New release: Tor 0.3.4.9

We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.3.4.9 from the download page on the website. Packages should be available within the next several weeks, with a new Tor Browser by mid-December.

Tor 0.3.4.9 is the second stable release in its series; it backports numerous fixes, including a fix for a bandwidth management bug that was causing memory exhaustion on relays. Anyone running an earlier version of Tor 0.3.4.9 should upgrade.

Changes In Version 0.3.4.9 – 2018-11-02

  • Major bugfixes (compilation, backport from 0.3.5.3-alpha):
    • Fix compilation on ARM (and other less-used CPUs) when compiling with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
    • Make sure Tor bootstraps and works properly if only the ControlPort is set. Prior to this fix, Tor would only bootstrap when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (relay, backport from 0.3.5.3-alpha):
    • When our write bandwidth limit is exhausted, stop writing on the connection. Previously, we had a typo in the code that would make us stop reading instead, leading to relay connections being stuck indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix on 0.3.4.1-alpha.
  • Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
    • Fix a use-after-free error that could be caused by passing Tor an impossible set of options that would fail during options_act(). Fixes bug 27708; bugfix on 0.3.3.1-alpha.
  • Minor features (continuous integration, backport from 0.3.5.1-alpha):
    • Don’t do a distcheck with –disable-module-dirauth in Travis. Implements ticket 27252.
    • Only run one online rust build in Travis, to reduce network errors. Skip offline rust builds on Travis for Linux gcc, because they’re redundant. Implements ticket 27252.
    • Skip gcc on OSX in Travis CI, because it’s rarely used. Skip a duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on Linux with default settings, because all the non-default builds use gcc on Linux. Implements ticket 27252.
  • Minor features (continuous integration, backport from 0.3.5.3-alpha):
    • Use the Travis Homebrew addon to install packages on macOS during Travis CI. The package list is the same, but the Homebrew addon does not do a `brew update` by default. Implements ticket 27738.
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 Country database. Closes ticket 27991.
  • Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
    • Fix an integer overflow bug in our optimized 32-bit millisecond- difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
    • Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
    • Avoid undefined behavior in an end-of-string check when parsing the BEGIN line in a directory object. Fixes bug 28202; bugfix on 0.2.0.3-alpha.
  • Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
    • Only install the necessary mingw packages during our appveyor builds. This change makes the build a little faster, and prevents a conflict with a preinstalled mingw openssl that appveyor now ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
  • Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
    • Rewrite our assertion macros so that they no longer suppress the compiler’s -Wparentheses warnings. Fixes bug 27709; bugfix
  • Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
    • Stop reinstalling identical packages in our Windows CI. Fixes bug 27464; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
    • Log additional info when we get a relay that shares an ed25519 ID with a different relay, instead making a BUG() warning. Fixes bug 27800; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
    • Avoid a double-close when shutting down a stalled directory connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
  • Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
    • Fix a bug warning when closing an HTTP tunnel connection due to an HTTP request we couldn’t handle. Fixes bug 26470; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
    • Ensure circuitmux queues are empty before scheduling or sending padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
    • When the onion service directory can’t be created or has the wrong permissions, do not log a stack trace. Fixes bug 27335; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
    • Close all SOCKS request (for the same .onion) if the newly fetched descriptor is unusable. Before that, we would close only the first one leaving the other hanging and let to time out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    • When selecting a v3 rendezvous point, don’t only look at the protover, but also check whether the curve25519 onion key is present. This way we avoid picking a relay that supports the v3 rendezvous but for which we don’t have the microdescriptor. Fixes bug 27797; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (protover, backport from 0.3.5.3-alpha):
    • Reject protocol names containing bytes other than alphanumeric characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.
  • Minor bugfixes (rust, backport from 0.3.5.1-alpha):
    • Compute protover votes correctly in the rust version of the protover code. Previously, the protover rewrite in 24031 allowed repeated votes from the same voter for the same protocol version to be counted multiple times in protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc.
    • Reject protover names that contain invalid characters. Fixes bug 27687; bugfix on 0.3.3.1-alpha.
  • Minor bugfixes (rust, backport from 0.3.5.2-alpha):
    • protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc.
  • Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
    • Fix an API mismatch in the rust implementation of protover_compute_vote(). This bug could have caused crashes on any directory authorities running Tor with Rust (which we do not yet recommend). Fixes bug 27741; bugfix on 0.3.3.6.
  • Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
    • Fix a potential null dereference in protover_all_supported(). Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    • Return a string that can be safely freed by C code, not one created by the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix on 0.3.3.1-alpha.
  • Minor bugfixes (testing, backport from 0.3.5.1-alpha):
    • If a unit test running in a subprocess exits abnormally or with a nonzero status code, treat the test as having failed, even if the test reported success. Without this fix, memory leaks don’t cause the tests to fail, even with LeakSanitizer. Fixes bug 27658; bugfix on 0.2.2.4-alpha.
  • Minor bugfixes (testing, backport from 0.3.5.3-alpha):
    • Make the hs_service tests use the same time source when creating the introduction point and when testing it. Now tests work better on very slow systems like ARM or Travis. Fixes bug 27810; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
    • Treat backtrace test failures as expected on BSD-derived systems (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. (FreeBSD failures have been treated as expected since 18204 in 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

