[tor-announce] Tor is released

Nick Mathewson nickm at torproject.org
Mon Dec 19 15:04:07 UTC 2016

Hi, all! In addition to today's release of a stable 0.2.9, there's
also a new Tor source release. This release backports a fix
for bug 21018, a medium-severity denial-of-service issue affecting
clients that visit hidden services. See notes on 21018 below for
more information.

(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
.  If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with.
You will have to enter the actual email address you used to

Since 0.2.8 is no longer the most recent stable release, you can
download the source from https://dist.torproject.org/ .


Changes in version - 2016-12-19
  Tor backports a fix for a medium-severity issue (bug 21018
  below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  It also includes an updated list of fallback directories, backported
  from 0.2.9.

  Now that the Tor 0.2.9 series is stable, only major bugfixes will be
  backported to 0.2.8 in the future.

  o Major bugfixes (parsing, security, backported from
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Minor features (fallback directory list, backported from
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.

  o Minor features (geoip, backported from
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
      Country database.

More information about the tor-announce mailing list