Tor 0.2.5.12 and 0.2.6.7 are released

by arma | April 7, 2015

Tor 0.2.5.12 and 0.2.6.7 fix two security issues that could be used by an attacker to crash hidden services, or crash clients visiting hidden services. Hidden services should upgrade as soon as possible; clients should upgrade whenever packages become available.

These releases also contain two simple improvements to make hidden services a bit less vulnerable to denial-of-service attacks.

We also made a Tor 0.2.4.27 release so that Debian stable can easily integrate these fixes.

The Tor Browser team is currently evaluating whether to put out a new Tor Browser stable release with these fixes, or wait until next week for their scheduled next stable release. (The bugs can introduce hassles for users, but we don't currently view them as introducing any threats to anonymity.)

Changes in version 0.2.5.12 - 2015-04-06

  • Major bugfixes (security, hidden service):
    • Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    • Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
  • Minor features (DoS-resistance, hidden service):
    • Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515.

Changes in version 0.2.6.7 - 2015-04-06

  • Major bugfixes (security, hidden service):
    • Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    • Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
  • Minor features (DoS-resistance, hidden service):
    • Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515.
    • Decrease the amount of reattempts that a hidden service performs when its rendezvous circuits fail. This reduces the computational cost for running a hidden service under heavy load. Resolves ticket 11447.

Comments

Please note that the comment area below has been archived.

April 08, 2015

Permalink

You might also want to fix a crash thats happening in TorBrowser when stating invalid SocksPort such as "SocksPort 192.168.55.90:9182" when the local ip address actually is 192.168.54.90.

You can find the new expert bundle for Windows linked from the download page.

The old installers aren't being maintained, because they would require somebody to build and maintain them, and we currently have no such somebodies.

April 16, 2015

In reply to arma

Permalink

What about the command line functionality? I was using 0.2.4.21 on Windows Vista until I decided to upgrade to 0.2.5.12 and found that there was no stdout messages, nor did -version/-h/-help work either. I downloaded the zip file (expert bundle).

I much prefer the way it worked before and I am very hesitant to rely on the Tor Browser (though I have used it).

Thanks.

April 09, 2015

Permalink

Where can I find the installer for latest tor on win32 ?
Im running a tor relay on windows.
The expert bundle on main download page contains a small tor.exe and some libraries that I dont know how to use in windows, so I need the win32 installer.

April 10, 2015

Permalink

"The old installers aren't being maintained, because they would require somebody to build and maintain them, and we currently have no such somebodies."

Accepting that the maintaining an installer for Tor alone is a significant burden on top of maintinaing the installer for the more complicated packages:

There at least ought to be a link on the download page to something explaining this, and providing instructions on what to do with the "new" expert bundle. Alternatively, this could be in a README included in the zip file.

As I remember it, what has become the "expert" bundle was originally the main way that Tor was distributed for Windows. Whether I remember correctly or not, there are plenty of people who don't use, and don't want to use, the Tor browser bundle, but aren't "experts" at manually installing Tor on Windows. It's also not obvious what needs to be done about torrc. Simply unzipping the file and running the tor.exe does not produce the expected previous behavior so it's not unreasonable for people to be confused.

If this information exists, I haven't come across it. The only thing I've found are a few disconnected comments in bug reports, but nothing from anyone in the Tor project itself.

I do appreciate the work done by the maintainers and developers, but there needs to be some alternative to building from source for people who want only Tor.