[tor-relays] security update for obfs4proxy

wurstsemmel at mailbox.org wurstsemmel at mailbox.org
Sat Oct 29 21:35:39 UTC 2022 

Dear All,

I understand that the updated package 0.0.14 is available in Debian 11 
"bullseye" backports. Thank you!

Unfortunately I am running Ubuntu 22.04 LTS "jammy" on my two VPS and 
the most recent version available is 0.0.13. My previous attempt to get 
0.0.13 backported into Ubuntu 20.04 LTS "focal" was not successful [1], 
therefore I see little room to get 0.0.14 into jammy or jammy backports.

On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that 
a bug is filed [2] "obfs4-0.0.14 is available" and worked on.

At the moment I have no possibility to update obfs4proxy, unless I 
switch to Debian 11. One of my two hosters is only offering Debian 10 
"buster", so even this would not help.

I have read the discussion on [3] and would be very happy to see 
obfs4proxy for Ubuntu and Fedora (if the folks at Fedora agree or maybe 
can help?) in the Tor Project repository.

In the meantime, until an update is available, please let me know 
whether I should shut down my two bridges.

Kind regards,

wurstsemmel

[1] https://bugs.launchpad.net/ubuntu/+source/obfs4proxy/+bug/1967003
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2036298
[3] 
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40008


Am 17. Oktober 2022 11:35:47 MESZ schrieb meskio <meskio at torproject.org>:

    Quoting Toralf Förster (2022-10-14 20:17:58)

        On 10/14/22 19:09, meskio wrote:

            The upstream changelog is here:
            https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog But
            I understand is not easy to understand what the problem is
            from that changelog. 

        Indeed. BTW the fix was made 5 weeks ago, so I do assume, the
        (eg. Debian) package needed time to stabilize, or ? 


    Yes, it takes time to get updates into debian, we've being working on it since
    it was relased:
    https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40008

    -- meskio | https://meskio.net/
    ------------------------------------------------------------------------
    My contact info: https://meskio.net/crypto.txt
    ------------------------------------------------------------------------
    Nos vamos a Croatan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20221029/b77fd855/attachment-0001.htm>

More information about the tor-relays mailing list