Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12 release, free software for anonymous communications

Tor 0.3.4.9

Tor 0.4.0.2-alpha, 0.3.5.8, 0.3.4.11, and 0.3.3.12 have been released. They introduce improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

Changelog

v0.3.5.8 – 2019-02-21

  • Major bugfixes (cell scheduler, KIST, security):
    • Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
  • Major bugfixes (networking, backport from 0.4.0.2-alpha):
    • Gracefully handle empty username/password fields in SOCKS5 username/password auth message and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
  • Minor features (compilation, backport from 0.4.0.2-alpha):
    • Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from “Mangix”.
  • Minor features (geoip):
    • Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 Country database. Closes ticket 29478.
  • Minor features (testing, backport from 0.4.0.2-alpha):
    • Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668.
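
The SOCKS5 username/password fix above comes down to how the auth message's length fields are parsed. The following is an added example, not Tor's own code: a minimal parser for the RFC 1929 message layout that accepts zero-length username and password fields while still rejecting truncated input. All type and function names in it are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; layout per RFC 1929: VER(0x01) ULEN UNAME PLEN PASSWD. */
enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_BAD_VERSION };

struct userpass {
    char user[256], pass[256];   /* 255 bytes max each, plus a NUL */
    size_t user_len, pass_len;   /* explicit lengths: fields may contain NUL */
    size_t consumed;             /* bytes of buf used by this message */
};

/* Parse one auth message. A zero ULEN or PLEN is accepted, not rejected. */
static enum parse_status
parse_userpass(const uint8_t *buf, size_t len, struct userpass *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 1) return PARSE_TRUNCATED;
    if (buf[0] != 0x01) return PARSE_BAD_VERSION;
    if (len < 2) return PARSE_TRUNCATED;
    size_t ulen = buf[1];
    /* The PLEN byte follows UNAME; make sure it is present before reading it. */
    if (len < 2 + ulen + 1) return PARSE_TRUNCATED;
    size_t plen = buf[2 + ulen];
    if (len < 3 + ulen + plen) return PARSE_TRUNCATED;
    memcpy(out->user, buf + 2, ulen);          /* copies nothing when ulen == 0 */
    memcpy(out->pass, buf + 3 + ulen, plen);   /* copies nothing when plen == 0 */
    out->user_len = ulen;
    out->pass_len = plen;
    out->consumed = 3 + ulen + plen;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: both fields empty. */
    const uint8_t empty_both[] = { 0x01, 0x00, 0x00 };
    struct userpass up;
    enum parse_status st = parse_userpass(empty_both, sizeof(empty_both), &up);
    printf("status=%d user_len=%zu pass_len=%zu consumed=%zu\n",
           (int)st, up.user_len, up.pass_len, up.consumed);
    return 0;
}
```
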

v0.4.0.2-alpha – 2019-02-21

  • Major bugfixes (cell scheduler, KIST, security):
    • Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.
  • Major bugfixes (networking):
    • Gracefully handle empty username/password fields in SOCKS5 username/password auth message and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
  • Major bugfixes (windows, startup):
    • When reading a consensus file from disk, detect whether it was written in text mode, and re-read it in text mode if so. Always write consensus files in binary mode so that we can map them into memory later. Previously, we had written in text mode, which confused us when we tried to map the file on Windows. Fixes bug 28614; bugfix on 0.4.0.1-alpha.
  • Minor features (compilation):
    • Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from “Mangix”.
  • Minor features (developer tooling):
    • Check that bugfix versions in changes files look like Tor versions from the versions spec. Warn when bugfixes claim to be on a future release. Closes ticket 27761.
    • Provide a git pre-commit hook that disallows committing if we have any failures in our code and changelog formatting checks. It is now available in scripts/maint/pre-commit.git-hook. Implements feature 28976.
  • Minor features (directory authority):
    • When a directory authority is using a bandwidth file to obtain bandwidth values, include the digest of that file in the vote. Closes ticket 26698.