[tor-relays] Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9



Hi, awesome relay operators!

About two weeks ago, we put out 0.2.9.9, to fix a significant problem
in our build process that led to an easy remote crash attack:

  o Major bugfixes (security):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided." This hardening option,
      like others, can turn survivable bugs into crashes -- and having
      it on by default made a (relatively harmless) integer overflow bug
      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
      bugfix on 0.2.9.1-alpha.


If you are on some earlier version of 0.2.9.x, it would be really
great if you could update your relay some time soon: I want to put out
a fix for the underlying bug here, but I'm hesitant to do so while
there are still 700 crashable relays on the network.

Also if you are on 0.3.0.1-alpha, you should upgrade to 0.3.0.2-alpha
or later, but there are only around 53 relays still on that version,
so I'm freaking out less about that.

best wishes and many thanks,
-- 
Nick
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
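
An added example, not part of the message above or of Tor itself: a shell function that classifies a Tor version string against the versions this announcement names, so an operator can check a relay quickly. The function name `trove_2017_001_status`, its output labels and the sample inputs are assumptions made for illustration, and it assumes the first line of `tor --version` has the form `Tor version X.Y.Z.W (git-...).`

```shell
#!/bin/sh
# Added example; not part of Tor. The function name is hypothetical.
# Classifies a Tor version string using only the versions named in the
# announcement: "bugfix on 0.2.9.1-alpha" is read as the first affected
# release, 0.2.9.9 and 0.3.0.2-alpha as the first fixed ones.
# Prints: affected | fixed | not-listed | unknown
trove_2017_001_status() {
    tv=${1#Tor version }        # accept the first line of `tor --version`
    tv=${tv%% *}                # drop a trailing "(git-...)" part
    tv=${tv%.}                  # drop the sentence-ending period
    tv=${tv%%-*}                # drop "-alpha", "-rc", ... status tags
    case $tv in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $tv                  # split MAJOR.MINOR.MICRO.PATCH on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo unknown; return 0; }
    for field in "$@"; do
        [ -n "$field" ] || { echo unknown; return 0; }
    done
    case "$1.$2.$3" in
        0.2.9)
            if [ "$4" -ge 1 ] && [ "$4" -lt 9 ]; then echo affected
            elif [ "$4" -ge 9 ]; then echo fixed
            else echo not-listed; fi ;;
        0.3.0)
            if [ "$4" -eq 1 ]; then echo affected
            elif [ "$4" -ge 2 ]; then echo fixed
            else echo not-listed; fi ;;
        *)  echo not-listed ;;  # the announcement says nothing about these
    esac
}

# Constructed sample inputs (not real relay data).
for sample in "0.2.9.8" "0.2.9.9" "0.3.0.1-alpha" "0.3.0.2-alpha" \
              "Tor version 0.2.9.8 (git-constructed)."; do
    printf '%-45s %s\n' "$sample" "$(trove_2017_001_status "$sample")"
done
```

On a relay, `trove_2017_001_status "$(tor --version | head -n 1)"` gives the status of the installed binary.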