Roger Dingledine:
> There's a new Tor release (0.3.0.7) available on the website. It fixes a bug affecting relays running earlier versions of 0.3.0.x that could allow attackers to trigger an assertion failure on those relays. Clients are not affected; neither are relays running versions before 0.3.0.x.
> If you're running a relay with one of the affected versions, you should upgrade.
As of 2017-05-18 6:00 UTC, about ~14% of the tor network (cw fraction) runs a vulnerable tor version [1].
~12.3% (cw fraction) of them run Linux (~5% likely use the outdated repos from deb.torproject.org). I guess the most efficient method to help tor relay operators (and the tor network as a whole) is to update the packages in the affected deb.torproject.org repositories [2].
Is there a particular reason why the tor 0.3.0.x packages at deb.torproject.org [2] have not been updated since v0.3.0.5-rc? (they used to get updates within days after a release)
I hope they are not forced to switch to tor-nightly-0.3.0.x-* repos [3] if they want to get that security fix. Or is it: "Don't use the experimental repos if you want security updates"?
> packages should be available over the next several days.
Is this actually the case or is this just the usual wording from the default release email and not actually happening in this case? (due to long term support release 0.2.9.x?)
To help the 1.3% cw-fraction / 87 FreeBSD relays I filed a ticket here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219364 (tickets filed at trac.tpo about deb.tpo get closed as invalid, so I stopped doing that [4])
thanks, nusenu
[1] https://nusenu.github.io/OrNetStats/#tor-version-distribution-relays
    https://nusenu.github.io/OrNetStats/torversions
[2] https://deb.torproject.org/torproject.org/dists/
    [DIR] tor-experimental-0.3.0.x-jessie/   2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-precise/  2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-sid/      2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-stretch/  2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-trusty/   2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-wheezy/   2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-xenial/   2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-yakkety/  2017-05-12 11:28  -
    [DIR] tor-experimental-0.3.0.x-zesty/    2017-05-12 11:28  -
[3] [DIR] tor-nightly-0.3.0.x-stretch/  2017-05-16 13:43  -
    [DIR] tor-nightly-0.3.0.x-trusty/   2017-05-16 13:43  -
    [DIR] tor-nightly-0.3.0.x-wheezy/   2017-05-16 13:43  -
    [DIR] tor-nightly-0.3.0.x-xenial/   2017-05-16 13:43  -
    [DIR] tor-nightly-0.3.0.x-yakkety/  2017-05-16 13:43  -
    [DIR] tor-nightly-0.3.0.x-zesty/    2017-05-16 13:43  -
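
Added example, not part of the original message or of any Tor Project tooling: a sketch of how an operator could compute a "cw fraction" figure like the one above by classifying relay platform strings against the affected range the announcement gives (0.3.0.x below 0.3.0.7). The record fields (`nickname`, `platform`, `cw_fraction`) and the sample relays are constructed for illustration.

```python
import re
from collections import defaultdict

FIXED = (0, 3, 0, 7)         # release named in the announcement
AFFECTED_SERIES = (0, 3, 0)  # "earlier versions of 0.3.0.x"

# Descriptor-style platform string, e.g. "Tor 0.3.0.5-rc (git-abc123) on Linux"
_PLATFORM = re.compile(
    r"^Tor (\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[\w.-]+)?(?: \(git-[0-9a-f]+\))? on (.+)$"
)

def parse_platform(platform):
    """Return ((major, minor, micro, patch), os_name), or None if unparseable."""
    m = _PLATFORM.match(platform.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups()[:4]), m.group(5)

def is_affected(version):
    """True only for 0.3.0.x below 0.3.0.7; status tags such as -rc are ignored."""
    return version[:3] == AFFECTED_SERIES and version < FIXED

def vulnerable_fraction(relays):
    """Sum the consensus-weight fraction of affected relays, overall and per OS."""
    total, by_os, unparsed = 0.0, defaultdict(float), []
    for relay in relays:
        parsed = parse_platform(relay["platform"])
        if parsed is None:
            unparsed.append(relay["nickname"])  # report these, never guess
            continue
        version, os_name = parsed
        if is_affected(version):
            total += relay["cw_fraction"]
            by_os[os_name] += relay["cw_fraction"]
    return total, dict(by_os), unparsed

# Constructed sample data (hypothetical relays and weights).
SAMPLE = [
    {"nickname": "relayA", "platform": "Tor 0.3.0.5-rc on Linux", "cw_fraction": 0.04},
    {"nickname": "relayB", "platform": "Tor 0.3.0.6 on FreeBSD", "cw_fraction": 0.01},
    {"nickname": "relayC", "platform": "Tor 0.2.9.10 on Linux", "cw_fraction": 0.30},
    {"nickname": "relayD", "platform": "Tor 0.3.0.7 on Linux", "cw_fraction": 0.05},
    {"nickname": "relayE", "platform": "Tor 0.3.0.4-rc (git-0123abcd) on Linux",
     "cw_fraction": 0.02},
    {"nickname": "relayF", "platform": "unknown", "cw_fraction": 0.001},
]

if __name__ == "__main__":
    total, by_os, unparsed = vulnerable_fraction(SAMPLE)
    print(f"affected cw fraction: {total:.3f}  by OS: {by_os}  unparsed: {unparsed}")
```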