Hi, all! In addition to today's release of a stable 0.2.9, there's also a new Tor 0.2.8.12 source release. This release backports a fix for bug 21018, a medium-severity denial-of-service issue affecting clients that visit hidden services. See notes on 21018 below for more information.

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used to subscribe.)

Since 0.2.8 is no longer the most recent stable release, you can download the source from https://dist.torproject.org/ .

============================================================

Changes in version 0.2.8.12 - 2016-12-19 Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018 below) where Tor clients could crash when attempting to visit a hostile hidden service. Clients are recommended to upgrade as packages become available for their systems.

It also includes an updated list of fallback directories, backported from 0.2.9.

Now that the Tor 0.2.9 series is stable, only major bugfixes will be backported to 0.2.8 in the future.

o Major bugfixes (parsing, security, backported from 0.2.9.8): - Fix a bug in parsing that could cause clients to read a single byte past the end of an allocated region. This bug could be used to cause hardened clients (built with --enable-expensive-hardening) to crash if they tried to visit a hostile hidden service. Non- hardened clients are only affected depending on the details of their platform's memory allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- 2016-12-002 and as CVE-2016-1254.

o Minor features (fallback directory list, backported from 0.2.9.8): - Replace the 81 remaining fallbacks of the 100 originally introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks (123 new, 54 existing, 27 removed) generated in December 2016. Resolves ticket 20170.

o Minor features (geoip, backported from 0.2.9.7-rc): - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 Country database.