
[tor-relays] TROVE-2017-002: deb.torproject.org 0.3.0.x repos no longer updated?



Roger Dingledine:
> There's a new Tor release (0.3.0.7) available on the website.  It
> fixes a bug affecting relays running earlier versions of 0.3.0.x that
> could allow attackers to trigger an assertion failure on those relays.
> Clients are not affected; neither are relays running versions before
> 0.3.0.x.
> 
> If you're running a relay with one of the affected versions, you
> should upgrade.  

As of 2017-05-18 6:00 UTC, about ~14% of the tor network (cw fraction)
runs a vulnerable tor version [1].

~12.3% (cw fraction) of them run Linux (~5% likely use the outdated
repos from deb.torproject.org).
I guess the most efficient method to help tor relay operators (and the
tor network as a whole) is to update the packages in the affected
deb.torproject.org repositories [2].

Is there a particular reason why the tor 0.3.0.x packages at
deb.torproject.org [2] have not been updated since v0.3.0.5-rc?
(they used to get updates within days after a release)

I hope they are not forced to switch to tor-nightly-0.3.0.x-* repos [3]
if they want to get that security fix.
Or is it: "Don't use the experimental repos if you want security updates"?

> packages
> should be available over the next several days.

Is this actually the case or is this just the usual wording from the
default release email and not actually happening in this case? (due to
long term support release 0.2.9.x?)

To help the 1.3% cw-fraction / 87 FreeBSD relays I filed a ticket here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219364
(tickets filed at trac.tpo about deb.tpo get closed as invalid, so I
stopped doing that [4])

thanks,
nusenu

[1]
https://nusenu.github.io/OrNetStats/#tor-version-distribution-relays
https://nusenu.github.io/OrNetStats/torversions

[2]
https://deb.torproject.org/torproject.org/dists/
[DIR] tor-experimental-0.3.0.x-jessie/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-precise/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-sid/     2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-stretch/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-trusty/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-wheezy/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-xenial/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-yakkety/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-zesty/   2017-05-12 11:28    -

[3]
[DIR] tor-nightly-0.3.0.x-stretch/      2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-trusty/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-wheezy/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-xenial/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-yakkety/      2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-zesty/        2017-05-16 13:43    -

[4]
https://trac.torproject.org/projects/tor/ticket/22113

-- 
https://mastodon.social/@nusenu
https://twitter.com/nusenu_
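
Added example (not part of the original message, and not OrNetStats code): one way to measure the consensus-weight fraction of relays in the affected range given in the announcement, i.e. 0.3.0.x releases earlier than 0.3.0.7. The record fields "version", "os" and "cw" and the sample data are assumptions made up for illustration; version ranges not stated in the announcement are not covered.

```python
import re
from collections import defaultdict

SERIES = (0, 3, 0)     # per the announcement, only 0.3.0.x relays are affected
FIXED = (0, 3, 0, 7)   # release named in the announcement as carrying the fix

_VERSION_RE = re.compile(r"^(?:Tor\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the four numeric components, or None if the string is unparsable.
    Suffixes such as -rc, -alpha or -dev are ignored (assumption)."""
    m = _VERSION_RE.match((text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(text):
    """True/False for a parsable version, None when the version is unknown."""
    v = parse_version(text)
    if v is None:
        return None
    return v[:3] == SERIES and v < FIXED

def summarize(relays):
    """Consensus-weight fractions: affected overall, unknown, affected per OS."""
    total = sum(r["cw"] for r in relays)
    if total == 0:
        return {"affected": 0.0, "unknown": 0.0, "by_os": {}}
    affected = unknown = 0
    by_os = defaultdict(int)
    for r in relays:
        state = is_affected(r["version"])
        if state is None:
            unknown += r["cw"]      # keep unparsable versions visible, not hidden
        elif state:
            affected += r["cw"]
            by_os[r["os"]] += r["cw"]
    return {"affected": affected / total, "unknown": unknown / total,
            "by_os": {name: cw / total for name, cw in by_os.items()}}

# Constructed sample records, not real relay data.
SAMPLE = [
    {"version": "0.3.0.5-rc", "os": "Linux", "cw": 100},
    {"version": "0.3.0.6", "os": "FreeBSD", "cw": 50},
    {"version": "0.3.0.7", "os": "Linux", "cw": 200},
    {"version": "0.2.9.10", "os": "Linux", "cw": 600},
    {"version": "", "os": "Linux", "cw": 50},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Relays with an unparsable version are reported separately so they are not silently counted as safe.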

