Tor 0.2.0.32 is released
Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues. https://www.torproject.org/download.html Or use our new https://www.torproject.org/easy-download page. Changes in version 0.2.0.32 - 2008-11-20 o Security fixes: - The User and Group config options did not clear the supplementary group entries for the Tor process. The User option is now more robust, and we now set the groups to the specified user's primary group. The Group option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. - The ClientDNSRejectInternalAddresses config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. o Major bugfixes: - Fix a DOS opportunity during the voting signature collection process at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x. o Major bugfixes (hidden services): - When fetching v0 and v2 rendezvous service descriptors in parallel, we were failing the whole hidden service request when the v0 descriptor fetch fails, even if the v2 fetch is still pending and might succeed. Similarly, if the last v2 fetch fails, we were failing the whole hidden service request even if a v0 fetch is still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha. - When extending a circuit to a hidden service directory to upload a rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all requests failed, because the router descriptor has not been downloaded yet. In these cases, do not attempt to upload the rendezvous descriptor, but wait until the router descriptor is downloaded and retry. Likewise, do not attempt to fetch a rendezvous descriptor from a hidden service directory for which the router descriptor has not yet been downloaded. Fixes bug 767. Bugfix on 0.2.0.10-alpha. o Minor bugfixes: - Fix several infrequent memory leaks spotted by Coverity. - When testing for libevent functions, set the LDFLAGS variable correctly. Found by Riastradh. - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from bootstrapping with tunneled directory connections. Bugfix on 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam. - When asked to connect to A.B.exit:80, if we don't know the IP for A and we know that server B rejects most-but-not all connections to port 80, we would previously reject the connection. Now, we assume the user knows what they were asking for. Fixes bug 752. Bugfix on 0.0.9rc5. Diagnosed by BarkerJr. - If we overrun our per-second write limits a little, count this as having used up our write allocation for the second, and choke outgoing directory writes. Previously, we had only counted this when we had met our limits precisely. Fixes bug 824. Patch from by rovv. Bugfix on 0.2.0.x. - Remove the old v2 directory authority 'lefkada' from the default list. It has been gone for many months. - Stop doing unaligned memory access that generated bus errors on sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862. - Make USR2 log-level switch take effect immediately. Bugfix on 0.1.2.8-beta. o Minor bugfixes (controller): - Make DNS resolved events into CLOSED, not FAILED. Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807. -- Andrew signature.asc Description: Digital signature
Re: Tor 0.2.0.32 is released
On Thu, Dec 04, 2008 at 12:34:16PM -0500, [EMAIL PROTECTED] wrote 4.4K bytes in 97 lines about: For OS X users, there is a packaging bugfix in 0.2.0.32 labelled as 0.2.0.32a in the available packages. It turns out for years we've been shipping a Info.plist with an incorrect key. The issue was discovered and reported as bug 876, https://bugs.torproject.org/flyspray/index.php?id=876do=details. The commit to fix the problem in the 0_2_0 branch is r17472: http://archives.seul.org/or/cvs/Dec-2008/msg00037.html The commit to fix the problem in the Vidalia 0.1 branch is r3361: http://trac.vidalia-project.net/browser/vidalia/branches/vidalia-0.1/pkg/osx?order=datedesc=1 The bug is that the OS X Installer will prompt The chosen volume contains software which is newer then [sic] the software you are installing. The problem is that the Installer looks in the file /Library/Receipts/Vidalia.pkg/Contents/Info.plist for CFBundleShortVersionString. We mistakenly called it CFBundleSortVersionString, which Apple inserts 1 as the value. The upgrade to Vidalia from 0.1.9 to 0.1.10 apparently triggered the issue. The fix is to put the correct value in place for the future. The simplest way to do this is to have the users click Continue when prompted. We could have spent a lot of time trying to fix it for the user to hide the issue, but well, that is fraught with problems and complexities. A simple click of Continue is far simpler and less error prone. The difference between the released 0.2.0.32 Tor code is the inclusion of r17472. It's not really 0.2.0.32a per se, but since we lack package versions, I had to distinguish it in some way. -- Andrew signature.asc Description: Digital signature
