[tor-relays] TROVE-2017-002: deb.torproject.org 0.3.0.x repos no longer updated?

nusenu nusenu-lists at riseup.net
Thu May 18 08:23:00 UTC 2017


Roger Dingledine:
> There's a new Tor release (0.3.0.7) available on the website.  It
> fixes a bug affecting relays running earlier versions of 0.3.0.x that
> could allow attackers to trigger an assertion failure on those relays.
> Clients are not affected; neither are relays running versions before
> 0.3.0.x.
> 
> If you're running a relay with one of the affected versions, you
> should upgrade.  

As of 2017-05-18 6:00 UTC, about ~14% of the tor network (cw fraction)
runs a vulnerable tor version [1].

~12.3% (cw fraction) of them run Linux (~5% likely use the outdated
repos from deb.torproject.org).
I guess the most efficient method to help tor relay operators (and the
tor network as a whole) is to update the packages in the affected
deb.torproject.org repositories [2].

Is there a particular reason why the tor 0.3.0.x packages at
deb.torproject.org [2] have not been updated since v0.3.0.5-rc?
(they used to get updates within days after a release)

I hope they are not forced to switch to tor-nightly-0.3.0.x-* repos [3]
if they want to get that security fix.
Or is it: "Don't use the experimental repos if you want security updates"?

> packages
> should be available over the next several days.

Is this actually the case or is this just the usual wording from the
default release email and not actually happening in this case? (due to
long term support release 0.2.9.x?)

To help the 1.3% cw-fraction / 87 FreeBSD relays I filed a ticket here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219364
(tickets filed at trac.tpo about deb.tpo get closed as invalid, so I
stopped doing that [4])

thanks,
nusenu

[1]
https://nusenu.github.io/OrNetStats/#tor-version-distribution-relays
https://nusenu.github.io/OrNetStats/torversions

[2]
https://deb.torproject.org/torproject.org/dists/
[DIR] tor-experimental-0.3.0.x-jessie/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-precise/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-sid/     2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-stretch/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-trusty/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-wheezy/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-xenial/  2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-yakkety/ 2017-05-12 11:28    -
[DIR] tor-experimental-0.3.0.x-zesty/   2017-05-12 11:28    -

[3]
[DIR] tor-nightly-0.3.0.x-stretch/      2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-trusty/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-wheezy/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-xenial/       2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-yakkety/      2017-05-16 13:43    -
[DIR] tor-nightly-0.3.0.x-zesty/        2017-05-16 13:43    -

[4]
https://trac.torproject.org/projects/tor/ticket/22113

-- 
https://mastodon.social/@nusenu
https://twitter.com/nusenu_
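
The "cw fraction" figures in the message above are shares of the network's total consensus weight held by relays on an affected version. The following is an added example (not part of the original message, and not OrNetStats code) of that calculation over a constructed relay list; the field names and sample relays are assumptions, and the affected range is the one given in the quoted announcement.

```python
import re

FIXED = (0, 3, 0, 7)  # first fixed 0.3.0.x release named in the announcement

def classify(version):
    """Return 'affected', 'not_affected' or 'unknown' for a tor version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", (version or "").strip())
    if not m:
        return "unknown"          # missing or unparseable version
    v = tuple(int(x) for x in m.groups())
    if v[:3] > FIXED[:3]:
        return "unknown"          # later series: the announcement does not say
    # Suffixes (-rc, -alpha, -dev) are ignored. That is an assumption: a
    # nightly -dev build may or may not already contain the fix.
    if v[:3] == FIXED[:3] and v < FIXED:
        return "affected"         # 0.3.0.x earlier than 0.3.0.7
    return "not_affected"         # before 0.3.0.x, or 0.3.0.7 and later

def cw_fractions(relays, os_name=None):
    """Share of total consensus weight per status, optionally for one OS only."""
    total = sum(r["consensus_weight"] for r in relays)
    weights = {"affected": 0, "not_affected": 0, "unknown": 0}
    for r in relays:
        if os_name is not None and r.get("os") != os_name:
            continue
        weights[classify(r.get("version"))] += r["consensus_weight"]
    # Fractions are always relative to the whole network, not to the OS subset.
    return {k: (w / total if total else 0.0) for k, w in weights.items()}

# Constructed sample data, not real relays.
SAMPLE = [
    {"version": "0.3.0.5-rc", "os": "Linux",   "consensus_weight": 1000},
    {"version": "0.3.0.6",    "os": "FreeBSD", "consensus_weight": 500},
    {"version": "0.3.0.7",    "os": "Linux",   "consensus_weight": 3000},
    {"version": "0.2.9.10",   "os": "Linux",   "consensus_weight": 5000},
    {"version": None,         "os": "Linux",   "consensus_weight": 500},
]

if __name__ == "__main__":
    print("network:", cw_fractions(SAMPLE))
    print("Linux:  ", cw_fractions(SAMPLE, "Linux"))
```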

