at least 1 Jan 2020. Below is the changelog for the new stable release. Changes in version 0.3.0.9 - 2017-06-29 Tor 0.3.0.9 fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha. This release also backports several other bugfixes from the 0.3.1.x series. o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha): - When choosing which guard to use for a circuit, avoid the exit's family along with the exit itself. Previously, the new guard selection logic avoided the exit, but did not consider its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016- 006 and CVE-2017-0377. o Major bugfixes (entry guards, backport from 0.3.1.1-alpha): - Don't block bootstrapping when a primary bridge is offline and we can't get its descriptor. Fixes bug 22325; fixes one case of bug 21969; bugfix on 0.3.0.3-alpha. o Major bugfixes (entry guards, backport from 0.3.1.4-alpha): - When starting with an old consensus, do not add new entry guards unless the consensus is "reasonably live" (under 1 day old). Fixes one root cause of bug 22400; bugfix on 0.3.0.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha): - Reject version numbers with non-numeric prefixes (such as +, -, or whitespace). Disallowing whitespace prevents differential version parsing between POSIX-based and Windows platforms. Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1. o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha): - Permit the fchmod system call, to avoid crashing on startup when starting with the seccomp2 sandbox and an unexpected set of permissions on the data directory or its contents. Fixes bug 22516; bugfix on 0.2.5.4-alpha. o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha): - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591.

1 0

Tor Browser 7.0.1 is released
by Nicolas Vigier 13 Jun '17

13 Jun '17

Tor Browser 7.0.1 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0.1/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/ This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying freezing of Tor Browser which is due to a NoScript bug and made the security slider window slightly larger. Here is the full changelog since 7.0: * All Platforms * Update Firefox to 52.2.0esr * Update Tor to 0.3.0.8 * Update Torbutton to 1.9.7.4 * Bug 22542: Security Settings window too small on macOS 10.12 * Update HTTPS-Everywhere to 5.2.18 * Bug 22362: NoScript's XSS filter freezes the browser * OS X * Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

1 0

Tor 0.3.0.8 is released, with security fixes for hidden services. (As are 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, and 0.2.9.11)
by Nick Mathewson 08 Jun '17

