Greetings all,
Tomorrow, November 9th 2023, we will release 0.4.8.9 fixing a high security
issue (TROVE-2023-006)[0]. We hope to get your help on packaging a new version as
soon as possible once the tarball comes out.
Big thanks to all!
David
[0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
--
Greetings all!
In the coming days, we will change our canonical repository for "tor" from:
https://gitweb.torproject.org/tor.git
https://git.torproject.org/tor.git
to our Gitlab instance here:
https://gitlab.torproject.org/tpo/core/tor
We are in the process of retiring our Gitolite/Gitweb setup in favor of Gitlab
for all our projects and thus the reason why.
Once the migration is done, the old gitweb.tpo URLs will be proxy-rewritten to
our Gitlab, but of course that won't work properly for any git:// or ssh://
URLs pointing to git.torproject.org.
And so, please, make the change now to our Gitlab URL (from above) in order
not to have surprises when we do the switch.
Note that all of our projects are moving to Gitlab from git.tpo so take this
opportunity to change all your links.
Any questions, feel free to drop us an email!
Cheers!
David
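An added example of the remote change the message asks for (it is not Tor project tooling): it maps the retired https://, git://, ssh:// and scp-style URL forms on git.torproject.org, plus the gitweb URL, to the Gitlab repository and leaves any other remote alone. The .git suffix on the Gitlab URL and the exact spellings of the old URL forms are assumptions.

```sh
#!/bin/sh
# Added example (not Tor project tooling): rewrite a clone's remote from the
# retired git.torproject.org / gitweb.torproject.org URLs to the Gitlab one.
# Assumed: Gitlab accepts the .git suffix; old URL spellings as listed below.
NEW_URL="https://gitlab.torproject.org/tpo/core/tor.git"

# new_url_for OLD_URL: print the replacement and return 0 when OLD_URL points
# at the retired hosts in any of the forms the message mentions (https://,
# git://, ssh:// with or without a user, scp-style); otherwise echo it back
# unchanged and return 1.
new_url_for() {
    case "$1" in
        *://git.torproject.org/tor.git|*://git.torproject.org/tor|\
        *://*@git.torproject.org/tor.git|*@git.torproject.org:tor.git|\
        *://gitweb.torproject.org/tor.git)
            printf '%s\n' "$NEW_URL"
            return 0 ;;
        *)
            printf '%s\n' "$1"
            return 1 ;;
    esac
}

# update_remote REMOTE: apply new_url_for to the named remote of the current
# clone (git remote get-url / set-url are standard git subcommands).
update_remote() {
    _old=$(git remote get-url "$1") || return 1
    if _new=$(new_url_for "$_old"); then
        git remote set-url "$1" "$_new" && echo "$1: $_old -> $_new"
    else
        echo "$1: left as $_old"
    fi
}

# Usage: update_remote origin
```

Run update_remote for each remote that points at the old host; the ssh:// and git:// forms are the ones that silently stop working once the proxy rewrite is the only thing left on the old name.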
--
Greetings!
Sorry for the short notice but we had to act fast on this one. Either today or
tomorrow, we'll release 0.4.7.8 with an important security fix. This is
tracked with TROVE-2022-001[0] and at the moment considered "High" severity.
We won't disclose just yet the nature of the issue but we believe it can
easily be exploited remotely for all tor network components (service, client,
relay, authority) hence the choice of severity.
Once the new version is released, we will recommend everyone on the 0.4.7.x
series to upgrade immediately including Tor Browser.
It is unknown if this vulnerability is being exploited in the wild but we know
it is being triggered (intentionally or not) on the network at the moment.
We'll be releasing more information about this issue after the release.
Thank you all for your precious work and help!
David
[0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
--
Greetings,
We just released 0.4.6.9 and 0.4.7.3-alpha. You can find out about it here:
https://forum.torproject.net/t/release-0-4-6-9-and-0-4-7-3-alpha/1265
Download at: https://dist.torproject.org
Inline ChangeLog for both versions:
Changes in version 0.4.7.3-alpha - 2021-12-15
This third alpha release of the 0.4.7.x series fixes several bugs including
two major ones affecting Bridges and Relays (see below). If you are running
an earlier 0.4.7.x version, you should upgrade to this version.
o Major bugfixes (bridges):
- Make Tor work reliably again when you have multiple bridges
configured and one or more of them are unreachable. The problem
came because we require that we have bridge descriptors for both
of our first two bridges (else we refuse to try to connect), but
in some cases we would wait three hours before trying to fetch
these missing descriptors, and/or never recover when we do try to
fetch them. Fixes bugs 40396 and 40495; bugfix on 0.3.0.5-rc
and 0.3.2.1-alpha.
o Major bugfixes (relay, overload):
- Change the MetricsPort DNS "timeout" label to be "tor_timeout" in
order to indicate that this was a DNS timeout from tor's perspective
and not from the DNS server itself.
- Deprecate the overload_dns_timeout_period_secs and
overload_dns_timeout_scale_percent consensus parameters as well.
They were used to assess the overload state, which no longer exists.
- Don't make Tor DNS timeout trigger an overload general state.
These timeouts are different from DNS server timeout. They have to
be seen as timeout related to UX and not because of a network
problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.
o Minor feature (reproducible build):
- The repository can now build reproducible tarballs which adds the
build command "make dist-reprod" for that purpose. Closes
ticket 26299.
o Minor features (compilation):
- Give an error message if trying to build with a version of
LibreSSL known not to work with Tor. (There's an incompatibility
with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
ticket 40511.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 15, 2021.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/12/15.
o Minor features (portability):
- Try to prevent a compiler warning about printf arguments that
could sometimes occur on MSYS2 depending on the configuration.
Closes ticket 40355.
o Minor bugfix (pluggable transport):
- Do not kill a managed proxy if one of its transport configurations
emits a method error. Instead log a warning and continue processing
method arguments. Fixes bug 7362; bugfix on 0.2.3.6-alpha.
o Minor bugfixes (bridges):
- When we don't yet have a descriptor for one of our bridges,
disable the entry guard retry schedule on that bridge. The entry
guard retry schedule and the bridge descriptor retry schedule can
conflict, e.g. where we mark a bridge as "maybe up" yet we don't
try to fetch its descriptor yet, leading Tor to wait (refusing to
do anything) until it becomes time to fetch the descriptor. Fixes
bug 40497; bugfix on 0.3.0.3-alpha.
o Minor bugfixes (compilation):
- Fix our configuration logic to detect whether we had OpenSSL 3:
previously, our logic was reversed. This has no other effect than
to change whether we suppress deprecated API warnings. Fixes bug
40429; bugfix on 0.3.5.13.
o Minor bugfixes (controller, path bias):
- When a circuit's path is specified, in full or in part, from the
controller API, do not count that circuit towards our path-bias
calculations. (Doing so was incorrect, since we cannot tell
whether the controller is selecting relays randomly.) Resolves a
"Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
o Minor bugfixes (logging):
- When we no longer have enough directory information to use the
network, we would log a notice-level message -- but we would not
reliably log a message when we recovered and resumed using the
network. Now make sure there is always a corresponding message
about recovering. Fixes bug 40496; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (performance, DoS):
- Fix one case of a not-especially viable denial-of-service attack
found by OSS-Fuzz in our consensus-diff parsing code. This attack
causes a lot of small memory allocations and then immediately
frees them: this is only slow when running with all the sanitizers
enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Reject IPv6-only DirPorts. Our reachability self-test forces
DirPorts to be IPv4, but our configuration parser allowed them to
be IPv6-only, which led to an assertion failure. Fixes bug 40494;
bugfix on 0.4.5.1-alpha.
o Minor bugfixes (sandbox):
- Fix the sandbox on i386 by modifying it to allow the
"clock_gettime64" and "statx" system calls and to filter the
"chown32" and "stat64" system calls in place of "chown" and
"stat", respectively. Fixes bug 40505; bugfix on 0.2.5.4-alpha.
o Documentation (man, relay):
- Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
bugfix on 0.4.6.1-alpha.
Changes in version 0.4.6.9 - 2021-12-15
This version fixes several bugs from earlier versions of Tor. One important
piece is the removal of the DNS timeout metric from the overload general signal.
See below for more details.
o Major bugfixes (relay, overload):
- Don't make Tor DNS timeout trigger an overload general state.
These timeouts are different from DNS server timeout. They have to
be seen as timeout related to UX and not because of a network
problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.
o Minor feature (reproducible build):
- The repository can now build reproducible tarballs which adds the
build command "make dist-reprod" for that purpose. Closes
ticket 26299.
o Minor features (compilation):
- Give an error message if trying to build with a version of
LibreSSL known not to work with Tor. (There's an incompatibility
with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
ticket 40511.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 15, 2021.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/12/15.
o Minor bugfixes (compilation):
- Fix our configuration logic to detect whether we had OpenSSL 3:
previously, our logic was reversed. This has no other effect than
to change whether we suppress deprecated API warnings. Fixes bug
40429; bugfix on 0.3.5.13.
o Minor bugfixes (relay):
- Reject IPv6-only DirPorts. Our reachability self-test forces
DirPorts to be IPv4, but our configuration parser allowed them to
be IPv6-only, which led to an assertion failure. Fixes bug 40494;
bugfix on 0.4.5.1-alpha.
o Documentation (man, relay):
- Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
bugfix on 0.4.6.1-alpha.
Cheers!
David
--
On 26 Oct (18:58:53), mick wrote:
> On Tue, 26 Oct 2021 11:48:54 -0400
> David Goulet <dgoulet(a)torproject.org> allegedly wrote:
>
> > The Tor Network Team will from now on do its release announcement
> > through our new fancy shiny Discourse forum:
> > https://forum.torproject.net
> >
> > If you are interested in getting notified for each release
> > announcement, you should follow this category (once you get an
> > account):
> >
> > https://forum.torproject.net/c/news/tor-release-announcement/28
> >
> > And for today's announcement:
> >
> > https://forum.torproject.net/t/release-0-3-5-17-0-4-5-11-0-4-6-8-and-0-4-7-…
> >
>
> David
>
> I do hope that this new forum is a supplement to, and not a
> substitution for, the current email based Tor lists.
It will supplement. We are working on setting up a way for the forum
announcement to be replicated onto mailing lists.
David
--
Greetings,
There are new security releases today.
You can find these releases in the usual place at https://dist.torproject.org.
Make sure (as usual) to check the signatures: my key is available at
key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB
The security issue is as follows:
o Major bugfixes (cryptography, security):
- Resolve an assertion failure caused by a behavior mismatch between
our batch-signature verification code and our single-signature
verification code. This assertion failure could be triggered
remotely, leading to a denial of service attack. We fix this issue
by disabling batch verification. Fixes bug 40078; bugfix on
0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
CVE-2021-38385. Found by Henry de Valence.
For complete ChangeLog for each release, see:
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.16
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.10
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.7
For the ReleaseNotes for the 0.4.6.x series as a whole, see:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.7
Cheers!
David
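Checking the signature the way a packager should, as an added example that is not the Tor project's own tooling: it runs gpg on the detached signature and then insists that the signing key's primary fingerprint is the one given above, because a "Good signature" and a zero exit status from gpg only mean the signature was made by some key already in your keyring. The tarball/.asc file naming and the use of gpg's --status-fd output are assumptions; the fingerprint is the one from the announcement.

```sh
#!/bin/sh
# Added example (not Tor project tooling): verify a release tarball against the
# announced signing key, not merely against "any key in the keyring".
# Assumed layout: tor-X.Y.Z.tar.gz next to a detached tor-X.Y.Z.tar.gz.asc.
EXPECTED_FPR="2133BC600AB133E1D826D173FE43009C4607B1FB"   # from the announcement

# sig_from_expected_key STATUS_FILE FPR
# gpg --status-fd emits "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>";
# the last field is the primary key even when a signing subkey made the
# signature. Returns 0 only if such a line names FPR. This is a pure text
# check, so it can be exercised without gpg installed.
sig_from_expected_key() {
    awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# verify_tarball TARBALL
# A zero exit from gpg --verify means "valid signature by a known key"; the
# fingerprint check is what ties the signature to the key the announcement named.
verify_tarball() {
    _tar="$1"
    _status=$(mktemp) || return 1
    gpg --batch --status-fd 3 --verify "$_tar.asc" "$_tar" 3>"$_status" >/dev/null 2>&1
    _rc=$?
    if [ "$_rc" -eq 0 ] && sig_from_expected_key "$_status" "$EXPECTED_FPR"; then
        rm -f "$_status"
        echo "OK: $_tar is signed by $EXPECTED_FPR"
        return 0
    fi
    rm -f "$_status"
    echo "FAIL: $_tar is not signed by $EXPECTED_FPR (gpg exit $_rc)" >&2
    return 1
}

# Usage: verify_tarball tor-0.4.6.7.tar.gz
```

Fetch the key by its full fingerprint before running this, and keep the expected fingerprint in your packaging scripts rather than in a keyring alone: a keyring can accumulate unrelated keys, and the exit status of gpg does not tell them apart.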
--
Greetings everyone!
Before going further, I'm David, part of the Tor network team and I'll be
replacing Nick on these announcements for the foreseeable future! Now onto the
announcement.
We have very recently fixed an important security issue and we are thus
quickly rolling out new stable releases on August 16th, that is, in 5 days.
As per our security policy [0], this issue is considered "HIGH" causing a
remote crash on possibly all tor instances (client, service, relay). We will
share more details after the release.
The new releases will be 0.3.5.16, 0.4.5.10 and 0.4.6.7. We are tracking this
issue as TROVE-2021-007 which is listed in our registry here[1].
Cheers!
David
[0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPol…
[1] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
--
Greetings!
There's a new stable Tor release today, 0.4.6.6. It changes very
little since 0.4.6.5: the only significant change is that we merged
the fix for the issue that was preventing builds with older versions
of GCC.
As usual, you can find the release at https://dist.torproject.org/ .
If you are already shipping Tor 0.4.6.5, there is no reason to upgrade
to 0.4.6.6. If you have had problems compiling 0.4.6.5, this release
should fix them for you.
Here's the changelog:
Changes in version 0.4.6.6 - 2021-06-30
Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
allows Tor to build correctly on older versions of GCC. You should
upgrade to this version if you were having trouble building Tor
0.4.6.5; otherwise, there is probably no need.
o Minor bugfixes (compilation):
- Fix a compilation error when trying to build Tor with a compiler
that does not support const variables in static initializers.
Fixes bug 40410; bugfix on 0.4.6.5.
- Suppress a strict-prototype warning when building with some
versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing):
- Enable the deterministic RNG for the unit tests that cover the
address-set bloomfilter-based APIs. Fixes bug 40419; bugfix
on 0.3.3.2-alpha.
Official announcement to follow after the website has updated.
Best wishes,
--
Nick
These versions of GCC have a bug where they don't accept non-literal
constants in static initializers. This leads to the following
warning:
src/feature/dirclient/dirclient.c: In function
‘dir_client_decompress_response_body’:
./src/lib/log/ratelim.h:55:27: error: initializer element is not constant
If you're running into this issue, you can fix it with the attached
patch, which will also go into the next 0.4.6.x release.
References:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40410
https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/398/commits#not…
--
Nick