Tor 0.2.8.9 is released, with important fixes

by nickm | October 17, 2016

Tor 0.2.8.9 backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to 0.2.9.4-alpha. Patches will be released for older versions of Tor.
You can download the source from the Tor website. Packages should be available over the next week or so.
Below is a list of changes since 0.2.8.8.

Changes in version 0.2.8.9 - 2016-10-17

  • Major features (security fixes, also in 0.2.9.4-alpha):
    • Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 Country database.

Comments

Please note that the comment area below has been archived.

November 02, 2016

In reply to gk

Permalink

tor Win-Expert Bundle is still win32-0.2.8.7.
maybe an update in 2 weeks - it has been said two weeks ago.
up to now only a warning message pops up "0.2.8.7 is outdated... - please update"
how?

November 08, 2016

In reply to gk

Permalink

It's been three weeks and the Expert Bundle is still at 0.2.8.7. Is there now an ETA on when the build will be available?

October 18, 2016

Permalink

You can download the source from the Tor website. Packages should be available over the next week or so.

In the name of diversity, could we have working packages available for *BSD operating systems? Thanks very much.

there are too few Tor developefs with too much work to do already, i know, but please try to support bsd and mobile better. it will help everyone everywhere.

please also somehow add a basic detection of captcha, and use proxy from startpage.com or wayback.archive.org or translate.google.com
TO ANYONE HAVING TROUBLE READING NEWS SITES; the above 3 proxies are much more safe than working with the captcha, and NO JAVASCRIPT REQUIRED.

thank you Tor developers for your humanitarian work, helping all in china to read censored/politically dangerous topics

> there are too few Tor developefs with too much work to do already, i know,

As human beings, we are all subject to Maslow's hierarchy of needs and wants. All of the basic needs must be met before we start to even think of higher level ones like fighting for human rights, fighting climate change, etc...

It all comes down to how much Tor is willing to pay to recruit developers. If Tor has massive funds like Microsoft or Facebook, we are sure many people with the right skillsets will be making a beeline to Tor.

> but please try to support bsd and mobile better.

At the present moment there's no way to achieve the same level of anonymity on smartphones that one gets out of a personal computer.

In fact the chips and chipsets that constitute the core of smartphones all have proprietary designs. Some of our friends at Qualcomm caution us against using smartphones to surf the internet, even if the websites are harmless like Wikipedia. It appears that the chips and chipsets phone home every time you use your smartphone. It makes you wonder who is really the smart one here: you or the maker of the phone (or the NSA behind it.)

October 18, 2016

Permalink

I'm running Tor clients on Windows mainly but not the Tor browser bundle. Out of curiosity, tho, can the components of said TBB for Win be (easily) detached; such as for example, to run its special version of Firefox with my standalone Tor.exe ?

Any caveats, conflicts of configuration files, directories, whatever ... to be mindful of ?

Conversely, may we extract the "tor.exe" from the bundle and use it instead of our home compiled Tor ? Does that "tor.exe", made by the Torproject, run on systems without SSE2 ?

October 18, 2016

Permalink

When will tor messenger stable be out?
There is no roadmap?
Tor messenger is gonna be really great.Keep up the good work.
Thanks!

October 18, 2016

Permalink

Dear TOR project,

I beg you on behalf of countless unfortunate people who have no voice, please update TOR clients to use suitable bridges by default, and TOR relays to host those bridges by default, as opt-out rather than opt-in, by Dec 1. None of the pluggable transports are perfect but they are better than nothing. The slight "waste" of bandwidth in obfs4/scramblesuit's padding can make many attacks much harder, such as stopping the GFW from being able to tell from packet size alone that somebody is illegally reading about the Dalai Lama. The latency padding might add a few awful milliseconds to page load time, but could prevent Kim Il from using end-to-end timing to find everyone who searches for how to escape North Korea. The slightly harder to detect handshakes may protect TOR against old fashioned DPI that some democracy-hating countries in the eastern hemisphere require carriers use to block TOR. The people who these thingsnmatter the most to are also the least likely to be able to figure out bridges without first making a fatal mistake.
Otherwise, despite all of your commendabke work, you will be somewhat complicit when the viruses NSA sends to all known TOR used are found to be poorly written viruses and evil countries like Russia and Cuba will take advantage of the holes left open by the viruses to kill innocent people just for trying to advocate for democracy and capitalism and Christianity.
Thank you for taking the time to read this, and my deepest regrets for coming across so harsh, but innumerable innocent women and children could be murdered by communists all over the world just for reading the wrong text or advocating the wrong religion.

Sincerely,
a concerned netizen.

October 31, 2016

In reply to by Anonymous (not verified)

Permalink

Dear Tor Project developers,

https://www.torproject.org/docs/faq.html.en#SendPadding gives one arguement against content padding, and the arguement only makes sense if the padding is huge enough to seriously exhaust Tor bandwidth. But just adding a few bytes prevents knowing what page spmeone is reading. The worst case active attack could make the padding useless in some cases, but it couldn't make kt worsenthan without padding, and such active attacks would be rare since they are noticeable unlike passive attacks. No argument is given against latency padding. Just randomly adding up to a few thousandth's of a second delay to each hop would make it many times harder to passively attack Tor, and likely make a lot of active attacks harder, without making web browsing significantly slower than it already is, like a mix net would.
Obviously there aren't enough of you for this world. Just a simple "pull requests welcome" would be greatly appreciated, and/or a minor change to the FAQ, saying that there is a possibility of implementing this in the future.

Best wishes to all of you. Thank you from the bottom of my heart.

"Evil" exists in all countries. Why single out Russia when the USA and NATO are consistently responsible for the world's worst atrocities when measured by lives lost?

October 19, 2016

Permalink

How can I use obsf4bridges with Tor (and not the Tor Browser Bundle)? Can you please add by default these bridges so to ease the process?

Thank you so muh

Get the bridge from https://bridges.torprpject.org
Then find where is a torrc file for operate system you uses. It in different place in the windows, the mac, the linux, so on.
Put the bridge code inmthe torrc file and restart you computer. The link show you how format to use in torrc file. It also show other way to get the bridge... can even get by a email.

October 19, 2016

Permalink

Call your respresentatives and warn them; "don't believe clapper

He says if everyone let him use sorcery to strip us of our human rights, of our humanity, on December 1st, that he will bring 7 year of of peace

It only will be 1260 day of peace and then everything will be way worse than ever before"

Unless you haven't read a single Snowden or Wikileaks document in the last 3 years, why would you ever believe that the government would wait until 12/1? That's fairyland thinking, where we live in actual representative democracies.

It will be absolutely confirmed in a future disclosure that fascists worldwide have already been illegally hacking the end point of every single Tor user it can detect, using the obvious network signature that screams - "I care about privacy and human rights". The zombies walking around glued to their smartphones will simply shrug their shoulders and get back to tweeting about their perfect, shiny, happy Stepford lives.

And when that disclosure happens, the governments will provide themselves with retrospective immunity by using the magic word "Terrorism!", and absolving themselves of millions of felonies. Just like they did when busted for collecting (without ANY legal authority):

- All telephone meta-data;
- All browsing data;
- Personal data-sets on everyone for more than a decade;
- All emails with network splitters, NSLs, or hoovering it up off the Internet backbone;
- Collating biometric data on half the US population;
- etc etc.

October 20, 2016

Permalink

hi nick!

first of i would like to show my appreciation for all your/teams hard work with keeping everyones right for privacy and security alive. much appreaciated!

been using TOR for years now and everytime a new realease is out im scratching my head so i feel now is the time to ask and sort this confusion out.

in the blog it says "All Tor users should upgrade to this version, or to 0.2.9.4-alpha."
but when you go to see the rep list it says it instedt says "(6.5a3)" as the latest alpha version. what is it that i am missing?

when you guys say "upgrade to 0.2.8.9 or 0.2.9.4-alpha im looking for that exakt name in the rep list but cant find it. then there is directlink on frontpage wich instedt shows "6.0.5"

in total we are now up to 4 different version names, atleast 3. this gives lots of questiens. how do i know and where do i find this version when there are no direct link
for those versions and they are named differently?

best regards a confused user

October 20, 2016

Permalink

hi again nick!

when i have downloaded and extracted the tor browser package there are mainly two files showing up: (Browser) folder and (Tor Browser) run icon.

but after a while this file pops up from nowhere:
name: sedv1Dcp3
type: Binary (application/octet-stream)

what is this file?

found in version 6.0.4

however ive seen it many times before in earlier versions.

thanks in advance!

October 21, 2016

Permalink

hello .why it's not possible to create instagram Account using Tor? This was possible in earlier versions when i want to create instagram Account using tor This message appears" Sorry, something went wrong creating your account. Please try again soon."

October 21, 2016

Permalink

Tor 0.2.8.9 backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority.

It means users of TBB version 6.0.5 are vulnerable to being de-anonymized by hackers and the NSA.

I suppose the date of release of TBB that includes Tor 0.2.8.9 is November 8, 2016 because that's when Tails will release version 2.7, right?

Between now and November 8, what should we vulnerable TBB users do to protect ourselves from hackers acting on behalf of nation states such as the USA, Iran and China?

Why did nickm announce the vulnerabilities now, knowing full well that the 0.2.8.9 will be released on November 8?

October 21, 2016

Permalink

Bit off-topic but important:
is Tails out of danger?

http://dirtycow.ninja/
“Most serious” Linux privilege-escalation bug ever is under active exploit
As to who is being targeted, anyone running Linux on a web facing server is vulnerable

October 21, 2016

Permalink

Firefox 49.0.2 released.
Security fixes for Tor Browser Bundle, too?