Re: Tor 0.2.0.32 is released
Thank you, is a new version for OSX10.3.9 on the way? GD On 4 Dec 2008, at 17:48, [EMAIL PROTECTED] wrote: On Thu, Dec 04, 2008 at 12:34:16PM -0500, [EMAIL PROTECTED] wrote 4.4K bytes in 97 lines about: For OS X users, there is a packaging bugfix in 0.2.0.32 labelled as 0.2.0.32a in the available packages. It turns out for years we've been shipping a Info.plist with an incorrect key. The issue was discovered and reported as bug 876, https://bugs.torproject.org/flyspray/index.php?id=876do=details. The commit to fix the problem in the 0_2_0 branch is r17472: http://archives.seul.org/or/cvs/Dec-2008/msg00037.html The commit to fix the problem in the Vidalia 0.1 branch is r3361: http://trac.vidalia-project.net/browser/vidalia/branches/vidalia-0.1/ pkg/osx?order=datedesc=1 The bug is that the OS X Installer will prompt The chosen volume contains software which is newer then [sic] the software you are installing. The problem is that the Installer looks in the file /Library/Receipts/Vidalia.pkg/Contents/Info.plist for CFBundleShortVersionString. We mistakenly called it CFBundleSortVersionString, which Apple inserts 1 as the value. The upgrade to Vidalia from 0.1.9 to 0.1.10 apparently triggered the issue. The fix is to put the correct value in place for the future. The simplest way to do this is to have the users click Continue when prompted. We could have spent a lot of time trying to fix it for the user to hide the issue, but well, that is fraught with problems and complexities. A simple click of Continue is far simpler and less error prone. The difference between the released 0.2.0.32 Tor code is the inclusion of r17472. It's not really 0.2.0.32a per se, but since we lack package versions, I had to distinguish it in some way. -- Andrew
Re: Tor 0.2.0.32 is released
On Thu, Dec 04, 2008 at 05:56:11PM +, [EMAIL PROTECTED] wrote 1.8K bytes in 43 lines about: Thank you, is a new version for OSX10.3.9 on the way? Yes. There is a tor-only package for 10.3.9 available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32a-ppc-Bundle.dmg The vidalia bundle for PPC is coming shortly. The machine I use to make the ppc bundles is a G3 iMac. Qt 4.4.3 takes 23 hours to compile, assuming no errors. It appears Qt 4.4.3 doesn't support 10.3.9 anymore, so it has a slew of issues when compiling. I'm compiling qt 4.4.1 right now (because 4.4.2 had lots of issues) and well, it has another 10 hours of compiling to go. -- Andrew
Re: Tor 0.2.0.32 is released
On Thu, Dec 4, 2008 at 11:34 AM, [EMAIL PROTECTED] wrote: Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues. Are there any bugs open with Debian/Ubuntu to get these merged into the security branches? I haven't checked Debian, but Ubuntu 8.10 is currently still at 0.31. https://www.torproject.org/download.html Or use our new https://www.torproject.org/easy-download page. Changes in version 0.2.0.32 - 2008-11-20 o Security fixes: - The User and Group config options did not clear the supplementary group entries for the Tor process. The User option is now more robust, and we now set the groups to the specified user's primary group. The Group option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. - The ClientDNSRejectInternalAddresses config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. o Major bugfixes: - Fix a DOS opportunity during the voting signature collection process at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x. o Major bugfixes (hidden services): - When fetching v0 and v2 rendezvous service descriptors in parallel, we were failing the whole hidden service request when the v0 descriptor fetch fails, even if the v2 fetch is still pending and might succeed. Similarly, if