Tor 0.2.9.9 and 0.3.0.2 Alpha are now available to download

Jan 24, 2017 22:21 GMT

Two new Tor security updates have been published recently, stable version 0.2.9.9 and development release 0.3.0.2 Alpha, patching a few important, recently discovered vulnerabilities.

The most important bug fixed in the Tor 0.2.9.9 and Tor 0.3.0.2 Alpha versions is a denial-of-service (DoS) vulnerability that could allow an attacker to crash relays and clients, even if these weren't compiled with the "--enable-expensive-hardening" option. Tor 0.2.9.x and 0.3.0.1-alpha builds are affected by the issue.

It is recommended to update to Tor 0.2.9.9, which is the current stable release of the software for enabling anonymous communication, as soon as possible. Also, if you're using the development branch, make sure that you're running at least version 0.3.0.2-alpha, which is now available for download, for testing purposes only.

"Downgrade the '-ftrapv' option from 'always on' to 'only on when --enable-expensive-hardening is provided.' This hardening option, like others, can turn survivable bugs into crashes -- and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug," reads the release announcement.
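The trade-off the announcement describes, as an added example that is not Tor's code and does not reproduce the Tor bug itself: under '-ftrapv' a signed addition that overflows terminates the process, while an explicit range check lets the caller reject the input and keep running. The function name, status codes and sample lengths are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of adding up lengths taken from untrusted input (hypothetical). */
typedef enum { SUM_OK = 0, SUM_OVERFLOW = -1, SUM_NEGATIVE = -2 } sum_status;

/*
 * Sum n peer-supplied lengths into *out.
 * A bare `total += lens[i]` is undefined behaviour when it overflows; in a
 * build with -ftrapv the same statement terminates the process instead, so
 * any input that reaches it becomes a remote crash. Testing the range before
 * adding means the overflowing addition never executes, with or without
 * -ftrapv, and the caller gets an error it can handle.
 */
sum_status sum_lengths(const int *lens, size_t n, int *out)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] < 0)
            return SUM_NEGATIVE;          /* a length can never be negative */
        if (lens[i] > INT_MAX - total)    /* total >= 0, so this cannot overflow */
            return SUM_OVERFLOW;          /* reject the input, keep running */
        total += lens[i];
    }
    *out = total;                         /* written only on success */
    return SUM_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    int normal[] = { 100, 200, 300 };
    int hostile[] = { INT_MAX, 1 };
    int total = 0;

    if (sum_lengths(normal, 3, &total) == SUM_OK)
        printf("normal input: total=%d\n", total);
    if (sum_lengths(hostile, 2, &total) == SUM_OVERFLOW)
        printf("hostile input: rejected, process still running\n");
    return 0;
}
```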

Client-side onion service reachability bug resolved

Tor 0.2.9.9 also attempts to address a known client-side onion service reachability bug that could allow multiple SOCKS requests to force the Tor onion service to mark a few of the introduction points as failed. In addition, it addresses various portability issues and updates the GeoIP and GeoIP6 databases to the January 4, 2017 build of the MaxMind GeoLite2 Country database.

As development of the major Tor 0.3 stable series is ongoing, Tor 0.3.0.2 Alpha is here to improve the way exit clients and relays manage DNS time-to-live values, as well as to fix a bunch of small bugs that could have an impact on the user experience. Download Tor 0.2.9.9 and 0.3.0.2 Alpha tarballs right now from our website.