Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9
Hi, awesome relay operators! About two weeks ago, we put out 0.2.9.9, to fix a significant problem in our build process that led to an easy remote crash attack: o Major bugfixes (security): - Downgrade the "-ftrapv" option from "always on" to "only on when --enable-expensive-hardening is provided." This hardening option, like others, can turn survivable bugs into crashes -- and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on 0.2.9.1-alpha. If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon: I want to put out a fix for the underlying bug here, but I'm hesitant to do so while there are still 700 crashable relays on the network. Also if you are on 0.3.0.1-alpha, you should upgrade to 0.3.0.2-alpha or later, but there are only around 53 relays still on that version, so I'm freaking out less about that. best wishes and many thanks, -- Nick
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8. Thanks, --Roger
On Thu, 9 Feb 2017 13:36:56 -0500 Roger Dingledine <arma@mit.edu> allegedly wrote:
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8.
I am. (Debian Jessie 8.7 - using the tor repos). My log says: Feb 09 07:35:04.000 [notice] Tor 0.2.9.8 (git-a0df013ea241b026) opening new log file. Feb 09 07:35:05.000 [warn] Please upgrade! This version of Tor (0.2.9.8) is not recommended, according to the directory authorities. Recommended versions are: 0.2.4.27,0 .2.4.28,0.2.5.12,0.2.5.13,0.2.7.6,0.2.7.7,0.2.8.9,0.2.8.10,0.2.8.11,0.2.8.12,0.2.9.9,0.3.0.2-alpha,0.3.0.3-alpha Attempting an upgrade from 0.2.9.8 I get nothing. Mick --------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net ---------------------------------------------------------------------
To be sure Mick, on a Debian 8.7 too, those commands : --> *apt-get update ; apt-get dist-upgrade** * --> *apt-cache policy tor* tor: Installé : 0.2.9.9-1~d80.jessie+1 Candidat : 0.2.9.9-1~d80.jessie+1 Table de version : *** 0.2.9.9-1~d80.jessie+1 0 500 http://deb.torproject.org/torproject.org/ jessie/main amd64 Packages 100 /var/lib/dpkg/status 0.2.5.12-4 0 500 http://ftp.nl.debian.org/debian/ jessie/main amd64 Packages 500 http://security.debian.org/ jessie/updates/main amd64 Packages mick :
Attempting an upgrade from 0.2.9.8 I get nothing.
-- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
On Thu, Feb 09, 2017 at 07:48:10PM +0000, mick wrote:
I am. (Debian Jessie 8.7 - using the tor repos).
Attempting an upgrade from 0.2.9.8 I get nothing.
Weasel suggests that you run "apt-cache policy tor" and remember what it says, then "apt-get update", then "apt-cache policy tor" again and see what it says. As far as I can tell there aren't any distros on deb.tp.o for which 0.2.9.8 is still a thing. --Roger
Rodger, My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f) apt-cache output: tor: Installed: 0.2.5.12-4 Candidate: 0.2.5.12-4 Version table: *** 0.2.5.12-4 0 500 http://ftp.nl.debian.org/debian/ jessie/main amd64 Packages 500 http://security.debian.org/ jessie/updates/main amd64 Packages 100 /var/lib/dpkg/status I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already. I'm running Debian GNU/Linux 8.7 (jessie) Enjoy, Maarten Roger Dingledine wrote on 09-02-17 19:36:
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8.
Thanks, --Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f) [...] I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates. --Roger
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there? Thanks Paul Am 09.02.2017 um 22:10 schrieb Roger Dingledine:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f) [...] I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 09.02.2017 23:56, Paul wrote:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
use FreeBSD ports, there is 0.2.9.9 available. https://www.freebsd.org/ports/index.html
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf) 'latest' has 0.2.9.9 since 2017-02-05. [1]http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz [2]http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org? On Fri, Feb 10, 2017 at 11:21 AM, nusenu <nusenu@openmailbox.org> wrote:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf)
'latest' has 0.2.9.9 since 2017-02-05.
[1]http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz [2]http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hello Marcel, thanks for running a relay. Marcel Krzystek:
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org?
