[anti-censorship-team] obfs4proxy-0.0.11 (2019-06-21) fixes active probing vulnerabilities

David Fifield david at bamsoftware.com
Mon Jan 17 19:55:39 UTC 2022


On Mon, Jan 17, 2022 at 11:53:55AM +0100, meskio wrote:
> Quoting David Fifield (2022-01-14 21:50:32)
> > On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
> > > Quoting David Fifield (2022-01-14 03:27:09)
> > > > The upstream obfs4 repository has a fix to the Elligator2 public key
> > > > representative leak (https://github.com/agl/ed25519/issues/27).
> > > 
> > > I started the conversation with the maintainers in debian to update the package:
> > > https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/003823.html
> > 
> > Thanks, meskio. It was also brought to my attention that Debian's latest
> > version of obfs4proxy is 0.0.8, which does not have the necessary active
> > probing mitigations that we released in 0.0.11. This should also be
> > treated as a security issue.
> > https://packages.debian.org/search?keywords=obfs4proxy
> 
> Thanks for the info. I'll talk with the packagers about that. They mention
> having a problem with the fork of uTLS and its license to be able to update the
> package. But let's see if this can be solved somehow.

I think obfs4proxy should work with upstream
github.com/refraction-networking/utls if you remove these two calls:

https://gitlab.com/yawning/obfs4/-/blob/cbf3f3cfa09cf48c42aebd1b96fd7952f1ddb25d/transports/meeklite/transport.go#L248-249
	utls.EnableVartimeGroups()
	utls.EnableVartimeAES()