gmane.network.onion-routing.announce

Tor 0.2.1.29 is released (security patches)

Roger Dingledine — 2011-01-17T15:58:13

Tor 0.2.1.29 continues our recent code security audit work. The main
fix resolves a remote heap overflow vulnerability that can allow remote
code execution. Other fixes address a variety of assert and crash bugs,
most of which we think are hard to exploit remotely.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.1.29 - 2011-01-15
  o Major bugfixes (security):
    - Fix a heap overflow bug where an adversary could cause heap
      corruption. This bug probably allows remote code execution
      attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
      0.1.2.10-rc.
    - Prevent a denial-of-service attack by disallowing any
      zlib-compressed data whose compression factor is implausibly
      high. Fixes part of bug 2324; reported by "doorss".
    - Zero out a few more keys in memory before freeing them. Fixes
      bug 2384 and part of bug 2385. These key instances found by
      "cypherpunks", based on Andrew Case's report about being able

Tor 0.2.1.28 is released (security patches)

Roger Dingledine — 2010-12-20T13:58:30

Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
exploitable bugs. Thanks to Willem Pinckaers for notifying us of the
issue. The Common Vulnerabilities and Exposures project has assigned
CVE-2010-1676 to this issue.

We also took this opportunity to change the IP address for one of our
directory authorities, and to update the geoip database we ship.

All Tor users should upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.1.28 - 2010-12-17
  o Major bugfixes:
    - Fix a remotely exploitable bug that could be used to crash instances
      of Tor remotely by overflowing on the heap. Remote-code execution
      hasn't been confirmed, but can't be ruled out. Everyone should
      upgrade. Bugfix on the 0.1.1 series and later.

  o Directory authority changes:
    - Change IP address and ports for gabelmoo (v3 directory authority).

  o Minor features:
    - Update to the December 1 2010 Maxmind GeoLite Country database.

----------------------------------------------

Tor 0.2.1.27 is released

Roger Dingledine — 2010-11-26T08:27:40

Tor 0.2.1.27 makes relays work with OpenSSL 0.9.8p and 1.0.0.b --
yet another OpenSSL security patch broke its compatibility with Tor.
We also took this opportunity to fix several crash bugs, integrate a
new directory authority, and update the bundled GeoIP database.

If you operate a relay, please upgrade.

https://www.torproject.org/download/download

Changes in version 0.2.1.27 - 2010-11-23
  o Major bugfixes:
    - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
      No longer set the tlsext_host_name extension on server SSL objects;
      but continue to set it on client SSL objects. Our goal in setting
      it was to imitate a browser, not a vhosting server. Fixes bug 2204;
      bugfix on 0.2.1.1-alpha.
    - Do not log messages to the controller while shrinking buffer
      freelists. Doing so would sometimes make the controller connection
      try to allocate a buffer chunk, which would mess up the internals
      of the freelist and cause an assertion failure. Fixes bug 1125;

Tor 0.2.1.26 is released

Roger Dingledine — 2010-06-11T21:43:11

Tor 0.2.1.26 addresses the recent connection and memory overload problems
we've been seeing on relays, especially relays with their DirPort open. If
your relay has been crashing, or you turned it off because it used too
many resources, give this release a try.

This release also fixes yet another instance of broken OpenSSL libraries
that was causing some relays to drop out of the consensus.

People running Tor as a relay should upgrade:
https://www.torproject.org/download

Changes in version 0.2.1.26 - 2010-05-02
  o Major bugfixes:
    - Teach relays to defend themselves from connection overload. Relays
      now close idle circuits early if it looks like they were intended
      for directory fetches. Relays are also more aggressive about closing
      TLS connections that have no circuits on them. Such circuits are
      unlikely to be re-used, and tens of thousands of them were piling
      up at the fast relays, causing the relays to run out of sockets
      and memory. Bugfix on 0.2.0.22-rc (where clie

End of life for Tor 0.2.0.x

Roger Dingledine — 2010-03-30T16:51:52

We have declared end-of-life for Tor 0.2.0.x. Those Tor versions have
several known flaws, and nobody should be using them. You should upgrade.

Specifically, the big flaw in Tor <= 0.2.0.35 is that its list of
directory authorities is out of date, so you'll find it hard to learn
about the network. We're signing the network status consensus with the
old signatures for now, but we're going to stop doing that in a few weeks,
which means your Tor 0.2.0.x will fail to find the current network.

The only exception is people using Debian Lenny -- our nice Debian
packager is trying to keep that package maintained for you.

As a bonus, if you move to a newer Tor you'll get significant performance
boosts as a client, and you'll improve the performance for others as
a relay.

