[tor-talk] Upcoming security releases
Hello!

In around two weeks -- likely on the 14th or 15th -- we plan to put out new stable Tor releases to fix issues in all currently released versions of Tor.

There are three issues that will be fixed, with severity levels between "Medium" and "High" according to our classification system. The most severe issue, by our reckoning, is a denial-of-service issue affecting onion service clients. We'll share more details after people have time to patch.

To the best of our knowledge, these vulnerabilities are not being exploited in the wild.

Our security policy:
https://gitlab.torproject.org/legacy/trac/-/wikis/org/teams/NetworkTeam/SecurityPolicy

Our registry of vulnerabilities:
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE

The new releases will be 0.3.5.15, 0.4.4.9, 0.4.5.9, 0.4.6.5. The issues to be fixed are TROVE-2021-003 through TROVE-2021-006.

When these releases are out, we will recommend that everybody upgrade, including clients _and_ relays.

Note that Tor 0.4.4.x reaches its end-of-life on 15 June: this will be the last 0.4.4.x release.

best wishes,
--
Nick
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

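A fleet check against the fixed releases listed in the announcement above, as an added example (not part of the original post and not Tor's own tooling). It assumes releases can be ordered by their four version numbers alone, ignoring the status tag; the inventory lines and host names are constructed.

```python
import re

# Fixed releases named in the announcement, keyed by release series.
FIXED = {
    (0, 3, 5): (0, 3, 5, 15),
    (0, 4, 4): (0, 4, 4, 9),
    (0, 4, 5): (0, 4, 5, 9),
    (0, 4, 6): (0, 4, 6, 5),
}

# Series the announcement says is reaching end-of-life, with the stated date.
END_OF_LIFE = {(0, 4, 4): "15 June"}

# Four dotted numbers plus an optional status tag (-alpha, -rc, -rc-dev ...).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9-]+))?")

# Constructed sample inventory: "<host> <version or platform string>".
SAMPLE_INVENTORY = """\
# host     reported version
relay-a    Tor 0.4.5.7 on Linux
relay-b    Tor 0.4.5.9 on Linux
client-c   Tor 0.4.6.2-alpha on Linux
relay-d    Tor 0.3.5.15 on FreeBSD
bridge-e   Tor 0.4.3.8 on Linux
relay-f    Tor 0.4.4.8 on Linux
"""


def parse_version(text):
    """Return ((major, minor, micro, patch), tag) for the first version in text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Tor version found in %r" % (text,))
    return tuple(int(g) for g in m.groups()[:4]), m.group(5)


def classify(text):
    """Classify one version string against the announced fixed releases.

    Returns 'patched', 'needs-upgrade', or 'unlisted-series' when the
    announcement names no fixed release for that series.
    """
    numbers, _tag = parse_version(text)  # assumption: the tag does not affect ordering
    fixed = FIXED.get(numbers[:3])
    if fixed is None:
        return "unlisted-series"
    return "patched" if numbers >= fixed else "needs-upgrade"


def audit(inventory):
    """Map each host to (status, end_of_life_date_or_None)."""
    results = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, reported = line.split(None, 1)
        numbers, _tag = parse_version(reported)
        results[host] = (classify(reported), END_OF_LIFE.get(numbers[:3]))
    return results


if __name__ == "__main__":
    for host, (status, eol) in sorted(audit(SAMPLE_INVENTORY).items()):
        note = " (series end-of-life: %s)" % eol if eol else ""
        print("%-10s %s%s" % (host, status, note))
```

Hosts reported as "unlisted-series" run a series the announcement gives no fixed release for, so they need a manual decision rather than a point upgrade.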
[tor-talk] Tor 0.4.6.2-alpha is released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on gitlab.torproject.org.

The source code is available from the download page at https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time next week.

Here's what's new:

Changes in version 0.4.6.2-alpha - 2021-04-15
  Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several small bugs in previous releases, and solves other issues that had enabled denial-of-service attacks and affected integration with other tools.

  o Minor features (client):
    - Clients now check whether their streams are attempting to re-enter the Tor network (i.e. to send Tor traffic over Tor), and close them preemptively if they think exit relays will refuse them for this reason. See ticket 2667 for details. Closes ticket 40271.

  o Minor features (command line):
    - Add long format name "--torrc-file" equivalent to the existing command-line option "-f". Closes ticket 40324. Patch by Daniel Pinto.

  o Minor features (dormant mode):
    - Add a new 'DormantTimeoutEnabled' option to allow coarse-grained control over whether the client ever becomes dormant from inactivity. Most people won't need this. Closes ticket 40228.

  o Minor features (fallback directory list):
    - Regenerate the list of fallback directories to contain a new set of 200 relays. Closes ticket 40265.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as retrieved on 2021/04/13.

  o Minor features (logging):
    - Edit heartbeat log messages so that more of them begin with the string "Heartbeat: ". Closes ticket 40322; patch from 'cypherpunks'.

  o Minor bugfixes (bridge, pluggable transport):
    - Fix a regression that made it impossible to start Tor using a bridge line with a transport name and no fingerprint. Fixes bug 40360; bugfix on 0.4.5.4-rc.

  o Minor bugfixes (channel, DoS):
    - Fix a non-fatal BUG() message due to a too-early free of a string, when listing a client connection from the DoS defenses subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unused functions when building with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug 40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (configuration):
    - Fix pattern-matching for directories on all platforms when using %include options in configuration files. This patch also fixes compilation on musl libc based systems. Fixes bug 40141; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Move the "overload-general" line from extrainfo to the server descriptor. Fixes bug 40364; bugfix on 0.4.6.1-alpha.

  o Minor bugfixes (testing, BSD):
    - Fix pattern-matching errors when patterns expand to invalid paths on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.

  o Documentation (manual):
    - Move the ServerTransport* options to the "SERVER OPTIONS" section. Closes issue 40331.
    - Indicate that the HiddenServiceStatistics option also applies to bridges. Closes ticket 40346.
    - Move the description of BridgeRecordUsageByCountry to the section "STATISTICS OPTIONS". Closes ticket 40323.

Re: [tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
On Mon, Mar 8, 2021 at 12:12 PM Geoff Down wrote:
>
> Thanks Nick,
> btw when I recently verified the sig on the Tor source download, it said
> your key had expired.

You might need to refresh it; I've updated the expiration dates. If the keyservers aren't working for you, try https://people.torproject.org/~nickm/public_key.asc

Re: [tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
On Mon, Mar 8, 2021 at 10:54 AM Nick Mathewson wrote:
> To the best of our knowledge these vulnerabilities are not being
> supported in the wild.

Oops! I meant to say, "To the best of our knowledge these vulnerabilities are not being exploited in the wild".

[tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
Hello!

Early next week -- around Tuesday -- we plan to put out new Tor releases to fix a pair of denial-of-service issues that we have found.

We are tracking these issues as "High" and "Medium" severity respectively under our security policy at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy . We are tracking these issues as TROVE-2021-001 and TROVE-2021-002 at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE .

All currently supported Tor versions are affected. The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances.

Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being supported in the wild.

We'll be releasing more information about these issues after the fixes are available.

best wishes,
--
Nick

[tor-talk] Tor 0.4.5.5-rc is released
Hi, all!

There's a new Tor release candidate! We think this will be the last one before 0.4.5.x is stable.

The source code is available from the download page at https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the coming week.

Here's what's new:

Changes in version 0.4.5.5-rc - 2021-02-01
  Tor 0.4.5.5-rc is the third release candidate in its series. We're coming closer and closer to a stable release series. This release fixes an annoyance with address detection code, and somewhat mitigates an ongoing denial-of-service attack.

  We anticipate no more code changes between this and the stable release, though of course that could change.

  o Major feature (exit):
    - Re-entry into the network is now denied at the Exit level to all relays' ORPorts and authorities' ORPorts and DirPorts. This change should help mitigate a set of denial-of-service attacks. Closes ticket 2667.

  o Minor bugfixes (relay, configuration):
    - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort for it can be found in the configuration. Fixes bug 40254; bugfix on 0.4.5.1-alpha.

[tor-talk] New release candidate: Tor 0.4.5.4-rc
Hi, all!

There's a new release candidate! Unless we find significant new major bugs, this will probably be almost the same as the final 0.4.5.x stable release. Please test it if you can!

The source code is available from the download page at https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time around next Tuesday.

Here's what's new:

Changes in version 0.4.5.4-rc - 2021-01-22
  Tor 0.4.5.4-rc is the second release candidate in its series. It fixes several bugs present in previous releases.

  We expect that the stable release will be the same, or almost the same, as this release candidate, unless serious bugs are found.

  o Major bugfixes (authority, IPv6):
    - Do not consider multiple relays in the same IPv6 /64 network to be sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on Windows. We hope this will mitigate an issue where Windows relay operators reported Tor using 100% CPU, while we investigate better solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

  o Minor feature (build system):
    - New "make lsp" command to generate the compile_commands.json file used by the ccls language server. The "bear" program is needed for this. Closes ticket 40227.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the consensus voting process, and while processing relay descriptors. Closes ticket 40245.
    - Reject obsolete router/extrainfo descriptors earlier and more quietly, to avoid spamming the logs. Fixes bug 40238; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (compilation):
    - Fix another warning about unreachable fallthrough annotations when building with "--enable-all-bugs-are-fatal" on some compilers. Fixes bug 40241; bugfix on 0.4.5.3-rc.
    - Change the linker flag ordering in our library search code so that it works for compilers that need the libraries to be listed in the right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha.

  o Minor bugfixes (config, bridge):
    - Don't initiate a connection to a bridge configured to use a missing transport. This change reverts an earlier fix that would try to avoid such situations during configuration checking, but which doesn't work with DisableNetwork. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when establishing a circuit to an onion service. Fixes bug 32666; bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - If we were unable to build our descriptor, don't mark it as having been advertised. Also remove a harmless BUG(). Fixes bug 40231; bugfix on 0.4.5.1-alpha.

Re: [tor-talk] Connection padding set to 1 vs auto
On Sat, Aug 8, 2020 at 3:59 PM proc...@riseup.net wrote:
>
> Hi. I was wondering if setting the connection padding setting in torrc
> to 1 instead of auto has any benefit in protecting against a passive
> adversary outside the Tor network.

I don't think it'll have much effect? The "auto" option means "pad when padding is negotiated"; the "1" option means "pad even if the relay doesn't have padding support." But all currently supported relay versions ought to have padding support, so there shouldn't be a difference, in theory.

If I understand correctly (and Mike could correct me here), in its current form, the ConnectionPadding option helps against ISPs who are using common flow-logging settings on their internet routers, or against after-the-fact adversaries who get access to these logs later on. It isn't so useful against an adversary who has set up better logging in advance. (Mike, did I get this right?)

cheers,
--
Nick

[tor-talk] Tor 0.4.4.3-alpha is released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the download page at https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by mid-August.

Here's what's new:

Changes in version 0.4.4.3-alpha - 2020-07-27
  Tor 0.4.4.3-alpha fixes several annoyances in previous versions, including one affecting NSS users, and several affecting the Linux seccomp2 sandbox.

  o Major features (fallback directory list):
    - Replace the 148 fallback directories originally included in Tor 0.4.1.4-rc (of which around 105 are still functional) with a list of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (NSS):
    - When running with NSS enabled, make sure that NSS knows to expect nonblocking sockets. Previously, we set our TCP sockets as nonblocking, but did not tell NSS, which in turn could lead to unexpected blocking behavior. Fixes bug 40035; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a regression on sandboxing rules for the openat() syscall. The fix for bug 25440 fixed the problem on systems with glibc >= 2.27 but broke with versions of glibc. We now choose a rule based on the glibc version. Patch from Daniel Pinto. Fixes bug 27315; bugfix on 0.3.5.11.
    - Makes the seccomp sandbox allow the correct syscall for opendir according to the running glibc version. This fixes crashes when reloading torrc with sandbox enabled when running on glibc 2.15 to 2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix on 0.3.5.11.

  o Minor bugfixes (relay, usability):
    - Adjust the rules for when to warn about having too many connections to other relays. Previously we'd tolerate up to 1.5 connections per relay on average. Now we tolerate more connections for directory authorities, and raise the number of total connections we need to see before we warn. Fixes bug 33880; bugfix on 0.3.1.1-alpha.

  o Documentation:
    - Replace most http:// URLs in our code and documentation with https:// URLs. (We have left unchanged the code in src/ext/, and the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.

  o Removed features:
    - Our "check-local" test target no longer tries to use the Coccinelle semantic patching tool to parse all the C files. While it is a good idea to try to make sure Coccinelle works on our C before we run a Coccinelle patch, doing so on every test run has proven to be disruptive. You can still run this tool manually with "make check-cocci". Closes ticket 40030.

[tor-talk] Tor 0.4.4.1-alpha is released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on the bugtracker (or here, while we're getting the new bugtracker working).

The source code is available from the download page on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by early July.

Here's what's new:

Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series. It improves our guard selection algorithms, improves the amount of code that can be disabled when running without relay support, and includes numerous small bugfixes and enhancements. It also lays the ground for some IPv6 features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
    - Implements Proposal 310, "Bandaid on guard selection". Proposal 310 solves load-balancing issues with older versions of the guard selection algorithm, and improves its security. Under this new algorithm, a newly selected guard never becomes Primary unless all previously sampled guards are unreachable. Implements recommendation from 32088. (Proposal 310 is linked to the CLAPS project researching optimal client location-aware path selections. This project is a collaboration between the UCLouvain Crypto Group, the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
    - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol warning if the IPv4 or IPv6 address is an internal address, and internal addresses are not allowed. But continue to use the other address, if it is valid. Closes ticket 33817.
    - If a relay can extend over IPv4 and IPv6, and both addresses are provided, it chooses between them uniformly at random. Closes ticket 33817.
    - Re-use existing IPv6 connections for circuit extends. Closes ticket 33817.
    - Relays may extend circuits over IPv6, if the relay has an IPv6 ORPort, and the client supplies the other relay's IPv6 ORPort in the EXTEND2 cell. IPv6 extends will be used by the relay IPv6 ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
    - Allow v3 onion services to act as OnionBalance backend instances, by using the HiddenServiceOnionBalanceInstance torrc option. Closes ticket 32709.

  o Minor feature (developer tools):
    - Add a script to help check the alphabetical ordering of option names in the manual page. Closes ticket 9.

  o Minor feature (onion service client, SOCKS5):
    - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that report back new types of onion service connection failures. The semantics of these error codes are documented in proposal 309. Closes ticket 32542.

  o Minor feature (onion service v3):
    - If a service cannot upload its descriptor(s), log why at INFO level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.

  o Minor feature (python scripts):
    - Stop assuming that /usr/bin/python exists. Instead of using a hardcoded path in scripts that still use Python 2, use /usr/bin/env, similarly to the scripts that use Python 3. Fixes bug 33192; bugfix on 0.4.2.

  o Minor features (client-only compilation):
    - Disable more code related to the ext_orport protocol when compiling without support for relay mode. Closes ticket 33368.
    - Disable more of our self-testing code when support for relay mode is disabled. Closes ticket 33370.

  o Minor features (code safety):
    - Check for failures of tor_inet_ntop() and tor_inet_ntoa() functions in DNS and IP address processing code, and adjust codepaths to make them less likely to crash entire Tor instances. Resolves issue 33788.

  o Minor features (compilation size):
    - Most server-side DNS code is now disabled when building without support for relay mode. Closes ticket 33366.

  o Minor features (continuous integration):
    - Run unit-test and integration test (Stem, Chutney) jobs with ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor. Resolves ticket 32143.

  o Minor features (control port):
    - Return a descriptive error message from the 'GETINFO status/fresh-relay-descs' command on the control port. Previously, we returned a generic error of "Error generating descriptor". Closes ticket 32873. Patch by Neel Chauhan.

  o Minor features (developer tooling):
    - Refrain from listing all .a files that are generated by the Tor build in .gitignore. Add a single wildcard *.a entry that covers all of them for present and future. Closes ticket

Re: [tor-talk] Tor Post-Quantum Cryptography
On Sun, May 3, 2020 at 6:42 PM bo0od wrote:
>
> I wonder if Tor has a roadmap for applying pqc into their design, great
> to see that some projects trying to add it for experimental state:
>

Hi! There are several proposals for this:

https://gitweb.torproject.org/torspec.git/tree/proposals/263-ntru-for-pq-handshake.txt
https://gitweb.torproject.org/torspec.git/tree/proposals/269-hybrid-handshake.txt
https://gitweb.torproject.org/torspec.git/tree/proposals/270-newhope-hybrid-handshake.txt

We don't have a current implementation timeline for these. Step one in any one of them would be implementing:

https://gitweb.torproject.org/torspec.git/tree/proposals/249-large-create-cells.txt

or something similar such as:

https://github.com/nmathewson/walking-onions-wip/blob/master/other-proposals/xxx-wide-everything.md

hth,
--
Nick

[tor-talk] New alpha release: 0.4.3.3-alpha (with security fix)
Hello!

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.3-alpha from the download page on the website. Packages should be available over the coming days, including a new alpha Tor Browser release.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

(There are also three stable releases coming out today: 0.3.5.10, 0.4.1.9, and 0.4.2.7. Stable releases get announced on the tor-announce@ mailing list.)

These releases fix a couple of denial-of-service vulnerabilities. Everybody running an older version should upgrade as packages become available.

Below is the full changelog for 0.4.3.3-alpha.

Changes in version 0.4.3.3-alpha - 2020-03-18
  Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor instances to consume a huge amount of CPU, disrupting their operations for several seconds or minutes. This attack could be launched by anybody against a relay, or by a directory cache against any client that had connected to it. The attacker could launch this attack as much as they wanted, thereby disrupting service or creating patterns that could aid in traffic analysis. This issue was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being exploited in the wild, but nonetheless we advise everyone to upgrade as soon as packages are available.

  o Major bugfixes (security, denial-of-service):
    - Fix a denial-of-service bug that could be used by anyone to consume a bunch of CPU on any Tor relay or authority, or by directories to consume a bunch of CPU on clients or hidden services. Because of the potential for CPU consumption to introduce observable timing patterns, we are treating this as a high-severity security issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak):
    - Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority):
    - Directory authorities will now send a 503 (not enough bandwidth) code to clients when under bandwidth pressure. Known relays and other authorities will always be answered regardless of the bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (diagnostic):
    - Improve assertions and add some memory-poisoning code to try to track down possible causes of a rare crash (32564) in the EWMA code. Closes ticket 33290.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors from relays running Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is still allowed. Resolves ticket 32672. Patch by Neel Chauhan.

  o Minor features (usability):
    - Include more information when failing to parse a configuration value. This should make it easier to tell what's going wrong when a configuration file doesn't parse. Closes ticket 33460.

  o Minor bugfix (relay, configuration):
    - Warn if the ContactInfo field is not set, and tell the relay operator that not having a ContactInfo field set might cause their relay to get rejected in the future. Fixes bug 33361; bugfix on 0.1.1.10-alpha.

  o Minor bugfixes (coding best practices checks):
    - Allow the "practracker" script to read unicode files when using Python 2. We made the script use unicode literals in 0.4.3.1-alpha, but didn't change the codec for opening files. Fixes bug 33374; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (continuous integration):
    - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix on 0.3.2.2-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() warning that would cause a stack trace if an onion service descriptor was freed while we were waiting for a rendezvous circuit to complete. Fixes bug 28992; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion services v3):
    - Fix an assertion failure that could result from a corrupted ADD_ONION control port command. Found by Saibato. Fixes bug 33137; bugfix on 0.3.3.1-alpha. This issue is also tracked as TROVE-2020-003.

  o Documentation (manpage):
    - Alphabetize the Server and Directory server sections of the tor manpage. Also split Statistics options into their own

[tor-talk] Upcoming Tor security releases to fix a denial-of-service issue
Hello!

Some time this week, we currently plan to put out a set of security updates for all supported versions of Tor. These releases will fix a pair of denial-of-service bugs: one that we are classifying at "low" severity, and one that we are classifying at "high" severity. Our recommendation will be for everybody, including relays and clients, to upgrade once packages are available for their platforms.

Although these vulnerabilities are "only" denial-of-service issues, any denial-of-service attack against Tor could be leveraged by an attacker to aid in a traffic analysis attack.

To the best of our knowledge, these vulnerabilities are not being exploited in the wild.

Currently supported release series are 0.3.5, 0.4.1, 0.4.2, and 0.4.3 (alpha). If you have not yet upgraded to one of those, the time to do so is soon.

For our policy and process for handling security issues, please see:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

best wishes,
--
Nick

[tor-talk] New alpha release: Tor 0.4.3.2-alpha
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on https://www.torproject.org/download/tor/ . If you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the coming week.

Here's what's new:

Changes in version 0.4.3.2-alpha - 2020-02-10
  This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade, and look for bugs in this one instead.

  o Major bugfixes (onion service client, authorization):
    - On a NEWNYM signal, purge entries from the ephemeral client authorization cache. The permanent ones are kept. Fixes bug 33139; bugfix on 0.4.3.1-alpha.

  o Minor features (best practices tracker):
    - Practracker now supports a --regen-overbroad option to regenerate the exceptions file, but only to revise exceptions to be _less_ tolerant of best-practices violations. Closes ticket 32372.

  o Minor features (continuous integration):
    - Run Doxygen Makefile target on Travis, so we can learn about regressions in our internal documentation. Closes ticket 32455.
    - Stop allowing failures on the Travis CI stem tests job. It looks like all the stem hangs we were seeing before are now fixed. Closes ticket 33075.

  o Minor bugfixes (build system):
    - Revise configure options that were either missing or incorrect in the configure summary. Fixes bug 32230; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (controller protocol):
    - Fix a memory leak introduced by refactoring of control reply formatting code. Fixes bug 33039; bugfix on 0.4.3.1-alpha.
    - Fix a memory leak in GETINFO responses. Fixes bug 33103; bugfix on 0.4.3.1-alpha.
    - When receiving "ACTIVE" or "DORMANT" signals on the control port, report them as SIGNAL events. Previously we would log a bug warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (logging):
    - If we encounter a bug when flushing a buffer to a TLS connection, only log the bug once per invocation of the Tor process. Previously we would log with every occurrence, which could cause us to run out of disk space. Fixes bug 33093; bugfix on 0.3.2.2-alpha.
    - When logging a bug, do not say "Future instances of this warning will be silenced" unless we are actually going to silence them. Previously we would say this whenever a BUG() check failed in the code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (onion service v2):
    - Move a series of v2 onion service warnings to protocol-warning level because they can all be triggered remotely by a malformed request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.

  o Minor bugfixes (onion service v3, client authorization):
    - When removing client authorization credentials using the control port, also remove the associated descriptor, so the onion service can no longer be contacted. Fixes bug 33148; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (pluggable transports):
    - When receiving a message on standard error from a pluggable transport, log it at info level, rather than as a warning. Fixes bug 33005; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (rust, build):
    - Fix a syntax warning given by newer versions of Rust that was creating problems for our continuous integration. Fixes bug 33212; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (TLS bug handling):
    - When encountering a bug in buf_read_from_tls(), return a "MISC" error code rather than "WANTWRITE". This change might help avoid some CPU-wasting loops if the bug is ever triggered. Bug reported by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.

  o Code simplification and refactoring (mainloop):
    - Simplify the ip_address_changed() function by removing redundant checks. Closes ticket 33091.

  o Documentation (manpage):
    - Split "Circuit Timeout" options and "Node Selection" options into their own sections of the tor manpage. Closes tickets 32928 and 32929. Work by Swati Thacker as part of Google Season of Docs.

[tor-talk] Tor 0.4.2.4-rc is released
Hi, all! There's a new Tor release candidate! Because it's a release candidate, we'd really like to know about any remaining bugs in it, so we can try to fix them before calling the series stable. As usual you can report bugs on trac.torproject.org. The source code is available from the usual place at https://www.torproject.org/download/tor/; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by December 3. Here's what's new: Changes in version 0.4.2.4-rc - 2019-11-15 Tor 0.4.2.4-rc is the first release candidate in its series. It fixes several bugs from earlier versions, including a few that would result in stack traces or incorrect behavior. o Minor features (build system): - Make pkg-config use --prefix when cross-compiling, if PKG_CONFIG_PATH is not set. Closes ticket 32191. o Minor features (geoip): - Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2 Country database. Closes ticket 32440. o Minor bugfixes (client, onion service v3): - Fix a BUG() assertion that occurs within a very small race window between when a client intro circuit opens and when its descriptor gets cleaned up from the cache. The circuit is now closed early, which will trigger a re-fetch of the descriptor and continue the connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha. o Minor bugfixes (code quality): - Fix "make check-includes" so it runs correctly on out-of-tree builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha. o Minor bugfixes (configuration): - Log the option name when skipping an obsolete option. Fixes bug 32295; bugfix on 0.4.2.1-alpha. o Minor bugfixes (crash): - When running Tor with an option like --verify-config or --dump-config that does not start the event loop, avoid crashing if we try to exit early because of an error. Fixes bug 32407; bugfix on 0.3.3.1-alpha. 
o Minor bugfixes (directory): - When checking if a directory connection is anonymous, test if the circuit was marked for close before looking at its channel. This avoids a BUG() stacktrace if the circuit was previously closed. Fixes bug 31958; bugfix on 0.4.2.1-alpha. o Minor bugfixes (shellcheck): - Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug 32402; bugfix on 0.4.2.1-alpha. - Start checking most scripts for shellcheck errors again. Fixes bug 32402; bugfix on 0.4.2.1-alpha. o Testing (continuous integration): - Use Ubuntu Bionic images for our Travis CI builds, so we can get a recent version of coccinelle. But leave chutney on Ubuntu Trusty, until we can fix some Bionic permissions issues (see ticket 32240). Related to ticket 31919. - Install the mingw OpenSSL package in Appveyor. This makes sure that the OpenSSL headers and libraries match in Tor's Appveyor builds. (This bug was triggered by an Appveyor image update.) Fixes bug 32449; bugfix on 0.3.5.6-rc. - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
[tor-talk] Tor 0.4.2.3-alpha is released
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in a couple of weeks. Here's what's new: Changes in version 0.4.2.3-alpha - 2019-10-24 This release fixes several bugs from the previous alpha release, and from earlier versions of Tor. o Major bugfixes (relay): - Relays now respect their AccountingMax bandwidth again. When relays entered "soft" hibernation (which typically starts when we've hit 90% of our AccountingMax), we had stopped checking whether we should enter hard hibernation. Soft hibernation refuses new connections and new circuits, but the existing circuits can continue, meaning that relays could have exceeded their configured AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha. o Major bugfixes (v3 onion services): - Onion services now always use the exact number of intro points configured with the HiddenServiceNumIntroductionPoints option (or fewer if nodes are excluded). Before, a service could sometimes pick more intro points than configured. Fixes bug 31548; bugfix on 0.3.2.1-alpha. o Minor feature (onion services, control port): - The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3 (v3) onion services. Previously it defaulted to RSA1024 (v2). Closes ticket 29669. o Minor features (testing): - When running tests that attempt to look up hostnames, replace the libc name lookup functions with ones that do not actually touch the network. This way, the tests complete more quickly in the presence of a slow or missing DNS resolver. Closes ticket 31841. 
o Minor features (testing, continuous integration): - Disable all but one Travis CI macOS build, to mitigate slow scheduling of Travis macOS jobs. Closes ticket 32177. - Run the chutney IPv6 networks as part of Travis CI. Closes ticket 30860. - Simplify the Travis CI build matrix, and optimise for build time. Closes ticket 31859. - Use Windows Server 2019 instead of Windows Server 2016 in our Appveyor builds. Closes ticket 32086. o Minor bugfixes (build system): - Interpret "--disable-module-dirauth=no" correctly. Fixes bug 32124; bugfix on 0.3.4.1-alpha. - Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix on 0.2.0.20-rc. - Stop failing when jemalloc is requested, but tcmalloc is not found. Fixes bug 32124; bugfix on 0.3.5.1-alpha. - When pkg-config is not installed, or a library that depends on pkg-config is not found, tell the user what to do to fix the problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha. o Minor bugfixes (connections): - Avoid trying to read data from closed connections, which can cause needless loops in Libevent and infinite loops in Shadow. Fixes bug 30344; bugfix on 0.1.1.1-alpha. o Minor bugfixes (error handling): - Always lock the backtrace buffer before it is used. Fixes bug 31734; bugfix on 0.2.5.3-alpha. o Minor bugfixes (mainloop, periodic events, in-process API): - Reset the periodic events' "enabled" flag when Tor is shut down cleanly. Previously, this flag was left on, which caused periodic events not to be re-enabled when Tor was relaunched in-process with tor_api.h after a shutdown. Fixes bug 32058; bugfix on 0.3.3.1-alpha. o Minor bugfixes (process management): - Remove overly strict assertions that triggered when a pluggable transport failed to launch. Fixes bug 31091; bugfix on 0.4.0.1-alpha. - Remove an assertion in the Unix process backend. This assertion would trigger when we failed to find the executable for a child process. Fixes bug 31810; bugfix on 0.4.0.1-alpha. 
o Minor bugfixes (testing): - Avoid intermittent test failures due to a test that had relied on inconsistent timing sources. Fixes bug 31995; bugfix on 0.3.1.3-alpha. - When testing port rebinding, don't busy-wait for tor to log. Instead, actually sleep for a short time before polling again. Also improve the formatting of control commands and log messages. Fixes bug 31837; bugfix on 0.3.5.1-alpha. o Minor bugfixes (tls, logging): - Log bugs about the TLS read buffer's length only once, rather than filling the logs with similar warnings. Fixes bug 31939; bugfix on 0.3.0.4-rc. o Minor bugfixes (v3 onion services): - Fix an implicit conversion from ssize_t to size_t discovered by Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha. - Fix a memory leak in an
[tor-talk] Tor 0.4.2.2-alpha is released
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available from the usual place at https://www.torproject.org/download/tor/; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next couple of weeks. Here's what's new: Changes in version 0.4.2.2-alpha - 2019-10-07 This release fixes several bugs from the previous alpha release, and from earlier versions. It also includes a change in authorities, so that they begin to reject the currently unsupported release series. o Major features (directory authorities): - Directory authorities now reject relays running all currently deprecated release series. The currently supported release series are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549. o Major bugfixes (embedded Tor): - Avoid a possible crash when restarting Tor in embedded mode and enabling a different set of publish/subscribe messages. Fixes bug 31898; bugfix on 0.4.1.1-alpha. o Major bugfixes (torrc parsing): - Stop ignoring torrc options after an %include directive, when the included directory ends with a file that does not contain any config options (but does contain comments or whitespace). Fixes bug 31408; bugfix on 0.3.1.1-alpha. o Minor features (auto-formatting scripts): - When annotating C macros, never generate a line that our check- spaces script would reject. Closes ticket 31759. - When annotating C macros, try to remove cases of double-negation. Closes ticket 31779. o Minor features (continuous integration): - When building on Appveyor and Travis, pass the "-k" flag to make, so that we are informed of all compilation failures, not just the first one or two. Closes ticket 31372. 
o Minor features (geoip): - Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2 Country database. Closes ticket 31931. o Minor features (maintenance scripts): - Add a Coccinelle script to detect bugs caused by incrementing or decrementing a variable inside a call to log_debug(). Since log_debug() is a macro whose arguments are conditionally evaluated, it is usually an error to do this. One such bug was 30628, in which SENDME cells were miscounted by a decrement operator inside a log_debug() call. Closes ticket 30743. o Minor features (onion services v3): - Assist users who try to setup v2 client authorization in v3 onion services by pointing them to the right documentation. Closes ticket 28966. o Minor bugfixes (Appveyor continuous integration): - Avoid spurious errors when Appveyor CI fails before the install step. Fixes bug 31884; bugfix on 0.3.4.2-alpha. o Minor bugfixes (best practices tracker): - When listing overbroad exceptions, do not also list problems, and do not list insufficiently broad exceptions. Fixes bug 31338; bugfix on 0.4.2.1-alpha. o Minor bugfixes (controller protocol): - Fix the MAPADDRESS controller command to accept one or more arguments. Previously, it required two or more arguments, and ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha. o Minor bugfixes (logging): - Add a missing check for HAVE_PTHREAD_H, because the backtrace code uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha. - Disable backtrace signal handlers when shutting down tor. Fixes bug 31614; bugfix on 0.2.5.2-alpha. - Rate-limit the logging message about the obsolete .exit notation. Previously, there was no limit on this warning, which could potentially be triggered many times by a hostile website. Fixes bug 31466; bugfix on 0.2.2.1-alpha. - When initialising log domain masks, only set known log domains. Fixes bug 31854; bugfix on 0.2.1.1-alpha. 
o Minor bugfixes (logging, protocol violations): - Do not log a nonfatal assertion failure when receiving a VERSIONS cell on a connection using the obsolete v1 link protocol. Log a protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha. o Minor bugfixes (modules): - Explain what the optional Directory Authority module is, and what happens when it is disabled. Fixes bug 31825; bugfix on 0.3.4.1-alpha. o Minor bugfixes (multithreading): - Avoid some undefined behaviour when freeing mutexes. Fixes bug 31736; bugfix on 0.0.7. o Minor bugfixes (relay): - Avoid crashing when starting with a corrupt keys directory where the old ntor key and the new ntor key are identical. Fixes bug 30916; bugfix on 0.2.4.8-alpha. o Minor bugfixes (tests, SunOS): - Avoid a map_anon_nofork test failure due to a signed/unsigned
[tor-talk] Tor 0.4.1.4-rc is released
Hi! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available at https://www.torproject.org/download/tor/; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next month. Here's what's new: Changes in version 0.4.1.4-rc - 2019-07-25 Tor 0.4.1.4-rc fixes a few bugs from previous versions of Tor, and updates to a new list of fallback directories. If no new bugs are found, the next release in the 0.4.1.x series should be stable. o Major bugfixes (circuit build, guard): - When considering upgrading circuits from "waiting for guard" to "open", always ignore circuits that are marked for close. Otherwise, we can end up in the situation where a subsystem is notified that a closing circuit has just opened, leading to undesirable behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha. o Minor features (continuous integration): - Our Travis configuration now uses Chutney to run some network integration tests automatically. Closes ticket 29280. o Minor features (fallback directory list): - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc in December 2018 (of which ~122 were still functional), with a list of 148 fallbacks (70 new, 78 existing, 79 removed) generated in June 2019. Closes ticket 28795. o Minor bugfixes (circuit padding): - On relays, properly check that a padding machine is absent before logging a warning about it being absent. Fixes bug 30649; bugfix on 0.4.1.1-alpha. - Add two NULL checks in unreachable places to silence Coverity (CID 144729 and 1447291) and better future-proof ourselves. Fixes bug 31024; bugfix on 0.4.1.1-alpha. o Minor bugfixes (crash on exit): - Avoid a set of possible code paths that could try to use freed memory in routerlist_free() while Tor was exiting. 
Fixes bug 31003; bugfix on 0.1.2.2-alpha. o Minor bugfixes (logging): - Fix a conflict between the flag used for messaging-domain log messages, and the LD_NO_MOCK testing flag. Fixes bug 31080; bugfix on 0.4.1.1-alpha. o Minor bugfixes (memory leaks): - Fix a trivial memory leak when parsing an invalid value from a download schedule in the configuration. Fixes bug 30894; bugfix on 0.3.4.1-alpha. o Code simplification and refactoring: - Remove some dead code from circpad_machine_remove_token() to fix some Coverity warnings (CID 1447298). Fixes bug 31027; bugfix on 0.4.1.1-alpha.
[tor-talk] Tor 0.4.1.3-alpha is released
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available from the usual place at https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next two weeks. Here's what's new: Changes in version 0.4.1.3-alpha - 2019-06-25 Tor 0.4.1.3-alpha resolves numerous bugs left over from the previous alpha, most of them from earlier release series. o Major bugfixes (Onion service reachability): - Properly clean up the introduction point map when circuits change purpose from onion service circuits to pathbias, measurement, or other circuit types. This should fix some service-side instances of introduction point failure. Fixes bug 29034; bugfix on 0.3.2.1-alpha. o Minor features (geoip): - Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2 Country database. Closes ticket 30852. o Minor features (logging): - Give a more useful assertion failure message if we think we have minherit() but we fail to make a region non-inheritable. Give a compile-time warning if our support for minherit() is incomplete. Closes ticket 30686. o Minor bugfixes (circuit isolation): - Fix a logic error that prevented the SessionGroup sub-option from being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha. o Minor bugfixes (continuous integration): - Allow the test-stem job to fail in Travis, because it sometimes hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha. - Skip test_rebind on macOS in Travis, because it is unreliable on macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha. - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha. 
o Minor bugfixes (directory authorities): - Stop crashing after parsing an unknown descriptor purpose annotation. We think this bug can only be triggered by modifying a local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha. o Minor bugfixes (pluggable transports): - When running as a bridge with pluggable transports, always publish pluggable transport information in our extrainfo descriptor, even if ExtraInfoStatistics is 0. This information is needed by BridgeDB. Fixes bug 30956; bugfix on 0.4.1.1-alpha. o Documentation: - Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md. Closes ticket 30630.
[tor-talk] New release: Tor 0.4.1.2-alpha
There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available from https://www.torproject.org/download/tor/ ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time next week. Here's what's new: Changes in version 0.4.1.2-alpha - 2019-06-06 Tor 0.4.1.2-alpha resolves numerous bugs--some of them from the previous alpha, and some much older. It also contains minor testing improvements, and an improvement to the security of our authenticated SENDME implementation. o Major bugfixes (bridges): - Consider our directory information to have changed when our list of bridges changes. Previously, Tor would not re-compute the status of its directory information when bridges changed, and therefore would not realize that it was no longer able to build circuits. Fixes part of bug 29875. - Do not count previously configured working bridges towards our total of working bridges. Previously, when Tor's list of bridges changed, it would think that the old bridges were still usable, and delay fetching router descriptors for the new ones. Fixes part of bug 29875; bugfix on 0.3.0.1-alpha. o Major bugfixes (flow control, SENDME): - Decrement the stream-level package window after packaging a cell. Previously, it was done inside a log_debug() call, meaning that if debug logs were not enabled, the decrement would never happen, and thus the window would be out of sync with the other end point. Fixes bug 30628; bugfix on 0.4.1.1-alpha. o Major bugfixes (onion service reachability): - Properly clean up the introduction point map and associated state when circuits change purpose from onion service circuits to pathbias, measurement, or other circuit types. This may fix some instances of introduction point failure. 
Fixes bug 29034; bugfix on 0.3.2.1-alpha. o Minor features (authenticated SENDME): - Ensure that there is enough randomness on every circuit to prevent an attacker from successfully predicting the hashes they will need to include in authenticated SENDME cells. At a random interval, if we have not sent randomness already, we now leave some extra space at the end of a cell that we can fill with random bytes. Closes ticket 26846. o Minor features (continuous integration): - When running coverage builds on Travis, we now set TOR_TEST_RNG_SEED, to avoid RNG-based coverage differences. Part of ticket 28878. o Minor features (maintenance): - Add a new "make autostyle" target that developers can use to apply all automatic Tor style and consistency conversions to the codebase. Closes ticket 30539. o Minor features (testing): - The circuitpadding tests now use a reproducible RNG implementation, so that if a test fails, we can learn why. Part of ticket 28878. - Tor's tests now support an environment variable, TOR_TEST_RNG_SEED, to set the RNG seed for tests that use a reproducible RNG. Part of ticket 28878. - When running tests in coverage mode, take additional care to make our coverage deterministic, so that we can accurately track changes in code coverage. Closes ticket 30519. o Minor bugfixes (configuration, proxies): - Fix a bug that prevented us from supporting SOCKS5 proxies that want authentication along with configured (but unused!) ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. o Minor bugfixes (controller): - POSTDESCRIPTOR requests should work again. Previously, they were broken if a "purpose=" flag was specified. Fixes bug 30580; bugfix on 0.4.1.1-alpha. - Repair the HSFETCH command so that it works again. Previously, it expected a body when it shouldn't have. Fixes bug 30646; bugfix on 0.4.1.1-alpha. o Minor bugfixes (developer tooling): - Fix pre-push hook to allow fixup and squash commits when pushing to non-upstream git remote. 
Fixes bug 30286; bugfix on 0.4.0.1-alpha. o Minor bugfixes (directory authority): - Move the "bandwidth-file-headers" line in directory authority votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on 0.3.5.1-alpha. o Minor bugfixes (NetBSD): - Fix usage of minherit() on NetBSD and other platforms that define MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug 30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell. o Minor bugfixes (out-of-memory handler): - When purging the DNS cache because of an out-of-memory condition, try purging just the older entries at first. Previously, we would always purge the whole
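The bug 30628 entry in the 0.4.1.2-alpha changelog above, and the Coccinelle note in the 0.4.2.2-alpha changelog, describe the same hazard: a state change written inside an argument of a logging macro that only evaluates its arguments when debug logging is on. The C example below is added here for illustration and is not Tor's code; LOG_DEBUG, WINDOW_START and the function names are constructed stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins for illustration; not Tor's logging code. */
static int debug_enabled = 0;

/* Like many logging macros, this evaluates its arguments only when the
 * debug level is on, so side effects in the arguments are conditional. */
#define LOG_DEBUG(...) \
  do { if (debug_enabled) fprintf(stderr, __VA_ARGS__); } while (0)

#define WINDOW_START 500  /* constructed starting window size */

/* Buggy pattern: the decrement lives inside the macro's argument list,
 * so it only happens when debug logging is enabled. */
static void package_cell_buggy(int *package_window)
{
  LOG_DEBUG("packaged cell; window now %d\n", --(*package_window));
}

/* Fixed pattern: update the state first, then log the resulting value. */
static void package_cell_fixed(int *package_window)
{
  --(*package_window);
  LOG_DEBUG("packaged cell; window now %d\n", *package_window);
}

typedef void (*package_fn)(int *);

/* Package ncells cells and return how far the sender's window has drifted
 * from the peer's view. The peer counts every cell it actually receives,
 * so its view always ends at WINDOW_START - ncells. */
static int window_drift(package_fn package, int debug, int ncells)
{
  int sender_window = WINDOW_START;
  int peer_view = WINDOW_START;

  debug_enabled = debug;
  for (int i = 0; i < ncells; i++) {
    package(&sender_window);
    peer_view--;
  }
  debug_enabled = 0;
  return sender_window - peer_view;
}

int main(void)
{
  printf("buggy, debug off: drift %d\n",
         window_drift(package_cell_buggy, 0, 10));
  printf("buggy, debug on:  drift %d\n",
         window_drift(package_cell_buggy, 1, 10));
  printf("fixed, debug off: drift %d\n",
         window_drift(package_cell_fixed, 0, 10));
  printf("fixed, debug on:  drift %d\n",
         window_drift(package_cell_fixed, 1, 10));
  return 0;
}
```

The buggy variant only stays in sync when debug logging is enabled, which is why this class of bug tends to vanish while it is being debugged.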
[tor-talk] Tor 0.4.1.1-alpha is released
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org. The source code is available from the usual place at https://www.torproject.org/download/tor/; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next couple of weeks. Here's what's new: Changes in version 0.4.1.1-alpha - 2019-05-22 This is the first alpha in the 0.4.1.x series. It introduces lightweight circuit padding to make some onion-service circuits harder to distinguish, includes a new "authenticated SENDME" feature to make certain denial-of-service attacks more difficult, and improves performance in several areas. o Major features (circuit padding): - Onion service clients now add padding cells at the start of their INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic look more like general purpose Exit traffic. The overhead for this is 2 extra cells in each direction for RENDEZVOUS circuits, and 1 extra upstream cell and 10 downstream cells for INTRODUCE circuits. This feature is only enabled when also supported by the circuit's middle node. (Clients may specify fixed middle nodes with the MiddleNodes option, and may force-disable this feature with the CircuitPadding torrc.) Closes ticket 28634. o Major features (code organization): - Tor now includes a generic publish-subscribe message-passing subsystem that we can use to organize intermodule dependencies. We hope to use this to reduce dependencies between modules that don't need to be related, and to generally simplify our codebase. Closes ticket 28226. o Major features (controller protocol): - Controller commands are now parsed using a generalized parsing subsystem. Previously, each controller command was responsible for parsing its own input, which led to strange inconsistencies. 
Closes ticket 30091. o Major features (flow control): - Implement authenticated SENDMEs as detailed in proposal 289. A SENDME cell now includes the digest of the traffic that it acknowledges, so that once an end point receives the SENDME, it can confirm the other side's knowledge of the previous cells that were sent, and prevent certain types of denial-of-service attacks. This behavior is controlled by two new consensus parameters: see the proposal for more details. Fixes ticket 26288. o Major features (performance): - Our node selection algorithm now excludes nodes in linear time. Previously, the algorithm was quadratic, which could slow down heavily used onion services. Closes ticket 30307. o Major features (performance, RNG): - Tor now constructs a fast secure pseudorandom number generator for each thread, to use when performance is critical. This PRNG is based on AES-CTR, using a buffering construction similar to libottery and the (newer) OpenBSD arc4random() code. It outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for small outputs. Although we believe it to be cryptographically strong, we are only using it when necessary for performance. Implements tickets 29023 and 29536. o Major bugfixes (onion service v3): - Fix an unreachable bug in which an introduction point could try to send an INTRODUCE_ACK with a status code that Trunnel would refuse to encode, leading the relay to assert(). We've consolidated the ABI values into Trunnel now. Fixes bug 30454; bugfix on 0.3.0.1-alpha. - Clients can now handle unknown status codes from INTRODUCE_ACK cells. (The NACK behavior will stay the same.) This will allow us to extend status codes in the future without breaking the normal client behavior. Fixes another part of bug 30454; bugfix on 0.3.0.1-alpha. o Minor features (circuit padding): - We now use a fast PRNG when scheduling circuit padding. Part of ticket 28636. 
- Allow the padding machine designer to pick the edges of their histogram instead of trying to compute them automatically using an exponential formula. Resolves some undefined behavior in the case of small histograms and allows greater flexibility on machine design. Closes ticket 29298; bugfix on 0.4.0.1-alpha. - Allow circuit padding machines to hold a circuit open until they are done padding it. Closes ticket 28780. o Minor features (compile-time modules): - Add a "--list-modules" command to print a list of which compile- time modules are enabled. Closes ticket 30452. o Minor features (continuous integration): - Remove sudo configuration lines from .travis.yml as they are no longer needed with current Travis
[tor-talk] Reminder: 0.3.4 reaches end-of-life on June 10
Hi! This is a reminder that we're going to stop supporting Tor 0.3.4 on June 10, per our policy and schedule at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases . After this date, we won't do any more security fixes or bugfixes for 0.3.4. If you need the latest and greatest version of Tor, you should be running the 0.4.0 series. If you need a version with long term support, you should be running 0.3.5, which we plan to support until 2022. best wishes, -- Nick
[tor-talk] Tor 0.4.0.4-rc is released
Hi, all!

There's a new Tor release candidate! It's not a release yet, but if no serious bugs are found, the next stable release will be (almost) identical to it.

The source code is available at https://dist.torproject.org/tor-0.4.0.4-rc.tar.gz . If you build Tor from source, why not give it a try? Be sure to check the signature, also available at https://dist.torproject.org/ . And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely quite soon.

Here's what's new:

Changes in version 0.4.0.4-rc - 2019-04-11
  Tor 0.4.0.4-rc is the first release candidate in its series; it fixes several bugs from earlier versions, including some that had affected stability, and one that prevented relays from working with NSS.

  o Major bugfixes (NSS, relay):
    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for these ciphersuites don't work -- which caused relays to fail to handshake with one another when these ciphersuites were enabled. Fixes bug 29241; bugfix on 0.3.5.1-alpha.

  o Minor features (bandwidth authority):
    - Make bandwidth authorities ignore relays that are reported in the bandwidth file with the flag "vote=0". This change allows us to report unmeasured relays for diagnostic reasons without including their bandwidth in the bandwidth authorities' vote. Closes ticket 29806.
    - When a directory authority is using a bandwidth file to obtain the bandwidth values that will be included in the next vote, serve this bandwidth file at /tor/status-vote/next/bandwidth. Closes ticket 21377.

  o Minor features (circuit padding):
    - Stop warning about undefined behavior in the probability distribution tests. Float division by zero may technically be undefined behavior in C, but it's well defined in IEEE 754. Partial backport of 29298. Closes ticket 29527; bugfix on 0.4.0.1-alpha.

  o Minor features (continuous integration):
    - On Travis Rust builds, cleanup Rust registry and refrain from caching the "target/" directory to speed up builds. Resolves issue 29962.

  o Minor features (dormant mode):
    - Add a DormantCanceledByStartup option to tell Tor that it should treat a startup event as cancelling any previous dormant state. Integrators should use this option with caution: it should only be used if Tor is being started because of something that the user did, and not if Tor is being automatically started in the background. Closes ticket 29357.

  o Minor features (geoip):
    - Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2 Country database. Closes ticket 29992.

  o Minor features (NSS, diagnostic):
    - Try to log an error from NSS (if there is any) and a more useful description of our situation if we are using NSS and a call to SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.

  o Minor bugfixes (security):
    - Fix a potential double free bug when reading huge bandwidth files. The issue is not exploitable in the current Tor network because the vulnerable code is only reached when directory authorities read bandwidth files, but bandwidth files come from a trusted source (usually the authorities themselves). Furthermore, the issue is only exploitable in rare (non-POSIX) 32-bit architectures, which are not used by any of the current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by Tobias Stoeckmann.
    - Verify in more places that we are not about to create a buffer with more than INT_MAX bytes, to avoid possible OOB access in the event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by Tobias Stoeckmann.

  o Minor bugfix (continuous integration):
    - Reset coverage state on disk after Travis CI has finished. This should prevent future coverage merge errors from causing the test suite for the "process" subsystem to fail. The process subsystem was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15.
    - Terminate test-stem if it takes more than 9.5 minutes to run. (Travis terminates the job after 10 minutes of no output.) Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (bootstrap reporting):
    - During bootstrap reporting, correctly distinguish pluggable transports from plain proxies. Fixes bug 28925; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (C correctness):
    - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug 29824; bugfix on 0.3.1.1-alpha. This is Coverity warning CID 1444119.

  o Minor bugfixes (circuitpadding testing):
    - Minor tweaks to avoid rare test failures related to timers and monotonic time. Fixes bug 29500;
[tor-talk] Tor 0.4.0.3-alpha is released!
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by TORBROWSER_DATE.

Here's what's new:

Changes in version 0.4.0.3-alpha - 2019-03-22
  Tor 0.4.0.3-alpha is the third in its series; it fixes several small bugs from earlier versions.

  o Minor features (address selection):
    - Treat the subnet 100.64.0.0/10 as public for some purposes; private for others. This subnet is the RFC 6598 (Carrier Grade NAT) IP range, and is deployed by many ISPs as an alternative to RFC 1918 that does not break existing internal networks. Tor now blocks SOCKS and control ports on these addresses and warns users if client ports or ExtORPorts are listening on a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan.

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 4 2019 Maxmind GeoLite2 Country database. Closes ticket 29666.

  o Minor bugfixes (circuitpadding):
    - Inspect the circuit-level cell queue before sending padding, to avoid sending padding when too much data is queued. Fixes bug 29204; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (logging):
    - Correct a misleading error message when IPv4Only or IPv6Only is used but the resolved address can not be interpreted as an address of the specified IP version. Fixes bug 13221; bugfix on 0.2.3.9-alpha. Patch from Kris Katterjohn.
    - Log the correct port number for listening sockets when "auto" is used to let Tor pick the port number. Previously, port 0 was logged instead of the actual port number. Fixes bug 29144; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
    - Stop logging a BUG() warning when Tor is waiting for exit descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (memory management):
    - Refactor the shared random state's memory management so that it actually takes ownership of the shared random value pointers. Fixes bug 29706; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (memory management, testing):
    - Stop leaking parts of the shared random state in the shared-random unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (pluggable transports):
    - Fix an assertion failure crash bug when a pluggable transport is terminated during the bootstrap phase. Fixes bug 29562; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (Rust, protover):
    - Add a missing "Padding" value to the Rust implementation of protover. Fixes bug 29631; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (single onion services):
    - Allow connections to single onion services to remain idle without being disconnected. Previously, relays acting as rendezvous points for single onion services were mistakenly closing idle rendezvous circuits after 60 seconds, thinking that they were unused directory-fetching circuits that had served their purpose. Fixes bug 29665; bugfix on 0.2.1.26.

  o Minor bugfixes (stats):
    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in relay and bridge extra-info documents. Fixes bug 29017; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (testing):
    - Downgrade some LOG_ERR messages in the address/* tests to warnings. The LOG_ERR messages were occurring when we had no configured network. We were failing the unit tests, because we backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8.
    - Fix our gcov wrapper script to look for object files at the correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
    - Decrease the false positive rate of stochastic probability distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (Windows, CI):
    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows Server 2012 R2 job. The remaining 2 jobs still provide coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so failed jobs terminate the build immediately. Fixes bug 29601; bugfix on 0.3.5.4-alpha.
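Added example (not part of the original post, and not Tor's own code): a small torrc audit that flags client, control and ExtOR listeners bound to RFC 1918 or RFC 6598 addresses, the case the "address selection" entry above warns about. The sample torrc is constructed, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 carrier-grade NAT block named above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")

# torrc options that open a local listener (lower-cased for matching).
LISTENER_OPTIONS = {"socksport", "transport", "natdport", "dnsport",
                    "httptunnelport", "controlport", "extorport"}

# Constructed sample configuration, for illustration only.
SAMPLE_TORRC = """\
SocksPort 9050
SocksPort 100.64.12.7:9050   # address inside the CGNAT block
ControlPort 127.0.0.1:9051
ExtORPort 192.168.1.10:auto
DNSPort [::1]:5353
ORPort 203.0.113.5:9001
"""


def classify(addr):
    """Classify an IP literal as loopback, rfc1918, rfc6598 or other."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4:
        # ipaddress reports is_private == False for 100.64.0.0/10, so a check
        # built on is_private alone would miss the CGNAT block.
        if ip in RFC6598:
            return "rfc6598"
        if any(ip in net for net in RFC1918):
            return "rfc1918"
    return "other"


def listener_address(value):
    """Return the address part of a torrc port value, or None if it has none."""
    target = value.split()[0]
    if target.startswith("unix:") or ":" not in target:
        return None  # unix socket, bare port number, "auto" or "0"
    host = target.rsplit(":", 1)[0]
    return host.strip("[]")  # drop the brackets around an IPv6 literal


def audit(torrc_text):
    """Return (line number, option, address, kind) for each flagged listener."""
    findings = []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LISTENER_OPTIONS:
            continue
        host = listener_address(parts[1])
        if host is None:
            continue
        try:
            kind = classify(host)
        except ValueError:
            continue  # not an IP literal
        if kind in ("rfc1918", "rfc6598"):
            findings.append((lineno, parts[0], host, kind))
    return findings


if __name__ == "__main__":
    for lineno, option, host, kind in audit(SAMPLE_TORRC):
        print(f"line {lineno}: {option} listens on {host} ({kind})")
```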
[tor-talk] Tor 0.4.0.2-alpha is released
Hello!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next few weeks.

This release fixes TROVE-2019-001, a possible security bug involving the KIST cell scheduler code in versions 0.3.2.1-alpha and later. We are not certain that it is possible to exploit this bug in the wild, but to be careful, we recommend that all affected users upgrade. The potential impact is a remote denial-of-service attack against clients or relays.

Here's what's new:

Changes in version 0.4.0.2-alpha - 2019-02-21
  Tor 0.4.0.2-alpha is the second alpha in its series; it fixes several bugs from earlier versions, including several that had broken backward compatibility.

  It also includes a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and later. All Tor instances running an affected release should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can put in the outbuf. Previously, KIST acted as though the outbuf were empty, which could lead to the outbuf becoming too full. It is possible that an attacker could exploit this bug to cause a Tor client or relay to run out of memory and crash. Fixes bug 29168; bugfix on 0.3.2.1-alpha. This issue is also being tracked as TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking):
    - Gracefully handle empty username/password fields in SOCKS5 username/password auth message and allow SOCKS5 handshake to continue. Previously, we had rejected these handshakes, breaking certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (windows, startup):
    - When reading a consensus file from disk, detect whether it was written in text mode, and re-read it in text mode if so. Always write consensus files in binary mode so that we can map them into memory later. Previously, we had written in text mode, which confused us when we tried to map the file on windows. Fixes bug 28614; bugfix on 0.4.0.1-alpha.

  o Minor features (compilation):
    - Compile correctly when OpenSSL is built with engine support disabled, or with deprecated APIs disabled. Closes ticket 29026. Patches from "Mangix".

  o Minor features (developer tooling):
    - Check that bugfix versions in changes files look like Tor versions from the versions spec. Warn when bugfixes claim to be on a future release. Closes ticket 27761.
    - Provide a git pre-commit hook that disallows committing if we have any failures in our code and changelog formatting checks. It is now available in scripts/maint/pre-commit.git-hook. Implements feature 28976.

  o Minor features (directory authority):
    - When a directory authority is using a bandwidth file to obtain bandwidth values, include the digest of that file in the vote. Closes ticket 26698.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 Country database. Closes ticket 29478.

  o Minor features (testing):
    - Treat all unexpected ERR and BUG messages as test failures. Closes ticket 28668.

  o Minor bugfixes (build, compatibility, rust):
    - Update Cargo.lock file to match the version made by the latest version of Rust, so that "make distcheck" will pass again. Fixes bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (compilation):
    - Fix compilation warnings in test_circuitpadding.c. Fixes bug 29169; bugfix on 0.4.0.1-alpha.
    - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (documentation):
    - Describe the contents of the v3 onion service client authorization files correctly: They hold public keys, not private keys. Fixes bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (linux seccomp sandbox):
    - Fix startup crash when experimental sandbox support is enabled. Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.

  o Minor bugfixes (logging):
    - Avoid logging that we are relaxing a circuit timeout when that timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
    - Log more information at "warning" level when unable to read a private key; log more information at "info" level when unable to read a public key. We had warnings here before, but they were lost during our NSS work. Fixes bug 29042;
[tor-talk] Upcoming stable releases to fix a medium-severity security issue
Hi!

I'm planning to put out new Tor source releases some time Thursday or Friday. They will be versions 0.3.3.12, 0.3.4.11, 0.3.5.8, and 0.4.0.2-alpha.

These versions will, among the usual array of bugfixes, fix a medium-severity security issue: a remote denial-of-service attack vector against relays and clients running version 0.3.2.1-alpha and later. While we don't currently know an exploit for the issue, we hope that all affected relays will upgrade. The issue is traced as TROVE-2019-001, Tor bug #29168, and CVE-2019-8955.

One more reminder: the 0.3.3.x series was scheduled to reach end-of-life as of February 22. We've extended that to February 28, but after that date, there will be no more security updates for the 0.3.3.x series. If you need a version that will receive long-term support, we recommend that you stick with 0.3.5.x, which will be supported until 2022.

best wishes,
-- Nick
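Added example (not part of the original post, and not Tor's own code): a fleet check that sorts reported Tor versions into affected and fixed for TROVE-2019-001, using only the version numbers given in the announcement above. It assumes that comparing the four numeric components is enough, since within a series the last component rises across alpha, rc and stable releases; it also assumes series newer than 0.4.0.x carry the fix. The inventory is constructed and the function names are hypothetical.

```python
import re

# Values taken from the announcement above.
FIRST_AFFECTED = (0, 3, 2, 1)      # 0.3.2.1-alpha
FIXED_IN = {
    (0, 3, 3): 12,                 # 0.3.3.12
    (0, 3, 4): 11,                 # 0.3.4.11
    (0, 3, 5): 8,                  # 0.3.5.8
    (0, 4, 0): 2,                  # 0.4.0.2-alpha
}

# Four dotted numbers with an optional status tag such as -alpha, -rc or -dev.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9-]+)?")

# Constructed inventory: (host, version string as reported), illustration only.
INVENTORY = [
    ("relay-a", "Tor 0.3.5.7 on Linux"),
    ("relay-b", "Tor 0.3.4.11 on FreeBSD"),
    ("client-c", "0.4.0.1-alpha"),
    ("relay-d", "Tor 0.2.9.17 on Linux"),
    ("relay-e", "Tor 0.3.2.10 on Linux"),
    ("relay-f", "Tor 0.3.3.12 on Linux"),
]


def parse_version(text):
    """Extract the numeric (major, minor, micro, patchlevel) tuple."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def trove_2019_001_status(text):
    """Classify one version string against the announced fix versions."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    series, patchlevel = version[:3], version[3]
    if series in FIXED_IN:
        return "fixed" if patchlevel >= FIXED_IN[series] else "affected"
    if series > max(FIXED_IN):
        return "newer-series"      # assumption: branched after the fix
    # Affected series with no fixed release listed (0.3.2.x): change series.
    return "affected-no-fix-in-series"


def needs_upgrade(inventory):
    """Return the hosts whose reported version is still affected."""
    return [host for host, reported in inventory
            if trove_2019_001_status(reported).startswith("affected")]


if __name__ == "__main__":
    for host, reported in INVENTORY:
        print(f"{host}: {reported} -> {trove_2019_001_status(reported)}")
```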
Re: [tor-talk] [tor-announce] Tor 0.3.5.7 is released
On Sat, Jan 19, 2019 at 6:23 AM Jim wrote:
>
> Nick Mathewson wrote:
> > You can download the source code from the usual place on the website.
> > Packages should be available within the next several weeks, with a new
> > Tor Browser some time in the next month or so.
>
> Nick, it would appear your signing key (or sub-key) has expired:
>

Hi, Jim! You probably need to refresh my key from the keyservers:

[1718]$ gpg --list-keys ni...@torproject.org
pub 4096R/FE43009C4607B1FB 2016-09-21 [expires: 2020-09-16]
uid Nick Mathewson
uid Nick Mathewson
uid Nick Mathewson
uid Nick Mathewson
sub 4096R/6AFEE6D49E92B601 2016-09-23 [expires: 2020-09-16]
sub 4096R/91DDED0286AC8BFF 2016-09-23 [expires: 2020-09-16]
[tor-talk] Tor 0.4.0.1-alpha is released!
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on the www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by the end of the month.

Here's what's new:

Changes in version 0.4.0.1-alpha - 2019-01-18
  Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It introduces improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

  o Major features (battery management, client, dormant mode):
    - When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.
    - The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.
    - There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.

  o Major features (bootstrap reporting):
    - When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
    - When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

  o Major features (circuit padding):
    - Implement preliminary support for the circuit padding portion of Proposal 254. The implementation supports Adaptive Padding (aka WTF-PAD) state machines for use between experimental clients and relays. Support is also provided for APE-style state machines that use probability distributions instead of histograms to specify inter-packet delay. At the moment, Tor does not provide any padding state machines that are used in normal operation: for now, this feature exists solely for experimentation. Closes ticket 28142.

  o Major features (refactoring):
    - Tor now uses an explicit list of its own subsystems when initializing and shutting down. Previously, these systems were managed implicitly in various places throughout the codebase. (There may still be some subsystems using the old system.) Closes ticket 28330.

  o Minor features (bootstrap reporting):
    - When reporting bootstrap progress, stop distinguishing between situations where only internal paths are available and situations where external paths are available. Previously, Tor would often erroneously report that it had only internal paths. Closes ticket 27402.

  o Minor features (continuous integration):
    - Log Python version during each Travis CI job. Resolves issue 28551.

  o Minor features (controller):
    - Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP. Implements ticket 28843.

  o Minor features (developer tooling):
    - Provide a git hook script to prevent "fixup!" and "squash!" commits from ending up in the master branch, as scripts/main/pre-push.git-hook. Closes ticket 27993.

  o Minor features (directory authority):
    - Directory authorities support a new consensus algorithm, under which the family lines in microdescriptors are encoded in a canonical form. This change makes family lines more compressible in transit, and on the client. Closes ticket 28266; implements proposal 298.

  o Minor features (directory authority, relay):
    - Authorities now vote on a "StaleDesc" flag to indicate that a relay's descriptor is so old that the relay should upload again soon. Relays treat this flag as a signal to upload a new descriptor. This flag will eventually let us remove the 'published' date from routerstatus entries, and make our consensus diffs much smaller. Closes ticket 26770; implements proposal 293.

  o Minor features (fallback directory mirrors):
    - Update the fallback whitelist based on operator opt-ins and opt-outs. Closes ticket
[tor-talk] Tor 0.3.5.6-rc is released!
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by early February.

Here's what's new:

Changes in version 0.3.5.6-rc - 2018-12-18
  Tor 0.3.5.6-rc fixes numerous small bugs in earlier versions of Tor. It is the first release candidate in the 0.3.5.x series; if no further huge bugs are found, our next release may be the stable 0.3.5.x.

  o Minor features (continuous integration, Windows):
    - Always show the configure and test logs, and upload them as build artifacts, when building for Windows using Appveyor CI. Implements 28459.

  o Minor features (fallback directory list):
    - Replace the 150 fallbacks originally introduced in Tor 0.3.3.1-alpha in January 2018 (of which ~115 were still functional), with a list of 157 fallbacks (92 new, 65 existing, 85 removed) generated in December 2018. Closes ticket 24803.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2 Country database. Closes ticket 28744.

  o Minor bugfixes (compilation):
    - Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (continuous integration, Windows):
    - Explicitly specify the path to the OpenSSL library and do not download OpenSSL from Pacman, but instead use the library that is already provided by AppVeyor. Fixes bug 28574; bugfix on master.

  o Minor bugfixes (onion service v3):
    - When deleting an ephemeral onion service (DEL_ONION), do not close any rendezvous circuits in order to let the existing client connections finish by themselves or closed by the application. The HS v2 is doing that already so now we have the same behavior for all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (restart-in-process, bootstrap):
    - Add missing resets of bootstrap tracking state when shutting down (regression caused by ticket 27169). Fixes bug 28524; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing):
    - Use a separate DataDirectory for the test_rebind script. Previously, this script would run using the default DataDirectory, and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha. Patch from Taylor R Campbell.
    - Stop leaking memory in an entry guard unit test. Fixes bug 28554; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (Windows):
    - Correctly identify Windows 8.1, Windows 10, and Windows Server 2008 and later from their NT versions. Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
    - On recent Windows versions, the GetVersionEx() function may report an earlier Windows version than the running OS. To avoid user confusion, add "[or later]" to Tor's version string on affected versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
    - Remove Windows versions that were never supported by the GetVersionEx() function. Stop duplicating the latest Windows version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.

  o Testing:
    - Increase logging and tag all log entries with timestamps in test_rebind.py. Provides diagnostics for issue 28229.

  o Code simplification and refactoring (shared random, dirauth):
    - Change many tor_assert() to use BUG() instead. The idea is to not crash a dirauth but rather scream loudly with a stacktrace and let it continue run. The shared random subsystem is very resilient and if anything wrong happens with it, at worst a non coherent value will be put in the vote and discarded by the other authorities. Closes ticket 19566.

  o Documentation (onion services):
    - Document in the man page that changing ClientOnionAuthDir value or adding a new file in the directory will not work at runtime upon sending a HUP if Sandbox 1. Closes ticket 28128.
    - Note in the man page that the only real way to fully revoke an onion service v3 client authorization is by restarting the tor process. Closes ticket 28275.
[tor-talk] Tor 0.3.5.5-alpha is released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the download page on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by the end of next week.

Here's what's new:

Changes in version 0.3.5.5-alpha - 2018-11-16
  Tor 0.3.5.5-alpha includes numerous bugfixes on earlier releases, including several that we hope to backport to older release series in the future.

  o Major bugfixes (OpenSSL, portability):
    - Fix our usage of named groups when running as a TLS 1.3 client in OpenSSL 1.1.1. Previously, we only initialized EC groups when running as a relay, which caused clients to fail to negotiate TLS 1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3 support was added).

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2 Country database. Closes ticket 28395.

  o Minor bugfixes (compilation):
    - Initialize a variable unconditionally in aes_new_cipher(), since some compilers cannot tell that we always initialize it before use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (connection, relay):
    - Avoid logging a BUG() stacktrace when closing connection held open because the write side is rate limited but not the read side. Now, the connection read side is simply shut down until Tor is able to flush the connection and close it. Fixes bug 27750; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, Windows):
    - Manually configure the zstd compiler options, when building using mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does not come with a pkg-config file. Fixes bug 28454; bugfix on 0.3.4.1-alpha.
    - Stop using an external OpenSSL install, and stop installing MSYS2 packages, when building using mingw on Appveyor Windows CI. Fixes bug 28399; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (documentation):
    - Make Doxygen work again after the code movement in the 0.3.5 source tree. Fixes bug 28435; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - Permit the "shutdown()" system call, which is apparently used by OpenSSL under some circumstances. Fixes bug 28183; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (logging):
    - Stop talking about the Named flag in log messages. Clients have ignored the Named flag since 0.3.2. Fixes bug 28441; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419; bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.

  o Minor bugfixes (onion services):
    - On an intro point for a version 3 onion service, stop closing introduction circuits on an NACK. This lets the client decide whether to reuse the circuit or discard it. Previously, we closed intro circuits when sending NACKs. Fixes bug 27841; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
    - When replacing a descriptor in the client cache, make sure to close all client introduction circuits for the old descriptor, so we don't end up with unusable leftover circuits. Fixes bug 27471; bugfix on 0.3.2.1-alpha.
Re: [tor-talk] Fixing Orchid (again), need help!
On Thu, Nov 8, 2018 at 6:12 AM Masayuki Hatta wrote:
>
> Hi!
>
> As I wrote here some time ago, I fixed Orchid the Java Tor, and it
> worked for a while.
>
> https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html
>
> Recently (I think it was around July-Aug), Orchid became unworkable
> again. I'm trying to but can't figure out the cause, so I appreciate
> your help.
>
> Orchid's repo is here: https://github.com/mhatta/Orchid
>
> As far as I could see, now Orchid hangs because it can't receive
> VERSIONS cells so the first handshake with Directory Authorities can't
> be finished. Some change at Dir Auths (updating new version of Tor, I
> guess) might cause this, but I can't figure out which changes affect
> this. Do you have any idea?
>
> Best regards,

What versions does Orchid send in its VERSIONS cell?
[tor-talk] Tor 0.3.5.4-alpha is released.
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the Download page on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by mid-December.

Here's what's new:

Changes in version 0.3.5.4-alpha - 2018-11-08
  Tor 0.3.5.4-alpha includes numerous bugfixes on earlier versions and improves our continuous integration support. It continues our attempts to stabilize this alpha branch and build it into a foundation for an acceptable long-term-support release.

  o Major bugfixes (compilation, rust):
    - Rust tests can now build and run successfully with the --enable-fragile-hardening option enabled. Doing this currently requires the rust beta channel; it will be possible with stable rust once Rust version 1.31 is released. Patch from Alex Crichton. Fixes bugs 27272, 27273, and 27274. Bugfix on 0.3.1.1-alpha.

  o Major bugfixes (embedding, main loop):
    - When DisableNetwork becomes set, actually disable periodic events that are already enabled. (Previously, we would refrain from enabling new ones, but we would leave the old ones turned on.) Fixes bug 28348; bugfix on 0.3.4.1-alpha.

  o Minor features (continuous integration):
    - Add a Travis CI build for --enable-nss on Linux gcc. Closes ticket 27751.
    - Add new CI job to Travis configuration to run stem-based integration tests. Closes ticket 27913.

  o Minor features (Windows, continuous integration):
    - Build tor on Windows Server 2012 R2 and Windows Server 2016 using Appveyor's CI. Closes ticket 28318.

  o Minor bugfixes (C correctness, also in 0.3.4.9):
    - Avoid undefined behavior in an end-of-string check when parsing the BEGIN line in a directory object. Fixes bug 28202; bugfix on 0.2.0.3-alpha.

  o Minor bugfixes (compilation):
    - Fix a pair of missing headers on OpenBSD. Fixes bug 28303; bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (compilation, OpenSolaris):
    - Fix compilation on OpenSolaris and its descendants by adding a missing include to compat_pthreads.c. Fixes bug 27963; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (configuration):
    - Refuse to start with relative file paths and RunAsDaemon set (regression from the fix for bug 22731). Fixes bug 28298; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (directory authority, also in 0.3.4.9):
    - Log additional info when we get a relay that shares an ed25519 ID with a different relay, instead of a BUG() warning with a backtrace. Fixes bug 27800; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3):
    - Build the service descriptor's signing key certificate before uploading, so we always have a fresh one: leaving no chances for it to expire service side. Fixes bug 27838; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, client authorization):
    - Fix an assert() when adding a client authorization for the first time and then sending a HUP signal to the service. Before that, Tor would stop abruptly. Fixes bug 27995; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion services):
    - Unless we have explicitly set HiddenServiceVersion, detect the onion service version and then look for invalid options. Previously, we did the reverse, but that broke existing configs which were pointed to a v2 service and had options like HiddenServiceAuthorizeClient set. Fixes bug 28127; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (portability):
    - Make the OPE code (which is used for v3 onion services) run correctly on big-endian platforms. Fixes bug 28115; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (protover, rust):
    - Reject extra commas in version strings. Fixes bug 27197; bugfix on 0.3.3.3-alpha.

  o Minor bugfixes (relay shutdown, systemd):
    - Notify systemd of ShutdownWaitLength so it can be set to longer than systemd's TimeoutStopSec. In Tor's systemd service file, set TimeoutSec to 60 seconds to allow Tor some time to shut down. Fixes bug 28113; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (rust, also in 0.3.4.9):
    - Fix a potential null dereference in protover_all_supported(). Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    - Return a string that can be safely freed by C code, not one created by the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, directory authority, also in 0.3.4.9):
    - Fix an API mismatch in the rust implementation of protover_compute_vote(). This bug
[tor-talk] Tor 0.3.5.3-alpha is released
Hi! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in a couple of weeks.

Here's what's new:

Changes in version 0.3.5.3-alpha - 2018-10-17

Tor 0.3.5.3-alpha fixes several bugs, mostly from previous 0.3.5.x versions. One important fix for relays addresses a problem with rate-limiting code from back in 0.3.4.x: If the fix works out, we'll be backporting it soon. This release is still an alpha, but we hope it's getting closer and closer to stability.

o Major features (onion services):
  - Version 3 onion services can now use the per-service HiddenServiceExportCircuitID option to differentiate client circuits. It communicates with the service by using the HAProxy protocol to assign virtual IP addresses to inbound client circuits. Closes ticket 4700. Patch by Mahrud Sayrafi.

o Major bugfixes (compilation):
  - Fix compilation on ARM (and other less-used CPUs) when compiling with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.

o Major bugfixes (initialization, crash):
  - Fix an assertion crash that would stop Tor from starting up if it tried to activate a periodic event too early. Fixes bug 27861; bugfix on 0.3.5.1-alpha.

o Major bugfixes (mainloop, bootstrap):
  - Make sure Tor bootstraps and works properly if only the ControlPort is set. Prior to this fix, Tor would only bootstrap when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.

o Major bugfixes (relay):
  - When our write bandwidth limit is exhausted, stop writing on the connection. Previously, we had a typo in the code that would make us stop reading instead, leading to relay connections being stuck indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix on 0.3.4.1-alpha.

o Minor features (continuous integration):
  - Use the Travis Homebrew addon to install packages on macOS during Travis CI. The package list is the same, but the Homebrew addon does not do a `brew update` by default. Implements ticket 27738.
  - Report what program produced the mysterious core file that we occasionally see on Travis CI during make distcheck. Closes ticket 28024.

o Minor features (geoip):
  - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 Country database. Closes ticket 27991.

o Minor bugfixes (code safety):
  - Rewrite our assertion macros so that they no longer suppress the compiler's -Wparentheses warnings. Fixes bug 27709; bugfix on 0.0.6.

o Minor bugfixes (compilation):
  - Compile the ed25519-donna code with a correct declaration of crypto_strongest_rand(). Previously, we built it with one type, but linked it against another in the unit tests, which caused compilation failures with LTO enabled. This could have caused other undefined behavior in the tests. Fixes bug 27728; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (compilation, netbsd):
  - Add a missing include back into procmon.c. Fixes bug 27990; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (continuous integration, appveyor):
  - Install only the necessary mingw packages during our appveyor builds. This change makes the build a little faster, and prevents a conflict with a preinstalled mingw openssl that appveyor now ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha.

o Minor bugfixes (directory permissions):
  - When a user requests a group-readable DataDirectory, give it to them. Previously, when the DataDirectory and the CacheDirectory were the same, the default setting (0) for CacheDirectoryGroupReadable would override the setting for DataDirectoryGroupReadable. Fixes bug 26913; bugfix on 0.3.3.1-alpha.

o Minor bugfixes (memory leaks):
  - Fix a small memory leak when calling Tor with --dump-config. Fixes bug 27893; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (networking):
  - In retry_listeners_ports(), make sure that we're removing a member of old_conns smartlist at most once. Fixes bug 27808; bugfix on 0.3.5.1-alpha.
  - Refrain from attempting socket rebinding when old and new listeners are in different address families. Fixes bug 27928; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (onion service v3):
  - Stop dumping a stack trace when trying to connect to an intro point without having a descriptor for it. Fixes bug 27774; bugfix on 0.3.2.1-alpha.
  - Don't warn so loudly when Tor is unable to decode
Re: [tor-talk] bug in tor 0.3.4.8?
On Sun, Sep 30, 2018 at 9:48 AM Udo van den Heuvel wrote:
>
> On 17/09/2018 17:46, David Goulet wrote:
> > Quickly like that, I can't tell you why this is happening or any workaround
> > you could do so keep an eye on the ticket. If this is an 0.3.4.x regression,
> > we'll find it quickly.
>
> Issue is still happening, with just port 22 and 53 open.
> What can I do to help fix the issue?
>
> Udo

If this is easily reproducible, and you can build from source, using "git bisect" to find the first version that caused it would be very helpful. Do you want more info on how to do that?
[tor-talk] Tor 0.3.5.2-alpha is released
Hello! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release very soon.

Here's what's new:

Changes in version 0.3.5.2-alpha - 2018-09-21

Tor 0.3.5.2-alpha fixes several bugs in 0.3.5.1-alpha, including one that made Tor think it had run out of sockets. Anybody running a relay or an onion service on 0.3.5.1-alpha should upgrade.

o Major bugfixes (relay bandwidth statistics):
  - When we close relayed circuits, report the data in the circuit queues as being written in our relay bandwidth stats. This mitigates guard discovery and other attacks that close circuits for the explicit purpose of noticing this discrepancy in statistics. Fixes bug 23512; bugfix on 0.0.8pre3.

o Major bugfixes (socket accounting):
  - In our socket accounting code, count a socket as closed even when it is closed indirectly by the TLS layer. Previously, we would count these sockets as still in use, and incorrectly believe that we had run out of sockets. Fixes bug 27795; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (32-bit OSX and iOS, timing):
  - Fix an integer overflow bug in our optimized 32-bit millisecond-difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
  - Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
  - Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.

o Minor bugfixes (onion service v3):
  - Close all SOCKS requests (for the same .onion) if the newly fetched descriptor is unusable. Before that, we would close only the first one, leaving the others hanging and left to time out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (memory leak):
  - Fix an unlikely memory leak when trying to read a private key from a ridiculously large file. Fixes bug 27764; bugfix on 0.3.5.1-alpha. This is CID 1439488.

o Minor bugfixes (NSS):
  - Correctly detect failure to open a dummy TCP socket when stealing ownership of an fd from the NSS layer. Fixes bug 27782; bugfix on 0.3.5.1-alpha.

o Minor bugfixes (rust):
  - protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc.

o Minor bugfixes (testing):
  - Revise the "conditionvar_timeout" test so that it succeeds even on heavily loaded systems where the test threads are not scheduled within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.

o Code simplification and refactoring:
  - Divide the routerlist.c and dirserv.c modules into smaller parts. Closes ticket 27799.
[tor-talk] Tor 0.3.5.1-alpha is released!
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on the download page of www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time this week.

NOTE 1: There are some UI changes in this one -- please read at least the beginning of the changelog before you move forward.

NOTE 2: When you go to check the signature, gpg might tell you that my subkeys are expired. If that happens, you'll need to refresh the key from a public keyserver, or fetch it from https://people.torproject.org/~nickm/public_key.asc . The key and subkeys haven't changed -- only the expiration date has.

Here's what's new:

Changes in version 0.3.5.1-alpha - 2018-09-18

Tor 0.3.5.1-alpha is the first release of the 0.3.5.x series. It adds client authorization for modern (v3) onion services, improves bootstrap reporting, begins reorganizing Tor's codebase, adds optional support for NSS in place of OpenSSL, and much more.

o Major features (onion services, UI change):
  - For a newly created onion service, the default version is now 3. Tor still supports existing version 2 services, but the operator now needs to set "HiddenServiceVersion 2" in order to create a new version 2 service. For existing services, Tor now learns the version by reading the key file. Closes ticket 27215.

o Major features (relay, UI change):
  - Relays no longer run as exits by default. If the "ExitRelay" option is auto (or unset), and no exit policy is specified with ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0. Previously in this case, we allowed exit traffic and logged a warning message. Closes ticket 21530. Patch by Neel Chauhan.
  - Tor now validates that the ContactInfo config option is valid UTF-8 when parsing torrc. Closes ticket 27428.

o Major features (bootstrap):
  - Don't report directory progress until after a connection to a relay or bridge has succeeded. Previously, we'd report 80% progress based on cached directory information when we couldn't even connect to the network. Closes ticket 27169.

o Major features (new code layout):
  - Nearly all of Tor's source code has been moved around into more logical places. The "common" directory is now divided into a set of libraries in "lib", and files in the "or" directory have been split into "core" (logic absolutely needed for onion routing), "feature" (independent modules in Tor), and "app" (to configure and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for more information. Closes ticket 26481. This refactoring is not complete: although the libraries have been refactored to be acyclic, the main body of Tor is still too interconnected. We will attempt to improve this in the future.

o Major features (onion services v3):
  - Implement onion service client authorization at the descriptor level: only authorized clients can decrypt a service's descriptor to find out how to contact it. A new torrc option was added to control this client side: ClientOnionAuthDir. On the service side, if the "authorized_clients/" directory exists in the onion service directory path, client configurations are read from the files within. See the manpage for more details. Closes ticket 27547. Patch done by Suphanat Chunhapanya (haxxpop).
  - Improve revision counter generation in next-gen onion services. Onion services can now scale by hosting multiple instances on different hosts without synchronization between them, which was previously impossible because descriptors would get rejected by HSDirs. Addresses ticket 25552.

o Major features (portability, cryptography, experimental, TLS):
  - Tor now has the option to compile with the NSS library instead of OpenSSL. This feature is experimental, and we expect that bugs may remain. It is mainly intended for environments where Tor's performance is not CPU-bound, and where NSS is already known to be installed. To try it out, configure Tor with the --enable-nss flag. Closes tickets 26631, 26815, and 26816. If you are experimenting with this option and using an old cached consensus, Tor may fail to start. To solve this, delete your "cached-consensus" and "cached-microdesc-consensus" files, (if present), and restart Tor.

o Major bugfixes (directory authority):
  - Actually check that the address we get from DirAuthority configuration line is valid IPv4. Explicitly disallow DirAuthority address to be a DNS hostname. Fixes bug 26488; bugfix
[tor-talk] Tor 0.3.4.7-rc is released!
Hi, all! There's a new Tor release candidate! Because it's not an official release, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in the next couple of weeks.

Here's what's new:

Changes in version 0.3.4.7-rc - 2018-08-24

Tor 0.3.4.7-rc fixes several small compilation, portability, and correctness issues in previous versions of Tor. This version is a release candidate: if no serious bugs are found, we expect that the stable 0.3.4 release will be (almost) the same as this release.

o Minor features (bug workaround):
  - Compile correctly on systems that provide the C11 stdatomic.h header, but where C11 atomic functions don't actually compile. Closes ticket 26779; workaround for Debian issue 903709.

o Minor features (continuous integration):
  - Backport Travis rust distcheck to 0.3.3. Closes ticket 24629.
  - Enable macOS builds in our Travis CI configuration. Closes ticket 24629.
  - Install libcap-dev and libseccomp2-dev so these optional dependencies get tested on Travis CI. Closes ticket 26560.
  - Only post Appveyor IRC notifications when the build fails. Implements ticket 27275.
  - Run asciidoc during Travis CI. Implements ticket 27087.
  - Use ccache in our Travis CI configuration. Closes ticket 26952.

o Minor features (continuous integration, rust):
  - Use cargo cache in our Travis CI configuration. Closes ticket 26952.

o Minor features (directory authorities):
  - Authorities no longer vote to make the subprotocol version "LinkAuth=1" a requirement: it is unsupportable with NSS, and hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286.

o Minor features (geoip):
  - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2 Country database. Closes ticket 27089.

o Minor bugfixes (compilation, windows):
  - Don't link or search for pthreads when building for Windows, even if we are using a build environment (like mingw) that provides a pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

o Minor bugfixes (continuous integration):
  - Improve Appveyor CI IRC logging. Generate correct branches and URLs for pull requests and tags. Use unambiguous short commits. Fixes bug 26979; bugfix on master.
  - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha.
  - Pass the module flags to distcheck configure, and log the flags before running configure. (Backported to 0.2.9 and later as a precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

o Minor bugfixes (in-process restart):
  - Always call tor_free_all() when leaving tor_run_main(). When we did not, restarting tor in-process would cause an assertion failure. Fixes bug 26948; bugfix on 0.3.3.1-alpha.

o Minor bugfixes (linux seccomp2 sandbox):
  - Fix a bug in our sandboxing rules for the openat() syscall. Previously, no openat() call would be permitted, which would break filesystem operations on recent glibc versions. Fixes bug 25440; bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

o Minor bugfixes (onion services):
  - Fix bug that causes services to not ever rotate their descriptors if they were getting SIGHUPed often. Fixes bug 26932; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (portability):
  - Fix compilation of the unit tests on GNU/Hurd, which does not define PATH_MAX. Fixes bug 26873; bugfix on 0.3.3.1-alpha. Patch from "paulusASol".

o Minor bugfixes (rust):
  - Backport test_rust.sh from master. Fixes bug 26497; bugfix on 0.3.1.5-alpha.
  - Consistently use ../../.. as a fallback for $abs_top_srcdir in test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha.
  - Protover parsing was accepting the presence of whitespace in version strings, which the C implementation would choke on, e.g. "Desc=1\t,2". Fixes bug 27177; bugfix on 0.3.3.5-rc.
  - Protover parsing was ignoring a 2nd hyphen and everything after it, accepting entries like "Link=1-5-foo". Fixes bug 27164; bugfix on 0.3.3.1-alpha.
  - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha.
  - cd to ${abs_top_builddir}/src/rust before running cargo in src/test/test_rust.sh. This makes the working directory consistent between builds and tests. Fixes bug 26497; bugfix on 0.3.3.2-alpha.

o Minor bugfixes (testing, bootstrap):
  - When calculating bootstrap progress, check exit policies and the exit flag. Previously, Tor would only check the exit flag, which
[tor-talk] Tor 0.3.4.6-rc is released
Hi, all! There's a new Tor release candidate! Because it's not a stable release yet, you should only run it if you're ready to find bugs and report them on trac.torproject.org.

The source code is available from the usual place on https://www.torproject.org/download/download.html; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by some time next month.

Here's what's new:

Changes in version 0.3.4.6-rc - 2018-08-06

Tor 0.3.4.6-rc fixes several small compilation, portability, and correctness issues in previous versions of Tor. This version is a release candidate: if no serious bugs are found, we expect that the stable 0.3.4 release will be (almost) the same as this release.

o Major bugfixes (event scheduler):
  - When we enable a periodic event, schedule it in the event loop rather than running it immediately. Previously, we would re-run periodic events immediately in the middle of (for example) changing our options, with unpredictable effects. Fixes bug 27003; bugfix on 0.3.4.1-alpha.

o Minor features (compilation):
  - When building Tor, prefer to use Python 3 over Python 2, and more recent (contemplated) versions over older ones. Closes ticket 26372.

o Minor features (geoip):
  - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 Country database. Closes ticket 26674.

o Minor features (Rust, portability):
  - Rust cross-compilation is now supported. Closes ticket 25895.

o Minor bugfixes (compilation):
  - Fix a compilation warning on some versions of GCC when building code that calls routerinfo_get_my_routerinfo() twice, assuming that the second call will succeed if the first one did. Fixes bug 26269; bugfix on 0.2.8.2-alpha.

o Minor bugfixes (controller):
  - Report the port correctly when a port is configured to bind to "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha.
  - Parse the "HSADDRESS=" parameter in HSPOST commands properly. Previously, it was misparsed and ignored. Fixes bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".

o Minor bugfixes (correctness, flow control):
  - Upon receiving a stream-level SENDME cell, verify that our window has not grown too large. Fixes bug 26214; bugfix on svn r54 (pre-0.0.1)

o Minor bugfixes (memory, correctness):
  - Fix a number of small memory leaks identified by coverity. Fixes bug 26467; bugfix on numerous Tor versions.

o Minor bugfixes (portability):
  - Avoid a compilation error in test_bwmgt.c on Solaris 10. Fixes bug 26994; bugfix on 0.3.4.1-alpha.

o Minor bugfixes (testing, compatibility):
  - When running the ntor_ref.py and hs_ntor_ref.py tests, make sure only to pass strings (rather than "bytes" objects) to the Python subprocess module. Python 3 on Windows seems to require this. Fixes bug 26535; bugfix on 0.2.5.5-alpha (for ntor_ref.py) and 0.3.1.1-alpha (for hs_ntor_ref.py).
Re: [tor-talk] The Onion Report at #hopeconf (video)
On Tue, Jul 31, 2018 at 12:07 PM David Niklas wrote:
>
> On Sun, 29 Jul 2018 22:51:00 +
> nusenu wrote:
>
> > https://twitter.com/torproject/status/1022840807374635009
> >
> > > If you
> > > missed The Onion Report at #hopeconf last week with Steph, Alison,
> > > George, David, and Matt, you can watch it online and find out all
> > > about what different teams at Tor have been up to in our fight for
> > > privacy and freedom online
> > >
> I can't see a thing in this helmet. -- StarWars
> Really, I have never used twitter in my life, and I can't find what you
> are talking about. Neither can youtube-dl.
>
> > Could you upload it to youtube or any other site that supports
> > torbrowser?
>
> I second the motion.
>

It clicks through to a video at the URL: https://livestream.com/internetsociety/hope/videos/178158095 . Youtube-dl works fine for me on that URL. (I'd upload it to youtube for you, but I don't have a youtube account.)

--
Nick
[tor-talk] Tor 0.3.4.4-rc is released
Hi, all! There's a new Tor release candidate! Because it's not a stable release yet, you should only run it if you're ready to find bugs and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by the end of the month.

Here's what's new:

Changes in version 0.3.4.4-rc - 2018-07-09

Tor 0.3.4.4-rc fixes several small compilation, portability, and correctness issues in previous versions of Tor. This version is a release candidate: if no serious bugs are found, we expect that the stable 0.3.4 release will be (almost) the same as this release.

o Minor features (compilation):
  - When building Tor, prefer to use Python 3 over Python 2, and more recent (contemplated) versions over older ones. Closes ticket 26372.

o Minor features (geoip):
  - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 Country database. Closes ticket 26674.

o Minor features (Rust, portability):
  - Rust cross-compilation is now supported. Closes ticket 25895.

o Minor bugfixes (compilation):
  - Fix a compilation warning on some versions of GCC when building code that calls routerinfo_get_my_routerinfo() twice, assuming that the second call will succeed if the first one did. Fixes bug 26269; bugfix on 0.2.8.2-alpha.

o Minor bugfixes (control port):
  - Report the port correctly when a port is configured to bind to "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha.
  - Handle the HSADDRESS= argument to the HSPOST command properly. (Previously, this argument was misparsed and thus ignored.) Fixes bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".

o Minor bugfixes (correctness, flow control):
  - Upon receiving a stream-level SENDME cell, verify that our window has not grown too large. Fixes bug 26214; bugfix on svn r54 (pre-0.0.1).

o Minor bugfixes (memory, correctness):
  - Fix a number of small memory leaks identified by coverity. Fixes bug 26467; bugfix on numerous Tor versions.

o Minor bugfixes (testing, compatibility):
  - When running the hs_ntor_ref.py test, make sure only to pass strings (rather than "bytes" objects) to the Python subprocess module. Python 3 on Windows seems to require this. Fixes bug 26535; bugfix on 0.3.1.1-alpha.
  - When running the ntor_ref.py test, make sure only to pass strings (rather than "bytes" objects) to the Python subprocess module. Python 3 on Windows seems to require this. Fixes bug 26535; bugfix on 0.2.5.5-alpha.
[tor-talk] Tor 0.3.4.3-alpha is released
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely over the next several weeks. (Tomorrow's planned TB alpha will probably still have 0.3.4.2-alpha.)

Here's what's new!

Changes in version 0.3.4.3-alpha - 2018-06-26

Tor 0.3.4.3-alpha fixes several bugs in earlier versions, including one that was causing stability issues on directory authorities.

o Major bugfixes (directory authority):
  - Stop leaking memory on directory authorities when planning to vote. This bug was crashing authorities by exhausting their memory. Fixes bug 26435; bugfix on 0.3.3.6.

o Major bugfixes (rust, testing):
  - Make sure that failing tests in Rust will actually cause the build to fail: previously, they were ignored. Fixes bug 26258; bugfix on 0.3.3.4-alpha.

o Minor feature (directory authorities):
  - Stop warning about incomplete bw lines before the first complete bw line has been found, so that additional header lines can be ignored. Fixes bug 25960; bugfix on 0.2.2.1-alpha

o Minor features (relay, diagnostic):
  - Add several checks to detect whether Tor relays are uploading their descriptors without specifying why they regenerated them. Diagnostic for ticket 25686.

o Minor features (unit tests):
  - Test complete bandwidth measurements files, and test that incomplete bandwidth lines only give warnings when the end of the header has not been detected. Fixes bug 25947; bugfix on 0.2.2.1-alpha

o Minor bugfixes (compilation):
  - Refrain from compiling unit testing related object files when --disable-unittests is set to configure script. Fixes bug 24891; bugfix on 0.2.5.1-alpha.
  - When linking the libtor_testing.a library, only include the dirauth object files once. Previously, they were getting added twice. Fixes bug 26402; bugfix on 0.3.4.1-alpha.
  - The --enable-fatal-warnings flag now affects Rust code as well. Closes ticket 26245.

o Minor bugfixes (onion services):
  - Recompute some consensus information after detecting a clock jump, or after transitioning from a non-live consensus to a live consensus. We do this to avoid having an outdated state, and miscalculating the index for next-generation onion services. Fixes bug 24977; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (relay):
  - Relays now correctly block attempts to re-extend to the previous relay by Ed25519 identity. Previously they would warn in this case, but not actually reject the attempt. Fixes bug 26158; bugfix on 0.3.0.1-alpha.

o Minor bugfixes (testing):
  - Fix compilation of the doctests in the Rust crypto crate. Fixes bug 26415; bugfix on 0.3.4.1-alpha.
  - Instead of trying to read the geoip configuration files from within the unit tests, instead create our own ersatz files with just enough geoip data in the format we expect. Trying to read from the source directory created problems on Windows with mingw, where the build system's paths are not the same as the platform's paths. Fixes bug 25787; bugfix on 0.3.4.1-alpha.
  - Refrain from trying to get an item from an empty smartlist in test_bridges_clear_bridge_list. Set DEBUG_SMARTLIST in unit tests to catch improper smartlist usage. Furthermore, enable DEBUG_SMARTLIST globally when build is configured with fragile hardening. Fixes bug 26196; bugfix on 0.3.4.1-alpha.
[tor-talk] Tor 0.3.4.2-alpha is released!
Hi, all! There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time in the next few weeks.

There's also a new stable release coming out today; as usual, that one gets announced on the tor-announce mailing list.

Changes in version 0.3.4.2-alpha - 2018-06-12

Tor 0.3.4.2-alpha fixes several minor bugs in the previous alpha release, and forward-ports an authority-only security fix from 0.3.3.6.

o Directory authority changes:
  - Add an IPv6 address for the "dannenberg" directory authority. Closes ticket 26343.

o Major bugfixes (security, directory authority, denial-of-service, also in 0.3.3.6):
  - Fix a bug that could have allowed an attacker to force a directory authority to use up all its RAM by passing it a maliciously crafted protocol versions string. Fixes bug 25517; bugfix on 0.2.9.4-alpha. This issue is also tracked as TROVE-2018-005.

o Minor features (continuous integration):
  - Add the necessary configuration files for continuous integration testing on Windows, via the Appveyor platform. Closes ticket 25549. Patches from Marcin Cieślak and Isis Lovecruft.

o Minor features (geoip):
  - Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2 Country database. Closes ticket 26351.

o Minor bugfixes (compatibility, openssl):
  - Work around a change in OpenSSL 1.1.1 where return values that would previously indicate "no password" now indicate an empty password. Without this workaround, Tor instances running with OpenSSL 1.1.1 would accept descriptors that other Tor instances would reject. Fixes bug 26116; bugfix on 0.2.5.16.

o Minor bugfixes (compilation):
  - Silence unused-const-variable warnings in zstd.h with some GCC versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.
  - Fix compilation when using OpenSSL 1.1.0 with the "no-deprecated" flag enabled. Fixes bug 26156; bugfix on 0.3.4.1-alpha.
  - Avoid a compiler warning when casting the return value of smartlist_len() to double with DEBUG_SMARTLIST enabled. Fixes bug 26283; bugfix on 0.2.4.10-alpha.

o Minor bugfixes (control port):
  - Do not count 0-length RELAY_COMMAND_DATA cells as valid data in CIRC_BW events. Previously, such cells were counted entirely in the OVERHEAD field. Now they are not. Fixes bug 26259; bugfix on 0.3.4.1-alpha.

o Minor bugfixes (controller):
  - Improve accuracy of the BUILDTIMEOUT_SET control port event's TIMEOUT_RATE and CLOSE_RATE fields. (We were previously miscounting the total number of circuits for these field values.) Fixes bug 26121; bugfix on 0.3.3.1-alpha.

o Minor bugfixes (hardening):
  - Prevent a possible out-of-bounds smartlist read in protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

o Minor bugfixes (onion services):
  - Fix a bug that blocked the creation of ephemeral v3 onion services. Fixes bug 25939; bugfix on 0.3.4.1-alpha.

o Minor bugfixes (test coverage tools):
  - Update our "cov-diff" script to handle output from the latest version of gcov, and to remove extraneous timestamp information from its output. Fixes bugs 26101 and 26102; bugfix on 0.2.5.1-alpha.
Re: [tor-talk] Post Quantum Tor
For current work on postquantum handshake support in Tor, see proposals 263, 269, 270, and ticket #24985.

A digression: Personally, I don't agree that the evidence is so convincing about the NSA being able to break 256-bit ECDSA today: if they have it, then they'd treat it as a big secret, and not go around cagily implying that they had it. When they brag publicly about their capabilities, they're usually not doing so in order to advertise secret advances that the world doesn't know about.

Of course, by the same argument, we don't have much evidence that there *aren't* scalable quantum computers today. If somebody has one, it makes sense that they would be keeping quiet about it. And even if there aren't large-scale quantum computers today, we need to keep in mind that any future such quantum computer would be able to decrypt today's traffic.

So I think the sensible thing to do is to be cautious, and work under the assumption that we'll need to move our key exchange to a PQ handshake, according to something like the proposals above.

cheers,
--
Nick
[tor-talk] Tor 0.3.4.1-alpha: source code now released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time in the coming weeks.

(And no, we haven't forgotten about the 0.3.3.x series -- there should be a stable release out there "really soon now".)

Here's what's new since 0.3.3.5-rc!

Changes in version 0.3.4.1-alpha - 2018-05-17
Tor 0.3.4.1-alpha is the first release in the 0.3.4.x series. It includes refactoring to begin reducing Tor's binary size and idle CPU usage on mobile, along with prep work for new bandwidth scanners, improvements to the experimental "vanguards" feature, and numerous other small features and bugfixes.

o New system requirements:
  - Tor no longer tries to support old operating systems without mmap() or some local equivalent. Apparently, compilation on such systems has been broken for some time, without anybody noticing or complaining. Closes ticket 25398.

o Major feature (directory authority, modularization):
  - The directory authority subsystem has been modularized. The code is now located in src/or/dirauth/, and is compiled in by default. To disable the module, the configure option --disable-module-dirauth has been added. This module may be disabled by default in some future release. Closes ticket 25610.

o Major features (main loop, CPU usage):
  - When Tor is disabled (via DisableNetwork or via hibernation), it no longer needs to run any per-second events. This change should make it easier for mobile applications to disable Tor while the device is sleeping, or Tor is not running. Closes ticket 26063.
  - Tor no longer enables all of its periodic events by default. Previously, Tor would enable all possible main loop events, regardless of whether it needed them. Furthermore, many of these events are now disabled when Tor is hibernating or DisableNetwork is set. This is a big step towards reducing client CPU usage by reducing the amount of wake-ups the daemon does. Closes ticket 25376 and 25762.
  - The bandwidth-limitation logic has been refactored so that bandwidth calculations are performed on-demand, rather than every TokenBucketRefillInterval milliseconds. This change should improve the granularity of our bandwidth calculations, and limit the number of times that the Tor process needs to wake up when it is idle. Closes ticket 25373.
  - Move responsibility for many operations from a once-per-second callback to a callback that is only scheduled as needed. Moving this functionality has allowed us to disable the callback when Tor's network is disabled. Once enough items are removed from our once-per-second callback, we can eliminate it entirely to conserve CPU when idle. The functionality removed includes: closing connections, circuits, and channels (ticket 25932); consensus voting (25937); flushing log callbacks (25951); honoring delayed SIGNEWNYM requests (25949); rescanning the consensus cache (25931); saving the state file to disk (25948); warning relay operators about unreachable ports (25952); and keeping track of Tor's uptime (26009).

o Major bugfixes (directory authorities, security):
  - When directory authorities read a zero-byte bandwidth file, they would previously log a warning with the contents of an uninitialised buffer. They now log a warning about the empty file instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

o Major bugfixes (crash):
  - Avoid a rare assertion failure in the circuit build timeout code if we fail to allow any circuits to actually complete. Fixes bug 25733; bugfix on 0.2.2.2-alpha.

o Major bugfixes (directory authority):
  - Avoid a crash when testing router reachability on a router that could have an ed25519 ID, but which does not. Fixes bug 25415; bugfix on 0.3.3.2-alpha.

o Major bugfixes (onion service):
  - Correctly detect when onion services get disabled after HUP. Fixes bug 25761; bugfix on 0.3.2.1.

o Major bugfixes (protover, voting):
  - Revise Rust implementation of protover to use a more memory-efficient voting algorithm and corresponding data structures, thus avoiding a potential (but small impact) DoS attack where specially crafted protocol strings would expand to several potential megabytes in memory. In the process, several portions of code were revised to be methods on new, custom types, rather than functions taking interchangeable types, thus increasing type safety of
[tor-talk] Tor 0.3.3.5-rc: source code is released!
Hi, all!

There's a new Tor release candidate available as source code! Because it's a release candidate, you should only run it if you're ready to find bugs, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely some time this week.

Here's what's new:

Changes in version 0.3.3.5-rc - 2018-04-15
Tor 0.3.3.5-rc fixes various bugs in earlier versions of Tor, including some that could affect reliability or correctness.

This is the first release candidate in the 0.3.3 series. If we find no new bugs or regression here, then the first stable 0.3.3 release will be nearly identical to this one.

o Major bugfixes (security, protover, voting):
  - Revise Rust implementation of protover to use a more memory-efficient voting algorithm and corresponding data structures, thus avoiding a potential memory-based DoS attack where specially crafted protocol strings would expand to fill available memory. Fixes bug 24031; bugfix on 0.3.3.1-alpha.

o Major bugfixes (performance, load balancing):
  - Directory authorities no longer vote in favor of the Guard flag for relays without directory support. Starting in Tor 0.3.0.1-alpha, clients have been avoiding using such relays in the Guard position, leading to increasingly broken load balancing for the 5%-or-so of Guards that don't advertise directory support. Fixes bug 22310; bugfix on 0.3.0.6.

o Minor feature (continuous integration):
  - Update the Travis CI configuration to use the stable Rust channel, now that we have decided to require that. Closes ticket 25714.

o Minor features (config options):
  - Change the way the default value for MaxMemInQueues is calculated. We now use 40% of the hardware RAM if the system has 8 GB RAM or more. Otherwise we use the former value of 75%. Closes ticket 24782.

o Minor features (geoip):
  - Update geoip and geoip6 to the April 3 2018 Maxmind GeoLite2 Country database. Closes ticket 25718.

o Minor bugfixes (client):
  - When using a listed relay as a bridge, and also using microdescriptors, and considering that relay as a non-bridge in a circuit, treat its microdescriptor as a valid source of information about that relay. This change should prevent a non-fatal assertion error. Fixes bug 25691; bugfix on 0.3.3.4-alpha.

o Minor bugfixes (controller):
  - Restore the correct operation of the RESOLVE command, which had been broken since we added the ability to enable/disable DNS on specific listener ports. Fixes bug 25617; bugfix on 0.2.9.3-alpha.

o Minor bugfixes (distribution, compilation, rust):
  - Build correctly when the rust dependencies submodule is loaded, but the TOR_RUST_DEPENDENCIES environment variable is not set. Fixes bug 25679; bugfix on 0.3.3.1-alpha.
  - Actually include all of our Rust source in our source distributions. (Previously, a few of the files were accidentally omitted.) Fixes bug 25732; bugfix on 0.3.3.2-alpha.

o Minor bugfixes (documentation):
  - Document that the PerConnBW{Rate,Burst} options will fall back to their corresponding consensus parameters only if those parameters are set. Previously we had claimed that these values would always be set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.
  - Revert a misformatting issue in the ExitPolicy documentation. Fixes bug 25582; bugfix on 0.3.3.1-alpha.

o Minor bugfixes (exit node DNS retries):
  - Re-attempt timed-out DNS queries 3 times before failure, since our timeout is 5 seconds for them, but clients wait 10-15. Also allow slightly more timeouts per resolver when an exit has multiple resolvers configured. Fixes bug 21394; bugfix on 0.3.1.9.

o Minor bugfixes (onion services):
  - Re-instate counting the client HSDir fetch circuits against the MaxClientCircuitsPending rate limit. Fixes bug 24989; bugfix on 0.3.3.1-alpha.
  - Remove underscores from the _HSLayer{2,3}Nodes options. This expert-user configuration can now be enabled as HSLayer{2,3}Nodes. Fixes bug 25581; bugfix on 0.3.3.1-alpha

o Code simplification and refactoring:
  - Move the list of default directory authorities to its own file. Closes ticket 24854. Patch by "beastr0".

o Documentation (manpage, denial of service):
  - Provide more detail about the denial-of-service options, by listing each mitigation and explaining how they relate. Closes ticket 25248.
[tor-talk] Tor 0.3.3.4-alpha source code is released
Hi, all!

There's a new alpha Tor release available as source code! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by some time in April.

Here's what's new:

Changes in version 0.3.3.4-alpha - 2018-03-29
Tor 0.3.3.4-alpha includes various bugfixes for issues found during the alpha testing of earlier releases in its series. We are approaching a stable 0.3.3.4-alpha release: more testing is welcome!

o New system requirements:
  - When built with Rust, Tor now depends on version 0.2.39 of the libc crate. Closes tickets 25310 and 25664.

o Major bugfixes (relay, connection):
  - If we have failed to connect to a relay and received a connection refused, timeout, or similar error (at the TCP level), do not try that same address/port again for 60 seconds after the failure has occurred. Fixes bug 24767; bugfix on 0.0.6.

o Minor features (geoip):
  - Update geoip and geoip6 to the March 8 2018 Maxmind GeoLite2 Country database. Closes ticket 25469.

o Minor features (log messages):
  - Improve log message in the out-of-memory handler to include information about memory usage from the different compression backends. Closes ticket 25372.

o Minor features (sandbox):
  - Explicitly permit the poll() system call when the Linux seccomp2-based sandbox is enabled: apparently, some versions of libc use poll() when calling getpwnam(). Closes ticket 25313.

o Minor bugfixes (C correctness):
  - Fix a very unlikely (impossible, we believe) null pointer dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by Coverity; this is CID 1430932.

o Minor bugfixes (channel, client):
  - Better identify client connection when reporting to the geoip client cache. Fixes bug 24904; bugfix on 0.3.1.7.

o Minor bugfixes (compilation):
  - Fix a C99 compliance issue in our configuration script that caused compilation issues when compiling Tor with certain versions of xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.

o Minor bugfixes (controller, reliability):
  - Avoid a (nonfatal) assertion failure when extending a one-hop circuit from the controller to become a multihop circuit. Fixes bug 24903; bugfix on 0.2.5.2-alpha.

o Minor bugfixes (networking):
  - Tor will no longer reject IPv6 address strings from TorBrowser when they are passed as hostnames in SOCKS5 requests. Fixes bug 25036, bugfix on Tor 0.3.1.2.
  - string_is_valid_hostname() will not consider IP strings to be valid hostnames. Fixes bug 25055; bugfix on Tor 0.2.5.5.

o Minor bugfixes (onion service v3):
  - Avoid an assertion failure when the next onion service descriptor rotation type is out of sync with the consensus's valid-after time. Instead, log a warning message with extra information, so we can better hunt down the cause of this assertion. Fixes bug 25306; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (testing):
  - Avoid intermittent test failures due to a test that had relied on onion service introduction point creation finishing within 5 seconds of real clock time. Fixes bug 25450; bugfix on 0.3.1.3-alpha.
  - Rust crates are now automatically detected and tested. Previously, some crates were not tested by `make test-rust` due to a static string in the `src/test/test_rust.sh` script specifying which crates to test. Fixes bug 25560; bugfix on 0.3.3.3-alpha.

o Minor bugfixes (testing, benchmarks):
  - Fix a crash when running benchmark tests on win32 systems. The crash was due to a mutex that wasn't initialized before logging and options were initialized. Fixes bug 25479; bugfix on 0.3.3.3-alpha.

o Minor bugfixes (warnings, ipv6):
  - Avoid a bug warning that could occur when trying to connect to a relay over IPv6. This warning would occur on a Tor instance that downloads router descriptors, but prefers to use microdescriptors. Fixes bug 25213; bugfix on 0.3.3.1-alpha.

o Code simplification and refactoring:
  - Remove the old (deterministic) directory retry logic entirely: We've used exponential backoff exclusively for some time. Closes ticket 23814.

o Documentation:
  - Improved the documentation of AccountingStart parameter. Closes ticket 23635.
  - Update the documentation for "Log" to include the current list of logging domains. Closes ticket 25378.
[tor-talk] New releases today: relays, please consider upgrading.
Hi!

There are new security releases today. The official announcement just went to tor-announce, but I want to make sure that people on this list see it too.

In brief:
* Directory authorities should upgrade.
* Relays running 0.3.2.1-alpha through 0.3.2.9 should upgrade.
* Relays running 0.3.3.1-alpha should upgrade.
* All other relays may wish to upgrade in order to improve their resistance to denial-of-service attacks.
* [Clients should not need to upgrade, but may wish to anyway, in order to get other features or bugfixes.]

If you build Tor from source, the source code is available at https://dist.torproject.org/ . Packages should be available over the coming days.

For the complete announcement, including changelogs, see https://lists.torproject.org/pipermail/tor-announce/2018-March/000152.html

best wishes,
-- Nick
[tor-talk] Upcoming security releases for Tor 0.2.9 and up.
Hi!

This coming week, we'll be putting out new stable releases for 0.2.9 and later to fix a few security bugs. The highest-severity bug to be fixed is severity "medium".

These releases will also backport the anti-DoS features from Tor 0.3.3.

Relays and authorities should be sure to upgrade once packages are available; these issues are not high-priority for clients.

best wishes,
-- Nick
[tor-talk] Tor 0.3.3.2-alpha is released
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely in a couple of weeks.

Here's what's new!

Changes in version 0.3.3.2-alpha - 2018-02-10
Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It introduces a mechanism to handle the high loads that many relay operators have been reporting recently. It also fixes several bugs in older releases. If this new code proves reliable, we plan to backport it to older supported release series.

o Major features (denial-of-service mitigation):
  - Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there's no need to configure anything manually. Implements ticket 24902.

o Major bugfixes (netflow padding):
  - Stop adding unneeded channel padding right after we finish flushing to a connection that has been trying to flush for many seconds. Instead, treat all partial or complete flushes as activity on the channel, which will defer the time until we need to add padding. This fix should resolve confusing and scary log messages like "Channel padding timeout scheduled 221453ms in the past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.

o Major bugfixes (protocol versions):
  - Add Link protocol version 5 to the supported protocols list. Fixes bug 25070; bugfix on 0.3.1.1-alpha.

o Major bugfixes (scheduler, consensus):
  - The scheduler subsystem was failing to promptly notice changes in consensus parameters, making it harder to switch schedulers network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.

o Minor features (denial-of-service avoidance):
  - Make our OOM handler aware of the geoip client history cache so it doesn't fill up the memory. This check is important for IPv6 and our DoS mitigation subsystem. Closes ticket 25122.

o Minor features (directory authority):
  - When directory authorities are unable to add signatures to a pending consensus, log the reason why. Closes ticket 24849.

o Minor features (geoip):
  - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2 Country database.

o Minor features (logging, diagnostic):
  - When logging a failure to create an onion service's descriptor, also log what the problem with the descriptor was. Diagnostic for ticket 24972.

o Minor bugfix (channel connection):
  - Use the actual observed address of an incoming relay connection, not the canonical address of the relay from its descriptor, when making decisions about how to handle the incoming connection. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".

o Minor bugfix (directory authority):
  - Directory authorities, when refusing a descriptor from a rejected relay, now explicitly tell the relay (in its logs) to set a valid ContactInfo address and contact the bad-relays@ mailing list. Fixes bug 25170; bugfix on 0.2.9.1.

o Minor bugfixes (all versions of Tor):
  - Use the "misspell" tool to detect and fix typos throughout the source code. Fixes bug 23650; bugfix on various versions of Tor. Patch from Deepesh Pathak.

o Minor bugfixes (circuit, cannibalization):
  - Don't cannibalize preemptively-built circuits if we no longer recognize their first hop. This situation can happen if our Guard relay went off the consensus after the circuit was created. Fixes bug 24469; bugfix on 0.0.6.

o Minor bugfixes (correctness):
  - Remove a nonworking, unnecessary check to see whether a circuit hop's identity digest was set when the circuit failed. Fixes bug 24927; bugfix on 0.2.4.4-alpha.

o Minor bugfixes (logging):
  - Don't treat inability to store a cached consensus object as a bug: it can happen normally when we are out of disk space. Fixes bug 24859; bugfix on 0.3.1.1-alpha.
  - Fix a (mostly harmless) race condition when invoking
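The first two defenses described in the 0.3.3.2-alpha changelog above, modeled as a small per-address simulation. This is an added example, not code from Tor or from the original message; the struct layout, the function names, the fixed one-hour block and the reading of "too many connections open (3)" as "three or more" are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Default parameters as quoted in the 0.3.3.2-alpha changelog. */
#define CONN_MAX_CONCURRENT 100u /* first defense: ">100" connections */
#define CIRC_RATE 3u             /* create cells allowed per second */
#define CIRC_BURST 90u           /* token bucket capacity */
#define CIRC_MIN_CONNS 3u        /* open connections needed before blocking */
/* The changelog says "1-2 hours"; a fixed one hour is an assumption. */
#define CIRC_BLOCK_SECS 3600u

/* Per-client-address state (hypothetical layout, not Tor's own struct). */
typedef struct {
  uint32_t conns;         /* currently open connections */
  uint32_t tokens;        /* create cells this address may still send */
  uint64_t last_refill;   /* time of the last refill, in seconds */
  uint64_t blocked_until; /* create cells are refused before this time */
} client_state_t;

void client_init(client_state_t *c, uint64_t now) {
  c->conns = 0;
  c->tokens = CIRC_BURST;
  c->last_refill = now;
  c->blocked_until = 0;
}

/* First defense: refuse connections beyond the concurrent limit. */
bool client_connect(client_state_t *c) {
  if (c->conns >= CONN_MAX_CONCURRENT) return false;
  c->conns++;
  return true;
}

void client_disconnect(client_state_t *c) {
  if (c->conns > 0) c->conns--;
}

/* Add CIRC_RATE tokens per elapsed second, never exceeding the burst. */
static void refill(client_state_t *c, uint64_t now) {
  if (now <= c->last_refill) return; /* same second, or clock went back */
  uint64_t elapsed = now - c->last_refill;
  c->last_refill = now;
  /* Cap before multiplying so a long idle period cannot overflow. */
  if (elapsed >= CIRC_BURST) { c->tokens = CIRC_BURST; return; }
  uint64_t t = c->tokens + elapsed * CIRC_RATE;
  c->tokens = (uint32_t)(t > CIRC_BURST ? CIRC_BURST : t);
}

/* Second defense: returns true if this create cell is accepted. */
bool client_create_cell(client_state_t *c, uint64_t now) {
  refill(c, now);
  if (now < c->blocked_until) return false;
  if (c->tokens > 0) { c->tokens--; return true; }
  /* Bucket empty: block only if the address also holds enough connections. */
  if (c->conns >= CIRC_MIN_CONNS) {
    c->blocked_until = now + CIRC_BLOCK_SECS;
    return false;
  }
  return true; /* over the rate, but too few connections to be blocked */
}

/* Send n create cells at time `now`; return how many were accepted. */
unsigned send_creates(client_state_t *c, uint64_t now, unsigned n) {
  unsigned ok = 0;
  for (unsigned i = 0; i < n; i++)
    if (client_create_cell(c, now)) ok++;
  return ok;
}

int main(void) {
  client_state_t quiet, busy;
  client_init(&quiet, 0);
  client_init(&busy, 0);
  client_connect(&quiet);
  for (int i = 0; i < 3; i++) client_connect(&busy);
  printf("1 connection, 200 creates: %u accepted\n",
         send_creates(&quiet, 0, 200));
  printf("3 connections, 200 creates: %u accepted\n",
         send_creates(&busy, 0, 200));
  printf("3 connections, 10 s later: %u accepted\n",
         send_creates(&busy, 10, 5));
  printf("3 connections, after the block: %u accepted\n",
         send_creates(&busy, CIRC_BLOCK_SECS, 5));
  return 0;
}
```

A client that stays at 3 create cells per second never empties the bucket, so only bursts beyond 90 from an address with several open connections trigger the block.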
[tor-talk] Tor 0.3.3.1-alpha is released!
Hi, all!

There's a new alpha Tor release! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with an alpha Tor Browser release likely some time in February.

Here's what's new!

Changes in version 0.3.3.1-alpha - 2018-01-25
Tor 0.3.3.1-alpha is the first release in the 0.3.3.x series. It adds several new features to Tor, including several improvements to bootstrapping, and support for an experimental "vanguards" feature to resist guard discovery attacks. This series also includes better support for applications that need to embed Tor or manage v3 onion services.

o Major features (embedding):
  - There is now a documented stable API for programs that need to embed Tor. See tor_api.h for full documentation and known bugs. Closes ticket 23684.
  - Tor now has support for restarting in the same process. Controllers that run Tor using the "tor_api.h" interface can now restart Tor after Tor has exited. This support is incomplete, however: we fixed crash bugs that prevented it from working at all, but many bugs probably remain, including a possibility of security issues. Implements ticket 24581.

o Major features (IPv6, directory documents):
  - Add consensus method 27, which adds IPv6 ORPorts to the microdesc consensus. This information makes it easier for IPv6 clients to bootstrap and choose reachable entry guards. Implements 23826.
  - Add consensus method 28, which removes IPv6 ORPorts from microdescriptors. Now that the consensus contains IPv6 ORPorts, they are redundant in microdescs. This change will be used by Tor clients on 0.2.8.x and later. (That is to say, with all Tor clients having IPv6 bootstrap and guard support.) Implements 23828.
  - Expand the documentation for AuthDirHasIPv6Connectivity when it is set by different numbers of authorities. Fixes 23870 on 0.2.4.1-alpha.

o Major features (onion service v3, control port):
  - The control port now supports commands and events for v3 onion services. It is now possible to create ephemeral v3 services using ADD_ONION. Additionally, several events (HS_DESC, HS_DESC_CONTENT, CIRC and CIRC_MINOR) and commands (GETINFO, HSPOST, ADD_ONION and DEL_ONION) have been extended to support v3 onion services. Closes ticket 20699; implements proposal 284.

o Major features (onion services):
  - Provide torrc options to pin the second and third hops of onion service circuits to a list of nodes. The option HSLayer2Guards pins the second hop, and the option HSLayer3Guards pins the third hop. These options are for use in conjunction with experiments with "vanguards" for preventing guard enumeration attacks. Closes ticket 13837.

o Major features (rust, portability, experimental):
  - Tor now ships with an optional implementation of one of its smaller modules (protover.c) in the Rust programming language. To try it out, install a Rust build environment, and configure Tor with "--enable-rust --enable-cargo-online-mode". This should not cause any user-visible changes, but should help us gain more experience with Rust, and plan future Rust integration work. Implementation by Chelsea Komlo. Closes ticket 22840.

o Major features (storage, configuration):
  - Users can store cached directory documents somewhere other than the DataDirectory by using the CacheDirectory option. Similarly, the storage location for relay's keys can be overridden with the KeyDirectory option. Closes ticket 22703.

o Major features (v3 onion services, ipv6):
  - When v3 onion service clients send introduce cells, they now include the IPv6 address of the rendezvous point, if it has one. Current v3 onion services running 0.3.2 ignore IPv6 addresses, but in future Tor versions, IPv6-only v3 single onion services will be able to use IPv6 addresses to connect directly to the rendezvous point. Closes ticket 23577. Patch by Neel Chauhan.

o Major bugfixes (onion services, retry behavior):
  - Fix an "off by 2" error in counting rendezvous failures on the onion service side. While we thought we would stop the rendezvous attempt after one failed circuit, we were actually making three circuit attempts before giving up. Now switch to a default of 2, and allow the consensus parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895; bugfix on 0.0.6.
  - New-style (v3) onion services now obey the "max rendezvous circuit attempts" logic. Previously they would make as many rendezvous
[tor-talk] Tor 0.3.2.8-rc is released
Hi, all!

Tor 0.3.2.8-rc is released. If you build Tor from source code, why not fetch it from our download page and try it out? If you use precompiled packages, then there should be releases soon. There probably won't be a Tor Browser release for this one; the issues fixed here are mainly (but not exclusively) relevant to relays.

Changes in version 0.3.2.8-rc - 2017-12-21
Tor 0.3.2.8-rc fixes a pair of bugs in the KIST and KISTLite schedulers that had led servers under heavy load to overload their outgoing connections. All relay operators running earlier 0.3.2.x versions should upgrade. This version also includes a mitigation for over-full DESTROY queues leading to out-of-memory conditions: if it works, we will soon backport it to earlier release series.

This is the second release candidate in the 0.3.2 series. If we find no new bugs or regression here, then the first stable 0.3.2 release will be nearly identical to this.

o Major bugfixes (KIST, scheduler):
  - The KIST scheduler did not correctly account for data already enqueued in each connection's send socket buffer, particularly in cases when the TCP/IP congestion window was reduced between scheduler calls. This situation led to excessive per-connection buffering in the kernel, and a potential memory DoS. Fixes bug 24665; bugfix on 0.3.2.1-alpha.

o Minor features (geoip):
  - Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2 Country database.

o Minor bugfixes (hidden service v3):
  - Bump hsdir_spread_store parameter from 3 to 4 in order to increase the probability of reaching a service for a client missing microdescriptors. Fixes bug 24425; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (memory usage):
  - When queuing DESTROY cells on a channel, only queue the circuit-id and reason fields: not the entire 514-byte cell. This fix should help mitigate any bugs or attacks that fill up these queues, and free more RAM for other uses. Fixes bug 24666; bugfix on 0.2.5.1-alpha.

o Minor bugfixes (scheduler, KIST):
  - Use a sane write limit for KISTLite when writing onto a connection buffer instead of using INT_MAX and shoving as much as it can. Because the OOM handler cleans up circuit queues, we are better off at keeping them in that queue instead of the connection's buffer. Fixes bug 24671; bugfix on 0.3.2.1-alpha.
[tor-talk] Tor 0.3.2.7-rc is released!
Hi, all!

Tor 0.3.2.7-rc is released. If you build Tor from source code, why not fetch it from our download page and try it out? If you use precompiled packages, then there should be releases soon, including a Tor Browser alpha release likely next week.

Here are the changes since 0.3.2.6-alpha:

Changes in version 0.3.2.7-rc - 2017-12-14
Tor 0.3.2.7-rc fixes various bugs in earlier versions of Tor, including some that could affect reliability or correctness.

This is the first release candidate in the 0.3.2 series. If we find no new bugs or regression here, then the first stable 0.3.2 release will be nearly identical to this.

o Major bugfixes (circuit prediction):
  - Fix circuit prediction logic so that a client doesn't treat a port as being "handled" by a circuit if that circuit already has isolation settings on it. This change should make Tor clients more responsive by improving their chances of having a pre-created circuit ready for use when a request arrives. Fixes bug 18859; bugfix on 0.2.3.3-alpha.

o Minor features (logging):
  - Provide better warnings when the getrandom() syscall fails. Closes ticket 24500.

o Minor features (portability):
  - Tor now compiles correctly on arm64 with libseccomp-dev installed. (It doesn't yet work with the sandbox enabled.) Closes ticket 24424.

o Minor bugfixes (bridge clients, bootstrap):
  - Retry directory downloads when we get our first bridge descriptor during bootstrap or while reconnecting to the network. Keep retrying every time we get a bridge descriptor, until we have a reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
  - Stop delaying bridge descriptor fetches when we have cached bridge descriptors. Instead, only delay bridge descriptor fetches when we have at least one reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
  - Stop delaying directory fetches when we have cached bridge descriptors. Instead, only delay bridge descriptor fetches when all our bridges are definitely unreachable. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.

o Minor bugfixes (compilation):
  - Fix a signed/unsigned comparison warning introduced by our fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.

o Minor bugfixes (correctness):
  - Fix several places in our codebase where a C compiler would be likely to eliminate a check, based on assuming that undefined behavior had not happened elsewhere in the code. These cases are usually a sign of redundant checking or dubious arithmetic. Found by Georg Koppen using the "STACK" tool from Wang, Zeldovich, Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various Tor versions.

o Minor bugfixes (onion service v3):
  - Fix a race where an onion service would launch a new intro circuit after closing an old one, but fail to register it before freeing the previously closed circuit. This bug was making the service unable to find the established intro circuit and thus not upload its descriptor, thus making a service unavailable for up to 24 hours. Fixes bug 23603; bugfix on 0.3.2.1-alpha.

o Minor bugfixes (scheduler, KIST):
  - Properly set the scheduler state of an unopened channel in the KIST scheduler main loop. This prevents a harmless but annoying log warning. Fixes bug 24502; bugfix on 0.3.2.4-alpha.
  - Avoid a possible integer overflow when computing the available space on the TCP buffer of a channel. This had no security implications; but could make KIST allow too many cells on a saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
  - Downgrade to "info" a harmless warning about the monotonic time moving backwards: This can happen on platform not supporting monotonic time. Fixes bug 23696; bugfix on 0.3.2.1-alpha.
[tor-talk] New Tor security releases: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, and 0.3.2.6-alpha
There are new releases of Tor to fix several security issues. If you build Tor from source code, you can download them from the download page on the website. If you need an older release series, go to https://dist.torproject.org/ .

For users who do not build from source: packages should be available soon.

All users should upgrade when possible.

These releases fix the following security bugs. For more information on each one, see the links from https://trac.torproject.org/projects/tor/wiki/TROVE

TROVE-2017-009: Replay-cache ineffective for v2 onion services
TROVE-2017-010: Remote DoS attack against directory authorities
TROVE-2017-011: An attacker can make Tor ask for a password
TROVE-2017-012: Relays can pick themselves in a circuit path
TROVE-2017-013: Use-after-free in onion service v2

Remember that the following release series are approaching end-of-life:

0.2.8 on 1 Jan 2018
0.3.0 on 26 Jan 2018
0.2.5 on 1 May 2018

If you need a release series with long term support, stick to 0.2.9.x. Otherwise, please stay up-to-date with the latest stable release series (or with the alphas, if you are feeling brave and you like reporting bugs).

Below is the changelog for 0.3.2.6-alpha. The changelogs for the stable releases were sent to tor-announce as usual.

Changes in version 0.3.2.6-alpha - 2017-12-01
This version of Tor is the latest in the 0.3.2 alpha series. It includes fixes for several important security issues. All Tor users should upgrade to this release, or to one of the other releases coming out today.

o Major bugfixes (security):
  - Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
  - Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820.
  - When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor's legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819.

o Major bugfixes (security, onion service v2):
  - Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823.

o Major bugfixes (security, relay):
  - When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  - When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

o Minor feature (relay statistics):
  - Change relay bandwidth reporting stats interval from 4 hours to 24 hours in order to reduce the efficiency of guard discovery attacks. Fixes ticket 23856.

o Minor features (directory authority):
  - Add an IPv6 address for the "bastet" directory authority. Closes ticket 24394.

o Minor bugfixes (client):
  - By default, do not enable storage of client-side DNS values. These values were unused by default previously, but they should not have been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
[tor-talk] Security releases tomorrow for Tor
Hello! I'm sending this message to announce that we will be releasing new stable and versions of Tor tomorrow, to fix 5 security bugs. I apologise for the short notice; we've had to move up our intended release date in order to try to match with release deadlines for downstream projects. We have classified 3 of these bugs as Medium and 2 as High, per draft security process at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy . The most serious bugs are a pair of denial-of-service issues, which we treat as high security because of the possibility of escalating them for traffic-analysis purposes. Note that only the following series are supported, and only they will receive updates: 0.2.5, 0.2.8, 0.2.9, 0.3.0, 0.3.1, and 0.3.2. 0.2.8 and 0.3.0 will become unsupported in January; 0.2.5 will become unsupported in May. best wishes, -- Nick
[tor-talk] Tor 0.3.2.5-alpha is released
Hello! There's a fun new alpha you can run! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days. There probably won't be a Tor Browser release for this one -- it's likelier to include the next alpha instead, which should be out in early December.

Here's what's new since 0.3.2.4-alpha:

Changes in version 0.3.2.5-alpha - 2017-11-22
  Tor 0.3.2.5-alpha is the fifth alpha release in the 0.3.2.x series. It fixes several stability and reliability bugs, including a fix for intermittent bootstrapping failures that some people have been seeing since the 0.3.0.x series. Please test this alpha out -- many of these fixes will soon be backported to stable Tor versions if no additional bugs are found in them.

  o Major bugfixes (bootstrapping):
    - Fetch descriptors aggressively whenever we lack enough to build circuits, regardless of how many descriptors we are missing. Previously, we would delay launching the fetch when we had fewer than 15 missing descriptors, even if some of those descriptors were blocking circuits from building. Fixes bug 23985; bugfix on 0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha, when we began treating missing descriptors from our primary guards as a reason to delay circuits.
    - Don't try fetching microdescriptors from relays that have failed to deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.

  o Minor features (directory authority):
    - Make the "Exit" flag assignment only depend on whether the exit policy allows connections to ports 80 and 443. Previously relays would get the Exit flag if they allowed connections to one of these ports and also port 6667. Resolves ticket 23637.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 Country database.

  o Minor features (linux seccomp2 sandbox):
    - Update the sandbox rules so that they should now work correctly with Glibc 2.26. Closes ticket 24315.

  o Minor features (logging):
    - Downgrade a pair of log messages that could occur when an exit's resolver gave us an unusual (but not forbidden) response. Closes ticket 24097.
    - Improve the message we log when re-enabling circuit build timeouts after having received a consensus. Closes ticket 20963.

  o Minor bugfixes (compilation):
    - Fix a memory leak warning in one of the libevent-related configuration tests that could occur when manually specifying -fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha. Found and patched by Alex Xu.
    - When detecting OpenSSL on Windows from our configure script, make sure to try linking with the ws2_32 library. Fixes bug 23783; bugfix on 0.3.2.2-alpha.

  o Minor bugfixes (control port, linux seccomp2 sandbox):
    - Avoid a crash when attempting to use the seccomp2 sandbox together with the OwningControllerProcess feature. Fixes bug 24198; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (control port, onion services):
    - Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the HS_DESC event when a service is not able to upload a descriptor. Fixes bug 24230; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (directory cache):
    - Recover better from empty or corrupt files in the consensus cache directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
    - When a consensus diff calculation is only partially successful, only record the successful parts as having succeeded. Partial success can happen if (for example) one compression method fails but the others succeed. Previously we misrecorded all the calculations as having succeeded, which would later cause a nonfatal assertion failure. Fixes bug 24086; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (logging):
    - Only log once if we notice that KIST support is gone. Fixes bug 24158; bugfix on 0.3.2.1-alpha.
    - Suppress a log notice when relay descriptors arrive. We already have a bootstrap progress for this so no need to log notice every time tor receives relay descriptors. Microdescriptors behave the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (network layer):
    - When closing a connection via close_connection_immediately(), we mark it as "not blocked on bandwidth", to prevent later calls from trying to unblock it, and give it permission to read. This fixes a backtrace warning that can happen on relays under various circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (onion services):
    - The
[tor-talk] New alpha release: Tor 0.3.2.4-alpha
Hello, everyone! There's a groovy new alpha you can run and look for bugs in! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by some time in the next week or so.

Here's what's new since 0.3.2.3-alpha!

Changes in version 0.3.2.4-alpha - 2017-11-08
  Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series. It fixes several stability and reliability bugs, especially including a major reliability issue that has been plaguing fast exit relays in recent months.

  o Major bugfixes (exit relays, DNS):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes, making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for identifying and finding a workaround to this bug and to Moritz, Arthur Edelstein, and Roger for helping to track it down and analyze it.

  o Major bugfixes (scheduler, channel):
    - Stop processing scheduled channels if they closed while flushing cells. This can happen if the write on the connection fails leading to the channel being closed while in the scheduler loop. Fixes bug 23751; bugfix on 0.3.2.1-alpha.

  o Minor features (logging, scheduler):
    - Introduce a SCHED_BUG() function to log extra information about the scheduler state if we ever catch a bug in the scheduler. Closes ticket 23753.

  o Minor features (removed deprecations):
    - The ClientDNSRejectInternalAddresses flag can once again be set in non-testing Tor networks, so long as they do not use the default directory authorities. This change also removes the deprecation of this flag from 0.2.9.2-alpha. Closes ticket 21031.

  o Minor features (testing):
    - Our fuzzing tests now test the encrypted portions of v3 onion service descriptors. Implements more of 21509.

  o Minor bugfixes (directory client):
    - On failure to download directory information, delay retry attempts by a random amount based on the "decorrelated jitter" algorithm. Our previous delay algorithm tended to produce extra-long delays too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (IPv6, v3 single onion services):
    - Remove buggy code for IPv6-only v3 single onion services, and reject attempts to configure them. This release supports IPv4, dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-stack v3 single onion services. Fixes bug 23820; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (logging, relay):
    - Give only a protocol warning when the ed25519 key is not consistent between the descriptor and microdescriptor of a relay. This can happen, for instance, if the relay has been flagged NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (manpage, onion service):
    - Document that the HiddenServiceNumIntroductionPoints option is 0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a minor memory leak at exit in the KIST scheduler. This bug should have no user-visible impact. Fixes bug 23774; bugfix on 0.3.2.1-alpha.
    - Fix a memory leak when decrypting a badly formatted v3 onion service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha. Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.

  o Minor bugfixes (onion services):
    - Cache some needed onion service client information instead of constantly computing it over and over again. Fixes bug 23623; bugfix on 0.3.2.1-alpha.
    - Properly retry HSv3 descriptor fetches when missing required directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (path selection):
    - When selecting relays by bandwidth, avoid a rounding error that could sometimes cause load to be imbalanced incorrectly. Previously, we would always round upwards; now, we round towards the nearest integer. This had the biggest effect when a relay's weight adjustments should have given it weight 0, but it got weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
    - When calculating the fraction of nodes that have descriptors, and all nodes in the network have zero bandwidths, count the number of nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
    - Actually log the total bandwidth in compute_weighted_bandwidths(). Fixes bug 24170; bugfix on 0.2.4.3-alpha.

  o Minor bugfixes (relay, crash):
    - Avoid a crash when transitioning from client mode to bridge mode.
[tor-talk] New alpha release: 0.3.2.3-alpha
Hi, all! There's a fun new alpha you can run and look for bugs in! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by some time in November.

(There were also new stable releases a few days ago, but they get announced on the nice low-volume tor-announcements mailing list.)

Here's what's new since 0.3.2.2-alpha!

Changes in version 0.3.2.3-alpha - 2017-10-27
  Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes numerous small bugs in earlier versions of 0.3.2.x, and adds a new directory authority, Bastet.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list. Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address. Closes ticket 23592.

  o Minor features (bridge):
    - Bridge relays can now set the BridgeDistribution config option to add a "bridge-distribution-request" line to their bridge descriptor, which tells BridgeDB how they'd like their bridge address to be given out. (Note that as of Oct 2017, BridgeDB does not yet implement this feature.) As a side benefit, this feature provides a way to distinguish bridge descriptors from non-bridge descriptors. Implements ticket 18329.

  o Minor features (client, entry guards):
    - Improve log messages when missing descriptors for primary guards. Resolves ticket 23670.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database.

  o Minor bugfixes (bridge):
    - Overwrite the bridge address earlier in the process of retrieving its descriptor, to make sure we reach it on the configured address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (documentation):
    - Document better how to read gcov, and what our gcov postprocessing scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (entry guards):
    - Tor now updates its guard state when it reads a consensus regardless of whether it's missing descriptors. That makes tor use its primary guards to fetch descriptors in some edge cases where it would previously have used fallback directories. Fixes bug 23862; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (hidden service client):
    - When handling multiple SOCKS requests for the same .onion address, only fetch the service descriptor once.
    - When a descriptor fetch fails with a non-recoverable error, close all pending SOCKS requests for that .onion. Fixes bug 23653; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (hidden service):
    - Always regenerate missing hidden service public key files. Prior to this, if the public key was deleted from disk, it wouldn't get recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch from "cathugger".
    - Make sure that we have a usable ed25519 key when the intro point relay supports ed25519 link authentication. Fixes bug 24002; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (hidden service, v2):
    - When reloading configured hidden services, copy all information from the old service object. Previously, some data was omitted, causing delays in descriptor upload, and other bugs. Fixes bug 23790; bugfix on 0.2.1.9-alpha.

  o Minor bugfixes (memory safety, defensive programming):
    - Clear the target address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (relay):
    - Avoid a BUG warning when receiving a dubious CREATE cell while an option transition is in progress. Fixes bug 23952; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (testing):
    - Adjust the GitLab CI configuration to more closely match that of Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
    - Prevent scripts/test/coverage from attempting to move gcov output to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
    - When running unit tests as root, skip a test that would fail because it expects a permissions error. This affects some continuous integration setups. Fixes bug 23758; bugfix on 0.3.2.2-alpha.
    - Stop unconditionally mirroring the tor repository in GitLab CI. This prevented developers from enabling GitLab CI on master. Fixes bug 23755; bugfix on 0.3.2.2-alpha.
    - Fix the hidden service v3 descriptor decoding fuzzing to use the latest decoding API correctly. Fixes bug 21509; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (warnings):
    - When we get an HTTP request on a SOCKS port, tell the user
[tor-talk] New alpha release: 0.3.2.1-alpha (and new release series too!)
Hi, everybody! After lots of work, we've got a tasty new alpha ready for you to find bugs in! Because it's an alpha, you should only run it if you're ready to find more bugs than usual, and report them on trac.torproject.org.

The source code is available from the usual place on www.torproject.org ; if you build Tor from source, why not give it a try? And if you don't build Tor from source, packages should be ready over the coming days, with a Tor Browser alpha release likely by the end of the month.

(There were also new stable releases today, but they get announced on the nice low-volume tor-announcements mailing list.)

If everything goes well, we're hoping to get this release series stabilized by mid-December.

Here's what's new!

Changes in version 0.3.2.1-alpha - 2017-09-18
  Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation ("v3") onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

  Below are the changes since Tor 0.3.1.7.

  o Major feature (scheduler, channel):
    - Tor now uses new schedulers to decide which circuits should deliver cells first, in order to improve congestion at relays. The first type is called "KIST" ("Kernel Informed Socket Transport"), and is only available on Linux-like systems: it uses feedback from the kernel to prevent the kernel's TCP buffers from growing too full. The second new scheduler type is called "KISTLite": it behaves the same as KIST, but runs on systems without kernel support for inspecting TCP implementation details. The old scheduler is still available, under the name "Vanilla". To change the default scheduler preference order, use the new "Schedulers" option. (The default preference order is "KIST,KISTLite,Vanilla".) Matt Traudt implemented KIST, based on research by Rob Jansen, John Geddes, Christ Wacek, Micah Sherr, and Paul Syverson. For more information, see the design paper at http://www.robgjansen.com/publications/kist-sec2014.pdf and the followup implementation paper at https://arxiv.org/abs/1709.01044. Closes ticket 12541.

  o Major features (next-generation onion services):
    - Tor now supports the next-generation onion services protocol for clients and services! As part of this release, the core of proposal 224 has been implemented and is available for experimentation and testing by our users. This newer version of onion services ("v3") features many improvements over the legacy system, including:

      a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
      b) Improved directory protocol, leaking much less information to directory servers.
      c) Improved directory protocol, with smaller surface for targeted attacks.
      d) Better onion address security against impersonation.
      e) More extensible introduction/rendezvous protocol.
      f) A cleaner and more modular codebase.

      You can identify a next-generation onion address by its length: they are 56 characters long, as in "4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion".

      In the future, we will release more options and features for v3 onion services, but we first need a testing period, so that the current codebase matures and becomes more robust. Planned features include: offline keys, advanced client authorization, improved guard algorithms, and statistics. For full details, see proposal 224.

      Legacy ("v2") onion services will still work for the foreseeable future, and will remain the default until this new codebase gets tested and hardened. Service operators who want to experiment with the new system can use the 'HiddenServiceVersion 3' torrc directive along with the regular onion service configuration options. We will publish a blog post about this new feature soon! Enjoy!

  o Major bugfixes (usability, control port):
    - Report trusted clock skew indications as bootstrap errors, so controllers can more easily alert users when their clocks are wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.

  o Minor features (bug detection):
    - Log a warning message with a stack trace for any attempt to call get_options() during option validation. This pattern has caused subtle bugs in the past. Closes ticket 22281.

  o Minor features (client):
    - You can now use Tor as a tunneled HTTP proxy: use the new HTTPTunnelPort option to open a port that accepts HTTP CONNECT requests. Closes ticket 22407.
    - Add an extra check to make sure that we always use the newer guard selection code for picking our guards. Closes ticket 22779.
    - When downloading (micro)descriptors, don't
[tor-talk] Advisory: Stack disclosure in hidden services logs when SafeLogging disabled
[TROVE-2017-008. CVE-2017-0380. Severity: medium]

Hello!

We have found a possible problem with the code that reports an error during the construction of an introduction point circuit. Because of this bug, it is possible that some hidden services will sometimes write sensitive information into their logs.

This bug can only happen when the SafeLogging option is disabled, and SafeLogging is enabled by default. If you have not disabled SafeLogging, then you should be fine.

We are tracking this bug as TROVE-2017-008 and as ticket #23490. It is also CVE-2017-0380.

MITIGATION:

1. If you are not running a hidden service, then you don't need to do anything. This bug does not affect you.

2. If you are running 0.2.5.x, this bug does not affect you: it first appeared in 0.2.7.2-alpha. Other bugs do affect you, though: 0.2.5.x is pretty old! (If you are running 0.2.4, or 0.2.6, or 0.2.7, you should just upgrade. We aren't supporting those releases.)

3. Make sure that you did not change the value of the SafeLogging option in your configuration -- or if you did, that you set it to "1". SafeLogging needs to be turned to "0" or "relay" for this bug to occur.

4. If you did disable SafeLogging, re-enable it: Set it to 1, and use a HUP signal to tell Tor to reload its configuration.

5. If you did disable SafeLogging, you should delete any old logs that were generated with SafeLogging disabled. (You should be regularly removing old logs anyway, as a best security practice.)

ACKNOWLEDGMENTS:

We found this when we re-added scan-build's dead assignment checker into the checkers that we run on Tor. Obviously, it's time to make sure that scan-build gets run more frequently.

FIX:

There are patches for this issue linked from ticket #23490 on our bugtracker. I will be putting out updated releases today. This bug will be fixed in 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7, and 0.3.2.1-alpha.
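The configuration checks in mitigation steps 1, 3 and 5 of the advisory above can be scripted. This is an added shell example, not part of the original message or of Tor's own tooling; the function names are hypothetical, and it assumes a single torrc file (no %include files, torrc-defaults or command-line overrides) in which the last SafeLogging line is the one in effect.

```shell
#!/bin/sh
# Audit a torrc against the TROVE-2017-008 mitigation steps (added example).
# Assumptions: one torrc file, no %include, no command-line overrides; when an
# option is repeated, the last occurrence is taken as the effective one.

# has_hidden_service FILE: exit 0 if the file configures a hidden service.
has_hidden_service() {
    awk '{ sub(/#.*/, "") }                      # drop comments
         tolower($1) == "hiddenservicedir" { found = 1 }
         END { exit !found }' "$1"
}

# effective_safelogging FILE: print the SafeLogging value in effect.
# Option names are matched case-insensitively; an absent option means the
# default, which the advisory states is enabled (1).
effective_safelogging() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "safelogging" { val = tolower($2) }
         END { print (val == "" ? "1" : val) }' "$1"
}

# log_files FILE: print every path that follows a "file" destination on a
# Log line, so the operator knows which logs to review (step 5).
log_files() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "log" {
             for (i = 2; i < NF; i++)
                 if (tolower($i) == "file") print $(i + 1)
         }' "$1"
}

# audit_torrc FILE: return 0 if the configuration is not exposed, 1 if
# SafeLogging is "0" or "relay" on a hidden service, 2 on an unknown value.
audit_torrc() {
    if ! has_hidden_service "$1"; then
        echo "OK: no hidden service configured; not affected"
        return 0
    fi
    value=$(effective_safelogging "$1")
    case $value in
        1)
            echo "OK: SafeLogging is enabled"
            return 0 ;;
        0|relay)
            echo "EXPOSED: SafeLogging is '$value'; set it to 1 and send Tor a HUP signal"
            log_files "$1" | while read -r path; do
                echo "  review and delete old logs written to: $path"
            done
            return 1 ;;
        *)
            echo "UNKNOWN: unrecognised SafeLogging value '$value'"
            return 2 ;;
    esac
}

# Constructed sample torrc (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
HiddenServiceDir /var/lib/tor/example_service/
HiddenServicePort 80 127.0.0.1:8080
Log notice file /var/log/tor/notices.log
SafeLogging relay   # turned down while debugging
EOF
audit_torrc "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

The script checks configuration only; whether the running Tor version is one of the affected releases still has to be compared against the version list in the advisory.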
[tor-talk] Tor 0.3.1.6-rc is released!
Hi, all! There's a new Tor release candidate available!

The source is available from the "download" page on the website, and packages should be available before long. The Tor Browser team expects to get a release out later this month.

This is a release candidate; please help find bugs in it! If we don't find any new critical problems, we'll be calling this release series "stable" soon.

Changes in version 0.3.1.6-rc - 2017-09-05
  Tor 0.3.1.6-rc fixes a few small bugs and annoyances in the 0.3.1 release series, including a bug that produced weird behavior on Windows directory caches.

  This is the first release candidate in the Tor 0.3.1 series. If we find no new bugs or regressions here, the first stable 0.3.1 release will be nearly identical to it.

  o Major bugfixes (windows, directory cache):
    - On Windows, do not try to delete cached consensus documents and diffs before they are unmapped from memory--Windows won't allow that. Instead, allow the consensus cache directory to grow larger, to hold files that might need to stay around longer. Fixes bug 22752; bugfix on 0.3.1.1-alpha.

  o Minor features (directory authority):
    - Improve the message that authorities report to relays that present RSA/Ed25519 keypairs that conflict with previously pinned keys. Closes ticket 22348.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 3 2017 Maxmind GeoLite2 Country database.

  o Minor features (testing):
    - Add more tests for compression backend initialization. Closes ticket 22286.

  o Minor bugfixes (directory cache):
    - Fix a memory leak when recovering space in the consensus cache. Fixes bug 23139; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (hidden service):
    - Increase the number of circuits that a service is allowed to open over a specific period of time. The value was lower than it should be (8 vs 12) in the normal case of 3 introduction points. Fixes bug 22159; bugfix on 0.3.0.5-rc.
    - Fix a BUG warning during HSv3 descriptor decoding that could be caused by a specially crafted descriptor. Fixes bug 23233; bugfix on 0.3.0.1-alpha. Bug found by "haxxpop".
    - Rate-limit the log messages if we exceed the maximum number of allowed intro circuits. Fixes bug 22159; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (logging, relay):
    - Remove a forgotten debugging message when an introduction point successfully establishes a hidden service prop224 circuit with a client.
    - Change three other log_warn() for an introduction point to protocol warnings, because they can be failure from the network and are not relevant to the operator. Fixes bug 23078; bugfix on 0.3.0.1-alpha and 0.3.0.2-alpha.

  o Minor bugfixes (relay):
    - When a relay is not running as a directory cache, it will no longer generate compressed consensuses and consensus diff information. Previously, this was a waste of disk and CPU. Fixes bug 23275; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (robustness, error handling):
    - Improve our handling of the cases where OpenSSL encounters a memory error while encoding keys and certificates. We haven't observed these errors in the wild, but if they do happen, we now detect and respond better. Fixes bug 19418; bugfix on all versions of Tor. Reported by Guido Vranken.

  o Minor bugfixes (stability):
    - Avoid crashing on a double-free when unable to load or process an included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha. Found with the clang static analyzer.

  o Minor bugfixes (testing):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291; bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
    - Port the hs_ntor handshake test to work correctly with recent versions of the pysha3 module. Fixes bug 23071; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (Windows service):
    - When running as a Windows service, set the ID of the main thread correctly. Failure to do so made us fail to send log messages to the controller in 0.2.1.16-rc, slowed down controller event delivery in 0.2.7.3-rc and later, and crash with an assertion failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha. Patch and diagnosis from "Vort".
[tor-talk] Tor 0.3.1.5-alpha is released!
Hi, all! There's a new alpha Tor release available!

The source is available from the "download" page on the website, and packages should be available before long. The Tor Browser team expects to get a release out early next week.

This is an alpha release: if you aren't up for finding and reporting bugs, you should stick with a stable release series. As usual, I'll be sending alpha announcements here, and stable announcements to tor-announce. Please test these alpha releases if you *can* report bugs: we want to have all the bugs squashed before 0.3.1.x is finally declared stable.

Finally, this release also marks the end of support for the Tor 0.2.4.x, 0.2.6.x, and 0.2.7.x release series. Those releases will receive no further bug or security fixes. Anyone still running or distributing one of those versions should upgrade.

Changes in version 0.3.1.5-alpha - 2017-08-01
  Tor 0.3.1.5-alpha improves the performance of consensus diff calculation, fixes a crash bug on older versions of OpenBSD, and fixes several other bugs. If no serious bugs are found in this version, the next version will be a release candidate.

  o Major features (build system, continuous integration):
    - Tor's repository now includes a Travis Continuous Integration (CI) configuration file (.travis.yml). This is meant to help new developers and contributors who fork Tor to a Github repository be better able to test their changes, and understand what we expect to pass. To use this new build feature, you must fork Tor to your Github account, then go into the "Integrations" menu in the repository settings for your fork and enable Travis, then push your changes. Closes ticket 22636.

  o Major bugfixes (openbsd, denial-of-service):
    - Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xfoo" differs from what we had expected. Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Major bugfixes (relay, performance):
    - Perform circuit handshake operations at a higher priority than we use for consensus diff creation and compression. This should prevent circuits from starving when a relay or bridge receives a new consensus, especially on lower-powered machines. Fixes bug 22883; bugfix on 0.3.1.1-alpha.

  o Minor features (bridge authority):
    - Add "fingerprint" lines to the networkstatus-bridges file produced by bridge authorities. Closes ticket 22207.

  o Minor features (directory cache, consensus diff):
    - Add a new MaxConsensusAgeForDiffs option to allow directory cache operators with low-resource environments to adjust the number of consensuses they'll store and generate diffs from. Most cache operators should leave it unchanged. Helps to work around bug 22883.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2 Country database.

  o Minor features (relay, performance):
    - Always start relays with at least two worker threads, to prevent priority inversion on slow tasks. Part of the fix for bug 22883.
    - Allow background work to be queued with different priorities, so that a big pile of slow low-priority jobs will not starve out higher priority jobs. This lays the groundwork for a fix for bug 22883.

  o Minor bugfixes (build system, rust):
    - Fix a problem where Rust toolchains were not being found when building without --enable-cargo-online-mode, due to setting the $HOME environment variable instead of $CARGO_HOME. Fixes bug 22830; bugfix on 0.3.1.1-alpha. Fix by Chelsea Komlo.

  o Minor bugfixes (compatibility, zstd):
    - Write zstd epilogues correctly when the epilogue requires reallocation of the output buffer, even with zstd 1.3.0. (Previously, we worked on 1.2.0 and failed with 1.3.0). Fixes bug 22927; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (compilation warnings):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915; bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - Compile correctly when both openssl 1.1.0 and libscrypt are detected. Previously this would cause an error. Fixes bug 22892; bugfix on 0.3.1.1-alpha.
    - When building with certain versions of the mingw C header files, avoid float-conversion warnings when calling the C functions isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (coverity build support):
    - Avoid Coverity build warnings related to our BUG() macro. By default, Coverity treats BUG() as the Linux kernel does: an instant abort(). We need to override that so our BUG() macro doesn't
[tor-talk] Reminder: Support for 0.2.4, 0.2.6, and 0.27 will end on 1 August 2017
Hi! This is a reminder that we will not be making new releases for the 0.2.4, 0.2.6, or 0.2.7 release series after 1 August 2017. If you are running one of those series, please make a plan to upgrade some time before then! 0.2.5 will still be supported until 1 May 2018. 0.2.9 support will continue until 1 Jan 2020 -- use that if you need a release that will be supported long-term. Versions 0.2.3 and earlier are not supported at all. Support for other releases (0.3.1 and 0.3.0) will continue according to the schedule at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases . best wishes, -- Nick
Re: [tor-talk] 0.3.1.4-alpha is released (with guard-related security fix)
On Thu, Jun 29, 2017 at 6:55 PM, Nick Mathewson <ni...@torproject.org> wrote:
> Hi, all!
>
> The latest alpha, 0.3.1.3-alpha, is now released.

Argh. I knew I'd make a copy-and-paste error. The new release is 0.3.1.4-alpha, of course.
[tor-talk] 0.3.1.4-alpha is released (with guard-related security fix)
Hi, all! The latest alpha, 0.3.1.3-alpha, is now released. The source is available on the website, and packages should be available before long. The Tor Browser team expects to get a release out early next week. This release has a security fix for clients, so if you are running any 0.3.0.x or 0.3.1.x version released before today, you should upgrade when you can. This is an alpha release: if you aren't up for finding and reporting bugs, you should stick with a stable release series. As usual, I'll be sending alpha announcements here, and stable announcements to tor-announce. Please test these alpha releases if you *can* report bugs: we want to have all the bugs squashed before 0.3.1.x is finally declared stable. Changes in version 0.3.1.4-alpha - 2017-06-29 Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This is a security regression; all clients running earlier versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or 0.3.1.4-alpha. This release also fixes several other bugs introduced in 0.3.0.x and 0.3.1.x, including others that can affect bandwidth usage and correctness. o New dependencies: - To build with zstd and lzma support, Tor now requires the pkg-config tool at build time. (This requirement was new in 0.3.1.1-alpha, but was not noted at the time. Noting it here to close ticket 22623.) o Major bugfixes (path selection, security): - When choosing which guard to use for a circuit, avoid the exit's family along with the exit itself. Previously, the new guard selection logic avoided the exit, but did not consider its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016- 006 and CVE-2017-0377. o Major bugfixes (compression, zstd): - Correctly detect a full buffer when decompressing a large zstd- compressed input. Previously, we would sometimes treat a full buffer as an error. Fixes bug 22628; bugfix on 0.3.1.1-alpha. 
o Major bugfixes (directory protocol): - Ensure that we send "304 Not modified" as HTTP status code when a client is attempting to fetch a consensus or consensus diff, and the best one we can send them is one they already have. Fixes bug 22702; bugfix on 0.3.1.1-alpha. o Major bugfixes (entry guards): - When starting with an old consensus, do not add new entry guards unless the consensus is "reasonably live" (under 1 day old). Fixes one root cause of bug 22400; bugfix on 0.3.0.1-alpha. o Minor features (bug mitigation, diagnostics, logging): - Avoid an assertion failure, and log a better error message, when unable to remove a file from the consensus cache on Windows. Attempts to mitigate and diagnose bug 22752. o Minor features (geoip): - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2 Country database. o Minor bugfixes (compression): - When compressing or decompressing a buffer, check for a failure to create a compression object. Fixes bug 22626; bugfix on 0.3.1.1-alpha. - When decompressing a buffer, check for extra data after the end of the compressed data. Fixes bug 22629; bugfix on 0.3.1.1-alpha. - When decompressing an object received over an anonymous directory connection, if we have already decompressed it using an acceptable compression method, do not reject it for looking like an unacceptable compression method. Fixes part of bug 22670; bugfix on 0.3.1.1-alpha. - When serving directory votes compressed with zlib, do not claim to have compressed them with zstd. Fixes bug 22669; bugfix on 0.3.1.1-alpha. - When spooling compressed data to an output buffer, don't try to spool more data when there is no more data to spool and we are not trying to flush the input. Previously, we would sometimes launch compression requests with nothing to do, which interferes with our 22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha. o Minor bugfixes (defensive programming): - Detect and break out of infinite loops in our compression code. 
We don't think that any such loops exist now, but it's best to be safe. Closes ticket 22672. - Fix a memset() off the end of an array when packing cells. This bug should be harmless in practice, since the corrupted bytes are still in the same structure, and are always padding bytes, ignored, or immediately overwritten, depending on compiler behavior. Nevertheless, because the memset()'s purpose is to make sure that any other cell-handling bugs can't expose bytes to the network, we need to fix it. Fixes bug 22737; bugfix on 0.2.4.11-alpha. Fixes CID 1401591. o Minor bugfixes (linux seccomp2 sandbox): - Permit the fchmod system call, to avoid crashing on startup when starting with the
[tor-talk] Tor 0.3.1.3-alpha is released (with security fix for hidden services)
Hi! The latest alpha, 0.3.1.3-alpha, is now released. The source is available on the website, and packages should be available before too long. It has a security fix for hidden services, so if you are running a hidden service, you should upgrade to this version (or to one of the 7 other versions released today). This is an alpha release: if you aren't up for finding and reporting bugs, you should stick with a stable release series. As usual, I'll be sending alpha announcements here, and stable announcements to tor-announce. Changes in version 0.3.1.3-alpha - 2017-06-08 Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone running a hidden service should upgrade to this version, or to some other version with fixes for TROVE-2017-004 and TROVE-2017-005. Tor 0.3.1.3-alpha also includes fixes for several key management bugs that sometimes made relays unreliable, as well as several other bugfixes described below. o Major bugfixes (hidden service, relay, security): - Fix a remotely triggerable assertion failure when a hidden service handles a malformed BEGIN cell. Fixes bug 22493, tracked as TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. - Fix a remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. o Major bugfixes (relay, link handshake): - When performing the v3 link handshake on a TLS connection, report that we have the x509 certificate that we actually used on that connection, even if we have changed certificates since that connection was first opened. Previously, we would claim to have used our most recent x509 link certificate, which would sometimes make the link handshake fail. Fixes one case of bug 22460; bugfix on 0.2.3.6-alpha. 
o Major bugfixes (relays, key management): - Regenerate link and authentication certificates whenever the key that signs them changes; also, regenerate link certificates whenever the signed key changes. Previously, these processes were only weakly coupled, and we relays could (for minutes to hours) wind up with an inconsistent set of keys and certificates, which other relays would not accept. Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha. - When sending an Ed25519 signing->link certificate in a CERTS cell, send the certificate that matches the x509 certificate that we used on the TLS connection. Previously, there was a race condition if the TLS context rotated after we began the TLS handshake but before we sent the CERTS cell. Fixes a case of bug 22460; bugfix on 0.3.0.1-alpha. o Major bugfixes (torrc, crash): - Fix a crash bug when using %include in torrc. Fixes bug 22417; bugfix on 0.3.1.1-alpha. Patch by Daniel Pinto. o Minor features (code style): - Add "Falls through" comments to our codebase, in order to silence GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas Stieger. Closes ticket 22446. o Minor features (diagnostic): - Add logging messages to try to diagnose a rare bug that seems to generate RSA->Ed25519 cross-certificates dated in the 1970s. We think this is happening because of incorrect system clocks, but we'd like to know for certain. Diagnostic for bug 22466. o Minor bugfixes (correctness): - Avoid undefined behavior when parsing IPv6 entries from the geoip6 file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. o Minor bugfixes (directory protocol): - Check for libzstd >= 1.1, because older versions lack the necessary streaming API. Fixes bug 22413; bugfix on 0.3.1.1-alpha. o Minor bugfixes (link handshake): - Lower the lifetime of the RSA->Ed25519 cross-certificate to six months, and regenerate it when it is within one month of expiring. 
Previously, we had generated this certificate at startup with a ten-year lifetime, but that could lead to weird behavior when Tor was started with a grossly inaccurate clock. Mitigates bug 22466; mitigation on 0.3.0.1-alpha. o Minor bugfixes (storage directories): - Always check for underflows in the cached storage directory usage. If the usage does underflow, re-calculate it. Also, avoid a separate underflow when the usage is not known. Fixes bug 22424; bugfix on 0.3.1.1-alpha. o Minor bugfixes (unit tests): - The unit tests now pass on systems where localhost is misconfigured to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix on 0.0.9pre2. o Documentation: - Clarify the manpage for the (deprecated) torify script. Closes ticket 6892. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe
Re: [tor-talk] Upcoming Tor releases tomorrow, to fix Hidden Service remote DoS bugs
On Wed, Jun 7, 2017 at 11:15 AM, Nick Mathewson <ni...@freehaven.net> wrote:
> Hi, all!
>
> Tomorrow we'll be putting out new releases in all supported series
> (0.2.4 through 0.3.1) to fix two vulnerabilities that we have found in
> the hidden service code. These vulnerabilities allow an attacker to
> cause a hidden service to crash with an assertion failure. We believe
> that is the only impact. We are tracking these vulnerabilities as
> TROVE-2017-004 and TROVE-2017-005.
>
> For more information about how we handle security issues in Tor, see
> our draft policy at:
>
> https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

These releases are now available from https://dist.torproject.org/ . They are: 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11, 0.3.0.8, and 0.3.1.3-alpha.

It will take a while for the website download page to upgrade, since the system that updates the website tends to get bogged down when there are lots of builders running at once. I'll send out the regular announcements once the download page is up-to-date, since it tends to confuse people when I don't wait for that.

If you're running a hidden service, I recommend that you upgrade as soon as a package is available for your system.

best wishes,
-- Nick
[tor-talk] Upcoming Tor releases tomorrow, to fix Hidden Service remote DoS bugs
Hi, all!

Tomorrow we'll be putting out new releases in all supported series (0.2.4 through 0.3.1) to fix two vulnerabilities that we have found in the hidden service code. These vulnerabilities allow an attacker to cause a hidden service to crash with an assertion failure. We believe that is the only impact. We are tracking these vulnerabilities as TROVE-2017-004 and TROVE-2017-005.

For more information about how we handle security issues in Tor, see our draft policy at:

https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

best wishes,
-- Nick
[tor-talk] Tor 0.3.1.2-alpha is released!
(Also, 0.3.0.7 was released last week. If you didn't know, you should subscribe to tor-announcements.)

Hi, all!

You can find the source code for Tor 0.3.1.2-alpha at www.torproject.org at the usual place. It's an alpha, so please expect plenty of bugs, and be ready to report them. Packages should be out over the next weeks -- I'd expect this series to hit Tor Browser alpha releases some time in the middle of June.

This alpha release is coming out a little ahead of schedule to fix bug 22368, which was affecting relay stability and preventing us from getting good testing information about the 0.3.1.x series.

===

Changes in version 0.3.1.2-alpha - 2017-05-26
  Tor 0.3.1.2-alpha is the second release in the 0.3.1.x series. It fixes a few bugs found while testing 0.3.1.1-alpha, including a memory corruption bug that affected relay stability. Below are the changes since 0.3.1.1-alpha.

  o Major bugfixes (crash, relay):
    - Fix a memory-corruption bug in relays that set MyFamily. Previously, they would double-free MyFamily elements when making the next descriptor or when changing their configuration. Fixes bug 22368; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (logging):
    - Log a better message when a directory authority replies to an upload with an unexpected status code. Fixes bug 11121; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (memory leak, directory authority):
    - When directory authorities reject a router descriptor due to keypinning, free the router descriptor rather than leaking the memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
[tor-talk] Tor 0.3.1.1-alpha is released!
(Also, 0.3.0.7 was released last week. If you didn't know, you should subscribe to tor-announcements.)

Hi, all!

You can find the source code for Tor 0.3.0.1-alpha at www.torproject.org at the usual place. It's an alpha, so please expect plenty of bugs, and be ready to report them. Packages should be out over the next weeks -- I'd expect this series to hit Tor Browser alpha releases some time in the middle of June.

===

Changes in version 0.3.1.1-alpha - 2017-05-22
  Tor 0.3.1.1-alpha is the first release in the 0.3.1.x series. It reduces the bandwidth usage for Tor's directory protocol, adds some basic padding to resist netflow-based traffic analysis and to serve as the basis of other padding in the future, and adds rust support to the build system. It also contains numerous other small features and improvements to security, correctness, and performance. Below are the changes since 0.3.0.7.

  o Major features (directory protocol):
    - Tor relays and authorities can now serve clients an abbreviated version of the consensus document, containing only the changes since an older consensus document that the client holds. Clients now request these documents when available. When both client and server use this new protocol, they will use far less bandwidth (up to 94% less) to keep the client's consensus up-to-date. Implements proposal 140; closes ticket 13339. Based on work by Daniel Martí.
    - Tor can now compress directory traffic with lzma or with zstd compression algorithms, which can deliver better bandwidth performance. Because lzma is computationally expensive, it's only used for documents that can be compressed once and served many times. Support for these algorithms requires that tor is built with the libzstd and/or liblzma libraries available. Implements proposal 278; closes ticket 21662.
    - Relays now perform the more expensive compression operations, and consensus diff generation, in worker threads.
This separation avoids delaying the main thread when a new consensus arrives. o Major features (experimental): - Tor can now build modules written in Rust. To turn this on, pass the "--enable-rust" flag to the configure script. It's not time to get excited yet: currently, there is no actual Rust functionality beyond some simple glue code, and a notice at startup to tell you that Rust is running. Still, we hope that programmers and packagers will try building Tor with Rust support, so that we can find issues and solve portability problems. Closes ticket 22106. o Major features (traffic analysis resistance): - Connections between clients and relays now send a padding cell in each direction every 1.5 to 9.5 seconds (tunable via consensus parameters). This padding will not resist specialized eavesdroppers, but it should be enough to make many ISPs' routine network flow logging less useful in traffic analysis against Tor users. Padding is negotiated using Tor's link protocol, so both relays and clients must upgrade for this to take effect. Clients may still send padding despite the relay's version by setting ConnectionPadding 1 in torrc, and may disable padding by setting ConnectionPadding 0 in torrc. Padding may be minimized for mobile users with the torrc option ReducedConnectionPadding. Implements Proposal 251 and Section 2 of Proposal 254; closes ticket 16861. - Relays will publish 24 hour totals of padding and non-padding cell counts to their extra-info descriptors, unless PaddingStatistics 0 is set in torrc. These 24 hour totals are also rounded to multiples of 1. o Major bugfixes (connection usage): - We use NETINFO cells to try to determine if both relays involved in a connection will agree on the canonical status of that connection. We prefer the connections where this is the case for extend cells, and try to close connections where relays disagree on their canonical status early. Also, we now prefer the oldest valid connection for extend cells. 
These two changes should reduce the number of long-term connections that are kept open between relays. Fixes bug 17604; bugfix on 0.2.5.5-alpha. - Relays now log hourly statistics (look for "channel_check_for_duplicates" lines) on the total number of connections to other relays. If the number of connections per relay is unexpectedly large, this log message is at notice level. Otherwise it is at info. o Major bugfixes (entry guards): - Don't block bootstrapping when a primary bridge is offline and we can't get its descriptor. Fixes bug 22325; fixes one case of bug 21969; bugfix on 0.3.0.3-alpha. o Major bugfixes (linux TPROXY support): - Fix a typo that had prevented TPROXY-based
Re: [tor-talk] 0.3.0.6 on fedora 24: systemd?
On Thu, Apr 27, 2017 at 7:43 AM, Udo van den Heuvel wrote:
> Hello,
>
> I noticed that 0.3.0.6 was out so I started a build.
> I noticed this popping up:
>
> checking pkg-config is at least version 0.9.0... yes
> checking for SYSTEMD... no
> configure: Okay, checking for systemd a different way...
> checking for SYSTEMD... no
>
>
> Fedora 24 /does/ use systemd, so what is wrong?

That check isn't just for "are you running systemd" -- it's for "do you have the right headers and libraries to build Tor with extra systemd support". If you want to do that, you probably need to install systemd-devel.
[tor-talk] Tor 0.3.0.5-rc: almost stable!
Hi all!

Tor 0.3.0.5-rc is now tagged and released. It's still in "release candidate" status, which means we think it should be pretty stable, but we hope you'll find more bugs for us to fix.

You can download the source code from the usual place on the website. Packages should be out over the next several weeks, including Tor Browser alpha releases later this month. If you do build from source, please remember to check the signatures!

=

Changes in version 0.3.0.5-rc - 2017-04-05
  Tor 0.3.0.5-rc fixes a few remaining bugs, large and small, in the 0.3.0 release series.

  This is the second release candidate in the Tor 0.3.0 series, and has much fewer changes than the first. If we find no new bugs or regressions here, the first stable 0.3.0 release will be nearly identical to it.

  o Major bugfixes (crash, directory connections):
    - Fix a rare crash when sending a begin cell on a circuit whose linked directory connection had already been closed. Fixes bug 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.

  o Major bugfixes (guard selection):
    - Fix a guard selection bug where Tor would refuse to bootstrap in some cases if the user swapped a bridge for another bridge in their configuration file. Fixes bug 21771; bugfix on 0.3.0.1-alpha. Reported by "torvlnt33r".

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2 Country database.

  o Minor bugfix (compilation):
    - Fix a warning when compiling hs_service.c. Previously, it had no exported symbols when compiled for libor.a, resulting in a compilation warning from clang. Fixes bug 21825; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (hidden services):
    - Make hidden services check for failed intro point connections, even when they have exceeded their intro point creation limit. Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
    - Make hidden services with 8 to 10 introduction points check for failed circuits immediately after startup. Previously, they would wait for 5 minutes before performing their first checks. Fixes bug 21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.

  o Minor bugfixes (memory leaks):
    - Fix a memory leak when using GETCONF on a port option. Fixes bug 21682; bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - Avoid a double-marked-circuit warning that could happen when we receive DESTROY cells under heavy load. Fixes bug 20059; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (tests):
    - Run the entry_guard_parse_from_state_full() test with the time set to a specific date. (The guard state that this test was parsing contained guards that had expired since the test was first written.) Fixes bug 21799; bugfix on 0.3.0.1-alpha.

  o Documentation:
    - Update the description of the directory server options in the manual page, to clarify that a relay no longer needs to set DirPort in order to be a directory cache. Closes ticket 21720.
[tor-talk] Tor 0.3.0.4-rc
Hi! We're making progress: Tor 0.3.0.4-rc is now "release candidate" status, which means we think we might be just about stable, but we hope you'll find some more bugs. You can download the source code from the usual place on the website. Packages should be out over the next several weeks, including Tor Browser releases next week. (Tor 0.2.9.10 just came out too, but stable releases go on the tor-announcements list.) = Changes in version 0.3.0.4-rc - 2017-03-01 Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the 0.3.0 release series, and introduces a few reliability features to keep them from coming back. This is the first release candidate in the Tor 0.3.0 series. If we find no new bugs or regressions here, the first stable 0.3.0 release will be nearly identical to it. o Major bugfixes (bridges): - When the same bridge is configured multiple times with the same identity, but at different address:port combinations, treat those bridge instances as separate guards. This fix restores the ability of clients to configure the same bridge with multiple pluggable transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha. o Major bugfixes (hidden service directory v3): - Stop crashing on a failed v3 hidden service descriptor lookup failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha. o Major bugfixes (parsing): - When parsing a malformed content-length field from an HTTP message, do not read off the end of the buffer. This bug was a potential remote denial-of-service attack against Tor clients and relays. A workaround was released in October 2016, to prevent this bug from crashing Tor. This is a fix for the underlying issue, which should no longer matter (if you applied the earlier patch). Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing using AFL (http://lcamtuf.coredump.cx/afl/). - Fix an integer underflow bug when comparing malformed Tor versions. 
This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz. o Minor feature (protocol versioning): - Add new protocol version for proposal 224. HSIntro now advertises version "3-4" and HSDir version "1-2". Fixes ticket 20656. o Minor features (directory authorities): - Directory authorities now reject descriptors that claim to be malformed versions of Tor. Helps prevent exploitation of bug 21278. - Reject version numbers with components that exceed INT32_MAX. Otherwise 32-bit and 64-bit platforms would behave inconsistently. Fixes bug 21450; bugfix on 0.0.8pre1. o Minor features (geoip): - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 Country database. o Minor features (reliability, crash): - Try better to detect problems in buffers where they might grow (or think they have grown) over 2 GB in size. Diagnostic for bug 21369. o Minor features (testing): - During 'make test-network-all', if tor logs any warnings, ask chutney to output them. Requires a recent version of chutney with the 21572 patch. Implements 21570. o Minor bugfixes (certificate expiration time): - Avoid using link certificates that don't become valid till some time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha o Minor bugfixes (code correctness): - Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278. - Remove a redundant check for the UseEntryGuards option from the options_transition_affects_guards() function. Fixes bug 21492; bugfix on 0.3.0.1-alpha. o Minor bugfixes (directory mirrors): - Allow relays to use directory mirrors without a DirPort: these relays need to be contacted over their ORPorts using a begindir connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha. 
- Clarify the message logged when a remote relay is unexpectedly missing an ORPort or DirPort: users were confusing this with a local port. Fixes another case of bug 20711; bugfix on 0.2.8.2-alpha. o Minor bugfixes (guards): - Don't warn about a missing guard state on timeout-measurement circuits: they aren't supposed to be using guards. Fixes an instance of bug 21007; bugfix on 0.3.0.1-alpha. - Silence a BUG() warning when attempting to use a guard whose descriptor we don't know, and make this scenario less likely to happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha. o Minor bugfixes (hidden service): - Pass correct buffer length when encoding legacy ESTABLISH_INTRO cells. Previously, we were using sizeof() on a pointer,
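The comparison-by-subtraction pattern that the 0.3.0.4-rc changelog above blames for bug 21278, together with the component bound it mentions, sketched in C as an added example. This is not Tor's code: `example_version_t`, `parse_version`, `compare_versions`, `cmp_int` and `subtraction_cmp_overflows` are hypothetical names, and the four-component dotted format with an optional `-status` suffix is an assumption.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define VERSION_PARTS 4

/* Hypothetical structure for this example: major.minor.micro.patchlevel. */
typedef struct {
  int part[VERSION_PARTS];
} example_version_t;

/* The risky pattern is a comparator written as "return a - b;".
 * When a and b come from untrusted input, the subtraction can leave the
 * range of int: undefined behavior, and an abort under -ftrapv.
 * The difference is computed in 64 bits here, so the overflow is
 * reported without ever being triggered. */
int subtraction_cmp_overflows(int a, int b)
{
  int64_t diff = (int64_t)a - (int64_t)b;
  return diff > INT_MAX || diff < INT_MIN;
}

/* Safe three-way comparison: no arithmetic on the operands at all. */
int cmp_int(int a, int b)
{
  return (a > b) - (a < b);
}

/* Parse "A.B.C.D" with an optional "-status" suffix (assumed format).
 * Returns 0 on success, -1 on malformed input. Each component must be
 * plain decimal digits and at most INT32_MAX, so 32-bit and 64-bit
 * builds accept exactly the same set of strings. */
int parse_version(const char *s, example_version_t *out)
{
  for (int i = 0; i < VERSION_PARTS; i++) {
    char *end;
    unsigned long long v;

    if (*s < '0' || *s > '9')   /* rejects signs, spaces, empty parts */
      return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || v > (unsigned long long)INT32_MAX)
      return -1;
    out->part[i] = (int)v;
    s = end;
    if (i < VERSION_PARTS - 1) {
      if (*s != '.')
        return -1;
      s++;
    }
  }
  return (*s == '\0' || *s == '-') ? 0 : -1;
}

/* Returns -1, 0 or 1; built on cmp_int, so it cannot overflow. */
int compare_versions(const example_version_t *a, const example_version_t *b)
{
  for (int i = 0; i < VERSION_PARTS; i++) {
    int c = cmp_int(a->part[i], b->part[i]);
    if (c)
      return c;
  }
  return 0;
}

int main(void)
{
  /* Constructed sample inputs. */
  const char *samples[] = { "0.3.0.4-rc", "0.2.9.2147483648", "0.-1.0.0" };
  example_version_t v;

  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-18s -> %s\n", samples[i],
           parse_version(samples[i], &v) == 0 ? "accepted" : "rejected");
  printf("INT_MIN - 1 fits in int: %s\n",
         subtraction_cmp_overflows(INT_MIN, 1) ? "no" : "yes");
  return 0;
}
```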
Re: [tor-talk] Towards new stable releases (0.2.4 through 0.2.9)
On Fri, Feb 17, 2017 at 5:19 PM, Nick Mathewson <ni...@torproject.org> wrote:
> Hi, all!
>
> As part of an effort to actually be predictable about supporting old
> releases, I'm hoping to put out stable releases of 0.2.4 through 0.2.9
> some time early next month. (See [1] for our planned schedule of when
> we're dropping support for what.)
>
> This isn't an easy effort, though! Some of those release series
> haven't seen updates in quite a while. Moreover, the 0.2.7 branch
> had drifted substantially far away from what a stable release should
> backport, and I had to re-create it starting at the last 0.2.7 release
> [2].
>
> Because of this, these stable releases are probably going to need more
> testing than usual before we can call them ready for mass consumption.
> So instead of just testing them internally, I'm putting up some
> preliminary source distributions now. You can see them at
> https://people.torproject.org/~nickm/volatile/stable/ [3]. Each of
> them has a "-dev" suffix in its version number to indicate that it is
> a development version -- not yet an official release.

Update: I have just uploaded new tarballs to the above directory. They are still not the releases, but they may become the releases some time this week. They now have ChangeLogs files.

I'm not anticipating any more fixes in these upcoming versions of 0.2.4 through 0.2.9, though there are one or two more fixes we'd like to get into 0.3.0.4-rc before it comes out.

Same caveats and requests as before apply.

> If you're interested in helping make sure that the next stable
> releases really are stable, and you're already experienced at building
> from source, please give one or more of these releases a try. (If you
> don't build your own "tor" from source, don't worry. You probably
> don't want to touch these yet.)
>
> Any bug reports would be really helpful, especially if there are any
> regressions since the previous stable version in each series.
>
> I hope that in the future, a clear backport policy combined with a
> more regular habit of putting out stable releases will keep us from
> having to do big backport collections of this kind.
>
>
> [1]
> https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases
>
> [2] https://trac.torproject.org/projects/tor/ticket/20512
>
> [3] I am aware of the contradiction in the URL.

peace,
-- Nick
[tor-talk] Towards new stable releases (0.2.4 through 0.2.9)
Hi, all!

As part of an effort to actually be predictable about supporting old releases, I'm hoping to put out stable releases of 0.2.4 through 0.2.9 some time early next month. (See [1] for our planned schedule of when we're dropping support for what.)

This isn't an easy effort, though! Some of those release series haven't seen updates in quite a while. Moreover, the 0.2.7 branch had drifted substantially far away from what a stable release should backport, and I had to re-create it starting at the last 0.2.7 release [2].

Because of this, these stable releases are probably going to need more testing than usual before we can call them ready for mass consumption. So instead of just testing them internally, I'm putting up some preliminary source distributions now. You can see them at https://people.torproject.org/~nickm/volatile/stable/ [3]. Each of them has a "-dev" suffix in its version number to indicate that it is a development version -- not yet an official release.

The changelogs are not yet correct for these tarballs. I haven't even started them yet. I hope I'll find time over the next week or so. You can look at the "changes" directories in the appropriate release-0.2.* Git branches for the inputs that will go into the changelogs.

If you're interested in helping make sure that the next stable releases really are stable, and you're already experienced at building from source, please give one or more of these releases a try. (If you don't build your own "tor" from source, don't worry. You probably don't want to touch these yet.)

Any bug reports would be really helpful, especially if there are any regressions since the previous stable version in each series.

I hope that in the future, a clear backport policy combined with a more regular habit of putting out stable releases will keep us from having to do big backport collections of this kind.

[1] https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases

[2] https://trac.torproject.org/projects/tor/ticket/20512

[3] I am aware of the contradiction in the URL.

cheers,
-- Nick
[tor-talk] Tor 0.3.0.3-alpha is released!
Hi!

There's yet another new alpha release. I think we're closing in on stability for this series, which is a pretty nice feeling.

You can download the source code from the usual place on the website. It's an alpha, so please expect bugs and be ready to report them. Packages should be out over the next several weeks.

Changes in version 0.3.0.3-alpha - 2017-02-03
  Tor 0.3.0.3-alpha fixes a few significant bugs introduced over the 0.3.0.x development series, including some that could cause authorities to behave badly. There is also a fix for a longstanding bug that could prevent IPv6 exits from working. Tor 0.3.0.3-alpha also includes some smaller features and bugfixes.

  The Tor 0.3.0.x release series is now in patch-freeze: no additional features will be considered for inclusion in 0.3.0.x. We suspect that some bugs will probably remain, however, and we encourage people to test this release.

  o Major bugfixes (directory authority):
    - During voting, when marking a relay as a probable sybil, do not clear its BadExit flag: sybils can still be bad in other ways too. (We still clear the other flags.) Fixes bug 21108; bugfix on 0.2.0.13-alpha.
    - When deciding whether we have just found a router to be reachable, do not penalize it for not having performed an Ed25519 link handshake if it does not claim to support an Ed25519 handshake. Previously, we would treat such relays as non-running. Fixes bug 21107; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (entry guards):
    - Stop trying to build circuits through entry guards for which we have no descriptor. Also, stop crashing in the case that we *do* accidentally try to build a circuit in such a state. Fixes bug 21242; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (IPv6 Exits):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects any IPv6 addresses. Instead, only reject a port over IPv6 if the exit policy rejects that port on more than an IPv6 /16 of addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, which rejected a relay's own IPv6 address by default. Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Minor feature (client):
    - Enable IPv6 traffic on the SocksPort by default. To disable this, a user will have to specify "NoIPv6Traffic". Closes ticket 21269.

  o Minor feature (fallback scripts):
    - Add a check_existing mode to updateFallbackDirs.py, which checks if fallbacks in the hard-coded list are working. Closes ticket 20174. Patch by haxxpop.

  o Minor features (ciphersuite selection):
    - Clients now advertise a list of ciphersuites closer to the ones preferred by Firefox. Closes part of ticket 15426.
    - Allow relays to accept a wider range of ciphersuites, including chacha20-poly1305 and AES-CCM. Closes the other part of 15426.

  o Minor features (controller, configuration):
    - Each of the *Port options, such as SocksPort, ORPort, ControlPort, and so on, now comes with a __*Port variant that will not be saved to the torrc file by the controller's SAVECONF command. This change allows TorBrowser to set up a single-use domain socket for each time it launches Tor. Closes ticket 20956.
    - The GETCONF command can now query options that may only be meaningful in context-sensitive lists. This allows the controller to query the mixed SocksPort/__SocksPort style options introduced in feature 20956. Implements ticket 21300.

  o Minor features (portability, compilation):
    - Autoconf now checks to determine if OpenSSL structures are opaque, instead of explicitly checking for OpenSSL version numbers. Part of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque structures. Closes ticket 21359.

  o Minor features (relay):
    - We now allow separation of exit and relay traffic to different source IP addresses, using the OutboundBindAddressExit and OutboundBindAddressOR options respectively. Closes ticket 17975. Written by Michael Sonntag.

  o Minor bugfix (logging):
    - Don't recommend the use of Tor2web in non-anonymous mode. Recommending Tor2web is a bad idea because the client loses all anonymity. Tor2web should only be used in specific cases by users who *know* and understand the issues. Fixes bug 21294; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (client):
    - Always recover from failures in extend_info_from_node(), in an attempt to prevent any recurrence of bug 21242. Fixes bug 21372; bugfix on 0.2.3.1-alpha.

  o Minor bugfixes (client, entry guards):
    - Fix a bug warning (with backtrace) when we fail a channel that circuits to fallback directories on it. Fixes bug 21128; bugfix on 0.3.0.1-alpha.
    - Fix a spurious bug warning (with backtrace) when removing an expired
[tor-talk] Tor 0.3.0.1-alpha is out!
(Also, Tor 0.2.9.8 and Tor 0.2.8.12 are out. If you didn't know, you should subscribe to tor-announce and/or read the Tor blog!)

You can find the Tor 0.3.0.1-alpha source on the website at the usual place. It's an alpha, so please expect plenty of bugs, and be ready to report them. Packages should be out over the next weeks -- I'd expect this to hit Tor Browser alphas by the end of January or so.

Changes in version 0.3.0.1-alpha - 2016-12-19
  Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development series. It strengthens Tor's link and circuit handshakes by identifying relays by their Ed25519 keys, improves the algorithm that clients use to choose and maintain their list of guards, and includes additional backend support for the next-generation hidden service design. It also contains numerous other small features and improvements to security, correctness, and performance.

  Below are the changes since 0.2.9.8.

  o Major features (guard selection algorithm):
    - Tor's guard selection algorithm has been redesigned from the ground up, to better support unreliable networks and restrictive sets of entry nodes, and to better resist guard-capture attacks by hostile local networks. Implements proposal 271; closes ticket 19877.

  o Major features (next-generation hidden services):
    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by prop224 aka "Next Generation Hidden Services". Service and clients don't use this functionality yet. Closes ticket 19043. Based on initial code by Alec Heifetz.
    - Relays now support the HSDir version 3 protocol, so that they can store and serve v3 descriptors. This is part of the next-generation onion service work detailed in proposal 224. Closes ticket 17238.

  o Major features (protocol, ed25519 identity keys):
    - Relays now use Ed25519 to prove their Ed25519 identities and to one another, and to clients. This algorithm is faster and more secure than the RSA-based handshake we've been doing until now. Implements the second big part of proposal 220; Closes ticket 15055.
    - Clients now support including Ed25519 identity keys in the EXTEND2 cells they generate. By default, this is controlled by a consensus parameter, currently disabled. You can turn this feature on for testing by setting ExtendByEd25519ID in your configuration. This might make your traffic appear different than the traffic generated by other users, however. Implements part of ticket 15056; part of proposal 220.
    - Relays now understand requests to extend to other relays by their Ed25519 identity keys. When an Ed25519 identity key is included in an EXTEND2 cell, the relay will only extend the circuit if the other relay can prove ownership of that identity. Implements part of ticket 15056; part of proposal 220.

  o Major bugfixes (scheduler):
    - Actually compare circuit policies in ewma_cmp_cmux(). This bug caused the channel scheduler to behave more or less randomly, rather than preferring channels with higher-priority circuits. Fixes bug 20459; bugfix on 0.2.6.2-alpha.

  o Minor features (controller):
    - When HSFETCH arguments cannot be parsed, say "Invalid argument" rather than "unrecognized." Closes ticket 20389; patch from Ivan Markin.

  o Minor features (diagnostic, directory client):
    - Warn when we find an unexpected inconsistency in directory download status objects. Prevents some negative consequences of bug 20593.

  o Minor features (directory authority):
    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by default) to control whether authorities should try to probe relays by their Ed25519 link keys. This option will go away in a few releases--unless we encounter major trouble in our ed25519 link protocol rollout, in which case it will serve as a safety option.

  o Minor features (directory cache):
    - Relays and bridges will now refuse to serve the consensus they have if they know it is too old for a client to use. Closes ticket 20511.

  o Minor features (ed25519 link handshake):
    - Advertise support for the ed25519 link handshake using the subprotocol-versions mechanism, so that clients can tell which relays can identify themselves by Ed25519 ID. Closes ticket 20552.

  o Minor features (fingerprinting resistance, authentication):
    - Extend the length of RSA keys used for TLS link authentication to 2048 bits. (These weren't used for forward secrecy; for forward secrecy, we used P256.) Closes ticket 13752.

  o Minor features (infrastructure):
    - Implement smartlist_add_strdup() function. Replaces the use of smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.

  o Minor bugfixes (client):
    - When clients that use bridges
[tor-talk] Tor 0.2.9.7-rc is released: small changes, nearly done!
Hi, all!

I just tagged and uploaded Tor 0.2.9.7-rc. The source is available at the usual place in the website. Other packages should be available soon.

This Tor release will probably go into the hardened TB series coming out in the next couple of days. (I hear that 0.2.9.6-rc will be in the regular alphas, since those builds froze a little before I finished this Tor release.)

We're rapidly running out of serious bugs to fix in 0.2.9.x, so this is probably the last release candidate before stable ... unless you find bugs while testing! Please try these releases, and let us know if anything breaks. Testing either 0.2.9.6-rc or 0.2.9.7-rc would be quite helpful.

Changes in version 0.2.9.7-rc - 2016-12-12
  Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc, including a few that had prevented tests from passing on some platforms.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 Country database.

  o Minor bugfix (build):
    - The current Git revision when building from a local repository is now detected correctly when using git worktrees. Fixes bug 20492; bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (directory authority):
    - When computing old Tor protocol line version in protover, we were looking at 0.2.7.5 twice instead of a specific case for 0.2.9.1-alpha. Fixes bug 20810; bugfix on tor-0.2.9.4-alpha.

  o Minor bugfixes (download scheduling):
    - Resolve a "bug" warning when considering a download schedule whose delay had approached INT_MAX. Fixes 20875; bugfix on 0.2.9.5-alpha.

  o Minor bugfixes (logging):
    - Downgrade a harmless log message about the pending_entry_connections list from "warn" to "info". Mitigates bug 19926.

  o Minor bugfixes (memory leak):
    - Fix a small memory leak when receiving AF_UNIX connections on a SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
    - When moving a signed descriptor object from a source to an existing destination, free the allocated memory inside that destination object. Fixes bug 20715; bugfix on tor-0.2.8.3-alpha.

  o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox):
    - Fix a memory leak and use-after-free error when removing entries from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on 0.2.5.5-alpha. Patch from "cypherpunks".

  o Minor bugfixes (portability):
    - Use the correct spelling of MAC_OS_X_VERSION_10_12 on configure.ac. Fixes bug 20935; bugfix on 0.2.9.6-rc.

  o Minor bugfixes (unit tests):
    - Stop expecting NetBSD unit tests to report success for ipfw. Part of a fix for bug 19960; bugfix on 0.2.9.5-alpha.
    - Fix tolerances in unit tests for monotonic time comparisons between nanoseconds and microseconds. Previously, we accepted a 10 us difference only, which is not realistic on every platform's clock_gettime(). Fixes bug 19974; bugfix on 0.2.9.1-alpha.
    - Remove a double-free in the single onion service unit test. Stop ignoring a return value. Make future changes less error-prone. Fixes bug 20864; bugfix on 0.2.9.6-rc.
[tor-talk] Tor 0.2.9.5-alpha is released
Hi, all!

There is a new alpha release of the Tor source code, with numerous bugfixes. We're getting closer to stable, but we still need testing!

You can download the source from the usual place on the website. Packages should be up within a few days.

Please remember to check the signature. Please also note that the signature may be with a key you aren't familiar with. That's because my PGP key changed a couple of months ago: see https://people.torproject.org/~nickm/key-transition-statement-2.txt.asc for more information.

Changes in version 0.2.9.5-alpha - 2016-11-08
  Tor 0.2.9.5-alpha fixes numerous bugs discovered in the previous alpha version. We believe one or two probably remain, and we encourage everyone to test this release.

  o Major bugfixes (client performance):
    - Clients now respond to new application stream requests immediately when they arrive, rather than waiting up to one second before starting to handle them. Fixes part of bug 19969; bugfix on 0.2.8.1-alpha.

  o Major bugfixes (client reliability):
    - When Tor leaves standby because of a new application request, open circuits as needed to serve that request. Previously, we would potentially wait a very long time. Fixes part of bug 19969; bugfix on 0.2.8.1-alpha.

  o Major bugfixes (download scheduling):
    - When using an exponential backoff schedule, do not give up on downloading just because we have failed a bunch of times. Since each delay is longer than the last, retrying indefinitely won't hurt. Fixes bug 20536; bugfix on 0.2.9.1-alpha.
    - If a consensus expires while we are waiting for certificates to download, stop waiting for certificates.
    - If we stop waiting for certificates less than a minute after we started downloading them, do not consider the certificate download failure a separate failure. Fixes bug 20533; bugfix on 0.2.0.9-alpha.
    - Remove the maximum delay on exponential-backoff scheduling. Since we now allow an infinite number of failures (see ticket 20536), we must now allow the time to grow longer on each failure. Fixes part of bug 20534; bugfix on 0.2.9.1-alpha.
    - Make our initial download delays closer to those from 0.2.8. Fixes another part of bug 20534; bugfix on 0.2.9.1-alpha.
    - When determining when to download a directory object, handle times after 2038 if the operating system supports them. (Someday this will be important!) Fixes bug 20587; bugfix on 0.2.8.1-alpha.
    - When using exponential backoff in test networks, use a lower exponent, so the delays do not vary as much. This helps test networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 Country database.

  o Minor bugfixes (client directory scheduling):
    - Treat "relay too busy to answer request" as a failed request and a reason to back off on our retry frequency. This is safe now that exponential backoffs retry indefinitely, and avoids a bug where we would reset our download schedule erroneously. Fixes bug 20593; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (client, logging):
    - Remove a BUG warning in circuit_pick_extend_handshake(). Instead, assume all nodes support EXTEND2. Use ntor whenever a key is available. Fixes bug 20472; bugfix on 0.2.9.3-alpha.
    - On DNSPort, stop logging a BUG warning on a failed hostname lookup. Fixes bug 19869; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (hidden services):
    - When configuring hidden services, check every hidden service directory's permissions. Previously, we only checked the last hidden service. Fixes bug 20529; bugfix the work to fix 13942 in 0.2.6.2-alpha.

  o Minor bugfixes (portability):
    - Fix compilation with OpenSSL 1.1 and less commonly-used CPU architectures. Closes ticket 20588.
    - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has removed the ECDH ciphers which caused the tests to fail on platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
    - Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug 20551; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (relay bootstrap):
    - Ensure relays don't make multiple connections during bootstrap. Fixes bug 20591; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (relay):
    - Work around a memory leak in OpenSSL 1.1 when encoding public keys. Fixes bug 20553; bugfix on 0.0.2pre8.
    - Avoid a small memory leak when informing worker threads about rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
    - Do not try to parallelize workers more than 16x without the user explicitly configuring us to do so, even if we do detect more than 16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.

  o Minor
Re: [tor-talk] Tor 0.2.9.4-alpha is released
On Sun, Nov 6, 2016 at 7:35 AM, Dash Four wrote:
> Hi Nick,
>
>
> First time this happens (I have been compiling tor sources with this
> compiler since around 2009). Not sure about using the -Wlogical-op warning
> though.
>
> Here is what I get:
>
> ==
> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I./src/ext -Isrc/ext
> -I./src/ext/trunnel -I./src/trunnel -I./src/common -Isrc/common
> -I./src/ext/trunnel -I./src/trunnel -I./src/or -Isrc/or
> -DSHARE_DATADIR="\"/usr/share\"" -DLOCALSTATEDIR="\"/var\""
> -DBINDIR="\"/usr/bin\"" -I./src/common-ftrapv -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -U_FORTIFY_SOURCE
> -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector --param
> ssp-buffer-size=1 -fPIE -fno-omit-frame-pointer -fasynchronous-unwind-tables
> -Wall -fno-strict-aliasing -Waddress -Warray-bounds -Wextra -Winit-self
> -Wlogical-op -Wmissing-field-initializers -Wmissing-format-attribute
> -Wmissing-noreturn -Wnormalized=id -Woverlength-strings -Woverride-init
> -Wshadow -Wstrict-overflow=2 -Wsync-nand -Wunused-but-set-parameter
> -Wunused-but-set-variable -Wvariadic-macros -W -Wfloat-equal -Wundef
> -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wwrite-strings
> -Wredundant-decls -Wchar-subscripts -Wcomment -Wformat=2 -Wwrite-strings
> -Wnested-externs -Wbad-function-cast -Wswitch-enum -Waggregate-return
> -Wpacked -Wunused -Wunused-parameter -Wold-style-definition
> -Wmissing-declarations -Werror -c -o src/common/util.o src/common/util.c
> cc1: warnings being treated as errors
> src/common/util.c: In function 'tor_strstrip':
> src/common/util.c:643: error: logical '&&' with non-zero constant will
> always evaluate as true
> src/common/util.c: In function 'tor_escape_str_for_pt_args':
> src/common/util.c:1397: error: logical '&&' with non-zero constant will
> always evaluate as true
> src/common/util.c: In function 'str_num_before':
> src/common/util.c:4730: error: logical '&&' with non-zero constant will
> always evaluate as true
> make[1]: *** [src/common/util.o] Error 1
> make[1]: *** Waiting for unfinished jobs
> make[1]: Leaving directory `/builddir/build/BUILD/tor-0.2.9.4-alpha'
> make: *** [all] Error 2
> error: Bad exit status from /var/tmp/rpm-tmp.fmqO31 (%build)
> ==
>
> util.c:643:
> if (strchr(strip, *readp)) {
>
> util.c:1397:
> if (strchr(chars_to_escape, *string))
>
> util.c:4730:
> const char *cp = strchr(s, ch);
>
>
> This link [1] may offer some explanation/workaround (I know it is for a
> different - older - version of gcc, but the point still stands).
>
> For the time being, I use "tor_cv_cflags_Wlogical_op=no" to disable this
> warning, but I am not sure whether this is the correct way of dealing with
> the issue.
>
>
> [1] http://seclists.org/wireshark/2013/Jan/6

Yeah -- my guess here is that you have a version of GCC that is either much older or much newer than your version of glibc. Turning off the warning is a perfectly fine solution.

best wishes,
--
Nick
Re: [tor-talk] Tor 0.2.9.4-alpha is released
On Sat, Oct 22, 2016 at 10:27 PM, Dash Four <m...@bitmessage.ch> wrote:
> Nick Mathewson wrote:
>>
>> Hi, all! There is a new alpha release of the Tor source code, with
>> fixes for a security bug. You should probably upgrade as packages
>> become available.
>>
> I am having trouble compiling this version. I get the WLogical-op warning
> and "logical '&&' with non-zero constant will always evaluate as true" error
> message.
>
> The "offending" file is util.c:643, util.c:1397 and util.c4730.
>
> Quick look at ./configure and Google search tells me to use
> "tor_cv_cflags_Wlogical_op=no", and if I use that all is well (compiles OK,
> haven't run this yet), but I am not sure whether that's right.
>
> My compiler is pretty old (GCC 4.4.5-2), so that might be what is causing
> this issue.

If I'm reading that right, that line is just a strchr() call? Do all the glibc strchr() calls have this problem with your gcc and -Wlogical-op ?
Re: [tor-talk] Tor DNS Deanonymization
On Tue, Oct 18, 2016 at 10:39 AM, Philipp Winter <p...@nymity.ch> wrote:
> On Sun, Oct 16, 2016 at 01:15:32AM -0400, Nick Mathewson wrote:
>> On Fri, Oct 14, 2016 at 11:09 AM, Philipp Winter <p...@nymity.ch> wrote:
>> [...]
>> > There are two ways to mitigate the issue. First, we need better
>> > defences against website fingerprinting, so an attacker learns less by
>> > observing the connection to your guard relay. Second, we need to
>> > improve the DNS setup of exit relays. I would like to see less relays
>> > use Google's resolver, and we need to move towards encrypted DNS.
>>
>> Thanks, Philipp!
>>
>> Could you comment at all about whether our current exit side dns
>> caching approach makes the attack harder, easier, or doesn't matter?
>
> Generally, the longer exit relays cache domains, the less precise the
> attack. The trade-off is illustrated in Figure 10b in our paper [0].
> At the moment, exit relays cache domains for only 60 seconds [1],
> regardless of the domain's TTL. If that bug is fixed, the attack
> becomes a bit harder to mount. It can become even harder if exit relays
> were to cache each domain for, say, 10 minutes or more.
>
> [0] <https://nymity.ch/tor-dns/tor-dns.pdf>
> [1] <https://bugs.torproject.org/19025>

Thanks! I've just pulled #19025 (and its sibling, #19769) into consideration for 0.3.0.
[tor-talk] Tor 0.2.9.4-alpha is released
Hi, all!

There is a new alpha release of the Tor source code, with fixes for a security bug. You should probably upgrade as packages become available.

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . You will have to enter the actual email address you used to subscribe.)

You can download the source from the usual place on the website. Packages should be up within a few days. If you maintain an older version of Tor, you can find backported patches for this fix at https://trac.torproject.org/projects/tor/ticket/20384 .

(There is also a concurrent release of Tor 0.2.8.9; for stable releases, see tor-announce@ or the blog.)

Changes in version 0.2.9.4-alpha - 2016-10-17
  Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to 0.2.8.9. Patches will be released for older versions of Tor.

  Tor 0.2.9.4-alpha also adds numerous small features and fix-ups to previous versions of Tor, including the implementation of a feature to future-proof the Tor ecosystem against protocol changes, some bug fixes necessary for Tor Browser to use unix domain sockets correctly, and several portability improvements. We anticipate that this will be the last alpha in the Tor 0.2.9 series, and that the next release will be a release candidate.

  o Major features (security fixes):
    - Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).

  o Major features (subprotocol versions):
    - Tor directory authorities now vote on a set of recommended subprotocol versions, and on a set of required subprotocol versions. Clients and relays that lack support for a _required_ subprotocol version will not start; those that lack support for a _recommended_ subprotocol version will warn the user to upgrade. Closes ticket 19958; implements part of proposal 264.
    - Tor now uses "subprotocol versions" to indicate compatibility. Previously, versions of Tor looked at the declared Tor version of a relay to tell whether they could use a given feature. Now, they should be able to rely on its declared subprotocol versions. This change allows compatible implementations of the Tor protocol(s) to exist without pretending to be 100% bug-compatible with particular releases of Tor itself. Closes ticket 19958; implements part of proposal 264.

  o Minor feature (fallback directories):
    - Remove broken fallbacks from the hard-coded fallback directory list. Closes ticket 20190; patch by teor.

  o Minor features (client, directory):
    - Since authorities now omit all routers that lack the Running and Valid flags, we assume that any relay listed in the consensus must have those flags. Closes ticket 20001; implements part of proposal 272.

  o Minor features (compilation, portability):
    - Compile correctly on MacOS 10.12 (aka "Sierra"). Closes ticket 20241.

  o Minor features (development tools, etags):
    - Teach the "make tags" Makefile target how to correctly find "MOCK_IMPL" function definitions. Patch from nherring; closes ticket 16869.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 Country database.

  o Minor features (unix domain sockets):
    - When configuring a unix domain socket for a SocksPort, ControlPort, or Hidden service, you can now wrap the address in quotes, using C-style escapes inside the quotes. This allows unix domain socket paths to contain spaces.

  o Minor features (virtual addresses):
    - Increase the maximum number of bits for the IPv6 virtual network prefix from 16 to 104. In this way, the condition for address allocation is less restrictive. Closes ticket 20151; feature on 0.2.4.7-alpha.

  o Minor bugfixes (address discovery):
    - Stop reordering IP addresses returned by the OS. This makes it more likely that Tor will guess the same relay IP address every time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027. Reported by René Mayrhofer, patch by "cypherpunks".

  o Minor bugfixes (client, unix domain sockets):
    - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as the client address is
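
One way to get the property described under "Major features (security fixes)" in the 0.2.9.4-alpha changelog above, as an added illustration that is not part of the original post and not Tor's own code: keep a few zero bytes after each chunk's storage, so that a mistaken C-string read stops inside the allocation. The chunk_t layout, the function names, SENTINEL_LEN and STALE_BYTE are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SENTINEL_LEN 4      /* constructed value for this example */
#define STALE_BYTE   'X'    /* stands in for leftover, non-zero bytes */

typedef struct chunk {
    size_t memlen;          /* usable bytes in mem[], sentinel excluded */
    size_t datalen;         /* bytes currently stored */
    char  *data;            /* first stored byte, inside mem[] */
    char   mem[];           /* memlen bytes, then SENTINEL_LEN zero bytes */
} chunk_t;

/* Allocate a chunk with room for memlen bytes plus the trailing sentinel. */
chunk_t *chunk_new(size_t memlen)
{
    chunk_t *c = malloc(sizeof(*c) + memlen + SENTINEL_LEN);
    if (c == NULL)
        return NULL;
    c->memlen = memlen;
    c->datalen = 0;
    c->data = c->mem;
    /* Simulate stale contents: chunk memory is not zeroed between uses. */
    memset(c->mem, STALE_BYTE, memlen);
    /* The defence: zero bytes that no append is ever allowed to touch. */
    memset(c->mem + memlen, 0, SENTINEL_LEN);
    return c;
}

/* Append up to n bytes, truncating at capacity. Returns bytes copied. */
size_t chunk_append(chunk_t *c, const void *src, size_t n)
{
    size_t used = (size_t)(c->data - c->mem) + c->datalen;
    size_t room = c->memlen - used;
    if (n > room)
        n = room;
    memcpy(c->data + c->datalen, src, n);
    c->datalen += n;
    return n;
}

/* Integrity check: the sentinel must still be all zero. */
int chunk_sentinel_ok(const chunk_t *c)
{
    static const char zero[SENTINEL_LEN] = {0};
    return memcmp(c->mem + c->memlen, zero, SENTINEL_LEN) == 0;
}

/* Correct, length-aware search: looks only at the datalen stored bytes. */
const char *chunk_find(const chunk_t *c, char ch)
{
    return memchr(c->data, ch, c->datalen);
}

/* The bug class: treating chunk data as a NUL-terminated string.
 * The answer is wrong (it counts stale bytes), but the read ends at
 * the sentinel instead of running past the end of the allocation. */
size_t chunk_cstring_scan_len(const chunk_t *c)
{
    return strlen(c->data);
}

int main(void)
{
    chunk_t *c = chunk_new(16);
    if (c == NULL)
        return 1;
    chunk_append(c, "abc", 3);
    printf("stored=%zu cstring_view=%zu sentinel_ok=%d\n",
           c->datalen, chunk_cstring_scan_len(c), chunk_sentinel_ok(c));
    free(c);
    return 0;
}
```

The string-style scan still returns a wrong length, which is why the changelog says such bugs should still be fixed as they occur; the sentinel only turns an out-of-bounds read into a bounded one.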
Re: [tor-talk] Tor DNS Deanonymization
On Fri, Oct 14, 2016 at 11:09 AM, Philipp Winter wrote:
[...]
> There are two ways to mitigate the issue. First, we need better
> defences against website fingerprinting, so an attacker learns less by
> observing the connection to your guard relay. Second, we need to
> improve the DNS setup of exit relays. I would like to see less relays
> use Google's resolver, and we need to move towards encrypted DNS.

Thanks, Philipp!

Could you comment at all about whether our current exit side dns caching approach makes the attack harder, easier, or doesn't matter?

Best wishes,
--
Nick
[tor-talk] Tor 0.2.9.3-alpha is released
Hi, all!

There is a new alpha release of the Tor source code, with fixes for several important bugs, and numerous other updates.

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . You will have to enter the actual email address you used to subscribe.)

You can download the source from the usual place on the website. Packages should be up in a few days.

(There is also a concurrent release of Tor 0.2.8.8; for stable announcements, please see tor-announce@ or the blog.)

Changes in version 0.2.9.3-alpha - 2016-09-23
  Tor 0.2.9.3-alpha adds improved support for entities that want to make high-performance services available through the Tor .onion mechanism without themselves receiving anonymity as they host those services. It also tries harder to ensure that all steps on a circuit are using the strongest crypto possible, strengthens some TLS properties, and resolves several bugs -- including a pair of crash bugs from the 0.2.8 series. Anybody running an earlier version of 0.2.9.x should upgrade.

  o Major bugfixes (crash, also in 0.2.8.8):
    - Fix a complicated crash bug that could affect Tor clients configured to use bridges when replacing a networkstatus consensus in which one of their bridges was mentioned. OpenBSD users saw more crashes here, but all platforms were potentially affected. Fixes bug 20103; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (relay, OOM handler, also in 0.2.8.8):
    - Fix a timing-dependent assertion failure that could occur when we tried to flush from a circuit after having freed its cells because of an out-of-memory condition. Fixes bug 20203; bugfix on 0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing this one.

  o Major features (circuit building, security):
    - Authorities, relays and clients now require ntor keys in all descriptors, for all hops (except for rare hidden service protocol cases), for all circuits, and for all other roles. Part of ticket 19163.
    - Tor authorities, relays, and clients only use ntor, except for rare cases in the hidden service protocol. Part of ticket 19163.

  o Major features (single-hop "hidden" services):
    - Add experimental HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode options. When both are set to 1, every hidden service on a Tor instance becomes a non-anonymous Single Onion Service. Single Onions make one-hop (direct) connections to their introduction and rendezvous points. One-hop circuits make Single Onion servers easily locatable, but clients remain location-anonymous. This is compatible with the existing hidden service implementation, and works on the current tor network without any changes to older relays or clients. Implements proposal 260, completes ticket 17178. Patch by teor and asn.

  o Major features (resource management):
    - Tor can now notice it is about to run out of sockets, and preemptively close connections of lower priority. (This feature is off by default for now, since the current prioritizing method is yet not mature enough. You can enable it by setting "DisableOOSCheck 0", but watch out: it might close some sockets you would rather have it keep.) Closes ticket 18640.

  o Major bugfixes (circuit building):
    - Hidden service client-to-intro-point and service-to-rendezvous-point circuits use the TAP key supplied by the protocol, to avoid epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.

  o Major bugfixes (compilation, OpenBSD):
    - Fix a Libevent-detection bug in our autoconf script that would prevent Tor from linking successfully on OpenBSD. Patch from rubiate. Fixes bug 19902; bugfix on 0.2.9.1-alpha.

  o Major bugfixes (hidden services):
    - Clients now require hidden services to include the TAP keys for their intro points in the hidden service descriptor. This prevents an inadvertent upgrade to ntor, which a malicious hidden service could use to distinguish clients by consensus version. Fixes bug 20012; bugfix on 0.2.4.8-alpha. Patch by teor.

  o Minor features (security, TLS):
    - Servers no longer support clients without AES ciphersuites. (3DES is no longer considered an acceptable cipher.) We believe that no such Tor clients currently exist, since Tor has required OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.

  o Minor feature (fallback directories):
    - Remove broken entries from the hard-coded fallback directory list. Closes ticket 20190; patch by teor.

  o Minor features (geoip, also in 0.2.8.8):
    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 Country database.

  o Minor feature (port flags):
    - Add new flags to the *Port
[tor-talk] Tor 0.2.9.2-alpha is released
Hi, all!

There is a new alpha release of the Tor source code, with fixes for several important bugs, and numerous other updates.

(If you are about to reply saying "please take me off this list", instead please follow these instructions: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/ . You will have to enter the actual email address you used to subscribe.)

You can download the source from the usual place on the website. Packages should be up in a few days.

(There is also a concurrent release of Tor 0.2.8-7; for stable announcements, please see tor-announce@ or the blog.)

Changes in version 0.2.9.2-alpha - 2016-08-24
  Tor 0.2.9.2-alpha continues development of the 0.2.9 series with several new features and bugfixes. It also includes an important authority update and an important bugfix from 0.2.8.7. Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade to 0.2.8.7, or to 0.2.9.2-alpha.

  o Directory authority changes (also in 0.2.8.7):
    - The "Tonga" bridge authority has been retired; the new bridge authority is "Bifroest". Closes tickets 19728 and 19690.

  o Major bugfixes (client, security, also in 0.2.8.7):
    - Only use the ReachableAddresses option to restrict the first hop in a path. In earlier versions of 0.2.8.x, it would apply to every hop in the path, with a possible degradation in anonymity for anyone using an uncommon ReachableAddress setting. Fixes bug 19973; bugfix on 0.2.8.2-alpha.

  o Major features (user interface):
    - Tor now supports the ability to declare options deprecated, so that we can recommend that people stop using them. Previously, this was done in an ad-hoc way. Closes ticket 19820.

  o Major bugfixes (directory downloads):
    - Avoid resetting download status for consensuses hourly, since we already have another, smarter retry mechanism. Fixes bug 8625; bugfix on 0.2.0.9-alpha.

  o Minor features (config):
    - Warn users when descriptor and port addresses are inconsistent. Mitigates bug 13953; patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 Country database.

  o Minor features (user interface):
    - There is a new --list-deprecated-options command-line option to list all of the deprecated options. Implemented as part of ticket 19820.

  o Minor bugfixes (code style):
    - Fix an integer signedness conversion issue in the case conversion tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.

  o Minor bugfixes (compilation):
    - Build correctly on versions of libevent2 without support for evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix on 0.2.5.4-alpha.
    - Fix a compilation warning on GCC versions before 4.6. Our ENABLE_GCC_WARNING macro used the word "warning" as an argument, when it is also required as an argument to the compiler pragma. Fixes bug 19901; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (compilation, also in 0.2.8.7):
    - Remove an inappropriate "inline" in tortls.c that was causing warnings on older versions of GCC. Fixes bug 19903; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (fallback directories, also in 0.2.8.7):
    - Avoid logging a NULL string pointer when loading fallback directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha and 0.2.8.1-alpha. Report and patch by "rubiate".

  o Minor bugfixes (logging):
    - Log a more accurate message when we fail to dump a microdescriptor. Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.

  o Minor bugfixes (memory leak):
    - Fix a series of slow memory leaks related to parsing torrc files and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.

  o Deprecated features:
    - A number of DNS-cache-related sub-options for client ports are now deprecated for security reasons, and may be removed in a future version of Tor. (We believe that client-side DNS caching is a bad idea for anonymity, and you should not turn it on.) The options are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache, UseIPv4Cache, and UseIPv6Cache.
    - A number of options are deprecated for security reasons, and may be removed in a future version of Tor. The options are: AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits, AllowSingleHopExits, ClientDNSRejectInternalAddresses, CloseHSClientCircuitsImmediatelyOnTimeout, CloseHSServiceRendCircuitsImmediatelyOnTimeout, ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup, UseNTorHandshake, and WarnUnsafeSocks.
    - The *ListenAddress options are now deprecated as unnecessary: the corresponding *Port options should be used instead. These options may someday be removed. The affected options are: ControlListenAddress, DNSListenAddress, DirListenAddress,
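An added example, not part of the announcement and not Tor's own code: a small Python audit that flags the options deprecated in 0.2.9.2-alpha when they appear in a torrc file. The option names are the ones listed above (the *ListenAddress list is cut off on this page, so those are matched by suffix); the sample torrc, the function names and the simplified comment handling are assumptions.

```python
# Option names copied from the 0.2.9.2-alpha "Deprecated features" list.
DEPRECATED_FOR_SECURITY = {
    name.lower() for name in (
        "AllowDotExit", "AllowInvalidNodes", "AllowSingleHopCircuits",
        "AllowSingleHopExits", "ClientDNSRejectInternalAddresses",
        "CloseHSClientCircuitsImmediatelyOnTimeout",
        "CloseHSServiceRendCircuitsImmediatelyOnTimeout",
        "ExcludeSingleHopRelays", "FastFirstHopPK", "TLSECGroup",
        "UseNTorHandshake", "WarnUnsafeSocks",
    )
}
# DNS-cache sub-options that appear as flags on client *Port lines.
DEPRECATED_PORT_FLAGS = {
    flag.lower() for flag in (
        "CacheDNS", "CacheIPv4DNS", "CacheIPv6DNS",
        "UseDNSCache", "UseIPv4Cache", "UseIPv6Cache",
    )
}


def logical_lines(text):
    """Yield (first_line_number, line) with comments dropped and
    trailing-backslash continuations joined.

    Simplification (assumption): everything after the first '#' is treated
    as a comment, without handling quoted values.
    """
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = number
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def audit_torrc(text):
    """Return a list of (line_number, what, reason) for deprecated settings."""
    findings = []
    for number, line in logical_lines(text):
        name, *args = line.split()
        key = name.lower()  # torrc option names are case-insensitive
        if key in DEPRECATED_FOR_SECURITY:
            findings.append((number, name, "deprecated for security reasons"))
        elif key.endswith("listenaddress"):
            findings.append(
                (number, name, "unnecessary: use the corresponding *Port option"))
        elif key.endswith("port"):
            for arg in args:
                if arg.lower() in DEPRECATED_PORT_FLAGS:
                    findings.append(
                        (number, f"{name} {arg}", "deprecated DNS-cache flag"))
    return findings


# Constructed sample torrc, for illustration only.
SAMPLE_TORRC = r"""# constructed sample torrc
SocksPort 9050 CacheDNS UseIPv4Cache
SocksPort 9150 IsolateDestAddr
ControlPort 9051
ControlListenAddress 127.0.0.1
allowsinglehopcircuits 1
Log notice file \
    /var/log/tor/notices.log
#WarnUnsafeSocks 0
UseNTorHandshake 0
"""

if __name__ == "__main__":
    for number, what, reason in audit_torrc(SAMPLE_TORRC):
        print(f"line {number}: {what}: {reason}")
```

On a host that already runs this release, the --list-deprecated-options command-line option mentioned in the changelog gives the authoritative list.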
[tor-talk] Tor 0.2.9.1-alpha is released
Hi, everybody!

Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development series. It improves our support for hardened builds and compiler warnings, deploys some critical infrastructure for improvements to hidden services, includes a new timing backend that we hope to use for better support for traffic padding, makes it easier for programmers to log unexpected events, and contains other small improvements to security, correctness, and performance.

You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

Please note: This is an alpha release. You should only try this one if you are interested in tracking Tor development, testing new features, making sure that Tor still builds on unusual platforms, or generally trying to hunt down bugs.

Below are the changes since 0.2.8.6.

Changes in version 0.2.9.1-alpha - 2016-08-08

  o New system requirements:
    - Tor now requires Libevent version 2.0.10-stable or later. Older versions of Libevent have less efficient backends for several platforms, and lack the DNS code that we use for our server-side DNS support. This implements ticket 19554.
    - Tor now requires zlib version 1.2 or later, for security, efficiency, and (eventually) gzip support. (Back when we started, zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was released in 2003. We recommend the latest version.)

  o Major features (build, hardening):
    - Tor now builds with -ftrapv by default on compilers that support it. This option detects signed integer overflow (which C forbids), and turns it into a hard-failure. We do not apply this option to code that needs to run in constant time to avoid side-channels; instead, we use -fwrapv in that code. Closes ticket 17983.
    - When --enable-expensive-hardening is selected, stop applying the clang/gcc sanitizers to code that needs to run in constant time. Although we are aware of no introduced side-channels, we are not able to prove that there are none. Related to ticket 17983.

  o Major features (compilation):
    - Our big list of extra GCC warnings is now enabled by default when building with GCC (or with anything like Clang that claims to be GCC-compatible). To make all warnings into fatal compilation errors, pass --enable-fatal-warnings to configure. Closes ticket 19044.
    - Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically turn on C and POSIX extensions. (Previously, we attempted to do this on an ad hoc basis.) Closes ticket 19139.

  o Major features (directory authorities, hidden services):
    - Directory authorities can now perform the shared randomness protocol specified by proposal 250. Using this protocol, directory authorities generate a global fresh random value every day. In the future, this value will be used by hidden services to select HSDirs. This release implements the directory authority feature; the hidden service side will be implemented in the future as part of proposal 224. Resolves ticket 16943; implements proposal 250.

  o Major features (downloading, random exponential backoff):
    - When we fail to download an object from a directory service, wait for an (exponentially increasing) randomized amount of time before retrying, rather than a fixed interval as we did before. This prevents a group of Tor instances from becoming too synchronized, or a single Tor instance from becoming too predictable, in its download schedule. Closes ticket 15942.

  o Major bugfixes (exit policies):
    - Avoid disclosing exit outbound bind addresses, configured port bind addresses, and local interface addresses in relay descriptors by default under ExitPolicyRejectPrivate. Instead, only reject these (otherwise unlisted) addresses if ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on 0.2.7.2-alpha. Patch by teor.

  o Major bugfixes (hidden service client):
    - Allow Tor clients with appropriate controllers to work with FetchHidServDescriptors set to 0. Previously, this option also disabled descriptor cache lookup, thus breaking hidden services entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".

  o Minor features (build, hardening):
    - Detect and work around a libclang_rt problem that would prevent clang from finding __mulodi4() on some 32-bit platforms, and thus keep -ftrapv from linking on those systems. Closes ticket 19079.
    - When building on a system without runtime support for the runtime hardening options, try to log a useful warning at configuration time, rather than an incomprehensible warning at link time. If expensive hardening was requested, this warning becomes an error. Closes ticket
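An added illustration of the "random exponential backoff" entry above, not code from the announcement and not Tor's actual retry schedule: a short Python simulation comparing how many clients retry in the same second under a fixed interval and under a randomized, exponentially growing delay. The 60-second base, one-hour cap, growth factor of 3 and client count are assumptions chosen for the demonstration.

```python
import random


def fixed_schedule(interval, attempts):
    """Retry times (seconds after the first failure) with a fixed interval."""
    return [interval * (i + 1) for i in range(attempts)]


def randomized_backoff_schedule(rng, base, cap, attempts, factor=3):
    """Retry times where each delay is drawn uniformly between the previous
    delay and `factor` times it, then capped at `cap` seconds."""
    times, delay, now = [], float(base), 0.0
    for _ in range(attempts):
        delay = min(cap, rng.uniform(delay, delay * factor))
        now += delay
        times.append(now)
    return times


def peak_simultaneous(schedules, bucket=1.0):
    """Largest number of retries that land in the same time bucket."""
    counts = {}
    for schedule in schedules:
        for t in schedule:
            slot = int(t // bucket)
            counts[slot] = counts.get(slot, 0) + 1
    return max(counts.values())


def compare(clients=200, attempts=6, seed=2016):
    """Return (peak with fixed interval, peak with randomized backoff) for a
    population of clients that all fail at the same moment."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    fixed = [fixed_schedule(60, attempts) for _ in range(clients)]
    randomized = [
        randomized_backoff_schedule(rng, 60, 3600, attempts)
        for _ in range(clients)
    ]
    return peak_simultaneous(fixed), peak_simultaneous(randomized)


if __name__ == "__main__":
    fixed_peak, random_peak = compare()
    print(f"fixed interval: up to {fixed_peak} clients retry in the same second")
    print(f"randomized backoff: up to {random_peak} clients retry in the same second")
```

With a fixed interval every client hits the directory service in the same second on every attempt, and an observer can predict exactly when a given client will retry; the randomized schedule removes both properties.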
[tor-talk] Tor 0.2.8.5-rc is released
Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.

You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but we also thought the same thing about 0.2.8.4-rc: crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out 0.2.8.6 as a stable release.

The changelog follows:

Changes in version 0.2.8.5-rc - 2016-07-07

  o Directory authority changes:
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Major bugfixes (heartbeat):
    - Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on tor-0.2.8.1-alpha. Reported by "kubaku".

  o Minor features (build):
    - Tor now again builds with the recent OpenSSL 1.1 development branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    - When building manual pages, set the timezone to "UTC", so that the output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha. Patch from intrigeri.

  o Minor bugfixes (fallback directory selection):
    - Avoid errors during fallback selection if there are no eligible fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch by teor.

  o Minor bugfixes (IPv6, microdescriptors):
    - Don't check node addresses when we only have a routerstatus. This allows IPv6-only clients to bootstrap by fetching microdescriptors from fallback directory mirrors. (The microdescriptor consensus has no IPv6 addresses in it.) Fixes bug 19608; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (logging):
    - Reduce pointlessly verbose log messages when directory servers can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and 0.2.8.1-alpha. Patch by teor.
    - When a fallback directory changes its fingerprint from the hard-coded fingerprint, log a less severe, more explanatory log message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.

  o Minor bugfixes (Linux seccomp2 sandboxing):
    - Allow statistics to be written to disk when "Sandbox 1" is enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and 0.2.6.1-alpha respectively.

  o Minor bugfixes (user interface):
    - Remove a warning message "Service [scrubbed] not found after descriptor upload". This message appears when one uses HSPOST control command to upload a service descriptor. Since there is only a descriptor and no service, showing this message is pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.

  o Fallback directory list:
    - Add a comment to the generated fallback directory list that explains how to comment out unsuitable fallbacks in a way that's compatible with the stem fallback parser.
    - Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor.
    - Update hard-coded fallback list to remove unsuitable fallbacks. Resolves ticket 19071. Patch by teor.
[tor-talk] Tor 0.2.8.4-rc is released
Tor 0.2.8.4-rc is the first release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.

You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out 0.2.8.5 as a stable release.

The changelog follows.

Changes in version 0.2.8.4-rc - 2016-06-15

  o Major bugfixes (user interface):
    - Correctly give a warning in the cases where a relay is specified by nickname, and one such relay is found, but it is not officially Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.

  o Minor features (build):
    - Tor now builds once again with the recent OpenSSL 1.1 development branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev).

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2 Country database.

  o Minor bugfixes (compilation):
    - Cause the unit tests to compile correctly on mingw64 versions that lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (downloading):
    - Predict more correctly whether we'll be downloading over HTTP when we determine the maximum length of a URL. This should avoid a "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes bug 19191.
[tor-talk] Reminder: we have nightly builds!
Hi, friends!

Here's a reminder about one way you can help make sure that our releases are good and work well.

If you like running software that might break all the time, and reporting bugs in it, you should check out our nightly builds! They live at https://people.torproject.org/~linus/builds/

They are automatically built every night from the latest TorBrowser source code. By testing these, you can help us find bugs _before_ we ship our code to the userbase at large.

Warnings:

* Did I mention there might be bugs?
* These nightly builds do not have an automated update channel. Automated updates won't work, even though you'll get regular warnings that there is a newer TorBrowser.
* If you're not sure how to install these or how to check the signatures, you should probably avoid the nightly builds. :)

best wishes and many thanks,
-- Nick
[tor-talk] Tor 0.2.8.2-alpha is released
Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous bugs in earlier versions of Tor, including some that prevented authorities using Tor 0.2.7.x from running correctly. IPv6 and directory support should also be much improved.

You can download the source from the usual place on the website. Packages should be available over the next several days.

PLEASE NOTE: This is an alpha release. Expect a lot of bugs. Only run this release if you're willing to find bugs and report them. :)

Changes in version 0.2.8.2-alpha - 2016-03-28
  Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous bugs in earlier versions of Tor, including some that prevented authorities using Tor 0.2.7.x from running correctly. IPv6 and directory support should also be much improved.

  o New system requirements:
    - Tor no longer supports versions of OpenSSL with a broken implementation of counter mode. (This bug was present in OpenSSL 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no longer runs with, these versions.
    - Tor no longer attempts to support platforms where the "time_t" type is unsigned. (To the best of our knowledge, only OpenVMS does this, and Tor has never actually built on OpenVMS.) Closes ticket 18184.
    - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or later (released in 2008 and 2009 respectively). If you are building Tor from the git repository instead of from the source distribution, and your tools are older than this, you will need to upgrade. Closes ticket 17732.

  o Major bugfixes (security, pointers):
    - Avoid a difficult-to-trigger heap corruption attack when extending a smartlist to contain over 16GB of pointers. Fixes bug 18162; bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. Reported by Guido Vranken.

  o Major bugfixes (bridges, pluggable transports):
    - Modify the check for OR connections to private addresses. Allow bridges on private addresses, including pluggable transports that ignore the (potentially private) address in the bridge line. Fixes bug 18517; bugfix on 0.2.8.1-alpha. Reported by gk, patch by teor.

  o Major bugfixes (compilation):
    - Repair hardened builds under the clang compiler. Previously, our use of _FORTIFY_SOURCE would conflict with clang's address sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (crash on shutdown):
    - Correctly handle detaching circuits from muxes when shutting down. Fixes bug 18116; bugfix on 0.2.8.1-alpha.
    - Fix an assert-on-exit bug related to counting memory usage in rephist.c. Fixes bug 18651; bugfix on 0.2.8.1-alpha.

  o Major bugfixes (crash on startup):
    - Fix a segfault during startup: If a Unix domain socket was configured as listener (such as a ControlSocket or a SocksPort "unix:" socket), and tor was started as root but not configured to switch to another user, tor would segfault while trying to string compare a NULL value. Fixes bug 18261; bugfix on 0.2.8.1-alpha. Patch by weasel.

  o Major bugfixes (dns proxy mode, crash):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248; bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (relays, bridge clients):
    - Ensure relays always allow IPv4 OR and Dir connections. Ensure bridge clients use the address configured in the bridge line. Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb, patch by teor.

  o Major bugfixes (voting):
    - Actually enable support for authorities to match routers by their Ed25519 identities. Previously, the code had been written, but some debugging code that had accidentally been left in the codebase made it stay turned off. Fixes bug 17702; bugfix on 0.2.7.2-alpha.
    - When collating votes by Ed25519 identities, authorities now include a "NoEdConsensus" flag if the ed25519 value (or lack thereof) for a server does not reflect the majority consensus. Related to bug 17668; bugfix on 0.2.7.2-alpha.
    - When generating a vote with keypinning disabled, never include two entries for the same ed25519 identity. This bug was causing authorities to generate votes that they could not parse when a router violated key pinning by changing its RSA identity but keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug 18318. Bugfix on 0.2.7.2-alpha.

  o Minor features (security, win32):
    - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing attack. Fixes bug 18123; bugfix on all tor versions. Patch by teor.

  o Minor features (bug-resistance):
    - Make Tor survive errors involving connections without a corresponding event object. Previously we'd fail with an
[tor-talk] The CVE-2015-7547 glibc getaddrinfo() vulnerability, and you.
summary: New glibc bug. If you use glibc, install your vendor's patches as they become available. Tor is not an easy target for this attack, but you should upgrade anyway.

Hello, all!

There's apparently a new buffer overflow vulnerability in glibc, with a patch out today. If you are running some GNU/linux distribution that uses the GNU C library, then you should upgrade as soon as your distribution has a patch. (And if they don't get a patch for you soon, maybe you should switch to a distribution that fixes security holes promptly.)

More info about CVE-2015-7547 here:

* https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

If I'm reading Tor's code correctly, and if I'm reading the vulnerability description correctly, Tor should not be an easy target here. Tor never uses glibc's resolver to make DNS requests for any attacker-controlled addresses. So in order to mount an attack based on this vulnerability, I think you'd need to successfully take over one of somebody's configured addresses, first by figuring out what they're resolving, and then either by compromising an appropriate DNS server or running an appropriate DNS cache poisoning attack.

Of course, glibc users should upgrade anyway, for a few reasons:

* Tor is not the only program you are running; some other program is probably affected.
* My analysis could be wrong.
* Who knows, your nameserver might be evil or MITM'd.

Stay safe out there!
-- Nick
[tor-talk] Tor 0.2.8.1-alpha is released.
. Closes ticket 13696.

  o Minor features (accounting):
    - Added two modes to the AccountingRule option: One for limiting only the number of bytes sent ("AccountingRule out"), and one for limiting only the number of bytes received ("AccountingRule in"). Closes ticket 15989; patch from "unixninja92".

  o Minor features (build):
    - Since our build process now uses "make distcheck", we no longer force "make dist" to depend on "make check". Closes ticket 17893; patch from "cypherpunks."
    - Tor now builds successfully with the recent OpenSSL 1.1 development branch, and with the latest LibreSSL. Closes tickets 17549, 17921, and 17984.

  o Minor features (controller):
    - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes tickets 16774 and 17817. Patch by George Tankersley.
    - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden service descriptor from a service's local hidden service descriptor cache. Closes ticket 14846.
    - Add 'GETINFO exit-policy/reject-private/[default,relay]', so controllers can examine the reject rules added by ExitPolicyRejectPrivate. This makes it easier for stem to display exit policies.

  o Minor features (crypto):
    - Add SHA512 support to crypto.c. Closes ticket 17663; patch from George Tankersley.
    - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
    - When allocating a digest state object, allocate no more space than we actually need. Previously, we would allocate as much space as the state for the largest algorithm would need. This change saves up to 672 bytes per circuit. Closes ticket 17796.
    - Improve performance when hashing non-multiple of 8 sized buffers, based on Andrew Moon's public domain SipHash-2-4 implementation. Fixes bug 17544; bugfix on 0.2.5.3-alpha.

  o Minor features (directory downloads):
    - Wait for busy authorities and fallback directories to become non-busy when bootstrapping. (A similar change was made in 6c443e987d for directory caches chosen from the consensus.) Closes ticket 17864; patch by "teor".
    - Add UseDefaultFallbackDirs, which enables any hard-coded fallback directory mirrors. The default is 1; set it to 0 to disable fallbacks. Implements ticket 17576. Patch by "teor".

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 Country database.

  o Minor features (IPv6):
    - Add an argument 'ipv6=address:orport' to the DirAuthority and FallbackDir torrc options, to specify an IPv6 address for an authority or fallback directory. Add hard-coded ipv6 addresses for directory authorities that have them. Closes ticket 17327; patch from Nick Mathewson and "teor".
    - Add address policy assume_action support for IPv6 addresses.
    - Limit IPv6 mask bits to 128.
    - Warn when comparing against an AF_UNSPEC address in a policy, it's almost always a bug. Closes ticket 17863; patch by "teor".
    - Allow users to configure directory authorities and fallback directory servers with IPv6 addresses and ORPorts. Resolves ticket 6027.
    - routerset_parse now accepts IPv6 literal addresses. Fixes bug 17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
    - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug 17638; bugfix on 0.0.2pre8. Patch by "teor".

  o Minor features (logging):
    - When logging to syslog, allow a tag to be added to the syslog identity (the string prepended to every log message). The tag can be configured with SyslogIdentityTag and defaults to none. Setting it to "foo" will cause logs to be tagged as "Tor-foo". Closes ticket 17194.

  o Minor features (portability):
    - Use timingsafe_memcmp() where available. Closes ticket 17944; patch from <lo...@hackers.mu>.

  o Minor features (relay, address discovery):
    - Add a family argument to get_interface_addresses_raw() and subfunctions to make network interface address interrogation more efficient. Now Tor can specifically ask for IPv4, IPv6 or both types of interfaces from the operating system. Resolves ticket 17950.
    - When get_interface_address6_list(.,AF_UNSPEC,.) is called and fails to enumerate interface addresses using the platform-specific API, have it rely on the UDP socket fallback technique to try and find out what IP addresses (both IPv4 and IPv6) our machine has. Resolves ticket 17951.

  o Minor features (replay cache):
    - The replay cache now uses SHA256 instead of SHA1. Implements feature 8961. Patch by "teor", issue reported by "rransom".

  o Minor features (unix file permi
Re: [tor-talk] Funding Tor Development trough Referral/Affiliate Marketing
On Sun, Jan 10, 2016 at 10:29 AM, Moritz Bartl wrote:
> On 01/10/2016 03:08 PM, Fabio Pietrosanti (naif) - lists wrote:
>> I'm wondering if that couldn't be a very interesting model also for
>> TorBrowser, whereby the TorBrowser would automatically inject a referral
>> ID (in the HTTP header or URL parameters) [...]
>> That kind of model could be implemented with a custom plug-in within the
>> Tor Browser.
>
> My first reaction was that this is highly unethical.
>
> I can see this happening as a plugin and an option within the setup
> wizard to enable it (opt-in). It can probably be done similarly to the
> proof-of-concept HTTPS Everywhere ruleset
> https://github.com/chris-barry/darkweb-everywhere
>
> I still don't have a very good feeling about it.

Agreed.

-- Nick
[tor-talk] Tor 0.2.7.5 is released!
Hi, all!

Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series. It makes no changes beyond those in 0.2.7.4-rc; the summary below lists all changes in the 0.2.7 series.

You can download the source from the usual place on the website. Packages should be up in a few days.

(Below is the 0.2.7.5 changelog. See the ReleaseNotes for a complete list of everything that changed in 0.2.7)

Changes in version 0.2.7.5 - 2015-11-20
  The Tor 0.2.7 release series is dedicated to the memory of Tor user and privacy advocate Caspar Bowden (1961-2015). Caspar worked tirelessly to advocate human rights regardless of national borders, and oppose the encroachments of mass surveillance. He opposed national exceptionalism, he brought clarity to legal and policy debates, he understood and predicted the impact of mass surveillance on the world, and he laid the groundwork for resisting it. While serving on the Tor Project's board of directors, he brought us his uncompromising focus on technical excellence in the service of humankind. Caspar was an inimitable force for good and a wonderful friend. He was kind, humorous, generous, gallant, and believed we should protect one another without exception. We honor him here for his ideals, his efforts, and his accomplishments. Please honor his memory with works that would make him proud.

  Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.

  The 0.2.7 series adds a more secure identity key type for relays, improves cryptography performance, resolves several longstanding hidden-service performance issues, improves controller support for hidden services, and includes small bugfixes and performance improvements throughout the program. This release series also includes more tests than before, and significant simplifications to which parts of Tor invoke which others.

  (This release contains no code changes since 0.2.7.4-rc.)
Re: [tor-talk] How the NSA breaks Diffie-Hellmann
On Tue, Oct 20, 2015 at 4:52 AM, Lluís <2015@gmail.com> wrote:
> I understand, from a post to this list, that tor is switching from RSA
> to elliptic curve key generation.
>
> What would we expect from that update ?
>

For encryption, it already happened back in 0.2.4, with the introduction of the ntor protocol. (And with the use of ecdhe in tls where available.)

The remaining use of RSA is for authentication, and should be mostly phased out over the next 8 months.

-- Nick
[tor-talk] Tor 0.2.7.3-rc is released
This, the first release candidate in the 0.2.7 series, contains numerous usability fixes for Ed25519 keys, safeguards against several misconfiguration problems, significant simplifications to Tor's callgraph, and numerous bugfixes and small features. This is the most tested release of Tor to date. The unit tests cover 39.40% of the code, and the integration tests (accessible with "make test-full-online", requiring stem and chutney and a network connection) raise the coverage to 64.49%. You can download the source from the usual place on the website. Packages should be up in a few days. NOTE: This is a release candidate. We think we've squashed most of the bugs, but there are probably a few left over. Changes in version 0.2.7.3-rc - 2015-09-25 o Major features (security, hidden services): - Hidden services, if using the EntryNodes option, are required to use more than one EntryNode, in order to avoid a guard discovery attack. (This would only affect people who had configured hidden services and manually specified the EntryNodes option with a single entry-node. The impact was that it would be easy to remotely identify the guard node used by such a hidden service. See ticket for more information.) Fixes ticket 14917. o Major features (Ed25519 keys, keypinning): - The key-pinning option on directory authorities is now advisory- only by default. In a future version, or when the AuthDirPinKeys option is set, pins are enforced again. Disabling key-pinning seemed like a good idea so that we can survive the fallout of any usability problems associated with Ed25519 keys. Closes ticket 17135. o Major features (Ed25519 performance): - Improve the speed of Ed25519 operations and Curve25519 keypair generation when built targeting 32 bit x86 platforms with SSE2 available. Implements ticket 16535. - Improve the runtime speed of Ed25519 signature verification by using Ed25519-donna's batch verification support. Implements ticket 16533. 
  o Major features (performance testing):
    - The test-network.sh script now supports performance testing. Requires corresponding chutney performance testing changes. Patch by "teor". Closes ticket 14175.

  o Major features (relay, Ed25519):
    - Significant usability improvements for Ed25519 key management. Log messages are better, and the code can recover from far more failure conditions. Thanks to "s7r" for reporting and diagnosing so many of these!
    - Add a new OfflineMasterKey option to tell Tor never to try loading or generating a secret Ed25519 identity key. You can use this in combination with tor --keygen to manage offline and/or encrypted Ed25519 keys. Implements ticket 16944.
    - Add a --newpass option to allow changing or removing the passphrase of an encrypted key with tor --keygen. Implements part of ticket 16769.
    - On receiving a HUP signal, check to see whether the Ed25519 signing key has changed, and reload it if so. Closes ticket 16790.

  o Major bugfixes (relay, Ed25519):
    - Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on 0.2.7.2-alpha. Reported by "s7r".
    - Improve handling of expired signing keys with offline master keys. Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".

  o Minor features (client-side privacy):
    - New KeyAliveSOCKSAuth option to indefinitely extend circuit lifespan when IsolateSOCKSAuth and streams with SOCKS authentication are attached to the circuit. This allows applications like TorBrowser to manage circuit lifetime on their own. Implements feature 15482.
    - When logging malformed hostnames from SOCKS5 requests, respect SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.

  o Minor features (compilation):
    - Give a warning as early as possible when trying to build with an unsupported OpenSSL version. Closes ticket 16901.
    - Fail during configure if we're trying to build against an OpenSSL built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha which started requiring ECC.
  o Minor features (geoip):
    - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database.

  o Minor features (hidden services):
    - Relays need to have the Fast flag to get the HSDir flag. As this is being written, we'll go from 2745 HSDirs down to 2342, a ~14% drop. This change should make some attacks against the hidden service directory system harder. Fixes ticket 15963.
    - Turn on hidden service statistics collection by setting the torrc option HiddenServiceStatistics to "1" by default. (This keeps track only of the fraction of traffic used by hidden services, and the total number of hidden services in existence.) Closes ticket 15254.
    - Client now uses an introduction
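The release notes on this page describe directory authorities pinning Ed25519 identity keys to RSA1024 identity keys, with pins advisory by default and enforced when AuthDirPinKeys is set. The following sketch is an added illustration of that policy, not code from Tor: the class, method and field names are hypothetical, the key strings are constructed samples, and the `enforce` flag stands in for AuthDirPinKeys.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"   # pair matches an existing pin, or is newly pinned
    WARN = "warn"       # mismatch in advisory mode: logged, still accepted
    REJECT = "reject"   # mismatch in enforcing mode: descriptor refused


@dataclass
class KeyPinJournal:
    """Simplified model of an RSA <-> Ed25519 pin table (hypothetical names)."""
    enforce: bool = False                       # stands in for AuthDirPinKeys
    rsa_to_ed: dict = field(default_factory=dict)
    ed_to_rsa: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def check(self, rsa_fp: str, ed_key: str) -> Verdict:
        pinned_ed = self.rsa_to_ed.get(rsa_fp)
        pinned_rsa = self.ed_to_rsa.get(ed_key)
        if pinned_ed is None and pinned_rsa is None:
            # Neither key has been seen before: record the pairing.
            self.rsa_to_ed[rsa_fp] = ed_key
            self.ed_to_rsa[ed_key] = rsa_fp
            return Verdict.ACCEPT
        if pinned_ed == ed_key and pinned_rsa == rsa_fp:
            return Verdict.ACCEPT
        # At least one of the keys was already pinned to a different partner.
        self.log.append(
            f"pin mismatch: rsa={rsa_fp} ed={ed_key} "
            f"(pinned ed={pinned_ed}, pinned rsa={pinned_rsa})"
        )
        return Verdict.REJECT if self.enforce else Verdict.WARN


# Constructed sample uploads: (nickname, RSA fingerprint, Ed25519 key).
SAMPLE_UPLOADS = [
    ("relayA", "RSA-AAAA", "ed-1111"),   # first sighting, gets pinned
    ("relayA", "RSA-AAAA", "ed-1111"),   # same pair again
    ("relayA", "RSA-AAAA", "ed-2222"),   # RSA key shows up with a new Ed25519 key
    ("relayB", "RSA-BBBB", "ed-1111"),   # Ed25519 key shows up with another RSA key
    ("relayC", "RSA-CCCC", "ed-3333"),   # unrelated relay
]


def replay(enforce: bool):
    """Run the sample uploads through a fresh journal in the given mode."""
    journal = KeyPinJournal(enforce=enforce)
    verdicts = [journal.check(rsa, ed) for _, rsa, ed in SAMPLE_UPLOADS]
    return verdicts, journal


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, journal = replay(mode)
        print("enforce" if mode else "advisory", [v.value for v in verdicts])
```

In this model a mismatching pair never overwrites an existing pin in either mode; the only difference between the modes is whether the upload is refused or merely logged.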
Re: [tor-talk] New mailing list: tor-teachers
On Sat, Sep 5, 2015 at 11:41 PM, Alison Macrina wrote:
> Hi all,
>
> I'm writing to invite folks to a new Tor mailing list: tor-teachers.
> This list is for all the awesome people around the world who are
> teaching Tor to their communities, who want to work collectively with
> other teachers of Tor to support each other, build community, and make
> our work even better.
>
> Here's what this new list is for:
>
> 1. Discussion and info sharing around Tor teaching/training events (who
> we're teaching, when, where)
> 2. Curriculum development, standardization, organization, and
> translation into different languages
> 3. Sharing strategies for teaching different kinds of groups and
> individuals, including visionary stuff (ideology of Tor) with practical
> stuff (how to use the darn thing), and problem solving
> 4. Warm fuzzy success stories from our trainings
> 5. Community building: encouraging and connecting all the lovely people
> educating others about Tor
>
> The goal of this list is to grow the set of people around the world who
> are comfortable, empowered, and prepared to speak to others about Tor,
> and create and run a common communication channel for this outreach
> community.
>
> mrphs (n...@torproject.org) and I are the administrators of this list.
> Please join us by signing up here:
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-teachers
>
> See you on the list!

This sounds awesome, Alison, and thanks for organizing it! (And thanks to Nima too!)

Could there be some mechanism for reporting highlights from this list to the wider world, whether via this list, Tor Weekly News, or some other means?

Also, please never hesitate to file usability/teachability bugs against Tor. Let's have the easiest software on earth.

cheers,
--
Nick
Re: [tor-talk] Introducing KroTor
On Wed, Sep 2, 2015 at 11:30 AM, Deepankar Tyagi wrote:
> Hi everyone!,
>
> I recently finished my GSOC project in which I ported Tor codebase to
> chrome's native client (also ported libevent).
> This enables tor's official C codebase to run inside Chrome browser as an
> app, it creates a system wide (tor)socks proxy at port .
>
> The app has been published on webstore ( all relevant links are at end of
> mail)
>
> Currently it lacks a functional GUI ie ability to add proxy settings,
> modify proxy port etc; I am working on it and next version will have one.
>
> Any feedback and suggestions are welcome.
>
> (Apologies if I sent the mail to wrong mailing list)

Interesting stuff. I'm hoping nobody tries to use this as a TorBrowser substitute, but it's a neat piece of engineering.

Have you considered submitting your patches upstream?
Re: [tor-talk] (no subject)
On Tue, Aug 11, 2015 at 9:28 PM, Thomas White thomaswh...@riseup.net wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Does anyone in Tor want to name a price to get this task done? Can then be followed by a match donation to be spent with on whatever you wish once the multicore has been added.

Hi, Thomas, and congratulations! You've asked a question I wasn't prepared to answer. Here's a thread we had about it today:

18:25 nickm So, I assume people have seen the tor-relays/tor-talk thread about Hey Tor folks, what would you want in exchange for making tor parallelize better
18:25 nickm Do we have a way of even answering that?
18:26 nickm If not, I think we should reply to say This is a generous offer and we need to apologize for taking so long, but it's not been something we had a way of answering before. We'll try to come up with such a way and see what it outputs RSN
18:26 nickm thoughts?
18:44 arma4 sounds plausible. i think the issue is a combination of not enough developerpower and also not enough money
18:44 arma4 a short small amount of money wouldn't be enough to overcome the first issue,
18:45 arma4 and we need to overcome both
18:47 nickm yeah. I think that anything less than a year fulltime of dev time, plus overhead and incidentals, can't work out here.
18:47 nickm plus, no timeline promised
18:48 nickm arma4: thoughts?
18:49 arma4 are there any incremental steps that can be done, by other people, in the mean time?
18:49 nickm in theory sure
18:49 arma4 it seems like a wildly unpredictable amount of work
18:50 nickm in practice nobody who isn't a Solid Wizard is going to get much done here
18:50 arma4 and it's not even clear, to me, what architecture we should use to parallelize cleanly
18:50 arma4 all of this ipc stuff sounds great in theory until you try to run the program on ios or something and then boy are you surprised
18:51 nickm I have an architecture in mind for circuit crypto
18:51 nickm for tls, I have no bloody clue
18:52 toml but would we feel good about taking a shot if there was one full-time equivalent devoted to the problem?
18:52 arma4 maybe explaining very briefly why it isn't trivial, and why it is going to be hard to do right, would be helpful for the folks wondering why we don't just do it already
18:52 toml arma: I agree that we should take the opportunity to explain the challenge
18:52 arma4 toml: and if we had said full-time developer, would this be the most important thing to have her work on?
18:53 arma4 so far the answer has been no, other things are more important
18:53 toml well, it would be an answer to the question: what would it take?
18:53 toml so if they put cash on the barrel head, we could dedicate. (I would bet there would be other associated benefits not strictly related)
18:54 toml probably the cost would be too steep, but they would know where we stand. (part of the education piece)
18:55 * nickm suggests that we just copy-and-paste this conversation into the thread
18:56 arma4 sounds good
18:58 toml arma: and let's always use the term full-time equivalent. There is an industry standard for a FTE amount, but we reserve the right to apportion those funds among more than one person.
18:58 nickm any more to add ?
19:00 nickm I feel like we could safely say More than 80k and less than 500k on this today, and if those numbers don't scare people away, invest time into digging into getter numbers
19:01 arma4 sounds good. it is basically a big architectural change inside tor. our work on better testing and better modularity is (slowly) moving us in the right direction as we wait.
19:01 toml I would say minimum $100K, as this would leapfrog several other priorities.
19:02 nickm also overhead
19:02 toml si
19:02 nickm yeah, good point, toml
19:03 nickm OTOH, we can also mention the $0 price point: for no money at all, we will _care_ about this, because we already do. And at some point eventually, somebody will surely work on it in their free time, one of these days
19:03 toml (and that is too low for a FT equivalent, but it is enough to motivate us to explore
19:03 arma4 heck, not only do we care, but we even wrote up a thing on how it might be done
19:04 toml arma: should we share that? (or share it again?)
19:05 arma4 nickm should point to it in his response i hope
19:06 arma4 he wrote it so hopefully he knows what is the best thing to point at :)
19:06 nickm well,it's quite old and maybe I should revise some morning/afternoon when I am smarter
19:08 toml perhaps leave it as is — show how long we have been thinking on this. Then maybe add a brief bit on things we have learned since, at your leisure.
19:08 arma4 that way lies paralysis. which is almost like parallelization, but not quite. :)
18:13 nickm ok. So I am going to add this to topics for the wednesday core tor dev meeting, and send it to the ml, unless somebody objects?

I think the URL I was asked to add was
[tor-talk] Tor 0.2.7.2-alpha is released
This, the second alpha in the Tor 0.2.7 series, has a number of new features, including a way to manually pick the number of introduction points for hidden services, and the much stronger Ed25519 signing key algorithm for regular Tor relays (including support for encrypted offline identity keys in the new algorithm).

Support for Ed25519 on relays is currently limited to signing router descriptors; later alphas in this series will extend Ed25519 key support to more parts of the Tor protocol.

You can download the source from the usual place on the website. Packages should be up in a few days.

NOTE: This is an alpha release. Please expect bugs.

  o Major features (Ed25519 identity keys, Proposal 220):
    - All relays now maintain a stronger identity key, using the Ed25519 elliptic curve signature format. This master key is designed so that it can be kept offline. Relays also generate an online signing key, and a set of other Ed25519 keys and certificates. These are all automatically regenerated and rotated as needed. Implements part of ticket 12498.
    - Directory authorities now vote on Ed25519 identity keys along with RSA1024 keys. Implements part of ticket 12498.
    - Directory authorities track which Ed25519 identity keys have been used with which RSA1024 identity keys, and do not allow them to vary freely. Implements part of ticket 12498.
    - Microdescriptors now include Ed25519 identity keys. Implements part of ticket 12498.
    - Add support for offline encrypted Ed25519 master keys. To use this feature on your tor relay, run tor --keygen to make a new master key (or to make a new signing key if you already have a master key). Closes ticket 13642.

  o Major features (Hidden services):
    - Add the torrc option HiddenServiceNumIntroductionPoints, to specify a fixed number of introduction points. Its maximum value is 10 and default is 3. Using this option can increase a hidden service's reliability under load, at the cost of making it more visible that the hidden service is facing extra load. Closes ticket 4862.
    - Remove the adaptive algorithm for choosing the number of introduction points, which used to change the number of introduction points (poorly) depending on the number of connections the HS sees. Closes ticket 4862.

  o Major features (onion key cross-certification):
    - Relay descriptors now include signatures of their own identity keys, made using the TAP and ntor onion keys. These signatures allow relays to prove ownership of their own onion keys. Because of this change, microdescriptors will no longer need to include RSA identity keys. Implements proposal 228; closes ticket 12499.

  o Major features (performance):
    - Improve the runtime speed of Ed25519 operations by using the public-domain Ed25519-donna by Andrew M. (floodyberry). Implements ticket 16467.
    - Improve the runtime speed of the ntor handshake by using an optimized curve25519 basepoint scalarmult implementation from the public-domain Ed25519-donna by Andrew M. (floodyberry), based on ideas by Adam Langley. Implements ticket 9663.

  o Major bugfixes (client-side privacy, also in 0.2.6.9):
    - Properly separate out each SOCKSPort when applying stream isolation. The error occurred because each port's session group was being overwritten by a default value when the listener connection was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch by jojelino.

  o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
    - Stop refusing to store updated hidden service descriptors on a client. This reverts commit 9407040c59218 (which indeed fixed bug 14219, but introduced a major hidden service reachability regression detailed in bug 16381). This is a temporary fix since we can live with the minor issue in bug 14219 (it just results in some load on the network) but the regression of 16381 is too much of a setback. First-round fix for bug 16381; bugfix on 0.2.6.3-alpha.

  o Major bugfixes (hidden services):
    - When cannibalizing a circuit for an introduction point, always extend to the chosen exit node (creating a 4 hop circuit). Previously Tor would use the current circuit exit node, which changed the original choice of introduction point, and could cause the hidden service to skip excluded introduction points or reconnect to a skipped introduction point. Fixes bug 16260; bugfix on 0.1.0.1-rc.

  o Major bugfixes (open file limit):
    - The open file limit wasn't checked before calling tor_accept_socket_nonblocking(), which would make Tor exceed the limit. Now, before opening a new socket, Tor validates the open file limit just before, and if the max has been reached, return an error. Fixes