On Ubuntu you should use the torproject repository to get the latest tor version, you will find a guide here: https://www.torproject.org/docs/debian.html.en#ubuntu
Just to add another data point, the Alpine distribution is currently on 0.2.8.12: https://pkgs.alpinelinux.org/packages?name=tor&branch=&repo=&arch=&maintaine... On 10 February 2017 at 18:27, nusenu <nusenu@openmailbox.org> wrote:
Hello Marcel,
thanks for running a relay.
Marcel Krzystek:
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org?
On Ubuntu you should use the torproject repository to get the latest tor version, you will find a guide here:
https://www.torproject.org/docs/debian.html.en#ubuntu
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- Andy Smith http://andrewmichaelsmith.com | @bingleybeep
Andrew Smith:
Just to add another data point, the Alpine distribution is currently on 0.2.8.12
tor 0.2.8.12 is fine. 0.2.8.x is likely supported until 2018-01-01 (nickm's plan). (and as the subject says, this is more about 0.2.9.x)
Am 10.02.2017 um 19:21 schrieb nusenu:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf)
'latest' has 0.2.9.9 since 2017-02-05.
[1]http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz [2]http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
@nusenu:Thank you for your hint - I had indeed a quarterly entry there. Now I did a full reinstall like mentioned here: https://forums.freebsd.org/threads/52843/ @fatal: thank you - yes that worked great as well Handling BSD is that easy (!!) - why cant we convince more folks to install it?
On 02/09/2017 02:10 PM, Roger Dingledine wrote:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f) [...] I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
On 10 Feb 2017, at 13:19, Kenneth Freeman <kencf0618@riseup.net> wrote:
On 02/09/2017 02:10 PM, Roger Dingledine wrote:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f) [...] I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
If you're on Ubuntu (or Debian) you can get the latest packages using these instructions: https://www.torproject.org/docs/debian.html.en T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On 02/09/2017 07:25 PM, teor wrote:
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
If you're on Ubuntu (or Debian) you can get the latest packages using these instructions:
Many thanks. I'd no clue that this was a Debian release issue -I've been compiling Tor upgrades and running ARM willy-nilly without result!
Nick Mathewson:
there are still 700 crashable relays on the network.
The account for ~12% CW fraction. Sadly big operators are on that list as well, i.e: +-----------------------------------------------+-------------+ | contact | tor_version | +-----------------------------------------------+-------------+ | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | ...
sigh. 3 out of 33 is not too bad, right? could you please tell me which three rodents are still not updated? niftybunny abuse@to-surf-and-protect.net
On 9 Feb 2017, at 22:45, nusenu <nusenu@openmailbox.org> wrote:
Nick Mathewson:
there are still 700 crashable relays on the network.
The account for ~12% CW fraction.
Sadly big operators are on that list as well, i.e:
+-----------------------------------------------+-------------+ | contact | tor_version | +-----------------------------------------------+-------------+ | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | <zwiebeln at online de> | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | abuse@to-surf-and-protect.net | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | https://www.torservers.net/donate.html <suppo | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | | see https://www.artikel5ev.de/torcontact/ | 0.2.9.8 | ...
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
could you please tell me which three rodents are still not updated?
If you do not know where you run what version, you can ask onionoo to give you a list of relays with a given contact string: https://onionoo.torproject.org/details?contact=abuse@to-surf-and-protect.net... ctrl+f "0.2.9.8" I added a feature request to filter by tor version https://trac.torproject.org/projects/tor/ticket/21427
Thats nifty! Thank you very much. niftybunny abuse@to-surf-and-protect.net
On 9 Feb 2017, at 23:15, nusenu <nusenu@openmailbox.org> wrote:
could you please tell me which three rodents are still not updated?
If you do not know where you run what version, you can ask onionoo to give you a list of relays with a given contact string:
https://onionoo.torproject.org/details?contact=abuse@to-surf-and-protect.net...
ctrl+f "0.2.9.8"
I added a feature request to filter by tor version https://trac.torproject.org/projects/tor/ticket/21427
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
participants (14)
-
Andrew Smith -
fatal -
Kenneth Freeman -
Maarten A. -
Marcel Krzystek -
mick -
Nick Mathewson -
niftybunny -
nusenu -
Paul -
Petrusko -
Roger Dingledine -
Sebastian Niehaus -
teor