-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.
Are tor versions 0.2.3.x and 0.2.4.x affected too?
[0] https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes https://trac.torproject.org/projects/tor/ticket/6811 [1] https://lists.torproject.org/pipermail/tor-talk/2012-September/025525.html [2] https://blog.torproject.org/blog/new-bundles-security-release [3] https://lists.torproject.org/pipermail/tor-announce/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.
Are tor versions 0.2.3.x and 0.2.4.x affected too?
Yes, 0.2.3.x is affected and #6811 is fixed in 0.2.3.22-rc https://gitweb.torproject.org/tor.git/blob/tor-0.2.3.22-rc:/ChangeLog
0.2.3.22-rc was announced by roger as usual on tor-talk: https://lists.torproject.org/pipermail/tor-talk/2012-September/025501.html
On Sat, Sep 15, 2012 at 12:25:59PM +0200, tagnaq wrote:
It is quite sad that one has to find out about 'critical' security updates [0] via an unrelated thread on tor-talk [1] or the blog [2] instead of getting an announcement on tor-announce [3] - where relay operators are probably expecting such information.
There, I sent the mail. I'd been waiting a few days to make sure the new packages weren't broken. Thanks for the kick.
In the spectrum of critical, I wouldn't put this one towards the top. There's no code execution or privacy or anonymity issues. So yes, upgrading is definitely a fine idea, but it's not a "cancel your dinner plans to do it" sort of situation.
Are tor versions 0.2.3.x and 0.2.4.x affected too?
Yes. I haven't put an 0.2.4.3-alpha out yet (it's an alpha after all). I should probably do that soon.
--Roger
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
In the spectrum of critical, I wouldn't put this one towards the top. There's no code execution or privacy or anonymity issues. So yes, upgrading is definitely a fine idea, but it's not a "cancel your dinner plans to do it" sort of situation.
I probably misinterpreted erinn's posts [1][2].
Are tor versions 0.2.3.x and 0.2.4.x affected too?
Yes. I haven't put an 0.2.4.3-alpha out yet (it's an alpha after all). I should probably do that soon.
Thanks for releasing 0.2.4.3-alpha.
[1] https://trac.torproject.org/projects/tor/ticket/6803#comment:9 [2] https://blog.torproject.org/blog/new-bundles-security-release
tor-relays@lists.torproject.org
-
Roger Dingledine -
tagnaq