[tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

nusenu nusenu at openmailbox.org
Tue Oct 25 21:48:00 UTC 2016


just a reminder since most of the tor network (including some of the
biggest operators) still runs vulnerable relays

https://blog.torproject.org/blog/tor-0289-released-important-fixes


Since 2/3 directory authorities removed most vulnerable versions from
their 'recommended versions' you should see a log entry if you run
outdated versions (except if you run 0.2.5.12).


It is not possible to reliably determine the exact CW fraction
affected[1] due to the fact that patches were released that didn't
increase tor's version number.
Therefore it is also possible that you get log entries even if you run a
patched version (IMHO this hasn't been handled in the most professional
way).


Update instructions

Debian/Ubuntu
==============

make sure you use the Torproject repository:
https://www.torproject.org/docs/debian.html.en

(you can also use the debian repository but the Torproject's repo will
provide you with the latest releases)


aptitude update && aptitude install tor


CentOS/RHEL/Fedora
===================

yum install --enablerepo=epel-testing tor


FreeBSD
============

pkg update
pkg upgrade

OpenBSD
===========

pkg_add -u tor


Windows
========

No updated binaries available for this platform yet.




[1] as of 2016-10-25 18:00 (onionoo data)
conservative estimate
----------------------
(counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
31% CW fraction patched

optimistic estimate
-------------------
(additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12,
0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
43% CW fraction patched
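
The two estimates in footnote [1], worked as an added example (not part of the original post and not nusenu's code). It assumes relay records shaped like Onionoo details documents, using the `platform`, `consensus_weight_fraction` and `last_restarted` fields; the sample relays are constructed, not real Onionoo output.

```python
from datetime import datetime

# Version sets and restart cutoff are taken from the post's footnote [1].
PATCHED = {"0.2.8.9", "0.2.9.4-alpha"}
UNBUMPED = {"0.2.4.27", "0.2.5.12", "0.2.6.10", "0.2.7.6"}
RESTART_CUTOFF = datetime(2016, 10, 17)

def parse_platform(platform):
    """Split 'Tor 0.2.8.9 on Linux' into ('0.2.8.9', 'Linux')."""
    head, _, os_name = platform.partition(" on ")
    words = head.split()
    if len(words) >= 2 and words[0] == "Tor":
        return words[1], os_name
    return None, os_name

def patched_fractions(relays):
    """Return (conservative, optimistic) patched consensus-weight fractions."""
    conservative = optimistic = 0.0
    for relay in relays:
        version, os_name = parse_platform(relay.get("platform") or "")
        cw = relay.get("consensus_weight_fraction") or 0.0
        if version in PATCHED:
            # Version number alone proves the fix is present.
            conservative += cw
            optimistic += cw
        elif version in UNBUMPED and "Windows" not in os_name:
            # Patched builds kept the old version number, so a restart
            # after the cutoff is the only hint that the fix is installed.
            restarted = relay.get("last_restarted")
            if restarted and datetime.strptime(
                    restarted, "%Y-%m-%d %H:%M:%S") >= RESTART_CUTOFF:
                optimistic += cw
    return conservative, optimistic

# Constructed sample relays (hypothetical values for illustration).
SAMPLE = [
    {"platform": "Tor 0.2.8.9 on Linux", "consensus_weight_fraction": 0.25, "last_restarted": "2016-10-20 08:00:00"},
    {"platform": "Tor 0.2.9.4-alpha on FreeBSD", "consensus_weight_fraction": 0.0625, "last_restarted": "2016-10-18 12:00:00"},
    {"platform": "Tor 0.2.5.12 on Linux", "consensus_weight_fraction": 0.125, "last_restarted": "2016-10-19 03:30:00"},
    {"platform": "Tor 0.2.7.6 on Windows 7", "consensus_weight_fraction": 0.125, "last_restarted": "2016-10-20 10:00:00"},
    {"platform": "Tor 0.2.6.10 on Linux", "consensus_weight_fraction": 0.25, "last_restarted": "2016-09-01 00:00:00"},
    {"platform": "Tor 0.2.8.7 on Linux", "consensus_weight_fraction": 0.1875, "last_restarted": "2016-10-21 09:00:00"},
]

if __name__ == "__main__":
    low, high = patched_fractions(SAMPLE)
    print(f"conservative: {low:.1%}  optimistic: {high:.1%}")
```

The gap between the two numbers is the share of consensus weight whose patch status cannot be read from the version string.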
