For those of you who are not on tor-announce... now would be a good time to remember to subscribe to tor-announce. :)
--Roger
----- Forwarded message from Nick Mathewson nickm@torproject.org -----
Date: Mon, 15 May 2017 18:57:59 -0400
From: Nick Mathewson nickm@torproject.org
To: tor-announce@lists.torproject.org
Subject: [tor-announce] Tor 0.3.0.7 is released, with a medium security fix for relays
Hi, all!
There's a new Tor release (0.3.0.7) available on the website. It fixes a bug affecting relays running earlier versions of 0.3.0.x that could allow attackers to trigger an assertion failure on those relays. Clients are not affected; neither are relays running versions before 0.3.0.x.
If you're running a relay with one of the affected versions, you should upgrade. Source is available on the website now; packages should be available over the next several days.
===========
Changes in version 0.3.0.7 - 2017-05-15
Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions of Tor 0.3.0.x, where an attacker could cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade; clients are not affected.
o Major bugfixes (hidden service directory, security):
- Fix an assertion failure in the hidden service directory code, which could be used by an attacker to remotely cause a Tor relay process to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade. This security issue is tracked as TROVE-2017-002. Fixes bug 22246; bugfix on 0.3.0.1-alpha.
o Minor features:
- Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 Country database.
o Minor features (future-proofing):
- Tor no longer refuses to download microdescriptors or descriptors if they are listed as "published in the future". This change will eventually allow us to stop listing meaningful "published" dates in microdescriptor consensuses, and thereby allow us to reduce the resources required to download consensus diffs by over 50%. Implements part of ticket 21642; implements part of proposal 275.
o Minor bugfixes (Linux seccomp2 sandbox):
- The getpid() system call is now permitted under the Linux seccomp2 sandbox, to avoid crashing with versions of OpenSSL (and other libraries) that attempt to learn the process's PID by using the syscall rather than the VDSO code. Fixes bug 21943; bugfix on 0.2.5.1-alpha.
----- End forwarded message -----
Hi,
On 16/05/2017 01:52, Roger Dingledine wrote:
For those of you who are not on tor-announce... now would be a good time to remember to subscribe to tor-announce. :)
I run a couple of relays with Debian 7 Wheezy, which is the old stable version.
As you can see from the Debian package page[1], the latest available version of Tor packaged for Wheezy is 0.2.4.27-3, which to me looks quite behind either 0.2.5.12-4 available in Jessie (stable) or the 0.2.9.x series available through backports or testing.
What's the best to do in these cases?
- Should I start updating tor manually?
- Should I update Debian on the server? (which could well mean starting with a fresh install?)
- Is it ok like it is now, provided that the system is updated?
Thanks,
Cristian
On 5/17/17 11:04, Cristian Consonni wrote:
What's the best to do in these cases?
- Should I start updating tor manually?
- Should I update Debian on the server? (which could well mean starting with a fresh install?)
- Is it ok like it is now, provided that the system is updated?
Cristian
You could tell Debian to get Tor from torproject.org
https://www.torproject.org/docs/debian.html.en
You'd probably tell it you use old stable and want Tor version stable. After a couple of apt commands, I predict you will end up with Tor 0.3.0.7
Matt
On Wed, 17 May 2017 11:32:39 -0400 Matt Traudt sirmatt@ksu.edu wrote:
You could tell Debian to get Tor from torproject.org
https://www.torproject.org/docs/debian.html.en
You'd probably tell it you use old stable and want Tor version stable. After a couple of apt commands, I predict you will end up with Tor 0.3.0.7
No he will not, as nobody cares to update the Tor stable repository for 0.3.0.7, all you get on stable is 0.2.9.10.
On Wed, May 17, 2017 at 08:45:26PM +0500, Roman Mamedov wrote:
https://www.torproject.org/docs/debian.html.en
You'd probably tell it you use old stable and want Tor version stable. After a couple of apt commands, I predict you will end up with Tor 0.3.0.7
No he will not, as nobody cares to update the Tor stable repository for 0.3.0.7, all you get on stable is 0.2.9.10.
My guess is that our fine debian maintainer is leaving it at 0.2.9.10 while Stretch finishes its freeze and goes stable: https://wiki.debian.org/DebianStretch
Tor 0.2.9.x is our most recent long-term-stable release: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorR...
So it is wiser to have 0.2.9 in the next Debian stable, rather than using 0.3.0 and then having Tor want to abandon 0.3.0 well before Stretch's expected lifetime.
More context: with the quicker release period for the Tor program, we realized we can't actually support every single stable release version for years, or we'll go mad. So we adopted the "long term stable" idea that's been going around lately, and we coordinated with Debian to make sure their stable and our LTS lined up: https://blog.torproject.org/blog/updates-old-tor-stable-release-series-02428...
I don't think we did any coordination with Ubuntu though, since there is nobody there to coordinate with. :(
--Roger
On Wed, 17 May 2017 18:36:12 -0400 Roger Dingledine arma@mit.edu wrote:
My guess is that our fine debian maintainer is leaving it at 0.2.9.10 while Stretch finishes its freeze and goes stable: https://wiki.debian.org/DebianStretch
I don't mean packages in the Debian official repo, but those at deb.torproject.org. Surely those shouldn't have any dependence on Debian freeze/stable cycles.
Tor 0.2.9.x is our most recent long-term-stable release: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorR...
So it is wiser to have 0.2.9 in the next Debian stable, rather than using 0.3.0 and then having Tor want to abandon 0.3.0 well before Stretch's expected lifetime.
Nope. Even the official Tor repos still only serve 0.2.9.10. The 0.3.x branch is still only marked as experimental.
Regards, /peter
Hi,
On 17/05/2017 17:32, Matt Traudt wrote:
On 17/05/2017 18:02, fcornu@wardsback.org wrote:
I'm also running tor on wheezy: currently running v0.2.9.9.
To ease your life in remaining up to date, you can as well get tor from the Tor Project itself, by using this apt config file:
# cat /etc/apt/sources.list.d/tor.list
deb http://deb.torproject.org/torproject.org wheezy main
Thanks for the pointers, I completely missed that page when I made the first installation.
Now, I have updated Tor to the latest version available on the repo indicated above.
Cristian
On 2017-05-17 17:04, Cristian Consonni wrote:
I run a couple of relays with Debian 7 Wheezy, which is the old stable version.
What's the best to do in these cases?
- Should I start updating tor manually?
- Should I update Debian on the server? (which could well mean starting with a fresh install?)
- Is it ok like it is now, provided that the system is updated?
Hi,
I'm also running tor on wheezy: currently running v0.2.9.9.
To ease your life in remaining up to date, you can as well get tor from the Tor Project itself, by using this apt config file:
# cat /etc/apt/sources.list.d/tor.list
deb http://deb.torproject.org/torproject.org wheezy main
Hope this helps
On Wed, May 17, 2017 at 05:04:29PM +0200, Cristian Consonni wrote:
I run a couple of relays with Debian 7 Wheezy, which is the old stable version.
Thanks for running relays!
As you can see from the Debian package page[1], the latest available version of Tor packaged for Wheezy is 0.2.4.27-3, which to me looks quite behind either 0.2.5.12-4 available in Jessie (stable) or the 0.2.9.x series available through backports or testing.
What's the best to do in these cases?
- Should I start updating tor manually?
Definitely don't build Tor yourself. If you want to switch to the deb.torproject.org repo as suggested in this thread, that is a fine option.
- Should I update Debian on the server? (which could well mean starting with a fresh install?)
Tor 0.2.4.x is still supported until Aug 1, 2017: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorR...
But it's my understanding that Debian wheezy becomes oldoldstable once Squeeze is declared stable? Meaning now would be a good time for you to consider upgrading anyway? :)
- Is it ok like it is now, provided that the system is updated?
It is ok like it is now, for the next 2.5 months, and then it will become a bad idea.
(Who knows, maybe the nice people who step in to offer long-term-stable support to Wheezy, if anybody does, will be convinceable to update it to Tor 0.2.5. But running a partially supported oldoldstable is less good than upgrading your Debian.)
--Roger
On Wed, May 17, 2017 at 06:13:55PM -0400, Roger Dingledine wrote:
But it's my understanding that Debian wheezy becomes oldoldstable once Squeeze is declared stable? Meaning now would be a good time for you to consider upgrading anyway? :)
Whoops, I meant Stretch, not Squeeze. Sorry for the spam.
--Roger
Cristian Consonni wrote [Wed, May 17, 2017 at 05:04:29PM +0200]:
As you can see from the Debian package page[1], the latest available version of Tor packaged for Wheezy is 0.2.4.27-3, which to me looks quite behind either 0.2.5.12-4 available in Jessie (stable) or the 0.2.9.x series available through backports or testing.
What's the best to do in these cases?
- Should I start updating tor manually?
- Should I update Debian on the server? (which could well mean starting with a fresh install?)
- Is it ok like it is now, provided that the system is updated?
While Debian Wheezy (7, our "oldstable" release) still has security support via LTS¹, it is not recommended to run a Tor relay with such old packages. In fact, not even the version available in Jessie (8, our "stable" release - 0.2.5.12-4) is recommended nowadays.
I suggest you update to _at least_ Jessie and use the version in backports (it depends on your sysadmining, but if your machine's only use is to run a Tor node, I'd suggest installing Stretch, 9, which has 0.2.9.9-1).
Roger Dingledine:
There's a new Tor release (0.3.0.7) available on the website. It fixes a bug affecting relays running earlier versions of 0.3.0.x that could allow attackers to trigger an assertion failure on those relays. Clients are not affected; neither are relays running versions before 0.3.0.x.
If you're running a relay with one of the affected versions, you should upgrade.
As of 2017-05-18 6:00 UTC, about 14% of the tor network (cw fraction) runs a vulnerable tor version [1].
~12.3% (cw fraction) of them run Linux (~5% likely use the outdated repos from deb.torproject.org). I guess the most efficient method to help tor relay operators (and the tor network as a whole), is to update the packages in the affected deb.torproject.org repositories [2].
Is there a particular reason why the tor 0.3.0.x packages at deb.torproject.org [2] have not been updated since v0.3.0.5-rc? (they used to get updates within days after a release)
I hope they are not forced to switch to tor-nightly-0.3.0.x-* repos [3] if they want to get that security fix. Or is it: "Don't use the experimental repos if you want security updates"?
packages should be available over the next several days.
Is this actually the case, or is this just the usual wording from the default release email and not actually happening in this case? (due to the long term support release 0.2.9.x?)
To help the 1.3% cw-fraction / 87 FreeBSD relays I filed a ticket here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219364 (tickets filed at trac.tpo about deb.tpo get closed as invalid, so I stopped doing that [4])
thanks, nusenu
[1] https://nusenu.github.io/OrNetStats/#tor-version-distribution-relays https://nusenu.github.io/OrNetStats/torversions
[2] https://deb.torproject.org/torproject.org/dists/
tor-experimental-0.3.0.x-jessie/ 2017-05-12 11:28
tor-experimental-0.3.0.x-precise/ 2017-05-12 11:28
tor-experimental-0.3.0.x-sid/ 2017-05-12 11:28
tor-experimental-0.3.0.x-stretch/ 2017-05-12 11:28
tor-experimental-0.3.0.x-trusty/ 2017-05-12 11:28
tor-experimental-0.3.0.x-wheezy/ 2017-05-12 11:28
tor-experimental-0.3.0.x-xenial/ 2017-05-12 11:28
tor-experimental-0.3.0.x-yakkety/ 2017-05-12 11:28
tor-experimental-0.3.0.x-zesty/ 2017-05-12 11:28
[3]
tor-nightly-0.3.0.x-stretch/ 2017-05-16 13:43
tor-nightly-0.3.0.x-trusty/ 2017-05-16 13:43
tor-nightly-0.3.0.x-wheezy/ 2017-05-16 13:43
tor-nightly-0.3.0.x-xenial/ 2017-05-16 13:43
tor-nightly-0.3.0.x-yakkety/ 2017-05-16 13:43
tor-nightly-0.3.0.x-zesty/ 2017-05-16 13:43
tor 0.3.0.7 reached the deb.tpo repos
On 19.05.2017 16:16, nusenu wrote:
tor 0.3.0.7 reached the deb.tpo repos
Just to make sure I don't misunderstand: As of today, should using
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
result in Tor 0.3.0.7 being used? I still see Tor 0.2.9.10 (git-e28303bcf90b842d) and it won't update.
-Ralph
Exactly Ralph, the same here.
I expected that question.
tor 0.3.0.7 reached the deb.tpo repos
Just to make sure I don't misunderstand: As of today, should using
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
result in Tor 0.3.0.7 being used?
No, only if you choose the 0.3.0.x repos on deb.torproject.org
The 0.3.0.x repos got updated to 0.3.0.7 (from 0.3.0.5-rc). That was the important part in the context of TROVE-2017-002 since tor prior to 0.3.0.1-alpha is not vulnerable.
If you want 0.3.0.7 regardless, you will have to adjust the sources.list file, as Roger suggested, the stable repos will probably stay at 0.2.9.x and that is fine (LTS release).
On 21.05.2017 14:05, nusenu wrote:
I expected that question.
:-)
If you want 0.3.0.7 regardless, you will have to adjust the sources.list file, as Roger suggested
Alright, after adding the lines
deb http://deb.torproject.org/torproject.org tor-experimental-0.3.0.x-jessie main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.3.0.x-jessie main
apt pulled Tor version 0.3.0.7.
-Ralph
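The two decisions made in this thread (nusenu's point that only relays on 0.3.0.1-alpha up to, but not including, 0.3.0.7 are in the TROVE-2017-002 range, and Ralph's step of pointing apt at the tor-experimental-0.3.0.x-jessie suite to actually get 0.3.0.7) can be scripted for a fleet of relays. The Python below is an added example, not code from the thread or from the Tor Project. It parses the output of `tor --version`, compares it against the affected range, and builds the matching sources.list line. It assumes Tor's ordering of status tags (alpha and other pre-release tags sort before rc, which sorts before an untagged final release of the same number) and the `tor-experimental-<series>-<codename>` suite naming seen in the dists/ listing quoted above; the function names are mine, and the sample version strings are constructed from numbers that appear in the thread.

```python
import re

# Status-tag ordering assumed to follow Tor's own version comparison:
# pre-release tags (alpha, beta, dev, ...) < rc < untagged final release.
_STATUS_RANK = {"alpha": 0, "rc": 1, "": 2}

# Matches "0.2.9.10", "0.3.0.5-rc", "0.3.0.1-alpha". A trailing Debian
# package revision such as the "-3" in "0.2.4.27-3" is not a status tag
# (it is digits, not letters) and is ignored.
_VERSION_RE = re.compile(
    r"(?P<nums>\d+\.\d+\.\d+(?:\.\d+)?)(?:-(?P<tag>[A-Za-z]+))?"
)


def parse_tor_version(text):
    """Return a comparable tuple (major, minor, micro, patch, status_rank)
    for the first Tor version found in text, e.g. the output of
    'tor --version': 'Tor version 0.2.9.10 (git-e28303bcf90b842d).'"""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Tor version found in %r" % (text,))
    nums = [int(n) for n in m.group("nums").split(".")]
    while len(nums) < 4:
        nums.append(0)
    tag = (m.group("tag") or "").lower()
    # Unknown tags (beta, dev, ...) are treated as pre-release, like alpha.
    return tuple(nums) + (_STATUS_RANK.get(tag, 0),)


# Affected range from the 0.3.0.7 changelog: bugfix on 0.3.0.1-alpha,
# fixed in 0.3.0.7. Anything older than 0.3.0.1-alpha (for example the
# 0.2.9.x LTS series) never had the bug.
TROVE_2017_002_FIRST_BAD = parse_tor_version("0.3.0.1-alpha")
TROVE_2017_002_FIXED = parse_tor_version("0.3.0.7")


def affected_by_trove_2017_002(version_text, is_relay=True):
    """True if a relay running this version should upgrade to 0.3.0.7.
    Clients are not affected, per the announcement."""
    if not is_relay:
        return False
    v = parse_tor_version(version_text)
    return TROVE_2017_002_FIRST_BAD <= v < TROVE_2017_002_FIXED


def deb_torproject_source_line(codename, series=None):
    """Build the sources.list line for deb.torproject.org.

    series=None tracks the plain <codename> suite (0.2.9.x LTS at the time
    of this thread). series="0.3.0.x" tracks tor-experimental-0.3.0.x-<codename>,
    following the directory names in the dists/ listing quoted in the thread
    (assumption: that naming holds for every codename listed there)."""
    if series is None:
        suite = codename
    else:
        suite = "tor-experimental-%s-%s" % (series, codename)
    return "deb http://deb.torproject.org/torproject.org %s main" % suite


def triage(version_text, codename, is_relay=True):
    """Combine both checks: say whether to upgrade and which apt line
    reaches the fixed version. Unaffected relays stay on the LTS suite."""
    if affected_by_trove_2017_002(version_text, is_relay):
        return ("upgrade to 0.3.0.7",
                deb_torproject_source_line(codename, "0.3.0.x"))
    return ("no action for TROVE-2017-002",
            deb_torproject_source_line(codename))


if __name__ == "__main__":
    # Constructed sample inputs, using version numbers that appear in the thread.
    samples = [
        ("Tor version 0.2.9.10 (git-e28303bcf90b842d).", "jessie"),
        ("0.3.0.5-rc", "jessie"),
        ("0.2.4.27-3", "wheezy"),
        ("0.3.0.7", "stretch"),
    ]
    for text, codename in samples:
        verdict, line = triage(text, codename)
        print("%-46s %-30s %s" % (text, verdict, line))
```

Run it with the version string from each relay's `tor --version`; a relay reported as affected needs the tor-experimental suite line in its sources.list, while one on 0.2.9.x is correctly told to stay put, which matches nusenu's point that the stable repo never needed a 0.3.0.7 build.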
The fixed tor version reached the FreeBSD package repos; you can now upgrade with the 'pkg' command.