08 Jun '17

Hello! Source code for a new Tor release (0.3.0.8) is now available on the website. Among other things, it fixes two issues in earlier versions of the hidden service code that would allow an attacker to cause a hidden service to exit with an assertion failure. If you're running a hidden service, you should upgrade to this release, or one of the other versions released today. Source is available on the website now; packages should be available over the next several days. Concurrently with 0.3.0.8, the following versions are also now available: 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, and 0.2.9.11. You can find them all at https://dist.torproject.org/ One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be supported after 1 August of this year. Tor 0.2.8 will not be supported after 1 Jan of 2018. Tor 0.2.5 will not be supported after 1 May of 2018. If you need a release with long-term support, 0.2.9 is what we recommend: we plan to support it until at least 1 Jan 2020. Below are the changelogs for the new stable releases: ================= Changes in version 0.3.0.8 - 2017-06-08 Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-004 and TROVE-2017-005. Tor 0.3.0.8 also includes fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below. o Major bugfixes (hidden service, relay, security, backport from 0.3.1.3-alpha): - Fix a remotely triggerable assertion failure when a hidden service handles a malformed BEGIN cell. Fixes bug 22493, tracked as TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha. o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha): - Regenerate link and authentication certificates whenever the key that signs them changes; also, regenerate link certificates whenever the signed key changes. Previously, these processes were only weakly coupled, and we relays could (for minutes to hours) wind up with an inconsistent set of keys and certificates, which other relays would not accept. Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha. - When sending an Ed25519 signing->link certificate in a CERTS cell, send the certificate that matches the x509 certificate that we used on the TLS connection. Previously, there was a race condition if the TLS context rotated after we began the TLS handshake but before we sent the CERTS cell. Fixes a case of bug 22460; bugfix on 0.3.0.1-alpha. o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha): - Stop rejecting v3 hidden service descriptors because their size did not match an old padding rule. Fixes bug 22447; bugfix on tor-0.3.0.1-alpha. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor bugfixes (configuration, backport from 0.3.1.1-alpha): - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes bug 22252; bugfix on 0.2.9.3-alpha. o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha): - Lower the lifetime of the RSA->Ed25519 cross-certificate to six months, and regenerate it when it is within one month of expiring. Previously, we had generated this certificate at startup with a ten-year lifetime, but that could lead to weird behavior when Tor was started with a grossly inaccurate clock. Mitigates bug 22466; mitigation on 0.3.0.1-alpha. o Minor bugfixes (memory leak, directory authority, backport from 0.3.1.2-alpha): - When directory authorities reject a router descriptor due to keypinning, free the router descriptor rather than leaking the memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. Changes in version 0.2.9.11 - 2017-06-08 Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) Tor 0.2.9.11 also backports fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below. o Major bugfixes (hidden service, relay, security, backport from 0.3.1.3-alpha): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor features (future-proofing, backport from 0.3.0.7): - Tor no longer refuses to download microdescriptors or descriptors if they are listed as "published in the future". This change will eventually allow us to stop listing meaningful "published" dates in microdescriptor consensuses, and thereby allow us to reduce the resources required to download consensus diffs by over 50%. Implements part of ticket 21642; implements part of proposal 275. o Minor features (directory authorities, backport from 0.3.0.4-rc) - Directory authorities now reject relays running versions 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays suffer from bug 20499 and don't keep their consensus cache up-to-date. Resolves ticket 20509. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (control port, backport from 0.3.0.6): - The GETINFO extra-info/digest/<digest> command was broken because of a wrong base16 decode return value check, introduced when refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7): - The getpid() system call is now permitted under the Linux seccomp2 sandbox, to avoid crashing with versions of OpenSSL (and other libraries) that attempt to learn the process's PID by using the syscall rather than the VDSO code. Fixes bug 21943; bugfix on 0.2.5.1-alpha. o Minor bugfixes (memory leak, directory authority, backport from 0.3.1.2-alpha): - When directory authorities reject a router descriptor due to keypinning, free the router descriptor rather than leaking the memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. Changes in version 0.2.8.14 - 2017-06-08 Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor features (fallback directory list, backport from 0.3.1.3-alpha): - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in December 2016 (of which ~126 were still functional) with a list of 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May 2017. Resolves ticket 21564. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.7.8 - 2017-06-08 Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.6.12 - 2017-06-08 Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.5.14 - 2017-06-08 Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. Changes in version 0.2.4.29 - 2017-06-08 Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-005. (Versions before 0.3.0 are not affected by TROVE-2017-004.) o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

