Re: [tor-relays] CVE-2015-7547 Tor network stats
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 23.02.2016 22:12, Tom van der Woerdt wrote: > Op 23/02/16 om 22:10 schreef Toralf Förster: >> Louie Cardone-Noott: >>> Those like me running debian and putting off doing a reboot >>> might find needrestart (package of same name) and checkrestart >>> (package debian-goodies) useful. >> >> Under Gentoo "lib_users -s" is a useful command IMO to see if a >> in-use lib was changed. > > On most linuxes you can do this with "lsof | grep DEL | grep lib" Here is a version with better filtering and output: lsof -n +c 0 | grep 'DEL.*lib' | awk '1 { print $1 ": " $NF }' | sort -u -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBAgAGBQJWzNLfAAoJEJe61A/xrcOQA5AQAI+cXfFAqLcEYdeupGcqjLtf 8Mjyyxq10jtB/zpqbxWqdIxyiDJmF3tzKJmzmrKzNmLsz8hfQbFxYLsZjlhdOHX4 N4fMxCX1FNrxKC4TuGFu3PMeFZlmieIGYF8MVg/yZJ0rx4LlA86t2cDXOzi2Qn57 5DGSoyQ8Ll3XBzDhBYJvPmz7kCc0oyjVO+S0m6+uJc9UMeJtuIrMJGEqQzk//pFC ltV24qPF1NhtHbHIsNbmjAnTj+KZ5lDnwWHfc6YNGeiPYH+3DtgT8H/rd9I0Vdv/ QkBaq90okwu0UC1K1PeREol60StSkDbCPzVpqWzVgbB0sq2GoVlccgSog2hwuzUJ mriWh4JxF41NCF0sKNAUVEBHb1VsQQQPn7RVjfHBurDYsDcmPK1LXMDI/AeuWEU0 EX10Fwl7YRzk3UfRICZwT2yVXm3ep9kweKXdMWs4Ql5dM/Y3LQl0/fTm4IzCrO5C wp5qDQqD5OHRsroG5KTKTS5u0Vw2mkESmVfx40NxWhxPZCsYE35IVsarSfSvDFxt 88mKimYqJUYShBAjKfVtB+yWKzHXOMm5TaQdxYbLHVxYo/b9ndlM/IiyFP4U/HuJ YmnjMywZE44bJr+SYfgcUn3SWNFY4VrO9qf2Uoh8VtKbHsGOj+SLdG1nLnQOfELU eaCkGMX0sBif5lhe/Tr+ =v/3o -END PGP SIGNATURE- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
Op 23/02/16 om 22:10 schreef Toralf Förster: > Louie Cardone-Noott: >> Those like me running debian and putting off doing a reboot might find >> needrestart (package of same name) and checkrestart (package >> debian-goodies) useful. > > Under Gentoo "lib_users -s" is a useful command IMO to see if a in-use lib > was changed. On most linuxes you can do this with "lsof | grep DEL | grep lib" Tom ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Louie Cardone-Noott: > Those like me running debian and putting off doing a reboot might find > needrestart (package of same name) and checkrestart (package > debian-goodies) useful. Under Gentoo "lib_users -s" is a useful command IMO to see if a in-use lib was changed. - -- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7 -BEGIN PGP SIGNATURE- iF4EAREKAAYFAlbMyt4ACgkQxOrN3gB26U699gD/U9s7pjWorGXEEZ9yvjM50IIg o/EpBZ34y6hGxnWtpNkA/jnroRaIsIqTsrVxrMpV1OkGVHYvuib2uW/XQUGLmLqy =lLbN -END PGP SIGNATURE- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
Louie Cardone-Noott: > Based on the exploit, aren't, at most, only the exits vulnerable? I > didn't think middles would do any DNS resolving. I didn't mean to imply that tor does the relevant DNS lookup but most servers will do DNS lookups at some point (even if not caused by tor). signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
> you say that 64% of the guard relays and 51% of the exit relaysare are > unpatched ? These numbers are not based on relaycount but on guard/exit probability (so it takes a relay's contributed bandwidth/consensus weight into account). If you are more interested in relay counts: 3754 out of 7268 relays are probably vulnerable (51%). >> ++--+-+ >> | cwfraction | guardprobability | exitprobability | >> ++--+-+ >> | 0.586 |0.639 | 0.518 | >> ++--+-+ 2016-02-23: ++--+-+ | cwfraction | guardprobability | exitprobability | ++--+-+ | 0.560 |0.621 | 0.466 | ++--+-+ signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
