[tor-talk] New alpha release: Tor 0.4.4.2-alpha
nickm at torproject.org
Thu Jul 9 17:29:07 UTC 2020
There's a new alpha Tor release! Because it's an alpha, you should
only run it if you're ready to find more bugs than usual, and report
them on trac.torproject.org.

The source code is available from the usual place on
https://www.torproject.org/download/tor/; if you build Tor from
source, why not give it a try? And if you don't build Tor from source,
packages should be ready over the coming days, with a Tor Browser
alpha release likely around the end of the month.

This release fixes numerous issues, including a denial-of-service
attack affecting all clients and relays using the NSS library. (If
your Tor is built with OpenSSL, which is the default, you don't need
to worry about this one. But if you're using NSS, you should upgrade.)

There are also new stable releases today: the announcements for them
will go to the tor-announce mailing list as usual.

Here's what's new:

Changes in version 0.4.4.2-alpha - 2020-07-09
This is the second alpha release in the 0.4.4.x series. It fixes a few
bugs in the previous release, and solves a few usability,
compatibility, and portability issues.
This release also fixes TROVE-2020-001, a medium-severity denial of
service vulnerability affecting all versions of Tor when compiled with
the NSS encryption library. (This is not the default configuration.)
Using this vulnerability, an attacker could cause an affected Tor
instance to crash remotely. This issue is also tracked as
CVE-2020-15572. Anybody running a version of Tor built with the NSS
library should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha.
o Major bugfixes (NSS, security):
- Fix a crash due to an out-of-bound memory access when Tor is
compiled with NSS support. Fixes bug 33119; bugfix on
0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001.
o Minor features (bootstrap reporting):
- Report more detailed reasons for bootstrap failure when the
failure happens due to a TLS error. Previously we would just call
these errors "MISC" when they happened during read, and "DONE"
when they happened during any other TLS operation. Closes
o Minor features (directory authority):
- Authorities now recommend the protocol versions that are supported
by Tor 0.3.5 and later. (Earlier versions of Tor have been
deprecated since January of this year.) This recommendation will
cause older clients and relays to give a warning on startup, or
when they download a consensus directory. Closes ticket 32696.
o Minor features (entry guards):
- Reinstate support for GUARD NEW/UP/DOWN control port events.
Closes ticket 40001.
o Minor features (linux seccomp2 sandbox, portability):
- Allow Tor to build on platforms where it doesn't know how to
report which syscall caused the linux seccomp2 sandbox to fail.
This change should make the sandbox code more portable to less
common Linux architectures. Closes ticket 34382.
- Permit the unlinkat() syscall, which some Libc implementations use
to implement unlink(). Closes ticket 33346.
o Minor bugfix (CI, Windows):
- Use the correct 64-bit printf format when compiling with MINGW on
Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.
o Minor bugfix (onion service v3 client):
- Remove a BUG() warning that could occur naturally. Fixes bug
34087; bugfix on 0.3.2.1-alpha.
o Minor bugfix (SOCKS, onion service client):
- Detect v3 onion service addresses of the wrong length when
returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
o Minor bugfixes (compiler warnings):
- Fix a compiler warning on platforms with 32-bit time_t values.
Fixes bug 40028; bugfix on 0.3.2.8-rc.
o Minor bugfixes (control port, onion service):
- Consistently use 'address' in "Invalid v3 address" response to
ONION_CLIENT_AUTH commands. Previously, we would sometimes say
'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (logging):
- Downgrade a noisy log message that could occur naturally when
receiving an extrainfo document that we no longer want. Fixes bug
16016; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (onion services v3):
- Avoid a non-fatal assertion failure in certain edge-cases when
opening an intro circuit as a client. Fixes bug 34084; bugfix
o Deprecated features (onion service v2):
- Add a deprecation warning for version 2 onion services. Closes
o Removed features (IPv6, revert):
- Revert the change in the default value of ClientPreferIPv6OrPort:
it breaks the torsocks use case. The SOCKS resolve command has no
mechanism to ask for a specific address family (v4 or v6), and so
prioritizing IPv6 when an IPv4 address is requested on the SOCKS
interface resulted in a failure. Tor Browser explicitly sets
PreferIPv6, so this should not affect the majority of our users.
Closes ticket 33796; bugfix on 0.4.4.1-alpha.
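
The upgrade advice for TROVE-2020-001 above, as an added triage helper that is not part of the original announcement or of Tor's own code. It assumes a dynamically linked tor binary whose `ldd` listing names libnss3 when built with NSS; the sample inputs are constructed, and the status strings are hypothetical names chosen for this example.

```python
import re

# Fixed release per series, as listed in the announcement:
# 0.3.5.11, 0.4.2.8, 0.4.3.6, 0.4.4.2-alpha.
FIXED = {(0, 3, 5): 11, (0, 4, 2): 8, (0, 4, 3): 6, (0, 4, 4): 2}

def parse_tor_version(text):
    """Return (major, minor, micro, patch) from a version string or a
    `tor --version` line. The status tag (-alpha, -rc) is ignored because
    the fixed releases are identified by their numeric part."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tor version found in %r" % text)
    return tuple(int(g) for g in m.groups())

def links_nss(ldd_output):
    """True if the library listing names Mozilla NSS (libnss3).
    glibc's Name Service Switch modules (libnss_files, libnss_dns, ...)
    share the 'nss' prefix but are unrelated, so match libnss3 exactly."""
    return any(re.match(r"\s*libnss3\.so", line)
               for line in ldd_output.splitlines())

def triage(version_text, ldd_output):
    """Classify a build as 'not-affected', 'fixed', 'upgrade' or 'unlisted'."""
    if not links_nss(ldd_output):
        return "not-affected"      # OpenSSL build, the default
    major, minor, micro, patch = parse_tor_version(version_text)
    series = (major, minor, micro)
    if series not in FIXED:
        return "unlisted"          # no fixed release named for this series
    return "fixed" if patch >= FIXED[series] else "upgrade"

# Constructed sample `ldd` listings (addresses and paths are made up).
SAMPLE_LDD_NSS = (
    "\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000000000)\n"
    "\tlibnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x00007f0000100000)\n"
    "\tlibnspr4.so => /usr/lib/x86_64-linux-gnu/libnspr4.so (0x00007f0000200000)\n"
)
SAMPLE_LDD_OPENSSL = (
    "\tlibssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)\n"
    "\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)\n"
    "\tlibnss_files.so.2 => /lib/x86_64-linux-gnu/libnss_files.so.2 (0x00007f0000200000)\n"
)

if __name__ == "__main__":
    for ver, libs in [("Tor version 0.4.3.5.", SAMPLE_LDD_NSS),
                      ("Tor version 0.4.4.2-alpha.", SAMPLE_LDD_NSS),
                      ("Tor version 0.3.5.10.", SAMPLE_LDD_OPENSSL)]:
        print(ver, "->", triage(ver, libs))
```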