Software Update: Tor 0.2.1.24

Tor is a network that can be used to surf the Internet anonymously. All users’ tcp traffic is routed through different Tor routers, after which it is no longer possible for the recipient to determine who the original sender was. This information is still present within the Tor network, so that answers – of course also via the system of routers – eventually arrive at the right place. The developers have released version 0.2.1.24 with the following announcement:

Tor 0.2.1.23 and 0.2.1.24 are released

Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.

Tor 0.2.1.24 makes Tor work again on the latest OS X — this time for sure!

The Windows and OS X bundles also come with a newer version of Polipo that fixes some stability and security problems.

Changes in version 0.2.1.23

Major bug fixes (performance):

• We were selecting our guards uniformly at random, and then weighting which of our guards we’d use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bug fix on 0.2.1.3-alpha. Found by Mike Perry.

Major bug fixes:

• Make Tor work again on the latest OS X: when deciding whether to use strange flags to turn TLS renegotiation on, detect the OpenSSL version at run-time, not compile time. We need to do this because Apple doesn’t update its dev-tools headers when it updates its libraries in a security patch.
• Fix a potential buffer overflow in lookup_last_hid_serv_request() that could happen on 32-bit platforms with 64-bit time_t. Also fix a memory leak when requesting a hidden service descriptor we’ve requested before. Fixes bug 1242, bug fix on 0.2.0.18-alpha. Found by aakova.

Minor bug fixes:

• Refactor resolve_my_address() to not use gethostbyname() anymore. Fixes bug 1244; bug fix on 0.0.2pre25. Reported by Mike Mestnik.

Minor features:

• Avoid a mad rush at the beginning of each month when each client rotates half of its guards. Instead we spread the rotation out throughout the month, but we still avoid leaving a precise timestamp in the state file about when we first picked the guard. Improves over the behavior introduced in 0.1.2.17.

Changes in version 0.2.1.24

Minor bug fixes:

• Work correctly out-of-the-box with even more vendor-patched versions of OpenSSL. In particular, make it so Debian and OS X don’t need customized patches to run/build.