Based on the exploit, aren't, at most, only the exits vulnerable? I didn't think middles would do any DNS resolving. Those like me running debian and putting off doing a reboot might find needrestart (package of same name) and checkrestart (package debian-goodies) useful. On Tue, 23 Feb 2016, at 07:16 AM, Dmitrii Tcvetkov wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Mon, 22 Feb 2016 21:16:42 -0800 > Saint Aardvark the Carpeted> wrote: > > Most libraries aren't so central to everything that runs in Linux, and > > restarting the programs that use the library in question is a > > perfectly fine way to ensure you get the new library loaded. But libc > > is so very central to absolutely *everything* (or nearly so) in Linux > > that the best way to ensure everything gets the new, patched versions > > is simply to reboot. > > > It is true, but still reboot should not be so essential for glibc > upgrade. You can just restart (not reload, SIGHUP will not help) services > on your server and they will load new glibc. This will allow > yout to delay server reboot until next kernel upgrade. > > IOW server reboot is easier but is not necessary. > -BEGIN PGP SIGNATURE- > Version: GnuPG v2 > > iQEcBAEBCAAGBQJWzAdnAAoJEG7QE8vSCezkgTkIAL/B0wBlY/TEvinnIPjj3SLO > loZLceYMnxEscnPTmEGCFY/9w2T+0XCW/sFSOrGd9ji9V5Fubuo06wzqUStsuLwq > HaMuaCLFo4cSI1nHyx99Uu5WG0/Oy2HAVHOsoSSyKT+2XkCKxii4KKtSCXxIUbHk > gUujxXTNhknh8hIXS66mgVIYB26r1rLDcHTO7/LGPcooJjrnP+RbDobEk5e/yqEI > NMQjVDienm/+xWmIBfQBJp98Fi0+I79u4duSs06lRD95mKyxB8oUqw9eD6VOHHwB > 0MQQbRO67mqFrCTi1T1WhSjjj4xsvLfjQSf31PfZm/PCEL6aJ3LFoTP6VkPjMjY= > =6tI4 > -END PGP SIGNATURE- > ___ > tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, 22 Feb 2016 21:16:42 -0800 Saint Aardvark the Carpetedwrote: > Most libraries aren't so central to everything that runs in Linux, and > restarting the programs that use the library in question is a > perfectly fine way to ensure you get the new library loaded. But libc > is so very central to absolutely *everything* (or nearly so) in Linux > that the best way to ensure everything gets the new, patched versions > is simply to reboot. > It is true, but still reboot should not be so essential for glibc upgrade. You can just restart (not reload, SIGHUP will not help) services on your server and they will load new glibc. This will allow yout to delay server reboot until next kernel upgrade. IOW server reboot is easier but is not necessary. -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWzAdnAAoJEG7QE8vSCezkgTkIAL/B0wBlY/TEvinnIPjj3SLO loZLceYMnxEscnPTmEGCFY/9w2T+0XCW/sFSOrGd9ji9V5Fubuo06wzqUStsuLwq HaMuaCLFo4cSI1nHyx99Uu5WG0/Oy2HAVHOsoSSyKT+2XkCKxii4KKtSCXxIUbHk gUujxXTNhknh8hIXS66mgVIYB26r1rLDcHTO7/LGPcooJjrnP+RbDobEk5e/yqEI NMQjVDienm/+xWmIBfQBJp98Fi0+I79u4duSs06lRD95mKyxB8oUqw9eD6VOHHwB 0MQQbRO67mqFrCTi1T1WhSjjj4xsvLfjQSf31PfZm/PCEL6aJ3LFoTP6VkPjMjY= =6tI4 -END PGP SIGNATURE- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
