Tor 0.2.0.33-stable released
Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.
This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)
https://www.torproject.org/download.html
Changes in version 0.2.0.33 - 2009-01-21
Security fixes:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.
Major bugfixes:
- When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
would silently ignore the end cell and not close the stream. If
the client never closes the circuit, then the exit relay never
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
reported by "wood".
- When sending CREATED cells back for a given circuit, use a 64-bit
connection ID to find the right connection, rather than an addr:port
combination. Now that we can have multiple OR connections between
the same ORs, it is no longer possible to use addr:port to uniquely
identify a connection.
- Bridge relays that had DirPort set to 0 would stop fetching
descriptors shortly after startup, and then briefly resume
after a new bandwidth test and/or after publishing a new bridge
descriptor. Bridge users that try to bootstrap from them would
get a recent networkstatus but would get descriptors from up to
18 hours earlier, meaning most of the descriptors were obsolete
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
- Prevent bridge relays from serving their 'extrainfo' document
to anybody who asks, now that extrainfo docs include potentially
sensitive aggregated client geoip summaries. Bugfix on
0.2.0.13-alpha.
- If the cached networkstatus consensus is more than five days old,
discard it rather than trying to use it. In theory it could be
useful because it lists alternate directory mirrors, but in practice
it just means we spend many minutes trying directory mirrors that
are long gone from the network. Also discard router descriptors as
we load them if they are more than five days old, since the onion
key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
Minor bugfixes:
- Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
could make gcc generate non-functional binary search code. Bugfix
on 0.2.0.10-alpha.
- Build correctly on platforms without socklen_t.
- Compile without warnings on Solaris.
- Avoid potential crash on internal error during signature collection.
Fixes bug 864. Patch from rovv.
- Correct handling of possible malformed authority signing key
certificates with internal signature types. Fixes bug 880.
Bugfix on 0.2.0.3-alpha.
- Fix a hard-to-trigger resource leak when logging credential status.
CID 349.
- When we can't initialize DNS because the network is down, do not
automatically stop Tor from starting. Instead, we retry failed
dns_inits() every 10 minutes, and change the exit policy to reject
*:* until one succeeds. Fixes bug 691.
- Use 64 bits instead of 32 bits for connection identifiers used with
the controller protocol, to greatly reduce risk of identifier reuse.
- When we're choosing an exit node for a circuit, and we have
no pending streams, choose a good general exit rather than one that
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
- Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes one case of bug 752. Patch from rovv.
- Clip the MaxCircuitDirtiness config option to a minimum of 10
seconds. Warn the user if lower values are given in the
configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
user if lower values are given in the configuration. Bugfix on
0.1.1.17-rc. Patch by Sebastian.
- Fix a memory leak when we decline to add a v2 rendezvous descriptor to
the cache because we already had a v0 descriptor with the same ID.
Bugfix on 0.2.0.18-alpha.
- Fix a race condition when freeing keys shared between main thread
and CPU workers that could result in a memory leak. Bugfix on
0.1.0.1-rc. Fixes bug 889.
- Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv.
- Check which hops rendezvous stream cells are associated with to
prevent possible guess-the-streamid injection attacks from
intermediate hops. Fixes another case of bug 446. Based on patch
from rovv.
- If a broken client asks a non-exit router to connect somewhere,
do not even do the DNS lookup before rejecting the connection.
Fixes another case of bug 619. Patch from rovv.
- When a relay gets a create cell it can't decrypt (e.g. because it's
using the wrong onion key), we were dropping it and letting the
client time out. Now actually answer with a destroy cell. Fixes
bug 904. Bugfix on 0.0.2pre8.
Minor bugfixes (hidden services):
- Do not throw away existing introduction points on SIGHUP. Bugfix on
0.0.6pre1. Patch by Karsten. Fixes bug 874.
Minor features:
- Report the case where all signatures in a detached set are rejected
differently than the case where there is an error handling the
detached set.
- When we realize that another process has modified our cached
descriptors, print out a more useful error message rather than
triggering an assertion. Fixes bug 885. Patch from Karsten.
- Implement the 0x20 hack to better resist DNS poisoning: set the
case on outgoing DNS requests randomly, and reject responses that do
not match the case correctly. This logic can be disabled with the
ServerDNSRandomizeCase setting, if you are using one of the 0.3%
of servers that do not reliably preserve case in replies. See
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
for more info.
- Check DNS replies for more matching fields to better resist DNS
poisoning.
- Never use OpenSSL compression: it wastes RAM and CPU trying to
compress cells, which are basically all encrypted, compressed, or
both.
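The 0x20 item in the Minor features list above, as a small C sketch added here for illustration; it is not taken from Tor's source. The function names, the verdict enum and the fixed entropy bytes are assumptions made for this example, and a real resolver would draw the bits from a CSPRNG.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

enum dns0x20_verdict { DNS0X20_OK, DNS0X20_CASE_MISMATCH, DNS0X20_NAME_MISMATCH };

/* Set the case of each ASCII letter in qname from one bit of entropy (letter i
 * uses bit i). Returns the number of letters randomized, i.e. the extra bits a
 * forger has to guess. Stops early if the entropy buffer runs out. */
size_t dns0x20_encode(char *qname, const uint8_t *entropy, size_t entropy_len)
{
    size_t letters = 0;
    for (char *p = qname; *p; ++p) {
        if (!isalpha((unsigned char)*p))
            continue;                      /* digits, '-' and '.' carry no case bit */
        if (letters / 8 >= entropy_len)
            break;
        int bit = (entropy[letters / 8] >> (letters % 8)) & 1;
        *p = (char)(bit ? toupper((unsigned char)*p) : tolower((unsigned char)*p));
        ++letters;
    }
    return letters;
}

/* Judge the question name echoed in a reply. A case-only difference is kept
 * apart from a different name so that servers which do not preserve case can
 * be told apart from replies for another name; both are rejected. */
enum dns0x20_verdict dns0x20_check(const char *sent, const char *reply)
{
    int case_differs = 0;
    for (;; ++sent, ++reply) {
        unsigned char a = (unsigned char)*sent, b = (unsigned char)*reply;
        if (tolower(a) != tolower(b))
            return DNS0X20_NAME_MISMATCH;
        if (a != b)
            case_differs = 1;
        if (a == '\0')
            break;
    }
    return case_differs ? DNS0X20_CASE_MISMATCH : DNS0X20_OK;
}

/* Constructed demo: fixed (non-random) bits make the encoded name reproducible. */
enum dns0x20_verdict demo_verdict(const char *reply_qname)
{
    char sent[] = "www.torproject.org";
    const uint8_t fixed_bits[] = { 0xA5, 0x0F };
    dns0x20_encode(sent, fixed_bits, sizeof fixed_bits); /* "WwW.toRpROJECt.org" */
    return dns0x20_check(sent, reply_qname);
}

int main(void)
{
    printf("%d\n", demo_verdict("www.torproject.org")); /* case not echoed */
    return 0;
}
```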
The original announcement can be found at http://archives.seul.org/or/announce/Jan-2009/msg00000.html
Comments
Please note that the comment area below has been archived.
"Some platforms"
Which platforms are affected? A mail would suffice.
Craig / Gentoo Security
(https://bugs.gentoo.org/show_bug.cgi?id=256078)
Time
We're giving people time to upgrade before announcing the details.
This might be a dumb question but...
I have searched the site but haven't found the following info:
I already have an older version of Tor installed on my iMac (Leopard) and in order to install the new stable version, do I need to uninstall the previous one or does the installer simply overwrite the previous version?
Thanks,
Gene
p.s. the captcha is not visually impaired friendly...
Simply install.
Tor packages overwrite the existing installation. There is no need to un-install and then install at this time.
Runs quite good. I'm running 0.2.0.33-stable at ~1600kilobyte/s with 60mb RAM usage. Before I was running 0.2.0.32-stable at ~1600kilobyte/s with 190mb RAM usage. And I think this release will speed up the Tor network, because most node speed is limited by RAM/CPU usage.
so..Thanks for this release. :-)
Uninstall
How can I uninstall Tor? Tried it but don't like it.
It depends on your operating system.
For Windows, just run the uninstaller.
For Apple, https://www.torproject.org/docs/tor-doc-osx.html.en#uninstall
For linux, remove the rpms or whatever is your native package system
UNistall
I don't have uninstall Tor in my computer. What I do to uninstall it? I use Windows Vista.
Uninstall
My operating system is XP, but I don't see uninstaller. I don't even see Tor in start menu or add or remove programs in control panel. Where can I find uninstaller? Thanks
uhm
you have to install it first. Then you might be able to uninstall it...
TBB?
If you downloaded TBB, it doesn't install. It's a "zero-install" configuration.
So I can't uninstall this?
there isn't an install
If you are using the TBB, there is no installation, therefore there is no "un-installation". Simply delete the directory you created for the TBB.
Suse binaries
Will there soon be precompiled Suse Binaries?
I tried to compile from source but it doesn't like my openssl.
Coming soon.
They're coming soon, possibly tonight.
suse rpms are now available.
based on opensuse 11, the rpms are now available.
Changed Vidalia 1.1.0 exe/dll in latest vidalia-bundle
Please look into the latest bundles package for Windows (vidalia-bundle-0.2.0.33-0.1.10.exe) and into the previous one (vidalia-bundle-0.2.0.32-0.1.10.exe).
In both bundles Vidalia has the same version (1.1.0) but there are 3 files changed.
In vidalia-bundle-0.2.0.33-0.1.10.exe:
SHA1(vidalia.exe)= 987592a629b9b768576bb3dd1f25be674eeb7609
SHA1(ssleay32.dll)= 152edc88462c8c2172e9b633f231d9713b7c5f8b
SHA1(QtCore4.dll)= 4a1d7f735a267f66c1616ba6c1b0ec99581326aa
In vidalia-bundle-0.2.0.32-0.1.10.exe
SHA1(vidalia.exe)= 319fd6eaa6e8037af668bacb4cd9f90635d93df3
SHA1(ssleay32.dll)= 96fa129d753d27687525801df696fd900dcdfce0
SHA1(QtCore4.dll)= e6a6789c72c690a9c7cd06f26285a965014ba105
Why vidalia.exe is different ?
Why the QtCore4.dll is different ?
(both QtCore4.dll says to be version 4.4.3.0)
Am I only a paranoid freak and all is OK ?
Can we trust the new 0.2.0.33 bundle ?
Everything was updated from scratch.
A few things:
1) Vidalia for 0.2.0.32 was built by the Vidalia developer Matt, using my tor.exe. 0.2.0.33 vidalia-bundle was built by me from scratch; using the published steps.
2) ssl in the 0.2.0.33 bundle is openssl 0.9.8j, which is the latest version and newer than the version of openssl in 0.2.0.32 bundles.
3) Vidalia for 0.2.0.32 was built by the Vidalia developer Matt, using my tor.exe. 0.2.0.33 vidalia-bundle was built by me from scratch; using the published steps. I don't know why QtCore4.dll is different, since both Matt and I installed from the .exe on trolltech's website.
I signed the 0.2.0.33 bundle because I built it. Matt signed the 0.2.0.32 bundle because he built it. You're free to take our instructions and build your own bundle from the same source code I used.
Flash Player (not)
Pardon a query from a newbie, but I keep getting an error message that my flash player is not installed (although it is, and works fine when I run Firefox non-Tor), with the result that I can't view any videos. Advice welcome.
Re: Flash Player (not)
https://www.torproject.org/torbutton/faq.html.en#noflash
Basically, Flash is unsafe currently. Any website that you accept flash
from can de-anonymize you.
Down the road, we hope to have some more well-understood VM-based
solution, like what Janus VM and Xerobank VM aim to do currently. But
for now, the best answer is either not to use flash with Tor, or to enable
plugins as the other comment suggested but then understand the risks.
I appreciate the help.
Thanx 4 telling tat !
How do I enable plugins with Tor?
hey buddy go 2 the Add on Tor button there is a option called Disable Plugins somewhere, it is marked. unmark it then it will work. Give it a try buddy!
read up 3 comments
Read what arma stated 3 comments up. Flash over Tor isn't safe for your anonymity.
thanx!!! ;)
Re: Installation latest version of Tor
I need some assistance please. I am a basic computer user but I have
been able to install Tor which I have been using daily for months now. My OS is MacOsx Panther 10.3.9 and the Tor bundle installed is 0.2.0.31. The OS is being operated from an external HD.
I am no longer able to upgrade to the latest Tor versions (0.2.0.33) because as soon as I open the installer package of the new version I get the error message:
The Installer package "vidalia-bundle - 0.2.0.33-0.10-ppc" cannot be
opened.
The Bill of Materials for this package was not found.
I have tried several times with the same result. I have tried moving the old Tor, Privoxy and Vidalia folders to the trash but I still get the error message!. Am I doing something wrong? I have always upgraded to
new stable versions of Tor this way.
Thank you in advance for your help.
Louis
bug report
Could you open a bug report at https://bugs.torproject.org/ ? If you could attach the relevant parts of the install.log from /var/log/install.log to the bug that would be great. Thanks!
Installation of Tor
Thank you for the reply to my post. I shall look for the log, register at
the address you have given, post it there with an explanation of the
difficulty I am encountering.
Fixed
This is fixed, and was tracked as bug 924.
tor versions compatible with Mac OSX 10.3.9 ?
I thought Tor wasn't compatible with any Mac OS earlier than 10.4, but the 1-29-09 question from Louis (Re: Installation latest version of Tor) seemed to suggest that I can Run Tor on my OS 10.3.9.
Can I run Tor on 10.3.9? If so, what version and where do I get it? Any assistance would be appreciated.
Thanks,
Frank Marin
re: tor versions compatible with Mac OSX 10.3.9 ?
Yes, Tor works with OS X 10.3.9. You can download it at https://www.torproject.org/download. Look at the second Apple icon where it says "PowerPC Only (OSX 10.3)".
Install Failed
I tried installing the Tor bundle on my mac running 10.5.7. Installation failed with the following error. "The following install step failed: run postflight script for Tor"
Anyone know the reason for this?
Cannot upgrade or uninstall tor 0.2.31 on OS X
I currently have Tor 0.2.31 installed on OS X 10.4.11.
When I run the installer for the latest release (0.2.35) the installer says there is already a newer version of Tor installed. If I continue with the install anyway, it fails. There is no error message but the new version does not run.
After restoring the old version of Tor (0.2.31) from backup, everything is OK. Then I tried to uninstall the old version using the supplied script, but it fails, giving me:
root@sebago> ./uninstall_tor_bundle.sh
. tor process appears to already be stopped
. Killing currently running privoxy process, pid is 196
./uninstall_tor_bundle.sh: line 123: ./package_list.txt: No such file or directory
. Removing created user _tor
delete: Invalid Path
. Cleaning up
rm: fts_read: No such file or directory
. Finished
Next, I restored again from backup and tried to manually uninstall following the documentation. However, some of the files and directories that are supposed to be deleted do not exist on my installation. Other files and directories that obviously belong to Tor are not listed in the documentation of what to delete.
After deleting everything I could find that looks like it belongs to Tor I ran the installer for version 0.2.35 again and it says the install was successful, but after restarting and trying to start vidalia, it doesn't run.
Now I have 0.2.31 running again after restoring again from backup, but I am at a total loss as to how to properly uninstall or upgrade!!
Please help!!!
I have the exact same problem. I installed the latest version of Tor, I am told a newer version is already installed, and then when I run Vidalia it doesn't work -- it loads about halfway but never connects to the network.
same person as above: message log reports ...
Jul 12 06:31:38.138 [Notice] Initialized libevent version 1.4.11-stable using method kqueue. Good.
Jul 12 06:31:38.138 [Notice] Opening Socks listener on 127.0.0.1:9050
Jul 12 06:31:38.139 [Notice] Opening Control listener on 127.0.0.1:9051
Jul 12 06:31:38.190 [Notice] Parsing GEOIP file.
Jul 12 06:31:39.822 [Notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
Jul 12 06:31:39.822 [Notice] Bootstrapped 5%: Connecting to directory server.
... this is where it stops every time.
I have something similar - but different - have a black macbook os x 10.4.11 belonging to a friend. I downloaded latest Tor release, now when I try to launch vidalia nothing happens.
The app won't even launch. When I click on vidalia it doesn't even appear to start to launch, even when I view what happens in the 'dock' i.e. the icon starts to launch then immediately stops - no 'bouncing icon' if you know what I mean.
Have tried to load various different versions of Vidalia/tor/polipo. None of them work. The only other version I have that I know works is the one I use on my own titanium PPC G4 (10.4.11) which as I said, is for PPC so just out of curiosity I loaded that, which launches fine and reports that it connects to the tor-network but 'TOR button' reports that the 'proxy refusing connections.' which is not too surprising since it's for PPC
How can i log on to my MT4 meter trader forex platform using tor, also how can i log on to skype using tor. i tried it several times but it did not work. can i log on to this sites with tor? do i need to enable any thing to log on?
How do I connect my forex meta trader 4 (mt4) to tor circuit