Tor 0.3.0.7 was released last week!
Hello! This release came out 11 days ago, but since the blog was down at the time, I was only able to announce on the tor-announce@ mailing list. Nevertheless, I'm copying it here in case anyone didn't see it.
Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions of Tor 0.3.0.x, where an attacker could cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade; clients are not affected.
If you build Tor from source, you can find it at the usual place on the website. Packages should be ready over the next weeks.
Changes in version 0.3.0.7 - 2017-05-15
- Major bugfixes (hidden service directory, security):
- Fix an assertion failure in the hidden service directory code, which could be used by an attacker to remotely cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade. This security issue is tracked as TROVE-2017-002. Fixes bug 22246; bugfix on 0.3.0.1-alpha.
- Minor features:
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database.
- Minor features (future-proofing):
- Tor no longer refuses to download microdescriptors or descriptors if they are listed as "published in the future". This change will eventually allow us to stop listing meaningful "published" dates in microdescriptor consensuses, and thereby allow us to reduce the resources required to download consensus diffs by over 50%. Implements part of ticket 21642; implements part of proposal 275.
- Minor bugfixes (Linux seccomp2 sandbox):
- The getpid() system call is now permitted under the Linux seccomp2 sandbox, to avoid crashing with versions of OpenSSL (and other libraries) that attempt to learn the process's PID by using the syscall rather than the VDSO code. Fixes bug 21943; bugfix on 0.2.5.1-alpha.
Comments
Please note that the comment area below has been archived.
So, hm, what's the deal with…
So, hm, what's the deal with no .*debs showing up for stable 0.3.x?
Can you please update expert…
Can you please update expert bundle link on download page?
https://dist.torproject.org/torbrowser/7.0a4/tor-win32-0.3.0.6.zip
The expert bundle gets…
The expert bundle gets updated when Tor Browser gets updated. So presumably when there's a 7.0a5 out is when there will be a newer one.
I agree that's not perfect. In the meantime, see also Linus's nightly builds:
https://people.torproject.org/~linus/builds/
Non-English nightly builds…
Non-English nightly builds are awful. It looks like no one uses them.
I would believe that no one…
I would believe that no one uses them.
If there is something wrong with them, please consider opening a ticket on https://bugs.torproject.org/ ?
Thanks.
In what regard are they…
In what regard are they awful? Which locale are you talking about? I just gave the russian bundle a try on Linux and Windows it looks to me not that different from then en-US one and a quick test did not show a different behavior.
Struggling to get into Tor…
Struggling to get into Tor for a large part of May 2017. Still can't get in. By the time it reaches the "checktor." Site, it has timed out.
No I have not downloaded the fix. I saw the message but only the message. There was no download link.
Could you be more specific…
Could you be more specific about the issues you are seeing? And what fix you are talking about?
Logs could also be very helpful. When Tor Browser is open, click the green onion button to the left of the URL bar, then click Tor Network Settings, then click Copy Tor Log To Clipboard. If you could paste the logs to somewhere like https://paste.debian.net and share the resulting link, that could be very helpful.
Error. Page cannot be…
Error. Page cannot be displayed. Please contact your service provider for more details. (32)
ISP BLOCKING TOR!
I have been away for a few…
I have been away for a few weeks and on my return TOR updated but will not open now any ideas please?