We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week.
These releases fix a pair of denial-of-service issues, described below. One of these issues is authority-only. The other issue affects all Tor instances, and is most damaging on directory authorities and relays. We recommend that everybody should upgrade to one of these versions once packages are available.
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker who can send directory data to a Tor instance to force that Tor instance to consume huge amounts of CPU. This is easiest to exploit against authorities, since anybody can upload to them, but directory caches could also exploit this vulnerability against relays or clients when they download. The other vulnerability (TROVE-2021-002) only affects directory authorities, and would allow an attacker to remotely crash the authority with an assertion failure. Patches have already been provided to the authority operators, to help ensure network stability.
We recommend that everybody upgrade to one of the releases that fixes these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available to you.
This release also updates our GeoIP data source, and fixes a few smaller bugs in earlier releases.
Changes in version 0.4.5.7 - 2021-03-16
Major bugfixes (security, denial of service):
Disable the dump_desc() function that we used to dump unparseable information to disk. It was called incorrectly in several places, in a way that could lead to excessive CPU usage. Fixes bug 40286; bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- 001 and CVE-2021-28089.
Fix a bug in appending detached signatures to a pending consensus document that could be used to crash a directory authority. Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 and CVE-2021-28090.
Minor features (geoip data):
We have switched geoip data sources. Previously we shipped IP-to- country mappings from Maxmind's GeoLite2, but in 2019 they changed their licensing terms, so we were unable to update them after that point. We now ship geoip files based on the IPFire Location Database instead. (See https://location.ipfire.org/ for more information). This release updates our geoip files to match the IPFire Location Database as retrieved on 2021/03/12. Closes ticket 40224.
The metrics timeline is a database of news and events that may affect Tor Metrics graphs. This post is about how you can contribute to the timeline and help keep it up to date.
After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.5.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.
The Tor 0.4.5.x release series is dedicated to the memory of Karsten Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. Karsten is best known for creating the Tor metrics portal and leading the metrics team, but he was involved in Tor from the early days. For example, while he was still a student he invented and implemented the v2 onion service directory design, and he also served as an ambassador to the many German researchers working in the anonymity field. We loved him and respected him for his patience, his consistency, and his welcoming approach to growing our community.
This release series introduces significant improvements in relay IPv6 address discovery, a new "MetricsPort" mechanism for relay operators to measure performance, LTTng support, build system improvements to help when using Tor as a static library, and significant bugfixes related to Windows relay performance. It also includes numerous smaller features and bugfixes.
Below are the changes since 0.4.4.7. For a list of changes since 0.4.5.5-rc, see the ChangeLog file.
Changes in version 0.4.5.6 - 2021-02-15
Major features (build):
When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
Major features (metrics):
Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.
Last August, we asked you to help us fundraise during our second annual Bug Smash Fund campaign. We want to share an update on some of the work that the second year of the Bug Smash Fund has made possible.
