Tor 0.2.1.7-alpha released
Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
packages (and maybe other packages) noticed by Theo de Raadt, fixes
a smaller security flaw that might allow an attacker to access local
services, adds better defense against DNS poisoning attacks on exit
relays, further improves hidden service performance, and fixes a variety
of other issues.
https://decvnxytmk.oedi.net/download
Changes in version 0.2.1.7-alpha - 2008-11-08
Security fixes:
- The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. - The "User" and "Group" config options did not clear the
supplementary group entries for the Tor process. The "User" option
is now more robust, and we now set the groups to the specified
user's primary group. The "Group" option is now ignored. For more
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848. - Do not use or believe expired v3 authority certificates. Patch
from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
Minor features:
- Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
Suggested by Lucky Green. - Implement the 0x20 hack to better resist DNS poisoning: set the
case on outgoing DNS requests randomly, and reject responses that do
not match the case correctly. This logic can be disabled with the
ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
of servers that do not reliably preserve case in replies. See
"Increased DNS Forgery Resistance through 0x20-Bit Encoding"
for more info. - Preserve case in replies to DNSPort requests in order to support
the 0x20 hack for resisting DNS poisoning attacks.
Hidden service performance improvements:
- When the client launches an introduction circuit, retry with a
new circuit after 30 seconds rather than 60 seconds. - Launch a second client-side introduction circuit in parallel
after a delay of 15 seconds (based on work by Christian Wilms). - Hidden services start out building five intro circuits rather
than three, and when the first three finish they publish a service
descriptor using those. Now we publish our service descriptor much
faster after restart.
Minor bugfixes:
- Minor fix in the warning messages when you're having problems
bootstrapping; also, be more forgiving of bootstrap problems when
we're still making incremental progress on a given bootstrap phase. - When we're choosing an exit node for a circuit, and we have
no pending streams, choose a good general exit rather than one that
supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv. - Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv. - If a broken client asks a non-exit router to connect somewhere,
do not even do the DNS lookup before rejecting the connection.
Fixes another case of bug 619. Patch from rovv. - Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes another case of bug 752. Patch from rovv. - Check which hops rendezvous stream cells are associated with to
prevent possible guess-the-streamid injection attacks from
intermediate hops. Fixes another case of bug 446. Based on patch
from rovv. - Avoid using a negative right-shift when comparing 32-bit
addresses. Possible fix for bug 845 and bug 811. - Make the assert_circuit_ok() function work correctly on circuits that
have already been marked for close. - Fix read-off-the-end-of-string error in unit tests when decoding
introduction points. - Fix uninitialized size field for memory area allocation: may improve
memory performance during directory parsing. - Treat duplicate certificate fetches as failures, so that we do
not try to re-fetch an expired certificate over and over and over. - Do not say we're fetching a certificate when we'll in fact skip it
because of a pending download.
The original announcement can be found at http://archives.seul.org/or/talk/Nov-2008/msg00229.html
Comments
Please note that the comment area below has been archived.
OT: link on download page to
OT: link on download page to stable OS X bundle is incorrect - should point to https://decvnxytmk.oedi.net/dist/vidalia-bundles/vidalia-bundle-0.2.0.32…
nice catch
Fixed in svn. Thanks!
upgrade to 2.1.7 on OS X
upgrade to 2.1.7 on OS X doesn't install. Complains that current version (2.1.6) is newer than the version being installed
which OS X?
Feel free to submit a bug at bugs.torproject.org. I can't re-create this on any of my OS X test systems.
i wouldlike to one of your
i wouldlike to one of your members
thanks
thanks
when will be the new tor
when will be the new tor browser bundle is coming with Tor 0.2.1.7 alpha? Please make it fast guys.
Soon
Building the TBB is a manual process right now. We also will update to Firefox 2.0.0.18, which needs some investigation to make sure everything works the same wa as before. It's coming.
multiple circuits in tor
Hello,
Can anyone explain why the support for multiple circuits was removed in the latest version of TOR? I see it as a way to improve speed. Thanks.
Krishna
We didn't.
Why do you think we removed this ability?
ver 0.2.0.32
what is difference between TOR 0.2.0.31 and 0.2.0.32
0.2.0.32 on download page, but what is differecne between that version and 0.2.0.31
also, which ver is better, stable or unstable, for users TOR strictly for anonymity (not testing soft)
the difference
Tor 0.2.0.32 is going to be the next stable release. We were all set to release, until we ran into one issue on OS X. The code is ready to release and be announced shortly.
Tor
Hello,
I'm running:
Vidalia 0.0.16
Tor 0.1.2.19
Qt 4.3.2
It's basically just running in the background. Am I protecting myself from anything by having it running or am I not using it properly. I went to the Tor website but the content and getting started is soooo lengthy that I can't get a grasp on if I'm using it correctly.
Any quick reference guides or advice would be greatly appreciated.
L