[tor-announce] Tor 0.2.8.12 is released

Nick Mathewson nickm at torproject.org
Mon Dec 19 15:04:07 UTC 2016


Hi, all! In addition to today's release of a stable 0.2.9, there's
also a new Tor 0.2.8.12 source release. This release backports a fix
for bug 21018, a medium-severity denial-of-service issue affecting
clients that visit hidden services. See notes on 21018 below for
more information.

(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
.  If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with.
You will have to enter the actual email address you used to
subscribe.)

Since 0.2.8 is no longer the most recent stable release, you can
download the source from https://dist.torproject.org/ .

============================================================

Changes in version 0.2.8.12 - 2016-12-19
  Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018
  below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  It also includes an updated list of fallback directories, backported
  from 0.2.9.

  Now that the Tor 0.2.9 series is stable, only major bugfixes will be
  backported to 0.2.8 in the future.

  o Major bugfixes (parsing, security, backported from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Minor features (fallback directory list, backported from 0.2.9.8):
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.

  o Minor features (geoip, backported from 0.2.9.7-rc):
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
      Country database.

