Stable release 0.4.8.20

Where to Download

Changes

Below are the major changes of the released versions and links to more detailed release notes.

Stable

Yesterday, we quietly released version 0.4.8.20 to allow relay operators some time to upgrade and help mitigate medium-severity remote crash issues that were reported a few days ago through the HackerOne platform.

We have reserved two TROVE entries for these issues: TROVE-2025-014 and TROVE-2025-015.

Once a sufficient number of relays have upgraded, we will make the tickets associated with these TROVE entries public in the near future.

In the meantime, if any relay operators experience crashes or unusually high memory usage, please report it to us via the Tor relays mailing list: tor-relays@lists.torproject.org.

As of this announcement, our 0.4.8.20 Debian package on https://deb.torproject.org is now available. And so, as always, please upgrade as soon as possible.

Thank you!

Release Notes

uname -a

Linux pcname 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux

cat /etc/debian_version

11.11

apt-get update

Hit:1
Hit:2 %^(^&)(&^&%^#@*&%^ bullseye InRelease
Hit:3 (%^$(%^#(^%#(&%^# bullseye-security InRelease
Hit:4 (^&%(*^#@_)$(&^ bullseye-updates InRelease
Hit:5
Hit:6 $%&%$^%^$%^$%$ bullseye InRelease
Reading package lists… Done

# apt-get --only-upgrade install tor
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Suggested packages:
mixmaster torbrowser-launcher socat apparmor-utils nyx obfs4proxy
The following packages will be upgraded:
tor
1 upgraded, 0 newly installed, 0 to remove and 362 not upgraded.
Need to get 2,092 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Err:1 ^&%(^&%$&)^$%#&(^%$^@( bullseye/main amd64 tor amd64 0.4.8.18-1~d11.bullseye+1
404 Not Found [IP: 95.216.163.36 443]
E: Failed to fetch https: //deb . torproject . org/torproject.org/pool/main/t/tor/tor_0.4.8.18-1~d11.bullseye%2B1_amd64.deb 404 Not Found [IP: 95.216.163.36 443]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
——————————-
What am I doing wrong?

re. 41D4F82AB54AE5C5FB8D3CD24B4FC84350EFEF03

I can’t get this release. I have these repositories enabled:

Hit:1 Index of /debian bullseye InRelease
Hit:2 Index of /debian bullseye-updates InRelease
Hit:3 Index of /debian-security bullseye-security InRelease
Hit:4 Index of /torproject.org bullseye InRelease

I’m just trying to update like normal: sudo apt update, sudo apt upgrade.

Or with sudo apt install tor or dpkg -l tor I keep getting told I’m running the latest version - 0.4.8.18.

Most all the other relays I look at have the same “This relay is running a version of Tor that is too old and may be missing important security fixes. If this is your relay, you should update it as soon as possible.” not recommended warning.

Any advice? Thanks.

+1 to needing a bullseye package

root:~# apt update
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [27.2 kB]
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Hit:4 https://deb.torproject.org/torproject.org bullseye InRelease
Get:5 http://security.debian.org/debian-security bullseye-security/main Sources [272 kB]
Fetched 299 kB in 1s (410 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root:~# apt install tor
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
tor is already the newest version (0.4.8.18-1~d11.bullseye+1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
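
For operators checking hosts against the announcement, here is an added example (not part of any post in this thread, and not Tor Project code): a POSIX shell check that compares a Debian tor package version, such as the one apt reports above, with the fixed release 0.4.8.20. The function names are hypothetical, and it assumes release-style upstream versions made of dotted numbers.

```shell
#!/bin/sh
# Added example: does this host's tor package include the 0.4.8.20 fixes?
MIN_FIXED="0.4.8.20"   # fixed release named in the announcement

# "0.4.8.18-1~d11.bullseye+1" -> "0.4.8.18" (drop epoch and Debian revision).
# Assumes dotted-numeric upstream versions (hypothetical helper).
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Succeeds when dotted version $1 >= $2; missing fields count as 0.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Prints "patched" or "needs-upgrade" for a full Debian package version.
tor_fix_status() {
    if version_ge "$(upstream_version "$1")" "$MIN_FIXED"; then
        echo patched
    else
        echo needs-upgrade
    fi
}

# Pull the version out of apt's "already the newest version (...)" line.
version_from_apt_line() {
    printf '%s\n' "$1" |
        sed -n 's/^tor is already the newest version (\(.*\))\.$/\1/p'
}

# On a real host, ask dpkg directly; prints nothing when tor is not installed.
installed_tor_version() {
    dpkg-query -W -f='${Version}' tor 2>/dev/null
}

# Constructed sample: the apt line as it appears in the post above.
sample='tor is already the newest version (0.4.8.18-1~d11.bullseye+1).'
echo "sample: $(tor_fix_status "$(version_from_apt_line "$sample")")"
v=$(installed_tor_version) && [ -n "$v" ] && echo "this host: $v $(tor_fix_status "$v")" || true
```

A "needs-upgrade" result together with apt reporting "already the newest version" means the configured suite has no fixed package, which is the situation the bullseye posts describe.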

Bullseye End of Life (EOL) 2024-08-14, Current oldoldstable release, under LTS support

You heard about bookworm and trixie, right?

Debian bullseye is no longer supported now that trixie is out and bookworm has been made the oldstable. You must release upgrade at least to bookworm.

Will there be 0.4.8.20 packages in the official Debian-trixie-repo anytime soon? Debian -- Details of package tor in trixie

For Debian Trixie it is possible to upgrade your tor manually by installing a package from Debian sid: Debian -- Details of package tor in sid (choose your correct architecture)

For amd64:

wget https://ftp.debian.org/debian/pool/main/t/tor/tor_0.4.8.21-1_amd64.deb
sudo dpkg -i tor_0.4.8.21-1_amd64.deb

bullseye is the current LTS release for Debian through August 2026. Expecting Debian users to move away from the LTS release for one package does not seem like best practice. The more likely scenario is relay and bridge operators like myself will remain on 04.18 weakening the security and stability of the Tor network because we are unwilling to migrate our entire OS to a future and therefore less stable and secure OS version just for Tor.


To be blunt, you’re likely to be less stable or secure if you stay on Bullseye instead of migrating to Bookworm or Trixie (you should migrate to Trixie if possible, though). Bullseye being on LTS means its security support is not done by the Debian security team anymore, and there are some packages that have already EOLed and won’t receive updates from upstream, like the security-critical library OpenSSL (1.1.1w on bullseye reached EOL in 2023).
Even Debian themselves recommend users to migrate to the latest stable release “whenever possible”. You can see it mentioned in the LTS announcement of bullseye published in 2024:

Whenever possible, users are encouraged to upgrade their machines to Debian 12, alias “Bookworm”, the current Debian stable release.

This seems confusing given most corporations typically select the current LTS as the most stable version of the product. For at least the past five years I have always pushed for adoption of LTS for any software at my company in order to standardize on a stable solution. Is Debian an outlier in their approach to LTS? Or is this the continuing fallout from prioritizing “inclusivity” over coding in open source?

It is the first sentence on the Debian Wiki page you linked to…

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years

So no, this has nothing to do with “inclusivity” but your lack of understanding…

All Debian releases go through the lifecycle of testing → stable → oldstable → oldoldstable/LTS. There are no specific LTS versions like Ubuntu 24.04 (LTS) vs Ubuntu 25.10 or the different Firefox versions. So if you use an old Debian version without a specific need, you just use unnecessarily old and less supported software.

The polite part:

Unlike Ubuntu, which maintains LTS releases for 5 years and non-LTS releases for 9 months, Debian fully supports every release for 3 years, then hands it to the LTS team for another 2 years. There are no “LTS releases” and “non-LTS releases” in Debian; every Debian release becomes LTS 3 years after its first release.

The not-so-polite part:

I’m sorry, are you one of those [VULGAR REDACTED] that associates everything you don’t actually understand but disagree with anyway with “diversity”, “equity”, “inclusivity” or “woke”???


Solved. thanks.