原文:https://blog.torproject.org/new-release-tor-0349

Advertisements

New Release: Tor Browser for Android 1.0a3

Tor Browser for Android 1.0a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers.

Unfortunately, in this release we are temporarily introducing a regression due to a potential proxy-bypass bug within some versions of Android. Tor Browser for Android will not download a website’s “favicon” in this release (the small image shown beside the title of the webpage in the list of tabs). From our investigation into this bug, we found Android versions before Android Oreo (Android version 7 and earlier, API level 25 and earlier) leak some information about which webpage the browser is loading. This was corrected in newer versions of Android, however this temporary regression is necessary because it is likely most users have an older version of Android, and there may be other bugs we haven’t discovered yet. One bug in the Android networking code is one bug too many. We are working on a new way of downloading these icons.

The full changelog since Tor Browser for Android 1.0a2 is:

  • Update Firefox to 60.3.0esr
  • Update Torbutton to 2.1.1
  • Update HTTPS Everywhere to 2018.9.19
  • Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
  • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
  • Bug 28125: Prevent proxy-bypass bug by Android networking library

原文:https://blog.torproject.org/new-release-tor-browser-android-10a3

New Release: Tor Browser 8.5a4

Tor Browser 8.5a4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Highlights in Tor Browser 8.5a4 are a new Tor alpha version, 0.3.5.3-alpha, a fixed layout of our macOS installer window and Stylo (Mozilla’s new CSS engine) being enabled on macOS after fixing a reproducibility issues. Please report any problems you find with those macOS related changes as we think about backporting them for the stable series.

Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers and provide Tor Browser on all supported platforms in four additional locales: cs, el, hu, and ka.

Note: It turned out it was a bit premature to ship the new locales as we did not catch bugs in them last minute, so we don’t make them available on our download page. Sorry for the inconvenience.

The full changelog since Tor Browser 8.5a3 is:

  • All Platforms
    • Update Firefox to 60.3.0esr
    • Update Tor to 0.3.5.3-alpha
    • Update Torbutton to 2.1.1
    • Update Tor Launcher to 0.2.17
    • Update HTTPS Everywhere to 2018.9.19
    • Update NoScript to 10.1.9.9
    • Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
    • Bug 27905: Fix many occurrences of “Firefox” in about:preferences
    • Bug 28082: Add locales cs, el, hu, ka
  • Windows
    • Bug 21704: Abort install if CPU is missing SSE2 support
    • Bug 28002: Fix the precomplete file in the en-US installer
  • OS X
    • Bug 26263: App icon positioned incorrectly in macOS DMG installer window
    • Bug 26475: Fix Stylo related reproducibilitiy issue
  • Linux
    • Bug 26475: Fix Stylo related reproducibilitiy issue
    • Bug 28022: Use `/usr/bin/env bash` for bash invocation
  • Android
    • Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
  • Build System
    • All Platforms
      • Bug 27218: Generate multiple Tor Browser bundles in parallel
    • Windows
    • OS X

