- tor-packagers - lists.torproject.org

Tor 0.4.4.3-alpha is available for download
by Nick Mathewson 28 Jul '20

28 Jul '20

Hi! You can download tor-0.4.4.3-alpha at https://dist.torproject.org. The changelog is at https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.3-alpha No major changes in this release; just some bugfixes and preparation for the release candidate, which I hope will come out in mid-august. Official announcements to follow after the website is updated. cheers, -- Nick

1 0

Package wiki discontinuation
by Damian Johnson 19 Jul '20

19 Jul '20

Hi all. Just a quick friendly head's up that now that Trac is read-only the packages wiki I've maintained these last three years will be discontinued... https://trac.torproject.org/projects/tor/wiki/doc/packages I suspect hardly anyone used it, but if anyone would care to create a GitLab replacement the script to keep such a page up to date is located at... https://gitweb.torproject.org/doctor.git/tree/package_versions.py Cheers! -Damian

1 0

New releases: 0.3.5.11, 0.4.2.8, 0.4.3.6, and 0.4.4.2-alpha
by Nick Mathewson 09 Jul '20

09 Jul '20

Hello! There are new tor releases in all supported series today. You can download them from https://dist.torproject.org/. Please remember to check the signatures! These releases fix a bunch of issues, including a remote denial of service attack that we are tracking as TROVE-2020-001 (and also as CVE-2020-15572). This DoS attack affects Tor relays and clients that have been compiled to use the NSS library. If you're using OpenSSL (the default) then it doesn't affect you. You can read the changelogs for the individual releases here: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.11 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.2.8 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.6 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.2-alpha yrs, -- Nick

1 0

Upcoming releases this week, all series, with security fix
by Nick Mathewson 07 Jul '20

07 Jul '20

Hello! There will be a series of Tor releases later this week -- I'm aiming for Thursday or Friday. They will fix a security issue that we are ranking at "Medium" per our security policy at [1]. The issue is a denial-of-service attack that affects a comparatively uncommon configuration. We are tracking the security issue as TROVE-2020-001. We have requested a CVE, and will include it when we release on Friday. [1] https://gitlab.torproject.org/legacy/trac/-/wikis/org/teams/NetworkTeam/Sec… -- Nick

1 0

Tor 0.4.4.1-alpha is available
by Nick Mathewson 17 Jun '20

17 Jun '20

Hi, all! There is a stable release for 0.4.3.5. You can download it from the usual place at https://dist.torproject.org/ . Official announcements will come soon. Here's the changelog: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.1-alpha

1 1

Tor 0.4.3.5 is available
by Nick Mathewson 15 May '20

15 May '20

Hi, all! There is a stable release for 0.4.3.5. You can download it from the usual place at https://dist.torproject.org/ . Official announcements will come after the website has updated. Changes since 0.4.3.4-rc: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.5 Changes since 0.4.2.6: https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.3.5

1 0

Tor 0.4.3.4-rc is released!
by Nick Mathewson 13 Apr '20

13 Apr '20

Hi! There's a new release candidate available at https://dist.torproject.org/ . You can read the changelog at https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.4-rc This is a release candidate: unless people find serious bugs in it, there probably won't be any changes until the official release comes out in a couple of weeks. You can help by making sure that it gets into the hands of people who will test it. I'll send out official announcements once the website updates. best wishes, -- Nick

1 0

New Tor releases: 0.3.5.10, 0.4.1.9, 0.4.2.7, and 0.4.3.3-alpha
by Nick Mathewson 18 Mar '20

18 Mar '20

Hello! New tor releases are tagged and signed, and available at https://dist.torproject.org/ . Please remember to check the signatures. Here are the changelog links: 0.3.5.10: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.10 0.4.1.9: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.1.9 0.4.2.7: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.2.7 0.4.3.3-alpha: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.3-alpha Note that these releases fix several vulnerabilities, including a remotely triggerable CPU DoS. Everybody running older versions should upgrade to one of these. For TROVE and CVE identifiers and more about the vulnerabilities, please see the ChangeLogs. I'll send official announcements after the website has updated.

