TOR PROJECT
Tor 0.2.9.4-alpha is released, with important fixes
Posted October 17th, 2016 by nickm
https://blog.torproject.org/blog/tor-0294-alpha-released-important-fixes

Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to 0.2.8.9. Patches will be released for older versions of Tor.

Tor 0.2.9.4-alpha also adds numerous small features and fix-ups to previous versions of Tor, including the implementation of a feature to future-proof the Tor ecosystem against protocol changes, some bug fixes necessary for Tor Browser to use unix domain sockets correctly, and several portability improvements. We anticipate that this will be the last alpha in the Tor 0.2.9 series, and that the next release will be a release candidate.

You can download the source from the usual place on the website. Packages should be available over the next several days. Remember to check the signatures!

Please note: This is an alpha release. You should only try this one if you are interested in tracking Tor development, testing new features, making sure that Tor still builds on unusual platforms, or generally trying to hunt down bugs. If you want a stable experience, please stick to the stable releases.

Below are the changes since 0.2.9.3-alpha.
Changes in version 0.2.9.4-alpha - 2016-10-17

    Major features (security fixes):
        Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001). 
    Major features (subprotocol versions):
        Tor directory authorities now vote on a set of recommended subprotocol versions, and on a set of required subprotocol versions. Clients and relays that lack support for a _required_ subprotocol version will not start; those that lack support for a _recommended_ subprotocol version will warn the user to upgrade. Closes ticket 19958; implements part of proposal 264.
        Tor now uses "subprotocol versions" to indicate compatibility. Previously, versions of Tor looked at the declared Tor version of a relay to tell whether they could use a given feature. Now, they should be able to rely on its declared subprotocol versions. This change allows compatible implementations of the Tor protocol(s) to exist without pretending to be 100% bug-compatible with particular releases of Tor itself. Closes ticket 19958; implements part of proposal 264. 
...
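
One way to build a defense of the kind described under "Major features (security fixes)" is to keep a few zero guard bytes after each chunk's payload, so a stray string function stops inside the allocation. This is an added sketch, not Tor's code: `chunk_t`, `SENTINEL_LEN` and the function names are hypothetical, and the guard size is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SENTINEL_LEN 4          /* guard bytes after the usable area (assumed size) */

typedef struct chunk {
    size_t cap;                 /* usable bytes in data[] */
    size_t len;                 /* bytes currently stored */
    char data[];                /* cap bytes of payload + SENTINEL_LEN zero bytes */
} chunk_t;

/* Allocate a chunk whose last SENTINEL_LEN bytes are zero and never hold payload. */
chunk_t *chunk_new(size_t cap) {
    chunk_t *c = calloc(1, sizeof(*c) + cap + SENTINEL_LEN);
    if (c) c->cap = cap;
    return c;
}

/* Copy raw network bytes in, truncating at cap so the sentinel is never written. */
size_t chunk_append(chunk_t *c, const void *src, size_t n) {
    if (n > c->cap - c->len) n = c->cap - c->len;
    memcpy(c->data + c->len, src, n);
    c->len += n;
    return n;
}

/* Integrity check: returns 1 while every guard byte is still zero. */
int chunk_sentinel_ok(const chunk_t *c) {
    for (size_t i = 0; i < SENTINEL_LEN; i++)
        if (c->data[c->cap + i] != 0) return 0;
    return 1;
}

/* The bug class: payload treated as a C string. Without the sentinel this
 * read runs off the allocation when the chunk is full; with it, it stops at cap. */
size_t chunk_strlen_buggy(const chunk_t *c) { return strlen(c->data); }

/* The real fix: length-bounded search. Returns the offset of ch, or -1. */
long chunk_find(const chunk_t *c, int ch) {
    const char *p = memchr(c->data, ch, c->len);
    return p ? (long)(p - c->data) : -1;
}

int main(void) {
    chunk_t *c = chunk_new(8);
    if (!c) return 1;
    chunk_append(c, "GET / HTTP", 10);   /* constructed input: fills the chunk, no NUL */
    printf("strlen=%zu find=%ld guard=%d\n", chunk_strlen_buggy(c), chunk_find(c, '\n'), chunk_sentinel_ok(c));
    free(c);
}
```

The guard only bounds the read; the buggy call still returns a length the caller never validated, which is why the announcement says such bugs should still be fixed as they occur.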