[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-announce] Tor 0.3.0.9 is released, with a security update for clients.



(If you are about to reply saying "please take me off this list",
instead please follow these instructions:
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
.  If you have trouble, it is probably because you subscribed using a
different address than the one you are trying to unsubscribe with.
You will have to enter the actual email address you used to
subscribe.)


Hello!

Source code for a new Tor release (0.3.0.9) is now available on the
website. Among other things, it fixes an issue affecting clients using
prior versions of the 0.3.0.x guard code.  All such clients should
upgrade as packages become available; clients running 0.2.9.x and
earlier are not affected.

Source is available on the website now; packages should be available
over the next several days. The Tor Browser team tells me they will
have a new release out early next week.

One last reminder: Tor 0.2.4, 0.2.6, and 0.2.7 will no longer be
supported after 1 August of this year.  Tor 0.2.8 will not be
supported after 1 Jan of 2018.  Tor 0.2.5 will not be supported after
1 May of 2018.  If you need a release with long-term support, 0.2.9 is
what we recommend: we plan to support it until at least 1 Jan 2020.


Below is the changelog for the new stable release.

Changes in version 0.3.0.9 - 2017-06-29
  Tor 0.3.0.9 fixes a path selection bug that would allow a client
  to use a guard that was in the same network family as a chosen exit
  relay. This is a security regression; all clients running earlier
  versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
  0.3.1.4-alpha.

  This release also backports several other bugfixes from the 0.3.1.x
  series.

  o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
    - When choosing which guard to use for a circuit, avoid the exit's
      family along with the exit itself. Previously, the new guard
      selection logic avoided the exit, but did not consider its family.
      Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-
      006 and CVE-2017-0377.

  o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
    - Don't block bootstrapping when a primary bridge is offline and we
      can't get its descriptor. Fixes bug 22325; fixes one case of bug
      21969; bugfix on 0.3.0.3-alpha.

  o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
    - When starting with an old consensus, do not add new entry guards
      unless the consensus is "reasonably live" (under 1 day old). Fixes
      one root cause of bug 22400; bugfix on 0.3.0.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
    - Permit the fchmod system call, to avoid crashing on startup when
      starting with the seccomp2 sandbox and an unexpected set of
      permissions on the data directory or its contents. Fixes bug
      22516; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.
_______________________________________________
tor-announce mailing list
tor-announce@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce