tor-announce February 2019

tor-announce@lists.torproject.org

2 participants
2 discussions

New stable Tor releases: 0.3.5.8, 0.3.4.11, and 0.3.3.12 (to fix TROVE-2019-001)
by Nick Mathewson 21 Feb '19

21 Feb '19

Hello, everyone! (If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . If you have trouble, it is probably because you subscribed using a different address than the one you are trying to unsubscribe with. You will have to enter the actual email address you used when you subscribed.) Source code for Tor 0.3.5.8, 0.3.4.11, and 0.3.3.12 is now available from the download page on our website and from the distribution directory at https://dist.tprorject.org . Packages should be available within the next several weeks, with a new Tor Browser likely in March. These releases fix TROVE-2019-001, a possible security bug involving the KIST cell scheduler code in versions 0.3.2.1-alpha and later. We are not certain that it is possible to exploit this bug in the wild, but out of an abundance of caution, we recommend that all affected users upgrade. The potential impact is a remote denial-of-service attack against clients or relays. Also note: 0.3.3.12 is the last anticipated release in the 0.3.3.x series; that series will become unsupported next week. The remaining supported stable series will 0.2.9.x (long-term support until 2020), 0.3.4.x (supported until June), and 0.3.5.x (long-term support until 2022). Below are the changes in 0.3.5.8. For changes in other versions, see their associated ChangeLog files. Changes in version 0.3.5.8 - 2019-02-21 Tor 0.3.5.8 backports serveral fixes from later releases, including fixes for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases. It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha. o Major bugfixes (cell scheduler, KIST, security): - Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955. o Major bugfixes (networking, backport from 0.4.0.2-alpha): - Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha. o Minor features (compilation, backport from 0.4.0.2-alpha): - Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix". o Minor features (geoip): - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 Country database. Closes ticket 29478. o Minor features (testing, backport from 0.4.0.2-alpha): - Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668. o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha): - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS connection waiting for a descriptor that we actually have in the cache. It turns out that this can actually happen, though it is rare. Now, tor will recover and retry the descriptor. Fixes bug 28669; bugfix on 0.3.2.4-alpha. o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha): - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the IPv6 socket was bound using an address family of AF_INET instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha): - Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha. o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha): - Select guards even if the consensus has expired, as long as the consensus is still reasonably live. Fixes bug 24661; bugfix on 0.3.0.1-alpha. o Minor bugfixes (compilation, backport from 0.4.0.1-alpha): - Compile correctly on OpenBSD; previously, we were missing some headers required in order to detect it properly. Fixes bug 28938; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. o Minor bugfixes (documentation, backport from 0.4.0.2-alpha): - Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". o Minor bugfixes (logging, backport from 0.4.0.1-alpha): - Rework rep_hist_log_link_protocol_counts() to iterate through all link protocol versions when logging incoming/outgoing connection counts. Tor no longer skips version 5, and we won't have to remember to update this function when new link protocol version is developed. Fixes bug 28920; bugfix on 0.2.6.10. o Minor bugfixes (logging, backport from 0.4.0.2-alpha): - Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. o Minor bugfixes (misc, backport from 0.4.0.2-alpha): - The amount of total available physical memory is now determined using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) when it is defined and a 64-bit variant is not available. Fixes bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. o Minor bugfixes (onion services, backport from 0.4.0.2-alpha): - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more than one private key for a hidden service. Fixes bug 29040; bugfix on 0.3.5.1-alpha. - In hs_cache_store_as_client() log an HSDesc we failed to parse at "debug" level. Tor used to log it as a warning, which caused very long log lines to appear for some users. Fixes bug 29135; bugfix on 0.3.2.1-alpha. - Stop logging "Tried to establish rendezvous on non-OR circuit..." as a warning. Instead, log it as a protocol warning, because there is nothing that relay operators can do to fix it. Fixes bug 29029; bugfix on 0.2.5.7-rc. o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha): - Mark outdated dirservers when Tor only has a reasonably live consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha. o Minor bugfixes (tests, backport from 0.4.0.2-alpha): - Detect and suppress "bug" warnings from the util/time test on Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha. - Do not log an error-level message if we fail to find an IPv6 network interface from the unit tests. Fixes bug 29160; bugfix on 0.2.7.3-rc. o Minor bugfixes (usability, backport from 0.4.0.1-alpha): - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). Some users took this phrasing to mean that the mentioned guard was under their control or responsibility, which it is not. Fixes bug 28895; bugfix on Tor 0.3.0.1-alpha.

1 1

Tor Browser 8.0.6 is released
by Nicolas Vigier 12 Feb '19

12 Feb '19

Tor Browser 8.0.6 is now available from the Tor Browser Project page [1] and also from our distribution directory [2]. 1: https://www.torproject.org/download/download-easy.html 2: https://www.torproject.org/dist/torbrowser/8.0.6/ This release features important security updates [3] to Firefox. 3: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/ The main change in this new release is the update of Firefox to 60.5.1esr, fixing some vulnerabilities in the Skia library [4]. 4: https://googleprojectzero.blogspot.com/2019/02/the-curious-case-of-convexit… The full changelog since Tor Browser 8.0.5 is: * All platforms * Update Firefox to 60.5.1esr * Update HTTPS Everywhere to 2019.1.31 * Bug 29378: Remove 83.212.101.3 from default bridges * Build System * All Platforms * Bug 29235: Build our own version of python3.6 for HTTPS Everywhere

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-announce February 2019