1 0

Tor Browser 7.0 is released
by Nicolas Vigier 07 Jun '17

07 Jun '17

The Tor Browser Team is proud to announce the first stable release in the 7.0 series. This release is available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/7.0/ This release brings us up to date with Firefox 52 ESR [3] which contains progress in a number of areas: 3: https://www.mozilla.org/en-US/firefox/organizations/faq/ Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows [4] (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor. 4: https://bugs.torproject.org/16010 The highlights in our tracking and fingerprinting resistance improvements are: cookies, view-source requests and the Permissions API are isolated to the first party URL bar domain now to enhance our tracking related defenses. On the fingerprinting side we disabled and/or patched several new features, among them WebGL2, the WebAudio, Social, SpeechSynthesis, and Touch APIs, and the MediaError.message property. With the switch to ESR 52 come new system requirements for Windows and macOS users: On Windows Tor Browser 7.0 won't run on non-SSE2 capable machines anymore. On Apple computers OS X 10.9 is now the minimum system requirement. Besides new system requirements for Windows and macOS users, there are some known issues with Tor Browser 7.0 as well: - Mozilla stopped ALSA support [5] in Firefox 52 for Linux users. This means without having PulseAudio available, sound will be broken in Tor Browser 7.0 on Linux. 5: https://bugzilla.mozilla.org/show_bug.cgi?id=1345661 - The download button in the PDF viewer is currently broken [6]. A workaround for this bug is right-clicking on the PDF file and choosing the "Save as" option. 6: https://trac.torproject.org/projects/tor/ticket/22471 - Tor Browser has recently been freezing on some websites. This is related to a NoScript bug [7] which will hopefully get addressed in a new NoScript version rather soon. If not then we'll ship a workaround for it in the planned Tor Browser 7.0.1 which will update Firefox to 52.2.0esr next week. 7: https://trac.torproject.org/projects/tor/ticket/22362 Apart from switching to the new Firefox ESR and dealing with related issues we included a new Tor stable version (0.3.0.7) and updated our NoScript (5.0.5) and HTTPS-Everywhere versions (5.2.17). We updated our toolchains during the ESR transition as well. In particular we retired the old GCC-based one for our macOS cross-compilation and rely solely on clang/cctools now. The full changelog since Tor Browser 6.5.2 is: * All Platforms * Update Firefox to 52.1.2esr * Update Tor to 0.3.0.7 * Update Torbutton to 1.9.7.3 * Bug 22104: Adjust our content policy whitelist for ff52-esr * Bug 22457: Allow resources loaded by view-source:// * Bug 21627: Ignore HTTP 304 responses when checking redirects * Bug 22459: Adapt our use of the nsIContentPolicy to e10s mode * Bug 21865: Update our JIT preferences in the security slider * Bug 21747: Make 'New Tor Circuit for this Site' work in ESR52 * Bug 21745: Fix handling of catch-all circuit * Bug 21547: Fix circuit display under e10s * Bug 21268: e10s compatibility for New Identity * Bug 21267: Remove window resize implementation for now * Bug 21201: Make Torbutton multiprocess compatible * Translations update * Update Tor Launcher to 0.2.12.2 * Bug 22283: Linux 7.0a4 broken after update due to unix: lines in torrc * Bug 20761: Don't ignore additional SocksPorts * Bug 21920: Don't show locale selection dialog * Bug 21546: Mark Tor Launcher as multiprocess compatible * Bug 21264: Add a README file * Translations update * Update HTTPS-Everywhere to 5.2.17 * Update NoScript to 5.0.5 * Update Go to 1.8.3 (bug 22398) * Bug 21962: Fix crash on about:addons page * Bug 21766: Fix crash when the external application helper dialog is invoked * Bug 21886: Download is stalled in non-e10s mode * Bug 21778: Canvas prompt is not shown in Tor Browser based on ESR52 * Bug 21569: Add first-party domain to Permissions key * Bug 22165: Don't allow collection of local IP addresses * Bug 13017: Work around audio fingerprinting by disabling the Web Audio API * Bug 10286: Disable Touch API and add fingerprinting resistance as fallback * Bug 13612: Disable Social API * Bug 10283: Disable SpeechSynthesis API * Bug 22333: Disable WebGL2 API for now * Bug 21861: Disable additional mDNS code to avoid proxy bypasses * Bug 21684: Don't expose navigator.AddonManager to content * Bug 21431: Clean-up system extensions shipped in Firefox 52 * Bug 22320: Use preference name 'referer.hideOnionSource' everywhere * Bug 16285: Don't ship ClearKey EME system and update EME preferences * Bug 21675: Spoof window.navigator.hardwareConcurrency * Bug 21792: Suppress