'critical' security update: Tor 0.2.2.39

It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.

Are tor versions 0.2.3.x and 0.2.4.x affected too?

[0] https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes
    https://trac.torproject.org/projects/tor/ticket/6811
[1] https://lists.torproject.org/pipermail/tor-talk/2012-September/025525.html
[2] https://blog.torproject.org/blog/new-bundles-security-release
[3] https://lists.torproject.org/pipermail/tor-announce/

> It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.
>
> Are tor versions 0.2.3.x and 0.2.4.x affected too?

Yes, 0.2.3.x is affected and #6811 is fixed in 0.2.3.22-rc
https://gitweb.torproject.org/tor.git/blob/tor-0.2.3.22-rc:/ChangeLog

0.2.3.22-rc was announced by roger as usual on tor-talk:
https://lists.torproject.org/pipermail/tor-talk/2012-September/025501.html

On Sat, Sep 15, 2012 at 12:25:59PM +0200, tagnaq wrote:
> It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.

There, I sent the mail. I'd been waiting a few days to make sure the new packages weren't broken. Thanks for the kick.

In the spectrum of critical, I wouldn't put this one towards the top. There's no code execution or privacy or anonymity issues. So yes, upgrading is definitely a fine idea, but it's not a "cancel your dinner plans to do it" sort of situation.

> Are tor versions 0.2.3.x and 0.2.4.x affected too?

Yes. I haven't put an 0.2.4.3-alpha out yet (it's an alpha after all). I should probably do that soon.

--Roger

> In the spectrum of critical, I wouldn't put this one towards the top. There's no code execution or privacy or anonymity issues. So yes, upgrading is definitely a fine idea, but it's not a "cancel your dinner plans to do it" sort of situation.

I probably misinterpreted erinn's posts [1][2].

>> Are tor versions 0.2.3.x and 0.2.4.x affected too?
>
> Yes. I haven't put an 0.2.4.3-alpha out yet (it's an alpha after all). I should probably do that soon.

Thanks for releasing 0.2.4.3-alpha.

[1] https://trac.torproject.org/projects/tor/ticket/6803#comment:9
[2] https://blog.torproject.org/blog/new-bundles-security-release
participants (2)
- Roger Dingledine
- tagnaq