1 0

Fwd: Upcoming Tor security releases to fix a denial-of-service issue
by Nick Mathewson 16 Mar '20

16 Mar '20

---------- Forwarded message --------- From: Nick Mathewson <nickm(a)torproject.org> Date: Mon, Mar 16, 2020 at 1:25 PM Subject: Upcoming Tor security releases to fix a denial-of-service issue To: <tor-talk(a)lists.torproject.org> Hello! Some time this week, we currently plan to put out a set of security updates for all supported versions of Tor. These releases will fix a pair of denial-of-service bugs: one that we are classifying at "low" severity, and one that we are classifying at "high" severity. Our recommendation will be for everybody, including relays and clients, to upgrade once packages are available for their platforms. Although these vulnerabilities are "only" denial-of-service issues, any denial-of-service attack against Tor could be leveraged by an attacker to aid in a traffic analysis attack. To the best of our knowledge, these vulnerabilities are not being exploited in the wild. Currently supported release series are 0.3.5, 0.4.1, 0.4.2, and 0.4.3 (alpha). If you have not yet upgraded to one of those, the time to do so is soon. For our policy and process for handing security issues, please see: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/Securit… best wishes, -- Nick

1 0

Tor 0.4.3.2-alpha is tagged and released
by Nick Mathewson 11 Feb '20

11 Feb '20

Hello! Tor 0.4.3.2-alpha is now available at https://dist.torproject.org/. Please remember to download and check the signature, too. This is a small release, mostly fixing little bugs in the last alpha. I hope it will help us converge on a stable 0.4.3.x release. I'll send out an official announcement once the website is updated. Here's the changelog: Changes in version 0.4.3.2-alpha - 2020-02-10 This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade, and look for bugs in this one instead. o Major bugfixes (onion service client, authorization): - On a NEWNYM signal, purge entries from the ephemeral client authorization cache. The permanent ones are kept. Fixes bug 33139; bugfix on 0.4.3.1-alpha. o Minor features (best practices tracker): - Practracker now supports a --regen-overbroad option to regenerate the exceptions file, but only to revise exceptions to be _less_ tolerant of best-practices violations. Closes ticket 32372. o Minor features (continuous integration): - Run Doxygen Makefile target on Travis, so we can learn about regressions in our internal documentation. Closes ticket 32455. - Stop allowing failures on the Travis CI stem tests job. It looks like all the stem hangs we were seeing before are now fixed. Closes ticket 33075. o Minor bugfixes (build system): - Revise configure options that were either missing or incorrect in the configure summary. Fixes bug 32230; bugfix on 0.4.3.1-alpha. o Minor bugfixes (controller protocol): - Fix a memory leak introduced by refactoring of control reply formatting code. Fixes bug 33039; bugfix on 0.4.3.1-alpha. - Fix a memory leak in GETINFO responses. Fixes bug 33103; bugfix on 0.4.3.1-alpha. - When receiving "ACTIVE" or "DORMANT" signals on the control port, report them as SIGNAL events. Previously we would log a bug warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha. o Minor bugfixes (logging): - If we encounter a bug when flushing a buffer to a TLS connection, only log the bug once per invocation of the Tor process. Previously we would log with every occurrence, which could cause us to run out of disk space. Fixes bug 33093; bugfix on 0.3.2.2-alpha. - When logging a bug, do not say "Future instances of this warning will be silenced" unless we are actually going to silence them. Previously we would say this whenever a BUG() check failed in the code. Fixes bug 33095; bugfix on 0.4.1.1-alpha. o Minor bugfixes (onion service v2): - Move a series of v2 onion service warnings to protocol-warning level because they can all be triggered remotely by a malformed request. Fixes bug 32706; bugfix on 0.1.1.14-alpha. o Minor bugfixes (onion service v3, client authorization): - When removing client authorization credentials using the control port, also remove the associated descriptor, so the onion service can no longer be contacted. Fixes bug 33148; bugfix on 0.4.3.1-alpha. o Minor bugfixes (pluggable transports): - When receiving a message on standard error from a pluggable transport, log it at info level, rather than as a warning. Fixes bug 33005; bugfix on 0.4.0.1-alpha. o Minor bugfixes (rust, build): - Fix a syntax warning given by newer versions of Rust that was creating problems for our continuous integration. Fixes bug 33212; bugfix on 0.3.5.1-alpha. o Minor bugfixes (TLS bug handling): - When encountering a bug in buf_read_from_tls(), return a "MISC" error code rather than "WANTWRITE". This change might help avoid some CPU-wasting loops if the bug is ever triggered. Bug reported by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha. o Code simplification and refactoring (mainloop): - Simplify the ip_address_changed() function by removing redundant checks. Closes ticket 33091. o Documentation (manpage): - Split "Circuit Timeout" options and "Node Selection" options into their own sections of the tor manpage. Closes tickets 32928 and 32929. Work by Swati Thacker as part of Google Season of Docs.

1 0