Stable release 0.4.8.14

Where to Download

Changes

Below are the major changes of the released versions and links to more detailed release notes.

Stable

Today, we release tor stable version 0.4.8.14 which fixes a major bug affecting onion service directory cache (HSDir).

Another reason for this release is that the fallback directory list had more than 25% of its relays unreachable or out of the consensus.

Please, upgrade as soon as possible! 🙂

Release Notes

6 Likes

What should users of 0.4.9.1-alpha do?

1 Like

Will there be an updated package in the Debian repo soon? Debian -- Details of package tor in bookworm-backports

1 Like

I’m glad to see that Tor has finally fixed the bug about the HSDir cache. Last year, a paper published at the WWW conference exploited this vulnerability to implement a denial-of-service attack on the Onion service. The attack can stealthily attack any onion service and requires very little spending.

Paper Link: HSDirSniper: A New Attack Exploiting Vulnerabilities in Tor’s Hidden Service Directories

3 Likes

I am happy to help Tor find and test vulnerabilities in the protocol. And I recommend that the Tor team pay attention to the teams working on Tor, such as the team working on this paper. Keeping up with the latest research is good for making Tor more secure.

1 Like

Hi @everydayisoks, we appreciate responsible disclosure and encourage researchers to contact security@torproject.org as far as possible in advance. This allows the Tor Project to collaborate on improving the quality and accuracy of their research, verify findings, and work on mitigating potential vulnerabilities before they become public.

We can offer assurances of confidentiality, and correct handling of pre-print papers that are either under submission or review. Many researchers follow this approach, leading to more productive and fruitful collaborations and stronger security for the Tor network.

If you know the authors, please share this comment with them. Thank you!

4 Likes

Any idea when Debian and FreeBSD packages will arrive?

Still no updated packages in Debian repos and FreeBSD ports after two weeks. Do we need to update manually or should we just wait?

2 Likes

I have not used Debian packages for a year. Instead, I build Tor from sources.

1 Like

Do you still build a Debian package or just plain tor without Debian scripts and diffs?

1 Like

I just build from source [1]

[1] tor-relays/playbooks/roles/setup_tor/tasks/tor-src.yaml at main · toralf/tor-relays · GitHub

2 Likes

Hi

There’s still no updated package for Debian stable in deb.tpo.org repos after 2 weeks? If there’s not going to be updates anymore at all, this could leave some public relays using outdated versions.

1 Like

Getting this error when trying to update tor in Ubuntu 22.04 LTS, similar error in 24.04 LTS using sudo apt update… Just started in the last day or so.

404 Not Found [IP: 204.8.99.144 443]

Reading package lists… Done

E: The repository ‘Index of /torproject.org jammy Release’ no longer has a Release file.

N: Updating from such a repository can’t be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

2 Likes

We have a ticket about this on the bug tracker, [URGENT] Deleted many important folders from the deb.tpo repository (jammy, noble, bullseye, etc) (#42052) · Issues · The Tor Project / TPA / TPA team · GitLab

2 Likes

I don’t have an account on Tor’s GitLab, so I am posting here.

@weasel wrote on the GitLab 1 hour ago:

The tor’s gitlab CI no longer has good support for anything that is not a current Debian amd64.

As such, I recommend you use the packages provided in Debian (in bookworm-backports if you are running stable).

This message conflicts with the statement on Tor’s deb repository support page:

Can I use tor from Ubuntu’s repository?

No. Do not use the packages in Ubuntu’s universe. In the past they have not been reliably updated. That means you could be missing stability and security fixes. Instead, please use Tor Debian repository.

I want to remind everyone that the issue is about the disappearance of Tor’s Ubuntu repositories, and the Tor website argues against using stock Ubuntu packages from universe.

1 Like

0.4.8.14 update for Debian bookworm seems to be working as of 24.2. Good job!

1 Like

Already on Tor status page as a well-known issue:

1 Like

I understand that the Ubuntu repository issue is being worked on, but can something be done in the interim to fix apt update besides expecting thousands of people to temporarily disable the repository and then re-enable it later?

Maybe put the previous version back where it was, or put a placeholder/empty Release file so apt update won’t get a 404 and bomb out?

1 Like

Resolved: Issues with Ubuntu packages on deb.torproject.org and its Onion Service | Tor Project status

2 Likes

Nice update, ty