Hi, you say that 64% of the guard relays and 51% of the exit relaysare are unpatched ? That's horrible! ~Josef Am 22.02.2016 um 23:44 schrieb nusenu: > Hi, > > if we assume for simplicity that every relay running Linux that has not > rebooted since 2016-02-16 is vulnerable to CVE-2015-7547, than these are > the current stats (optimistic, because we assume that everyone that > rebooted did also update). > > Vulnerable relays: > > ++--+-+ > | cwfraction | guardprobability | exitprobability | > ++--+-+ > | 0.586 |0.639 | 0.518 | > ++--+-+ > (1=100%) > > Apply patches and reboot. > > Debian > https://www.debian.org/security/2016/dsa-3481 > > RHEL/CentOS > https://rhn.redhat.com/errata/RHSA-2016-0176.html > > Ubuntu > http://www.ubuntu.com/usn/usn-2900-1/ > > > > ___ > tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
SuperSluether disturbed my sleep to write: > Hi, > > My Raspberry Pi and Ubuntu Server already have the updated version of libc6. > Is a reboot still required? I thought only kernel updates required a reboot. When you update a shared library, any running program that uses that library still has the *old* copy in memory until that program is restarted. Say you've got a program named "foo" running on your server that uses a library named "libbar", and you upgrade libbar without restarting foo. The running instance of foo still has the *old* version of libbar in its memory, and will not get the new one until it's restarted. Most libraries aren't so central to everything that runs in Linux, and restarting the programs that use the library in question is a perfectly fine way to ensure you get the new library loaded. But libc is so very central to absolutely *everything* (or nearly so) in Linux that the best way to ensure everything gets the new, patched versions is simply to reboot. -- Saint Aardvark the Carpeted http://saintaardvarkthecarpeted.com Because the plural of Anecdote is Myth. signature.asc Description: Digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] CVE-2015-7547 Tor network stats
Hi, My Raspberry Pi and Ubuntu Server already have the updated version of libc6. Is a reboot still required? I thought only kernel updates required a reboot. On 02/22/2016 04:44 PM, nusenu wrote: Hi, if we assume for simplicity that every relay running Linux that has not rebooted since 2016-02-16 is vulnerable to CVE-2015-7547, than these are the current stats (optimistic, because we assume that everyone that rebooted did also update). Vulnerable relays: ++--+-+ | cwfraction | guardprobability | exitprobability | ++--+-+ | 0.586 |0.639 | 0.518 | ++--+-+ (1=100%) Apply patches and reboot. Debian https://www.debian.org/security/2016/dsa-3481 RHEL/CentOS https://rhn.redhat.com/errata/RHSA-2016-0176.html Ubuntu http://www.ubuntu.com/usn/usn-2900-1/ ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] CVE-2015-7547 Tor network stats
Hi, if we assume for simplicity that every relay running Linux that has not rebooted since 2016-02-16 is vulnerable to CVE-2015-7547, than these are the current stats (optimistic, because we assume that everyone that rebooted did also update). Vulnerable relays: ++--+-+ | cwfraction | guardprobability | exitprobability | ++--+-+ | 0.586 |0.639 | 0.518 | ++--+-+ (1=100%) Apply patches and reboot. Debian https://www.debian.org/security/2016/dsa-3481 RHEL/CentOS https://rhn.redhat.com/errata/RHSA-2016-0176.html Ubuntu http://www.ubuntu.com/usn/usn-2900-1/ signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays