Hi, awesome relay operators!
About two weeks ago, we put out 0.2.9.9, to fix a significant problem in our build process that led to an easy remote crash attack:
  o Major bugfixes (security):
    - Downgrade the "-ftrapv" option from "always on" to "only on when --enable-expensive-hardening is provided." This hardening option, like others, can turn survivable bugs into crashes -- and having it on by default made a (relatively harmless) integer overflow bug into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on 0.2.9.1-alpha.
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon: I want to put out a fix for the underlying bug here, but I'm hesitant to do so while there are still 700 crashable relays on the network.
Also if you are on 0.3.0.1-alpha, you should upgrade to 0.3.0.2-alpha or later, but there are only around 53 relays still on that version, so I'm freaking out less about that.
best wishes and many thanks,
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8.
Thanks, --Roger
On Thu, 9 Feb 2017 13:36:56 -0500 Roger Dingledine arma@mit.edu allegedly wrote:
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8.
I am. (Debian Jessie 8.7 - using the tor repos). My log says:
Feb 09 07:35:04.000 [notice] Tor 0.2.9.8 (git-a0df013ea241b026) opening new log file.
Feb 09 07:35:05.000 [warn] Please upgrade! This version of Tor (0.2.9.8) is not recommended, according to the directory authorities. Recommended versions are: 0.2.4.27,0.2.4.28,0.2.5.12,0.2.5.13,0.2.7.6,0.2.7.7,0.2.8.9,0.2.8.10,0.2.8.11,0.2.8.12,0.2.9.9,0.3.0.2-alpha,0.3.0.3-alpha
Attempting an upgrade from 0.2.9.8 I get nothing.
Mick
--------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net ---------------------------------------------------------------------
To be sure Mick, on a Debian 8.7 too, those commands :
--> apt-get update ; apt-get dist-upgrade
--> apt-cache policy tor
tor:
  Installé : 0.2.9.9-1~d80.jessie+1
  Candidat : 0.2.9.9-1~d80.jessie+1
 Table de version :
 *** 0.2.9.9-1~d80.jessie+1 0
        500 http://deb.torproject.org/torproject.org/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     0.2.5.12-4 0
        500 http://ftp.nl.debian.org/debian/ jessie/main amd64 Packages
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
mick :
Attempting an upgrade from 0.2.9.8 I get nothing.
On Thu, Feb 09, 2017 at 07:48:10PM +0000, mick wrote:
I am. (Debian Jessie 8.7 - using the tor repos).
Attempting an upgrade from 0.2.9.8 I get nothing.
Weasel suggests that you run "apt-cache policy tor" and remember what it says, then "apt-get update", then "apt-cache policy tor" again and see what it says.
As far as I can tell there aren't any distros on deb.tp.o for which 0.2.9.8 is still a thing.
--Roger
2017-02-09 20:48 GMT+01:00 mick mbm@rlogin.net:
Attempting an upgrade from 0.2.9.8 I get nothing.
I have Jessie and tor from jessie-backports, tor version is 0.2.9.9.
Sebastian
Roger,
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f)
apt-cache output:
tor:
  Installed: 0.2.5.12-4
  Candidate: 0.2.5.12-4
  Version table:
 *** 0.2.5.12-4 0
        500 http://ftp.nl.debian.org/debian/ jessie/main amd64 Packages
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Enjoy,
Maarten
Roger Dingledine wrote on 09-02-17 19:36:
On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
If you are on some earlier version of 0.2.9.x, it would be really great if you could update your relay some time soon
And, if you're one of the many relays still on 0.2.9.8, and the reason is something other than "oops, you're right I should upgrade", please let us know! We're wondering in particular if there are major distros out there that are still stuck on 0.2.9.8.
Thanks, --Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f)
[...]
I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
--Roger
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
Thanks
Paul
Am 09.02.2017 um 22:10 schrieb Roger Dingledine:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f)
[...]
I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
--Roger
On 09.02.2017 23:56, Paul wrote:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
use FreeBSD ports, there is 0.2.9.9 available.
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf)
'latest' has 0.2.9.9 since 2017-02-05.
[1] http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz
[2] http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org?
On Fri, Feb 10, 2017 at 11:21 AM, nusenu nusenu@openmailbox.org wrote:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf)
'latest' has 0.2.9.9 since 2017-02-05.
[1] http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz
[2] http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
Hello Marcel,
thanks for running a relay.
Marcel Krzystek:
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org?
On Ubuntu you should use the torproject repository to get the latest tor version, you will find a guide here:
Just to add another data point, the Alpine distribution is currently on 0.2.8.12: https://pkgs.alpinelinux.org/packages?name=tor&branch=&repo=&arc...
On 10 February 2017 at 18:27, nusenu nusenu@openmailbox.org wrote:
Hello Marcel,
thanks for running a relay.
Marcel Krzystek:
Sorry to be a dunce, but I opened a new relay on Ubuntu 16.10. 0.2.8.8 is in the repository. How do I pull 0.2.9.9? Do I need to download/install the browser bundle off of torproject.org?
On Ubuntu you should use the torproject repository to get the latest tor version, you will find a guide here:
https://www.torproject.org/docs/debian.html.en#ubuntu
Andrew Smith:
Just to add another data point, the Alpine distribution is currently on 0.2.8.12
tor 0.2.8.12 is fine. 0.2.8.x is likely supported until 2018-01-01 (nickm's plan).
(and as the subject says, this is more about 0.2.9.x)
Am 10.02.2017 um 19:21 schrieb nusenu:
Looks like FreeBSD and most people running BSD is (are) lacking behind - "sudo pkg update && sudo pkg upgrade -y" is not bringing success - what do you recommend there?
If you did not get tor 0.2.9.9 via pkg yet you are probably using the quarterly [1] and not the latest [2] repo. (/etc/pkg/FreeBSD.conf)
'latest' has 0.2.9.9 since 2017-02-05.
[1] http://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/tor-0.2.9.8.txz
[2] http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/tor-0.2.9.9_1.txz
@nusenu: Thank you for your hint - I had indeed a quarterly entry there. Now I did a full reinstall like mentioned here: https://forums.freebsd.org/threads/52843/
@fatal: thank you - yes that worked great as well
Handling BSD is that easy (!!) - why can't we convince more folks to install it?
On 02/09/2017 02:10 PM, Roger Dingledine wrote:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f)
[...]
I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
On 10 Feb 2017, at 13:19, Kenneth Freeman kencf0618@riseup.net wrote:
On 02/09/2017 02:10 PM, Roger Dingledine wrote:
On Thu, Feb 09, 2017 at 09:51:14PM +0100, Maarten A. wrote:
My log indicates Tor 0.2.5.12 (git-6350e21f2de7272f)
[...]
I think I read somewhere debian does security backport, hence the old version numbers. You probably know this already.
I'm running Debian GNU/Linux 8.7 (jessie)
Yep, that is a fine and reasonable version to run. It's old, sure, but it should still be safe and useful. Our fine deb maintainer keeps it patched with the more important security updates.
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
If you're on Ubuntu (or Debian) you can get the latest packages using these instructions:
https://www.torproject.org/docs/debian.html.en
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
On 02/09/2017 07:25 PM, teor wrote:
I haven't been able to upgrade from Tor 0.2.7.5, which ARM tells me in red type is "unrecommended," which seems alarming. I'm running 3.2.0-121-generic-pae GNU/Linux on Ubuntu 12.04 (precise).
If you're on Ubuntu (or Debian) you can get the latest packages using these instructions:
Many thanks. I'd no clue that this was a Debian release issue - I've been compiling Tor upgrades and running ARM willy-nilly without result!
Nick Mathewson:
there are still 700 crashable relays on the network.
They account for ~12% CW fraction.
Sadly big operators are on that list as well, i.e:
+-----------------------------------------------+-------------+
| contact                                       | tor_version |
+-----------------------------------------------+-------------+
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
...
sigh.
3 out of 33 is not too bad, right?
could you please tell me which three rodents are still not updated?
niftybunny abuse@to-surf-and-protect.net
On 9 Feb 2017, at 22:45, nusenu nusenu@openmailbox.org wrote:
Nick Mathewson:
there are still 700 crashable relays on the network.
They account for ~12% CW fraction.
Sadly big operators are on that list as well, i.e:
+-----------------------------------------------+-------------+
| contact                                       | tor_version |
+-----------------------------------------------+-------------+
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| 0x9F29C15D42A8B6F3 Nos oignons <adminsys@nos- | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| <zwiebeln at online de>                       | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| abuse@to-surf-and-protect.net                 | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| https://www.torservers.net/donate.html <suppo | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
| see https://www.artikel5ev.de/torcontact/     | 0.2.9.8     |
...
could you please tell me which three rodents are still not updated?
If you do not know where you run what version, you can ask onionoo to give you a list of relays with a given contact string:
https://onionoo.torproject.org/details?contact=abuse@to-surf-and-protect.net...
ctrl+f "0.2.9.8"
I added a feature request to filter by tor version https://trac.torproject.org/projects/tor/ticket/21427
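As an added example (not part of the original thread or of Onionoo itself), the manual "ctrl+f" step above can be scripted over a saved Onionoo details response. The sample document is constructed, the function names are hypothetical, and the version rule is the one stated in this thread: 0.2.9.x before 0.2.9.9 and 0.3.0.1-alpha need an upgrade.

```python
import json
import re

# Constructed sample shaped like an Onionoo "details" response; only the
# fields used below are included, and all relays here are made up.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "exampleA", "fingerprint": "A" * 40, "platform": "Tor 0.2.9.8 on Linux"},
    {"nickname": "exampleB", "fingerprint": "B" * 40, "platform": "Tor 0.2.9.9 on FreeBSD"},
    {"nickname": "exampleC", "fingerprint": "C" * 40, "platform": "Tor 0.3.0.1-alpha on Linux"},
    {"nickname": "exampleD", "fingerprint": "D" * 40, "platform": "Tor 0.2.5.12 on Linux"},
    {"nickname": "exampleE", "fingerprint": "E" * 40, "platform": "Tor 0.2.9.3-alpha on Linux"},
    {"nickname": "exampleF", "fingerprint": "F" * 40},  # platform not reported
]})

# Platform strings look like "Tor 0.2.9.8 on Linux" or "Tor 0.3.0.1-alpha on Linux".
VERSION_RE = re.compile(r"^Tor (\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?")

def parse_platform(platform):
    """Return ((a, b, c, d), tag) for a platform string, or None if unparseable."""
    m = VERSION_RE.match(platform or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups()[:4]), m.group(5) or ""

def needs_upgrade(platform):
    """True/False per the thread's rule; None when the version is unknown."""
    parsed = parse_platform(platform)
    if parsed is None:
        return None
    numbers, _tag = parsed
    if numbers[:3] == (0, 2, 9):   # bug introduced in 0.2.9.1-alpha, fixed in 0.2.9.9
        return numbers[3] < 9
    if numbers[:3] == (0, 3, 0):   # 0.3.0.1-alpha affected, fixed in 0.3.0.2-alpha
        return numbers[3] < 2
    return False                   # older series (0.2.8.x, 0.2.5.x, ...) not affected

def relays_to_upgrade(details_json):
    """List (nickname, platform) for every relay that should be upgraded."""
    doc = json.loads(details_json)
    return [(r.get("nickname", "?"), r["platform"])
            for r in doc.get("relays", [])
            if needs_upgrade(r.get("platform"))]

if __name__ == "__main__":
    for nickname, platform in relays_to_upgrade(SAMPLE_DETAILS):
        print(f"{nickname}: {platform}")
```

Relays whose platform string is missing or unparseable return None from needs_upgrade and are not listed, so they should be checked by hand.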
That's nifty! Thank you very much.
niftybunny abuse@to-surf-and-protect.net
On 9 Feb 2017, at 23:15, nusenu nusenu@openmailbox.org wrote:
could you please tell me which three rodents are still not updated?
If you do not know where you run what version, you can ask onionoo to give you a list of relays with a given contact string:
https://onionoo.torproject.org/details?contact=abuse@to-surf-and-protect.net...
ctrl+f "0.2.9.8"
I added a feature request to filter by tor version https://trac.torproject.org/projects/tor/ticket/21427