[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
From: John Ricketts <john@xxxxxxxxxxx>
Date: Wed, 26 Oct 2016 07:18:46 +0000
Accept-language: en-US
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 26 Oct 2016 03:25:33 -0400
In-reply-to: <CALsPhAE4-SYC752Op+P0igrwEKc2d3yuZ9-VYOSr84NOU-onwg@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <f4620b8b-585b-20fa-8295-1a87751d7bad@openmailbox.org>, <CALsPhAE4-SYC752Op+P0igrwEKc2d3yuZ9-VYOSr84NOU-onwg@mail.gmail.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: AQHSLwmt0G/6glnTOUeKyWM2464DPqC6p4CA//+szro=
Thread-topic: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

I feel you Markus, I did 24.  I wrote a bash script to update/upgrade/reboot. 

> On Oct 26, 2016, at 02:17, Markus Koch <niftybunny@xxxxxxxxxxxxxx> wrote:
> 
> 32 relays updated (Debian + Tor compiled to latest version)
> 
> I am getting too old for this without a server management system ....
> 
> Markus
> 
> 
> 
> 
> 2016-10-25 23:48 GMT+02:00 nusenu <nusenu@xxxxxxxxxxxxxxx>:
>> just a reminder since most of the tor network (including some of the
>> biggest operators) still runs vulnerable relays
>> 
>> https://blog.torproject.org/blog/tor-0289-released-important-fixes
>> 
>> 
>> Since 2/3 directory authorities removed most vulnerable versions from
>> their 'recommended versions' you should see a log entry if you run
>> outdated versions (except if you run 0.2.5.12).
>> 
>> 
>> It is not possible to reliable determine the exact CW fraction
>> affected[1] due to the fact that patches were released that didn't
>> increase tor's version number.
>> Therefore it is also possible that you get log entries even if you run a
>> patched version (IMHO this hasn't been handled in the most professional
>> way).
>> 
>> 
>> Update instructions
>> 
>> Debian/Ubuntu
>> ==============
>> 
>> make sure you use the Torproject repository:
>> https://www.torproject.org/docs/debian.html.en
>> 
>> (you can also use the debian repository but the Torproject's repo will
>> provide you with the latest releases)
>> 
>> 
>> aptitude update && aptitude install tor
>> 
>> 
>> CentOS/RHEL/Fedora
>> ===================
>> 
>> yum install --enablerepo=epel-testing tor
>> 
>> 
>> FreeBSD
>> ============
>> 
>> pkg update
>> pkg upgrade
>> 
>> OpenBSD
>> ===========
>> 
>> pkg_add -u tor
>> 
>> 
>> Windows
>> ========
>> 
>> No updated binaries available for this platform yet.
>> 
>> 
>> 
>> 
>> [1] as of 2016-10-25 18:00 (onionoo data)
>> conservative estimate
>> ----------------------
>> (counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
>> 31% CW fraction patched
>> 
>> optimistic estimate
>> -------------------
>> (additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12,
>> 0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
>> 43% CW fraction patched
>> 
>> 
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
  - From: Markus Koch

References:
- [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
  - From: nusenu
- Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
  - From: Markus Koch

Prev by Author: Re: [tor-relays] Rampup speed of Exit relay
Next by Author: Re: [tor-relays] ExitPolicy reject 184.107.0.0/16* funio.com
Previous by thread: Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Next by thread: Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Index(es):
- Author
- Thread