Hi, all! We've almost got the Tor 0.2.5 release series done. This morning I released Tor 0.2.5.9-rc, which I hope will be the final release candidate.
Packages are not built yet, but will follow soon. You can download the source from the usual places, including https://dist.torproject.org . The changelog is as follows: Changes in version 0.2.5.9-rc - 2014-10-20 Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x series. It disables SSL3 in response to the recent "POODLE" attack (even though POODLE does not affect Tor). It also works around a crash bug caused by some operating systems' response to the "POODLE" attack (which does affect Tor). It also contains a few miscellaneous fixes. o Major security fixes: - Disable support for SSLv3. All versions of OpenSSL in use with Tor today support TLS 1.0 or later, so we can safely turn off support for this old (and insecure) protocol. Fixes bug 13426. o Major bugfixes (openssl bug workaround): - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug 13471. This is a workaround for an OpenSSL bug. o Minor bugfixes: - Disable the sandbox name resolver cache when running tor-resolve: tor-resolve doesn't use the sandbox code, and turning it on was breaking attempts to do tor-resolve on a non-default server on Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha. o Compilation fixes: - Build and run correctly on systems like OpenBSD-current that have patched OpenSSL to remove get_cipher_by_char and/or its implementations. Fixes issue 13325. o Downgraded warnings: - Downgrade the severity of the 'unexpected sendme cell from client' from 'warn' to 'protocol warning'. Closes ticket 8093. -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