原文:https://blog.torproject.org/new-release-tor-browser-85a4

无界浏览18.05正式版 (2018年11月5日)

谢谢大家都测试反馈,请升级到18.05,旧版有时会连接不上或速度慢。

执行版:
http://wujieliulan.com/download/u1805.exe
SHA256:40b1b85a494c25c22a7fe7b7985dfe7a5ecac725f5c06485137cb47e0920ccd7
SHA512:3a172fd962d90c2ac934fba0edc82467d75d64935e78a8a8e1c509c37931ade0dd293349084cd30ac7739db90b028045547ac8c62adf4b4d9679941b5dc7843c
压缩版:
http://wujieliulan.com/download/u1805.zip
SHA256:85d6c3b90a16e85aedfd0aaf3578270bbc5e38358b7c7a26c2da78195d0886e5
SHA512:4d8111d9d8983936405462aeda8b2453f688915238bf34aac8b30dcf652e663ecb95a6cf5216c9fac15eb67cd87a6216e91108832f5bd3c72099ebfa82841c81

原文:http://forums.internetfreedom.org/index.php?topic=23243.0

Best VPNs for China in 2018 (that still work despite the ban)

Update October 2018: As
many of you know, China has already cracked down on VPNs throughout the first
half of 2018 after doing so multiple times over the past couple years. Not only
that, but the Chinese government threatened to ban
all non-state sanctioned VPNs
. Obviously, that hasn’t happened (I’m
using a VPN to write this). So what’s the deal? Do the best
VPNs for China
 still work? As an expat who has spent
over a decade in China, I’d like to offer my thoughts and
recommendations.

What is the best VPN for China?

Sadly, FarWestChina has been unreliably accessible here
in China since 2009, blocked by the “Great Firewall” (i.e. China’s censorship).
I have no idea why it was blocked – other than the fact that I’m talking about
Xinjiang, one of the most sensitive regions in China – and there’s nothing I can
do to unblock the site. Trust me, I’ve tried everything short
of knocking on a government official’s door.

The only way I’ve been able to work on this site from
my home here in China is through what is known as a VPN,
or a Virtual Private Network
.

Because I have over 8 years of first-hand
experience with over 20 different VPN services, I get more than a few
emails every month from people asking me what I recommend as
the best
VPN for China in 2018
. It’s an obvious need for anybody living in
China but more and more people are realizing that online security is something
netizens in every country should consider.

I’m not trying to hard-sell anybody here…more than
anything I just want to provide some helpful information for those people
who need to get a new VPN. A few of the links here and in the video are
affiliate links which means that at
no additional cost to you I will be compensated if you purchase the
service
. I have continually used each of these services from my home here
in China over the past year, so I’m confident about my
recommendations.

When it comes to the best
VPNs for China
, I’ve given you three ways to hear my thoughts: watch
the video, check out the comparison chart or read my person reviews for each VPN
below.

Best VPNs for China | Video Review

Click below to hear my thoughts and see each of these
best VPNs for China in action.

*Click to watch the video and then subscribe to the
FarWestChina Youtube channel
!

Best VPNs for China | Comparison
Chart

*Recommended VPN* Other Excellent Virtual Private
Networks
ExpressVPN NordVPN VyprVPN PureVPN
ExpressVPN, a recommended VPN for China
NordVPN a recommended VPN for China
VyprVPN Logo
UK Post Box virtual mailbox service
Rating
Rating: 5 stars for ExpressVPN 5 stars for NordVPN 4 stars for VyprVPN 4 stars for PureVPN
Established:
Established: 2009 2012 2009 2007
Torrent?
Torrent? ✔ ✔ ✔ ✔
Phone App?
Phone App? ✔ ✔ ✔ ✔
Simultaneous
Connections?
Simultaneous: 3 6 5 5
Servers
Servers 1500+ 4000+ 700+ 750+
Money Back
Guarantee?
Guarantee ✔* ✔* ✔** ✔**
Learn More
ExpressVPN
Learn More
*Recommended*

*Both ExpressVPN and NordVPN offer generous 30-day
money back guarantees.

**VyprVPN and PureVPN offer 7-day and 14-day money back
guarantees respectively.

As I mentioned in the video above, there are
literally hundreds of
VPNs to choose from on the market and there are quite a few good ones that
didn’t make this list.

