Tor Update Fixes ReachableAddresses Problem

Tor updated its software to 0.2.8.7 and fixed a number of issues, including a bug in the ReachableAddresses option that possibly degrades anonymity.

The Tor Project on Wednesday updated its software package to version 0.2.8.7 and fixed a number of issues, including a bug it calls “important” in the ReachableAddresses option.

ReachableAddresses is a list of IP addresses and ports that are permitted by a firewall; admins can set IP ranges and reject addresses through this feature.

The fix is for a problem in earlier versions, and now allows the use of this option to restrict only the first hop in a path, Tor said in its release.

“In earlier versions of 0.2.8.x, it would apply to every hop in the path, with a possible degradation in anonymity for anyone using an uncommon ReachableAddress setting,” the advisory said. Tor officials urge anyone who sets this option to upgrade immediately.

Yesterday’s update also includes the retirement of a Tor node called the Tonga bridge authority, effective Aug. 31. Tonga has been replaced by a new authority called Bifroest, avoiding any potential disruptions, Tor said. This announcement follows the resignation of a longtime operator known as Lucky Green. Lucky did not provide specifics on his resignation.

Tor bridges are relays that are not listed in the Tor directory, which precludes ISPs from filtering connections to them.

“If you suspect your access to the Tor network is being blocked, you may want to use bridges,” reads an explainer on the Tor website. “The addition of bridges to Tor is a step forward in the blocking resistance race.”

The 0.2.8.7 update also includes minor bug fixes. From the advisory:

  • Minor features (geoip): Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 Country database.
  • Minor bugfixes (compilation): Remove an inappropriate “inline” in tortls.c that was causing warnings on older versions of GCC. Fixes bug 19903; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (fallback directories): Avoid logging a NULL string pointer when loading fallback directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha and 0.2.8.1-alpha. Report and patch by “rubiate”.

Tor, meanwhile, remains at the center of a court case in which the FBI continues to refuse to hand over an exploit that allowed the government to take control of a child pornography website running on Tor. The FBI used the attack against a still-unknown vulnerability to run the website in early 2015 and collect the IP addresses of users visiting the site.

Defense lawyers in the case on Monday filed a motion accusing the FBI of distributing child pornography for two weeks and that its exploit improved performance on the site. The defense alleges that the number of visitors to the site grew nearly five times and membership grew by 30 percent, Motherboard reported.

The defense argued that the FBI’s actions were “outrageous conduct” and should warrant that the case be dismissed.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.