Tor 0.2.8.7 is released, with important fixes

by nickm | August 24, 2016

Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses option in 0.2.8.6, and replaces a retiring bridge authority. Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade.
You can download the source from the Tor website. Packages should be available over the next week or so.

Below is a list of changes since 0.2.8.6.

Changes in version 0.2.8.7 - 2016-08-24

  • Directory authority changes:
    • The "Tonga" bridge authority has been retired; the new bridge authority is "Bifroest". Closes tickets 19728 and 19690.
  • Major bugfixes (client, security):
    • Only use the ReachableAddresses option to restrict the first hop in a path. In earlier versions of 0.2.8.x, it would apply to every hop in the path, with a possible degradation in anonymity for anyone using an uncommon ReachableAddress setting. Fixes bug 19973; bugfix on 0.2.8.2-alpha.
  • Minor features (geoip):
    • Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 Country database.
  • Minor bugfixes (compilation):
    • Remove an inappropriate "inline" in tortls.c that was causing warnings on older versions of GCC. Fixes bug 19903; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (fallback directories):
    • Avoid logging a NULL string pointer when loading fallback directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha and 0.2.8.1-alpha. Report and patch by "rubiate".
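
A simplified model of the ReachableAddresses fix (bug 19973), added here as an illustration and not taken from Tor's source. The relay list, function names and IPv4-only policy parser are constructed for the example, and real path selection also weighs bandwidth, flags and families. It shows how filtering every hop, rather than only the first, shrinks the candidate pool for the whole path.

```python
import ipaddress

# Constructed sample relays (name, IPv4 address, ORPort) in documentation ranges.
RELAYS = [
    ("r1", "192.0.2.10", 443), ("r2", "192.0.2.11", 9001),
    ("r3", "198.51.100.5", 443), ("r4", "198.51.100.6", 9001),
    ("r5", "203.0.113.7", 80), ("r6", "203.0.113.8", 9001),
]

def parse_policy(spec):
    """Parse '[accept|reject] ADDR[/MASK][:PORT]' entries; 'accept' is implied."""
    rules = []
    for item in spec.split(","):
        words = item.split()
        action = "accept"
        if words[0] in ("accept", "reject"):
            action, words = words[0], words[1:]
        addr, _, port = words[0].partition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        rules.append((action, net, None if port in ("", "*") else int(port)))
    return rules

def reachable(rules, ip, port):
    """First matching rule decides; the samples end in an explicit 'reject *:*'."""
    for action, net, rule_port in rules:
        if (net is None or ipaddress.ip_address(ip) in net) and rule_port in (None, port):
            return action == "accept"
    return True  # assumption of this model when no rule matches

def candidates(rules, hop, every_hop):
    """Relays eligible for a hop (0 = first). every_hop=True models bug 19973."""
    if hop == 0 or every_hop:
        return [name for name, ip, port in RELAYS if reachable(rules, ip, port)]
    return [name for name, _, _ in RELAYS]

def compare(spec):
    """Per-hop candidate sets for a 3-hop path: (fixed behaviour, buggy behaviour)."""
    rules = parse_policy(spec)
    fixed = [candidates(rules, hop, False) for hop in range(3)]
    buggy = [candidates(rules, hop, True) for hop in range(3)]
    return fixed, buggy

if __name__ == "__main__":
    for spec in ("*:80, *:443, reject *:*", "198.51.100.0/24:443, reject *:*"):
        fixed, buggy = compare(spec)
        print(spec, "\n  fixed:", fixed, "\n  buggy:", buggy)
```

With the narrow second setting, the buggy behaviour confines all three hops to the same small relay set, which is the anonymity degradation the changelog entry describes.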

Comments

Please note that the comment area below has been archived.

August 24, 2016

Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade.

1. What does "ReachableAddresses" option do?

2. Under what circumstances would a user set "ReachableAddresses" option?

3. Do you mean that users who use bridges need to upgrade to version 0.2.8.7?

1&2
If you trust some routers/countries etc., you can enumerate them in the "ReachableAddresses" option.

So "Everyone who sets the ReachableAddresses option" means previous tor versions follow this restriction when building circuits; 0.2.8.7 doesn't.

Tor design is slowly moving away from users controlling circuit building.

August 25, 2016

As there is an important bug fix in version 0.2.8.7, would it be possible to update the expert version on the downloads page please?

The current version available is still 0.2.8.6.

Thank you.

August 26, 2016

Event Viewer:
EMET version 5.5.5871.31892
EMET detected SimExecFlow mitigation and will close the application: firefox.exe

SimExecFlow check failed:
Application : C:\Users\user\Desktop\Tor Browser\Browser\firefox.exe
User Name : user-PC\user
Session ID : 1
PID : 0x11E8 (4584)
TID : 0x6DC (1756)
CodeAddress : 0x5443CB2A
CodeStackPtr : 0x52DBE0
CalledAddress : 0x769E48F3
API name : kernel32.LoadLibraryW
StackPtr : 0x0052D9A0
FramePtr : 0x52DD8C

Thanks for your help

August 30, 2016

In reply to gk

This is Tor, not TBB (yes?)
So, presumably drop this into Tor subfolders of current TBB (6.0.4? or whatever beta TBB?)

August 30, 2016

Could "somebody" edit zen.css for this site?
Use a paler color than the medium-dark green of
background: #009933;
(Yah, browser images off is less popular, so is fingerprintable)

if "possible", then thank you.

August 31, 2016

Hello

The FreeBSD port of Tor remains at version 0.2.8.6. https://www.freshports.org/security/tor/

I lack the secure communications infrastructure to e-mail the port maintainer myself to remind them to upgrade. Could someone here please do that (see maintainer address in freshports link above).

I believe it would be important to make tor 0.2.8.7 available as soon as possible, because of the aforementioned bridge authority changes.

Thank you.

September 01, 2016

When you say "released", where exactly? The main download area is still showing 0.2.8.6.

September 02, 2016

Crypto in VM is easily exploitable? Disable deduplication!
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_p…
"We find that, while [Deduplication Flip Feng Shui] is surprisingly practical and effective, existing cryptographic software is wholly unequipped to counter it,"
"We can reliably corrupt the memory of a target VM in a highly precise and controlled way."
"Our attacks allow an attacker to completely compromise co-hosted cloud VMs with relatively little effort,"

For all running MS networks: firewalling SMB
https://support.microsoft.com/en-us/kb/3185535

September 02, 2016

Is this actually a partial release to selected people only?

Will the public (especially Windows users) be able to download this soon?

Thank you.

September 08, 2016

Having intermittent trouble with meek-azure. Sometimes it works fine, but most of the time tor gets stuck establishing a directory connection and simply sends regular-interval keep-alive traffic to the azure server, but does not proceed to connect and eventually times out. meek-amazon works fine. Note this is in China, but I had the same issue in other countries.

Opening Socks listener on 127.0.0.1:9150
Bootstrapped 5%: Connecting to directory server
Bootstrapped 10%: Finishing handshake with directory server
Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 1; recommendation warn; host at 0.0.2.0:3)
1 connections have failed:
1 connections died in state handshaking (Tor, v3 handshake) with SSL state SSL negotiation finished successfully in OPEN
Closing no-longer-configured Socks listener on 127.0.0.1:9150

September 10, 2016

Hello torproject,

There are a lot of valid Guard nodes tor is choosing willingly with really old tor versions: 2.4.x or 2.5.x or 2.6.x.

Could using these old versions be a security problem?
Is 2.7.x better?