These, however, have stood the test of time (they are
all at least 5 years old), have made a specific effort to reach the China
market, all offer hundreds of servers across the globe and they all have
unlimited bandwidth.


ExpressVPN in China (Editor’s Choice + 3 Free
months)

Try ExpressVPN, editor's choice for best VPN in ChinaExpressVPN is
my go-to VPN for China 2018. I’m a huge fan of their overall design – the
website, desktop app and mobile app are all beautiful, quick to install and easy
to use.

I always recommend ExpressVPN to
anybody I know who doesn’t consider themselves tech-savvy for a couple of
reasons.

  1. It’s super
    easy
     to set up!
  2. Their software is some of the best in the
    industry.
  3. They offer a no-hassle, 30-day money back
    guarantee.

For those who desire simplicity and ease, ExpressVPN
has been a solid option here in China for the past few years. You
can check out their pricing here and
if you use this link (which is an affiliate link), they’ll give
you 3
months free on any annual plan
!

Click for 3 months
FREE on ExpressVPN


NordVPN in China (66% off Discount Code!)

Click to get 66% off of NordVPN, a best VPN for ChinaNordVPN has
been a surprise addition to my VPN arsenal over past year. They’ve purposefully
entered the China market and are aggressively tackling the blocking issues that
plague all the best VPNs in China.

There are a number of reasons I’ve come to like the
NordVPN software and service.

  1. The software is well-designed, both on computers &
    mobile devices.
  2. They allow 6 simultaneous connections (most VPNs give
    3-5)
  3. They also offer a no-nonsense, 30-day money back
    guarantee.

In many cases, I often tell people to purchase both
ExpressVPN and NordVPN (I have both) to figure out which one works best in your
China location. Best of all, right now they’re running a special where you can
get 66% off a 2-year plan with NordVPN.

Get up to 66% off
NordVPN!


Using VyprVPN in China (68%
Discount)

VyprVPN special pricingI was turned on
to VyprVPN a
couple years ago and have been incredibly impressed with the transparency of the
company (just compare their about page with any other VPN).

Here’s what I love about VyprVPN:

  • Proprietary “Chameleon” protocol for added
    security
  • Simple-to-use software
  • A 3-day FREE trial (but no 30-day money back
    guarantee)

VyprVPN has been around since 2009 but their parent
company, GoldenFrog, has been around for more than a decade providing online
services. I’ve spoken at length with some of their representatives and really
like their focus on the China market, which is comforting considering how much
the Chinese internet landscape changes.

If all of this sound good to you, they have given me a
special link that will allow you to give them a try for free for 3
days
and then get 68% off their 2-year plan.

Click for 68% off
VyprVPN


Using PureVPN in China

*Note: PureVPN
consistently offers some of the lowest prices. Currently you can
get two years of VPN for the price of one with
PureVPN
, which includes up to 5 devices connected!

PureVPN is another popular option here in
China. They boast over 1 million users world-wide and their market share in
China seems to be growing at a rapid pace.

While I wasn’t a big fan of their software at first,
thankfully they have since updated the design and it functions much better.
Their speeds are excellent and I found them to be the best in terms of streaming
– at least for me out here in western China.

What you might find useful is their “Server Selection
Tool” where you tell the software what you want to do (download, stream US
content, stream UK content, etc) and it will tell you which servers best suit
you needs.

Considering the price – which is often one of the
lowest around – PureVPN is an excellent VPN
option
 for the price conscious buyer.

Click for 73% off
PureVPN


 

A Look at 12VPN in China (10% Discount
Code)

Get 12VPNI’ve been
a 12VPN customer
since 2013 and in many ways it’s been my go-to VPN on my phone.
Why? It’s
simple and it just works…every time
.

The software isn’t flashy and they don’t have a
dedicated iPhone or Android app but setup for both was an easy download of
one file that took me all of 5 minutes.