the last v2 fetch fails, we were failing the whole hidden service request even if a v0 fetch is still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha. - When extending a circuit to a hidden service directory to upload a rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all requests failed, because the router descriptor has not been downloaded yet. In these cases, do not attempt to upload the rendezvous descriptor, but wait until the router descriptor is downloaded and retry. Likewise, do not attempt to fetch a rendezvous descriptor from a hidden service directory for which the router descriptor has not yet been downloaded. Fixes bug 767. Bugfix on 0.2.0.10-alpha. o Minor bugfixes: - Fix several infrequent memory leaks spotted by Coverity. - When testing for libevent functions, set the LDFLAGS variable correctly. Found by Riastradh. - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from bootstrapping with tunneled directory connections. Bugfix on 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam. - When asked to connect to A.B.exit:80, if we don't know the IP for A and we know that server B rejects most-but-not all connections to port 80, we would previously reject the connection. Now, we assume the user knows what they were asking for. Fixes bug 752. Bugfix on 0.0.9rc5. Diagnosed by BarkerJr. - If we overrun our per-second write limits a little, count this as having used up our write allocation for the second, and choke outgoing directory writes. Previously, we had only counted this when we had met our limits precisely. Fixes bug 824. Patch from by rovv. Bugfix on 0.2.0.x. - Remove the old v2 directory authority 'lefkada' from the default list. It has been gone for many months. - Stop doing unaligned memory access that generated bus errors on sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862. - Make USR2 log-level switch take effect immediately. Bugfix on 0.1.2.8-beta. o Minor bugfixes (controller): - Make DNS resolved events into CLOSED, not FAILED. Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807. -- Andrew -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJOBSYO50JPzGwl0sRAo63AJ9uVH8Rk0CSf9PXPlWfQuxqTt1IzQCeMtFB hvuayLifVdMBanIy2Za6y5M= =UkKO -END PGP SIGNATURE-
Re: Tor 0.2.0.32 is released
Standard install failed the same way. When I tried to install https://www.torproject.org/dist/osx-old/Tor-0.2.0.31-ppc-Bundle.dmg I got an 'unknown package error' before the install process began. Fortunately the https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle -0.2.0.31-0.1.9-ppc.dmg still worked to restore the status-quo-ante. On 4 Dec 2008, at 18:20, Geoff Down wrote: That's a binary install? I tried it (custom install without the startup script) but got a 'There were errors, try reinstalling' message. I's broken my old version dyld: /usr/bin/tor can't open library: /usr/local/lib/libevent-1.4.2.dylib (No such file or directory, errno = 2) Trace/BPT trap GD On 4 Dec 2008, at 18:07, [EMAIL PROTECTED] wrote: On Thu, Dec 04, 2008 at 05:56:11PM +, [EMAIL PROTECTED] wrote 1.8K bytes in 43 lines about: Thank you, is a new version for OSX10.3.9 on the way? Yes. There is a tor-only package for 10.3.9 available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32a-ppc-Bundle.dmg The vidalia bundle for PPC is coming shortly. The machine I use to make the ppc bundles is a G3 iMac. Qt 4.4.3 takes 23 hours to compile, assuming no errors. It appears Qt 4.4.3 doesn't support 10.3.9 anymore, so it has a slew of issues when compiling. I'm compiling qt 4.4.1 right now (because 4.4.2 had lots of issues) and well, it has another 10 hours of compiling to go. -- Andrew
Re: Tor 0.2.0.32 is released
On Fri, Dec 05, 2008 at 12:55:34AM +, [EMAIL PROTECTED] wrote 1.5K bytes in 40 lines about: Standard install failed the same way. You found another packaging bug. It's fixed. The Tor PowerPC-only binary is available at: https://www.torproject.org/dist/osx-old/Tor-0.2.0.32b-ppc-Bundle.dmg and .asc. The issue didn't show up during testing because I had a test version of libevent installed. Libevent 1.4.8 is compiled and installed according to the OS X build directions. And on a clean OS X 10.3.9 system, the b package installs correctly and without error. Thanks for reporting the issue. -- Andrew
