Today, we made several new stable Tor releases. Together, they fix an issue in directory authorities, and backport a feature to improve relays' resistance to denial-of-service attacks. In addition, the 0.3.2.10 release fixes a security bug affecting relays running earlier 0.3.2.x versions.

To summarize:

Relays (and bridges) running 0.3.2.1-alpha through 0.3.2.9 should upgrade.

Directory authorities should upgrade.

Relays (and bridges) running 0.3.3.1-alpha should upgrade.

All other relays (and bridges) may wish to upgrade in order to improve their resistance to denial-of-service attacks.

If you build Tor from source, you can fetch the latest source code from https://dist.torproject.org/. New packages for relays should be available in the coming days.

The 0.3.2.10 changelog is below. For the changes in 0.2.9.15 and 0.3.1.10, please see the ChangeLog file distributed along with the source code. The changes in 0.3.3.3-alpha will be listed in my next blog post.

Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It backports a number of bugfixes, including important fixes for security issues.

It includes an important security fix for a remote crash attack against directory authorities, tracked as TROVE-2018-001.

Additionally, it backports a fix for a bug whose severity we have upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely triggered in order to crash relays with a use-after-free pattern. As such, we are now tracking that bug as TROVE-2018-002 and CVE-2018-0491, and backporting it to earlier releases. This bug affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version 0.3.3.1-alpha.

This release also backports our new system for improved resistance to denial-of-service attacks against relays.

This release also fixes several minor bugs and annoyances from earlier releases.

Relays running 0.3.2.x SHOULD upgrade to one of the versions released today, for the fix to TROVE-2018-002. Directory authorities should also upgrade. (Relays on earlier versions might want to update too for the DoS mitigations.)

Changes in version 0.3.2.10 - 2018-03-03

Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha): Fix a protocol-list handling bug that could be used to remotely crash directory authorities with a null-pointer exception. Fixes bug 25074; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and CVE-2018-0490.

Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha): Avoid adding the same channel twice in the KIST scheduler pending list, which could lead to remote denial-of-service use-after-free attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
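The KIST entry above describes a bug class worth seeing concretely: a scheduler that lets the same channel be queued on its pending list twice can end up holding a second, stale pointer after the channel is dequeued once and freed. The following C program is a constructed illustration added to this post; it is not Tor's scheduler code, and the types, list layout and function names (`chan_t`, `pending_list_t`, `pending_add`, `dangling_after_release`) are all hypothetical. It places an unguarded add beside an idempotent add that checks a per-channel "already pending" flag, and counts how many references to a channel survive a single removal in each case.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed type, not Tor's channel_t: a channel that may be waiting
 * on the scheduler's pending list. */
typedef struct chan_t {
  int id;
  bool in_pending; /* guard flag: true while this channel is on the pending list */
} chan_t;

#define PENDING_MAX 8

typedef struct pending_list_t {
  chan_t *items[PENDING_MAX];
  size_t n;
} pending_list_t;

/* Unguarded add: the bug class. Nothing stops a second insertion of the
 * same channel, so one remove + free leaves a dangling pointer behind. */
static int pending_add_unguarded(pending_list_t *pl, chan_t *ch) {
  if (pl->n >= PENDING_MAX) return -1;
  pl->items[pl->n++] = ch;
  return 1;
}

/* Guarded add: idempotent. Returns 1 if inserted, 0 if already pending,
 * -1 if the list is full. */
static int pending_add(pending_list_t *pl, chan_t *ch) {
  if (ch->in_pending) return 0;
  if (pl->n >= PENDING_MAX) return -1;
  ch->in_pending = true;
  pl->items[pl->n++] = ch;
  return 1;
}

/* Remove the first occurrence of ch (swap-with-last) and clear its flag. */
static bool pending_remove(pending_list_t *pl, chan_t *ch) {
  for (size_t i = 0; i < pl->n; i++) {
    if (pl->items[i] == ch) {
      pl->items[i] = pl->items[--pl->n];
      ch->in_pending = false;
      return true;
    }
  }
  return false;
}

/* Count slots still holding the address ch. Compares pointers only; it
 * never dereferences them. */
static size_t pending_count(const pending_list_t *pl, const chan_t *ch) {
  size_t c = 0;
  for (size_t i = 0; i < pl->n; i++)
    if (pl->items[i] == ch) c++;
  return c;
}

/* Drive one scenario: two add requests for the same channel, one remove,
 * then release the channel. Returns how many references survived the
 * removal; each one would become a use-after-free the next time the
 * scheduler walked the list. The count is taken before free() so this
 * program itself never touches freed memory. */
static size_t dangling_after_release(bool guarded) {
  pending_list_t pl = { {0}, 0 };
  chan_t *ch = calloc(1, sizeof(*ch));
  if (!ch) return (size_t)-1;
  ch->id = 42;
  if (guarded) {
    pending_add(&pl, ch);
    pending_add(&pl, ch);            /* second call is a no-op */
  } else {
    pending_add_unguarded(&pl, ch);
    pending_add_unguarded(&pl, ch);  /* duplicate entry */
  }
  pending_remove(&pl, ch);
  size_t left = pending_count(&pl, ch);
  free(ch);
  return left;
}

int main(void) {
  printf("unguarded add: %zu stale reference(s) after release\n",
         dangling_after_release(false));
  printf("guarded add:   %zu stale reference(s) after release\n",
         dangling_after_release(true));
  return 0;
}
```

The point of the guard is that membership becomes a property of the channel rather than something callers must remember; any code path that wants the channel scheduled can call `pending_add` freely, and a single remove always leaves the list free of references to it.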

