On Sat, Sep 15, 2012 at 12:25:59PM +0200, tagnaq wrote:
It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.
There, I sent the mail. I'd been waiting a few days to make sure the new packages weren't broken. Thanks for the kick.
In the spectrum of critical, I wouldn't put this one towards the top. There's no code execution or privacy or anonymity issues. So yes, upgrading is definitely a fine idea, but it's not a "cancel your dinner plans to do it" sort of situation.
Are tor versions 0.2.3.x and 0.2.4.x affected too?
Yes. I haven't put an 0.2.4.3-alpha out yet (it's an alpha after all). I should probably do that soon.
--Roger