October 22, 2016

Permalink

If Tor project cannot build each new "important" release, then can you please provide clear and up to date build instructions. I would like to build on a Linux system, but for use on Windows boxen (so, cross compile) ... if possible.

Alternatively, perhaps is there a suitable virtualbox vm of any OS to compile the latest version for win32 ourselves?

Tor will never do this.

Obfuscation is what they do best.

Why make it easy for Joe Blow to do what they do, then he wouldn't need them, then they would have no use statistics.

Do as Tor does, become as Tor is.

When you do build, don't forget to remove all the malware (auto-update, clock sync, and so on).

https://cpunks.org/

October 26, 2016

Permalink

When I start tor 2.8.7 I'm getting warnings about not using that version and I'm asked to go to torproject.org and download 2.8.9. 2.8.9 does not exist for Windows and others OS.

Congratulations for your great policy release. And I know the answer you are going to give: "compile it yourself". In that case do not ask to download tor, ask to download the source code for 2.8.9.

Just imagine if every project worked the same and users had to compile Firefox, because developers are too busy to release it themselves. Only that tor is a security program, and yet it takes months to compile and release obsolete versions.

October 28, 2016

Permalink

Please provide instructions (and keep them updated) how to compile latest version Tor and Tor Browser from source-code on Linux and Windows.

October 28, 2016

Permalink

Is it not possible for Exit-nodes to do DNS redirect and run Firefox exploit?

For example, user browses torproject.org and malicious node instead of connecting to torproject.org makes you connect to his malicious destination containing Firefox RCE exploit. In this case, HTTPS certificate would not match however exploit code would still be run.

October 30, 2016

Permalink

I have a question: I run a tor relay on ubuntu desktop, and I saw that a new update it's available. Do i need to update it? If the answer is yes, how i have to do it? Thanks :)

November 02, 2016

Permalink

Hi,

This is a minor bug and maybe it's known already..
I use 2 monitors running Win8.1 64bit:
1. 1920x1200 (main)
2. 1680x1050 (taskbar)

When I open Tor, it opens on the 2nd monitor but with the Tool&AddressBar outside the screen.
I know how to move the screen, but other users might not.
What determines the height of the browser? The main monitor resolution?

November 02, 2016

Permalink

Suggestion for the Tor Manual. Inform users that running a exit relay from their home is a bad idea.

"Should I run an exit relay from my home?

No. If law enforcement becomes interested in traffic from your exit relay, it's possible that officers will seize your computer. For that reason, it's best not to run your exit relay in your home or using your home Internet connection.

Instead, consider running your exit relay in a commercial facility that is supportive of Tor. Have a separate IP address for your exit relay, and don't route your own traffic through it."

https://www.torproject.org/eff/tor-legal-faq.html.en

November 03, 2016

Permalink

this is absolutely bag out of order, what hope for security is there, if someone makes an announcement for security issues for current build and after 3 weeks theres no update released?

So lets have our users be vulnerable until tor devs can build the binaries for the announcement above a month later?

Nice, well done guys.

November 04, 2016

Permalink

Tor browser says it's version is 6.0.5 (based on Mozilla Firefox 45.4.0) but this page says you're on 0.2.8.9

November 04, 2016

Permalink

So TBB got no updates since September 16th, 2016.

Meanwhile, a phletora of "important security fixes" were rolled out, but only for those who use the standalone tor packages.

In other words: The tech nerds got updates. John Doe, Amil Halid, Boe Jong Un and other less experienced users are left alone in the rain. Sounds legit.

November 06, 2016

Permalink

Ok, I knew it was time to upgrade everything but... Tor is afik being choked by my ISP.
Somewhere in the middle of America but that's not fooling anybody as I can't get Tor to load. Tried for about a half hour, twice. My IP address is hanging out like madonna's everything. Of course I could "cop" out and say something stupid like "if you've done nothing wrong, why should you fear the Secret Police, Citizen?"

As to an earlier question about Instagram and another about Capcha, both of them are Google properties. Capcha makes the Orwellian statement "are you a robot? prove you're human" while and at the same time using automated code to spy on everybody in the world. Instagram sounds like somebody harvesting images for the purpose of identifying everybody.

My opinion, neither of them should be accommodated by Tor. I'll try again from a different server later.

There was a youtube from one of the Defcon IS a youtube typing that is easier than backing up and editing but it's titled How The Tor Users Got Caught. Good stuff, nice and cautionary. In case anybody still thinks it's a good thing to post identifiable stuff about yourself on a system like Tor which is about anonymity. Like pictures of yourself.

November 08, 2016

Permalink

It's been three weeks now and an up to date Windows expert bundle is still not available...