MediaError.message * Bug 16337: Round times exposed by Animation API to nearest 100ms * Bug 21972: about:support is partially broken * Bug 21726: Keep Graphite support disabled * Bug 21323: Enable Mixed Content Blocking * Bug 21685: Disable remote new tab pages * Bug 21790: Disable captive portal detection * Bug 21686: Disable Microsoft Family Safety support * Bug 22073: Make sure Mozilla's experiments are disabled * Bug 21683: Disable newly added Safebrowsing capabilities * Bug 22071: Disable Kinto-based blocklist update mechanism * Bug 22415: Fix format error in our pipeline patch * Bug 22072: Hide TLS error reporting checkbox * Bug 20761: Don't ignore additional SocksPorts * Bug 21862: Rip out potentially unsafe Rust code * Bug 16485: Improve about:cache page * Bug 22462: Backport of patch for bug 1329521 to fix assertion failure * Bug 21340: Identify and backport new patches from Firefox * Bug 22153: Fix broken feeds on higher security levels * Bug 22025: Fix broken certificate error pages on higher security levels * Bug 21887: Fix broken error pages on higher security levels * Bug 22458: Fix broken `about:cache` page on higher security levels * Bug 21876: Enable e10s by default on all supported platforms * Bug 21876: Always use esr policies for e10s * Bug 20905: Fix resizing issues after moving to a direct Firefox patch * Bug 21875: Modal dialogs are maximized in ESR52 nightly builds * Bug 21885: SVG is not disabled in Tor Browser based on ESR52 * Bug 17334: Hide Referer when leaving a .onion domain (improved patch) * Bug 18531: Uncaught exception when opening ip-check.info * Bug 18574: Uncaught exception when clicking items in Library * Bug 22327: Isolate Page Info media previews to first party domain * Bug 22452: Isolate tab list menuitem favicons to first party domain * Bug 15555: View-source requests are not isolated by first party domain * Bug 3246: Double-key cookies * Bug 8842: Fix XML parsing error * Bug 5293: Neuter fingerprinting with Battery API * Bug 16886: 16886: "Add-on compatibility check dialog" contains Firefox logo * Bug 19645: TBB zooms text when resizing browser window * Bug 19192: Untrust Blue Coat CA * Bug 19955: Avoid confusing warning that favicon load request got cancelled * Bug 20005: Backport fixes for memory leaks investigation * Bug 20755: ltn.com.tw is broken in Tor Browser * Bug 21896: Commenting on website is broken due to CAPTCHA not being displayed * Bug 20680: Rebase Tor Browser patches to 52 ESR * Bug 22429: Add IPv6 address for Lisbeth:443 obfs4 bridge * Bug 22468: Add default obfs4 bridges frosty and dragon * Windows * Bug 22419: Prevent access to file:// * Bug 12426: Make use of HeapEnableTerminationOnCorruption * Bug 19316: Make sure our Windows updates can deal with the SSE2 requirement * Bug 21868: Fix build bustage with FIREFOX_52_0_2esr_RELEASE for Windows * OS X * Bug 21940: Don't allow privilege escalation during update * Bug 22044: Fix broken default search engine on macOS * Bug 21879: Use our default bookmarks on OSX * Bug 21779: Non-admin users can't access Tor Browser on macOS * Bug 21723: Fix inconsistent generation of MOZ_MACBUNDLE_ID * Bug 21724: Make Firefox and Tor Browser distinct macOS apps * Bug 21931: Backport OSX SetupMacCommandLine updater fixes * Bug 15910: Don't download GMPs via the local fallback * Linux * Bug 16285: Remove ClearKey related library stripping * Bug 22041: Fix update error during update to 7.0a3 * Bug 22238: Fix use of hardened wrapper for Firefox build * Bug 21907: Fix runtime error on CentOS 6 * Bug 15910: Don't download GMPs via the local fallback * Android * Bug 19078: Disable RtspMediaResource stuff in Orfox * Build system * Windows * Bug 21837: Fix reproducibility of accessibility code for Windows * Bug 21240: Create patches to fix mingw-w64 compilation of Firefox ESR 52 * Bug 21904: Bump mingw-w64 commit to help with sandbox compilation * Bug 18831: Use own Yasm for Firefox cross-compilation * OS X * Bug 21328: Updating to clang 3.8.0 * Bug 21754: Remove old GCC toolchain and macOS SDK * Bug 19783: Remove unused macOS helper scripts * Bug 10369: Don't use old GCC toolchain anymore for utils * Bug 21753: Replace our old GCC toolchain in PT descriptor * Bug 18530: ESR52 based Tor Browser only runs on macOS 10.9+ * Bug 22328: Remove clang PIE wrappers * Linux * Bug 21930: NSS libraries are missing from mar-tools archive * Bug 21239: Adapt Linux Firefox descriptor to ESR52 (use GTK2) * Bug 21960: Linux bundles based on ESR 52 are not reproducible anymore * Bug 21629: Fix broken ASan builds when switching to ESR 52 * Bug 22444: Use hardening-wrapper when building GCC * Bug 22361: Fix hardening of libraries built in linux/gitian-utils.yml

1 0