Thanks,
--Roger

------------------------------------------------------------------------

This is the Tor announcements list. If you want to unsubscribe, send
mail to majordomo< at >seul.org with "unsubscribe or-announce" as your message.

Tor 0.2.1.25 is released

Roger Dingledine — 2010-03-30T15:50:57

Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could
prevent relays from guessing their IP address correctly. It also fixes
several minor potential security bugs.

People running Tor as a relay should upgrade:
https://www.torproject.org/download

Changes in version 0.2.1.25 - 2010-03-16
  o Major bugfixes:
    - Fix a regression from our patch for bug 1244 that caused relays
      to guess their IP address incorrectly if they didn't set Address
      in their torrc and/or their address fails to resolve. Bugfix on
      0.2.1.23; fixes bug 1269.
    - When freeing a session key, zero it out completely. We only zeroed
      the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
      patched by ekir. Fixes bug 1254.

  o Minor bugfixes:
    - Fix a dereference-then-NULL-check sequence when publishing
      descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
      bug 1255.
    - Fix another dereference-then-NULL-check sequence. Bugfix on
      0.2.1.14-rc. Discovered by ekir; fix

Tor 0.2.1.23 and 0.2.1.24 are released

Roger Dingledine — 2010-03-01T04:38:47

Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
again on the latest OS X, and updates the location of a directory
authority.

Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
for sure!

The Windows and OS X bundles also come with a newer version of Polipo
that fixes some stability and security problems.

People using Tor as a client should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.23 - 2010-02-13
  o Major bugfixes (performance):
    - We were selecting our guards uniformly at random, and then weighting
      which of our guards we'd use uniformly at random. This imbalance
      meant that Tor clients were severely limited on throughput (and
      probably latency too) by the first hop in their circuit. Now we
      select guards weighted by currently advertised bandwidth. We also
      automatically discard guards picked using the old algorithm. Fixes
      bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.

  o Major bugfixes:

Tor 0.2.1.22 is released (security fix)

Roger Dingledine — 2010-01-21T05:18:58

Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.

Everybody should upgrade:
https://www.torproject.org/easy-download
(Tor Browser Bundle updates coming in the next few days, hopefully.)

Changes in version 0.2.1.22 - 2010-01-19
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.

  o Major bugfixes:
    - Stop bridge directory authorities from answering dbg-stability.txt
      directory queries, which would let people fetch a list of all
      bridge identities they track. Bugfix on 0.2.1.6-alpha.

------------------------------------------------------------------------

This is the Tor announcements list. If you want to unsubscribe

Tor 0.2.1.21 is released

Roger Dingledine — 2009-12-29T15:23:14

Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL
library. If you use Tor on Linux / Unix and you're getting SSL
renegotiation errors, upgrading should help. We also recommend an
upgrade if you're an exit relay.

https://www.torproject.org/easy-download

Changes in version 0.2.1.21 - 2009-12-21
  o Major bugfixes:
    - Work around a security feature in OpenSSL 0.9.8l that prevents our
      handshake from working unless we explicitly tell OpenSSL that we
      are using SSL renegotiation safely. We are, of course, but OpenSSL
      0.9.8l won't work unless we say we are.
    - Avoid crashing if the client is trying to upload many bytes and the
      circuit gets torn down at the same time, or if the flip side
      happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

  o Minor bugfixes:
    - Do not refuse to learn about authority certs and v2 networkstatus
      documents that are older than the latest consensus. This bug might
      have degraded client bootstrapping. Bugf

Tor 0.2.1.20 is released

Roger Dingledine — 2009-11-12T15:14:11

Tor 0.2.1.20 fixes a crash bug when you're accessing many hidden services
at once, prepares for more performance improvements, and fixes a bunch
of smaller bugs.

The Windows and OS X bundles also include a more recent Vidalia, and
switch from Privoxy to Polipo.

The OS X installers are now drag and drop. It's best to un-install
Tor/Vidalia and then install this new bundle, rather than upgrade. If
you want to upgrade, you'll need to update the paths for Tor and Polipo
in the Vidalia Settings window.

https://www.torproject.org/easy-download

Changes in version 0.2.1.20 - 2009-10-15
  o Major bugfixes:
    - Send circuit or stream sendme cells when our window has decreased
      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
      by Karsten when testing the "reduce circuit window" performance
      patch. Bugfix on the 54th commit on Tor -- from July 2002,
      before the release of Tor 0.0.0. This is the new winner of the
      oldest-bug prize.
    - Fix a remotely triggerable memory