Keep your Tor relays updated!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway) This might be an obvious recommendation but there are a lot outdated relays (~15%). What are currently recommended Tor versions? You can find out by going to: https://metrics.torproject.org/consensus-health.html (go to "Recommended versions") 0.2.3.1 is also fine (atm). If you don't know what version you are using, run: tor --version If you are running an old version for a specific reason I'd like to hear about it (off-list if you wish). make the Tor network safer - update your relays. tagnaq PS: Next week I'll try to contact relay operators still running <0.2.1.29 <0.2.2.21 update if you want to help reduce the effort. -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAk3NhE0ACgkQyM26BSNOM7Z7qwEAtao1Z2CPl+GV8lhwG18sSA1N pFLqVQ4h/EmbzicMuAMA/1U59gNti+hs8wYUh8THXky+aKb7YIR7D0hokdpNcWBY =YTaA -----END PGP SIGNATURE-----
On May 13, 2011, at 9:19 PM, tagnaq wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway)
They do. They don't run versions that are too old, see below.
This might be an obvious recommendation but there are a lot outdated relays (~15%).
What are currently recommended Tor versions? You can find out by going to: https://metrics.torproject.org/consensus-health.html (go to "Recommended versions") 0.2.3.1 is also fine (atm).
If you don't know what version you are using, run: tor --version
If you are running an old version for a specific reason I'd like to hear about it (off-list if you wish).
make the Tor network safer - update your relays. tagnaq PS: Next week I'll try to contact relay operators still running <0.2.1.29 <0.2.2.21 update if you want to help reduce the effort.
Before you contact anyone appearing to run 0.2.2.19-alpha, check their descriptor and the git part of the version string therein. Many of those people might run self-compiled versions of Tor that are more up to date than they seem from the version string. Alternatively, some of those relay operators (independent of the version that is shown in the descriptor) might run a version provided by their packaging system that backports security-relevant issues but leaves the rest of the updates alone, and thus doesn't increase the version. Sebastian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Thanks for your input. As I don't see a reliable way to determine if someone runs a vulnerable version (in a passive way) and I don't want to spam anyone I drop my original intention of trying to contact operators of vulnerable Tor relays. -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAk3QLoAACgkQyM26BSNOM7ad2QEAiTkGrpZYeROb+VUTgdvRKJiz i6ONXv6i5POQZwpUZD0BAKCnq1n5jlYlRRjAZzlPkZlDWnNz/OQhsrVj/ibQMuMa =Sr5I -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
those people might run self-compiled versions of Tor that are more up to date than they seem from the version string.
Alternatively, some of those relay operators (independent of the version that is shown in the descriptor) might run a version provided by their packaging system that backports security-relevant issues but leaves the rest of the updates alone, and thus doesn't increase the version.
This is also interesting in the context of #2980, #2988 (Not reporting version is actively harmful). -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAk3QNFwACgkQyM26BSNOM7YLWAEAlHF7fLBC5IPvqEHUZzKr3LaF e4EV0VxaD3lZcviOgT0BAJqGt+FCPjETh+6FwZ9L7WOvwvAGuY8uJg7KHuTK5Gj4 =qr4g -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/15/2011 09:19 PM, Sebastian Hahn wrote:
Before you contact anyone appearing to run 0.2.2.19-alpha, check their descriptor and the git part of the version string therein
vulnerable (CVE-2011-0427): Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686 (laurel, hardy) safe (CVE-2011-0427): Tor 0.2.2.19-alpha (git-35fcec38809f9805) on Linux i686 (ides) Tor 0.2.2.19-alpha (git-e0d5a6e184967358) on Linux x86_64 (wii) Tor 0.2.2.19-alpha (git-aba7bb705a69697a) on Linux x86_64 (Amunet) Regarding contacting operators: I'll try to reach a few high bandwidth vuln. relay operators to reduce "vulnerable bandwidth" without sending many emails. -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAk3RhwsACgkQyM26BSNOM7aESwD+Is/m0TytdV5jGdNF9A3nxJ30 EMvNTnqO48Dww9fUJtUA/2/47nynqqLT9AwzR1jod2VQ/s5VnEhHbk/46wGXqyCw =aHHB -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
I'll try to reach a few high bandwidth vuln. relay operators to reduce "vulnerable bandwidth" without sending many emails.
contacted operators: Router Name,Bandwidth (KB/s),Platform OldPlanetExpress,6299,Tor 0.2.1.26 on Linux x86_64 pansenserver,4318,Tor 0.2.1.26 on Linux x86_64 torexp2,3609,Tor 0.2.1.28 (r62) on Linux x86_64 jalopy,3509,Tor 0.2.2.20-alpha on Linux x86_64 torexp1,3126,Tor 0.2.1.28 (r211) on Linux x86_64 MopperSmurf,2918,Tor 0.2.2.13-alpha (git-feb8c1b5f67f2c6f) on FreeBSD i386 laurel,2822,Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686 williamhaines,2777,Tor 0.2.2.17-alpha (git-dadd9608d2720368) on Linux x86_64 normatalmadge,2443,Tor 0.2.2.17-alpha (git-dadd9608d2720368) on Linux x86_64 Shaman0,2227,Tor 0.2.1.25 on Linux x86_64 hardy,2222,Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686 onconnex80,1406,Tor 0.2.1.27 (re57cb6b9762a2f94) on Linux x86_64 Nyelandsvej,1404,Tor 0.2.1.26 (rbde5a11c51433a6e) on Linux i686 gpfTOR4,1305,Tor 0.2.1.28 (r60ccf2b5f1ac7f66) on Linux x86_64 1000rpmLinux,1208,Tor 0.2.1.26 (r7f4f5a379d6e56c3) on Linux i686 evil,1200,Tor 0.2.1.26 on Linux x86_64 agent,986,Tor 0.2.1.25 on Linux x86_64 PPrivCom029,879,Tor 0.2.1.26 on Linux i686 servicePublic,810,Tor 0.2.1.26 on Linux i686 -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAk3RmnEACgkQyM26BSNOM7YQugEAtJpdwwRp+ce1XEQ2oA4bzSye 8SrFPgDZzUu389KYQ74A/iXb+Ig4J4NjWhk9CmYsGfVbrTON/k9IQnRTXX0ELIJK =3coB -----END PGP SIGNATURE-----
On Fri, 13 May 2011 21:19:41 +0200 tagnaq <tagnaq@gmail.com> wrote:
I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway)
As a reminder, this is why we have tor weather, https://weather.torproject.org/. It will automatically let relay ops know of new versions, if they are outdated, or deserving of a tshirt. I don't know that I would encourage everyone to run 0.2.3 at this point, it's very, very alpha. -- Andrew pgp 0x74ED336B
participants (3)
-
Andrew Lewman -
Sebastian Hahn -
tagnaq