One of the things I’ve truly appreciated about 12VPN is
their commitment to communication. I get periodic emails informing me of changes
in the VPN and changes in the Great Firewall. For example, last year one of
the submarine cables that connects Asia with North America was severed. Out of
the 10 VPNs I had running at the time, 12VPN was the only one that let me know
what was happening and why I should expect slower speeds on the Los Angeles
servers.

In addition to VPN services, 12VPN is also one of the
few companies that offers SmartDNS as part of their package. I won’t go into
details about what SmartDNS is, but suffice to say I use it
to watch Netflix on my Apple TV in
China
 and it is so
much faster
than connecting on a VPN.

Best of all, I have a 12VPN
Discount Code
 that you can use! Just enter FWC10 to
get 10% off your order.

Click for 10% off
12VPN


 

VPNs to Avoid in China

Here’s the thing about the relationship between China
and VPNs – China is always making changes that affect the landscape of VPN use
within the country. If the VPN you choose doesn’t devote resources to adapt
to these changes, that spells trouble for you.

This rules out most small VPN services such
as Buffered or
all the free services such as Hotspot
Shield
. Neither seem to have the manpower or resources to play the
constant game of cat and mouse with China’s internet censors. I’ve had a
difficult time connecting to their servers from within China.

Finally, despite its popularity in China, I
personally don’t recommend Astrill
VPN
. My biggest problem was their customer support but the deal breaker
was that they require users to provide their phone number for authentication. In
China, that kind of connection between my VPN and my phone number is a big
no-no.

Conclusion | Best VPN for China 2018

So that about covers it! Obviously there are plenty of
VPN services which have been left out of this list, but I stand by the fact that
if you’re coming to Asia, these are the best
VPNs for China in 2018
.

If you’re here in China and using a VPN, leave a
comment below to let me know what you use.

原文:https://www.farwestchina.com/tips/top-5-vpns-for-china/

Shadowsocks视窗版客户端(v4.1.2)

@celeron533 celeron533 released this on 13 Sep · 6 commits to master since this release

Assets3

  • Fix plugin CLI argument environment variable issue (#1969 #1818)
  • Other minor bug fixes and improvements (#1978 #1968 #1993)

If you encounter any issue, please refer to https://github.com/shadowsocks/shadowsocks-windows/wiki/Troubleshooting.

如果遇到任何问题,请首先参考 https://github.com/shadowsocks/shadowsocks-windows/wiki/Troubleshooting


Info of Shadowsocks.exe

  • MD5: 7843794F488621D180495F3D480BCF02
  • SHA1: A322A9177F724C80EB930F44FEBDC37A43A4A556
  • SHA256: 69ECB7486AB01CB996E8C43D3432DA010E17C3C4B002BB1E64E580BBA15CFA96
  • SHA512: 2DB4EC5DD2D9DC9FAB08D35FBE3704B476DF63AEF34557389B4A8BB55E8E5CBE7E2AD763C27724DB15DA6146FD0A53454842193C6820CF3AFFAE67F876792FA5

英文:https://github.com/shadowsocks/shadowsocks-windows/releases/tag/4.1.2https://github.com/shadowsocks/shadowsocks-windows/releases/tag/4.1.2

Shadowsocks视窗版客户端(v4.1.1)

@celeron533 celeron533 released this 4 days ago · 5 commits to master since this release

Assets3

  • Fix auto hotkey reg issue when OS wakeup
  • Other minor bug fixes and improvements

If you encounter any issue, please refer to https://github.com/shadowsocks/shadowsocks-windows/wiki/Troubleshooting.

如果遇到任何问题,请首先参考 https://github.com/shadowsocks/shadowsocks-windows/wiki/Troubleshooting


Info of Shadowsocks.exe

  • MD5: 5EBF675DE32F720DDDDAB1911523E5B4
  • SHA1: FEF836207D48120D854D693490359C6A6AACA7A3
  • SHA256: 602EBD1B423EAB06E0698351A1003AFF16A1363476530F4A9040658DCB2A7BCF
  • SHA512: 9077436CE481720E8CA54479BDD6C87E2ADD5C686B8077B83E6FE64A030539620102777BC1FD47D12F79600F520033B3B565B4B000167CF3ACBF35686D17FB44

原文:https://github.com/shadowsocks/shadowsocks-windows/releases/tag/4.1.1