Tor 0.2.9.10 is released

by nickm | March 1, 2017

Tor 0.2.9.10 backports a security fix for users who build Tor with the --enable-expensive-hardening option. It also includes fixes for some major issues affecting directory authorities, LibreSSL compatibility, and IPv6 correctness.
The Tor 0.2.9.x release series is now marked as a long-term-support series. We intend to backport security fixes to 0.2.9.x until at least January of 2020.
You can download the source code from https://utuhewzcso.oedi.net/ but most users should wait for next week's upcoming Tor Browser release, or for their upcoming system package updates.

Changes in version 0.2.9.10 - 2017-03-01

  • Major bugfixes (directory authority, 0.3.0.3-alpha):
    • During voting, when marking a relay as a probable sybil, do not clear its BadExit flag: sybils can still be bad in other ways too. (We still clear the other flags.) Fixes bug 21108; bugfix on 0.2.0.13-alpha.
  • Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
    • Stop rejecting all IPv6 traffic on Exits whose exit policy rejects any IPv6 addresses. Instead, only reject a port over IPv6 if the exit policy rejects that port on more than an IPv6 /16 of addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, which rejected a relay's own IPv6 address by default. Fixes bug 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

 

  • Major bugfixes (parsing, also in 0.3.0.4-rc):
    • Fix an integer underflow bug when comparing malformed Tor versions. This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz.
  • Minor features (directory authorities, also in 0.3.0.4-rc):
    • Directory authorities now reject descriptors that claim to be malformed versions of Tor. Helps prevent exploitation of bug 21278.
    • Reject version numbers with components that exceed INT32_MAX. Otherwise 32-bit and 64-bit platforms would behave inconsistently. Fixes bug 21450; bugfix on 0.0.8pre1.
  • Minor features (geoip):
    • Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 Country database.
  • Minor features (portability, compilation, backport from 0.3.0.3-alpha):
    • Autoconf now checks to determine if OpenSSL structures are opaque, instead of explicitly checking for OpenSSL version numbers. Part of ticket 21359.
    • Support building with recent LibreSSL code that uses opaque structures. Closes ticket 21359.
  • Minor bugfixes (code correctness, also in 0.3.0.4-rc):
    • Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278.
  • Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
    • The tor-resolve command line tool now rejects hostnames over 255 characters in length. Previously, it would silently truncate them, which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. Patch by "junglefowl".

Comments

Please note that the comment area below has been archived.

I cannot see it yet.

Already got it, thanks, and replied ( on the thread https://vbdvexcmqi.oedi.net/blog/tor-0299-released ). That would be nice if arma lets us know his opinion about ControlPort discussion.

Then, concerning the second question, I think karsten gave good reply https://vbdvexcmqi.oedi.net/comment/reply/1311/241421 in the thread about Atlas https://vbdvexcmqi.oedi.net/blog/atlas-recent-improvements#comments

March 05, 2017

Permalink

I wonder why my Debian jessie doesn't show an update, it's still version 0.2.9.9. I use official onion tor repository for apt-get. Am I alone who has this problem?

March 05, 2017

Permalink

most users should wait for next week's upcoming Tor Browser release, or for their upcoming system package updates.
They have just arrived to apt-get of Debian, Tor repo! Thanks!

March 05, 2017

Permalink

I see that around middle of September 2016 about 1 thousand bridges suddenly disappeared, then reappeared, and then disappeared again and started to grow monotonically and linearly (it looks even more artificial if you observe it from the perspective of the graph for last years):
https://metrics.torproject.org/networksize.html?start=2016-08-06&end=20…
What is this? Do they all belong to the same entity? It is also strange that during 2015 the amount of bridges was only decreasing.

Moreover, I see that during 2013 amount of Tor relays was continuously growing, in total the amount was increased 1.5 times. The same is true for 2014. However, during last 2 years the amount of Tor relays is almost the same. How it can happen in natural circumstances? In addition, during the half of 2015 the amount of relays was only decreasing:
https://metrics.torproject.org/networksize.html?start=2011-08-06&end=20…

I think people knowing statistics theory would say it is quite improbable behavior. Natural dependence should be close to logarithm, but what we see is very far from that.