[tor-talk] ANN: Tor-0.2.5.9-rc is released; packages to follow
Nick Mathewson
nickm at torproject.org
Mon Oct 20 19:16:02 UTC 2014
Hi, all!
We've almost got the Tor 0.2.5 release series done. This morning I
released Tor 0.2.5.9-rc, which I hope will be the final release
candidate.
Packages are not built yet, but will follow soon.
You can download the source from the usual places, including
https://dist.torproject.org .
The changelog is as follows:
Changes in version 0.2.5.9-rc - 2014-10-20
Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x
series. It disables SSL3 in response to the recent "POODLE" attack
(even though POODLE does not affect Tor). It also works around a crash
bug caused by some operating systems' response to the "POODLE" attack
(which does affect Tor). It also contains a few miscellaneous fixes.
o Major security fixes:
- Disable support for SSLv3. All versions of OpenSSL in use with Tor
today support TLS 1.0 or later, so we can safely turn off support
for this old (and insecure) protocol. Fixes bug 13426.
o Major bugfixes (openssl bug workaround):
- Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
13471. This is a workaround for an OpenSSL bug.
o Minor bugfixes:
- Disable the sandbox name resolver cache when running tor-resolve:
tor-resolve doesn't use the sandbox code, and turning it on was
breaking attempts to do tor-resolve on a non-default server on
Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha.
o Compilation fixes:
- Build and run correctly on systems like OpenBSD-current that have
patched OpenSSL to remove get_cipher_by_char and/or its
implementations. Fixes issue 13325.
o Downgraded warnings:
- Downgrade the severity of the 'unexpected sendme cell from client'
from 'warn' to 'protocol warning'. Closes ticket 8093.
More information about the tor-talk
mailing list