Tor 0.2.9.10 is released
Tor 0.2.9.10 backports a security fix for users who build Tor with the --enable-expensive-hardening option. It also includes fixes for some major issues affecting directory authorities, LibreSSL compatibility, and IPv6 correctness.
The Tor 0.2.9.x release series is now marked as a long-term-support series. We intend to backport security fixes to 0.2.9.x until at least January of 2020.
You can download the source code from https://dist.torproject.org/ but most users should wait for next week's upcoming Tor Browser release, or for their upcoming system package updates.
Changes in version 0.2.9.10 - 2017-03-01
- Major bugfixes (directory authority, 0.3.0.3-alpha):
  - During voting, when marking a relay as a probable sybil, do not clear its BadExit flag: sybils can still be bad in other ways too. (We still clear the other flags.) Fixes bug 21108; bugfix on 0.2.0.13-alpha.
- Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
  - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects any IPv6 addresses. Instead, only reject a port over IPv6 if the exit policy rejects that port on more than an IPv6 /16 of addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, which rejected a relay's own IPv6 address by default. Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
- Major bugfixes (parsing, also in 0.3.0.4-rc):
  - Fix an integer underflow bug when comparing malformed Tor versions. This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz.
- Minor features (directory authorities, also in 0.3.0.4-rc):
- Minor features (geoip):
  - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 Country database.
- Minor features (portability, compilation, backport from 0.3.0.3-alpha):
- Minor bugfixes (code correctness, also in 0.3.0.4-rc):
  - Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278.
- Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
  - The tor-resolve command line tool now rejects hostnames over 255 characters in length. Previously, it would silently truncate them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. Patch by "junglefowl".
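The comparison-by-subtraction pattern named in the bug 21278 entries, shown next to a comparison that cannot underflow. This is an added example, not code from Tor: the ver_t struct, its field names, the helper functions and the sample values are all hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical version triple; field names are illustrative, not Tor's. */
typedef struct { int major, minor, micro; } ver_t;

/* True when the signed subtraction a - b cannot be represented in an int.
 * That is undefined behaviour in C, and a build with -ftrapv aborts on it. */
static int sub_overflows(int a, int b) {
  return (b > 0 && a < INT_MIN + b) || (b < 0 && a > INT_MAX + b);
}

/* What "return a - b;" yields on a build where the result wraps.
 * Done in unsigned arithmetic so this demo itself stays well defined. */
static int cmp_by_subtraction(int a, int b) {
  return (int)((unsigned)a - (unsigned)b);
}

/* Safe three-way comparison: relational operators only, no arithmetic. */
static int cmp_int(int a, int b) {
  return (a > b) - (a < b);
}

/* Compare two versions field by field with the safe helper. */
static int ver_cmp(const ver_t *a, const ver_t *b) {
  int r;
  if ((r = cmp_int(a->major, b->major))) return r;
  if ((r = cmp_int(a->minor, b->minor))) return r;
  return cmp_int(a->micro, b->micro);
}

int main(void) {
  /* Constructed inputs: a malformed version whose last field ended up as
   * a huge negative number, and a well-formed one. */
  ver_t bad = {0, 2, INT_MIN}, good = {0, 2, 9};
  printf("a - b underflows: %d\n", sub_overflows(bad.micro, good.micro));
  printf("wrapped a - b:    %d (sign claims bad > good)\n",
         cmp_by_subtraction(bad.micro, good.micro));
  printf("safe comparison:  %d (bad < good)\n", ver_cmp(&bad, &good));
  return 0;
}
```

On a wrapping build the subtraction only gives a wrong ordering, which matches the "harmless in other cases" wording above; with -ftrapv the same expression terminates the process.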
Comments
Please note that the comment area below has been archived.
Could you answer to the question about ControlPort:
https://blog.torproject.org/comment/reply/1297/232924
and question about exonerator:
https://blog.torproject.org/comment/reply/1306/234709
?
Thanks!
I replied with my two cents on the first one. I would be interested in hearing what the Tor people have to say.
I cannot see it yet. If anybody cares, these are the comments/questions from these threads, consequently:
https://blog.torproject.org/blog/tor-0299-released
https://blog.torproject.org/blog/tor-0303-alpha-released
I cannot see it yet.
Already got it, thanks, and replied ( on the thread https://blog.torproject.org/blog/tor-0299-released ). That would be nice if arma lets us know his opinion about ControlPort discussion.
Then, concerning the second question, I think karsten gave a good reply https://blog.torproject.org/comment/reply/1311/241421 in the thread about Atlas https://blog.torproject.org/blog/atlas-recent-improvements#comments
I wonder why my Debian jessie doesn't show an update, it's still version 0.2.9.9. I use the official onion Tor repository for apt-get. Am I the only one who has this problem?
most users should wait for next week's upcoming Tor Browser release, or for their upcoming system package updates.
They have just arrived to apt-get of Debian, Tor repo! Thanks!
I see that around the middle of September 2016 about 1 thousand bridges suddenly disappeared, then reappeared, and then disappeared again and started to grow monotonically and linearly (it looks even more artificial if you observe it from the perspective of the graph for the last years):
https://metrics.torproject.org/networksize.html?start=2016-08-06&end=20…
What is this? Do they all belong to the same entity? It is also strange that during 2015 the amount of bridges was only decreasing.
Moreover, I see that during 2013 the amount of Tor relays was continuously growing, in total the amount was increased 1.5 times. The same is true for 2014. However, during the last 2 years the amount of Tor relays is almost the same. How can it happen in natural circumstances? In addition, during half of 2015 the amount of relays was only decreasing:
https://metrics.torproject.org/networksize.html?start=2011-08-06&end=20…
I think people knowing statistics theory would say it is quite improbable behavior. Natural dependence should be close to logarithm, but what we see is very far from that.
Nice work, only 6 days until the win32 build. Thanks!
I always wondered if the dark web was real. Is this it?
Thanks