Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-27 Thread Peter Palfrader
On Wed, 26 Oct 2016, Zack Weinberg wrote:

> On Wed, Oct 26, 2016 at 5:54 AM, Peter Palfrader wrote:
> > On Wed, 26 Oct 2016, Alan wrote:
> >> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
> >> down the source and compile it.
> >
> > Depends on the repo.  If you provided a little more information we'd be
> > able to say more.
> 
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository.

Or one could stay with stable, which has also fixed this bug.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Louie Cardone-Noott
On Wed, 26 Oct 2016, at 02:04 PM, Zack Weinberg wrote:
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository.  I went with
> backports because that let me also pick up a much newer openssl.
> 
> zw

Zack,

Interesting, I too recently upgraded to the backports version of tor but
didn't think to do openssl too. The current versions as far as I can
tell are:

jessie, 1.0.1t-1+deb8u5 (https://packages.debian.org/jessie/openssl)
jessie-backports, 1.0.2j-1~bpo8+1
(https://packages.debian.org/jessie-backports/openssl)

Is there such a big difference between these?

Louie


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Alan
Thanks for the advice, I added torproject.org repo and it upgraded to 0.2.8.9

Alan

> On Wed, Oct 26, 2016 at 5:54 AM, Peter Palfrader wrote:
>> On Wed, 26 Oct 2016, Alan wrote:
>>> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
>>> down the source and compile it.
>>
>> Depends on the repo.  If you provided a little more information we'd be
>> able to say more.
>
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository.  I went with
> backports because that let me also pick up a much newer openssl.
>
> zw


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Peter Palfrader
On Wed, 26 Oct 2016, Alan wrote:

> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
> down the source and compile it.

Depends on the repo.  If you provided a little more information we'd be
able to say more.
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Alan
0.2.5.12 is the latest version from the repo. I'm assuming I should pull
down the source and compile it.

>> Thanks for the update, my main relay was vulnerable but I've patched it
>> now to 0.2.8.9.
>>
>> My Raspberry Pi is running 0.2.5.12 -- is that ok?
>
> If your version is from before 2016-10-17, your relay is vulnerable.
>
> To be sure you should be running 0.2.8.9.
>


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread nusenu
> Thanks for the update, my main relay was vulnerable but I've patched it
> now to 0.2.8.9.
> 
> My Raspberry Pi is running 0.2.5.12 -- is that ok?

If your version is from before 2016-10-17, your relay is vulnerable.

To be sure you should be running 0.2.8.9.







Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread nusenu


nusenu:
> CentOS/RHEL/Fedora
> ===
> 
> yum install --enablerepo=epel-testing tor

correction:

CentOS/RHEL
yum upgrade --enablerepo=epel-testing tor

fedora:
dnf upgrade --enablerepo=updates-testing tor





Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread John Ricketts
Markus, I'm too damn old to type that accurately. My hands shake from old 
mechanical keyboards and my eyes are irradiated from old Wyse 50 terminals...

> On Oct 26, 2016, at 02:31, Markus Koch  wrote:
> 
> I did it like a real man, just me hands and putty without any bash scripts 
> and these modern devil tools!
> 
> markus
> 
> 
> Sent from my iPad
> 
>> On 26 Oct 2016, at 09:18, John Ricketts  wrote:
>> 
>> I feel you Markus, I did 24.  I wrote a bash script to 
>> update/upgrade/reboot. 
>> 
>>> On Oct 26, 2016, at 02:17, Markus Koch  wrote:
>>> 
>>> 32 relays updated (Debian + Tor compiled to latest version)
>>> 
>>> I am getting too old for this without a server management system 
>>> 
>>> Markus
>>> 


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Petrusko
Haha ok!
Nice hard work so ;)
Good luck for next update ! (hope it will be ok for a long time!)



On 26/10/2016 at 09:30, Markus Koch wrote:
> I did it like a real man, just me hands and putty without any bash scripts 
> and these modern devil tools!
>
> markus
>
>
> Sent from my iPad
>
>> On 26 Oct 2016, at 09:18, John Ricketts  wrote:
>>
>> I feel you Markus, I did 24.  I wrote a bash script to 
>> update/upgrade/reboot. 
>>
>>> On Oct 26, 2016, at 02:17, Markus Koch  wrote:
>>>
>>> 32 relays updated (Debian + Tor compiled to latest version)
>>>
>>> I am getting too old for this without a server management system 
>>>
>>> Markus

-- 
Petrusko
EBE23AE5






Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Markus Koch
I did it like a real man, just me hands and putty without any bash scripts and 
these modern devil tools!

markus


Sent from my iPad

> On 26 Oct 2016, at 09:18, John Ricketts  wrote:
> 
> I feel you Markus, I did 24.  I wrote a bash script to update/upgrade/reboot. 
> 
>> On Oct 26, 2016, at 02:17, Markus Koch  wrote:
>> 
>> 32 relays updated (Debian + Tor compiled to latest version)
>> 
>> I am getting too old for this without a server management system 
>> 
>> Markus


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread John Ricketts
I feel you Markus, I did 24.  I wrote a bash script to update/upgrade/reboot. 

> On Oct 26, 2016, at 02:17, Markus Koch  wrote:
> 
> 32 relays updated (Debian + Tor compiled to latest version)
> 
> I am getting too old for this without a server management system 
> 
> Markus


Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Petrusko
Handmade scripts to update everybody ?
(a little curious ;)


Markus Koch :
> I am getting too old for this without a server management system 

-- 
Petrusko
EBE23AE5






Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Markus Koch
32 relays updated (Debian + Tor compiled to latest version)

I am getting too old for this without a server management system 

Markus






Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-26 Thread Alan
Thanks for the update, my main relay was vulnerable but I've patched it
now to 0.2.8.9.

My Raspberry Pi is running 0.2.5.12 -- is that ok?




Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-25 Thread Juuso Lapinlampi
On Tue, Oct 25, 2016 at 09:48:00PM +, nusenu wrote:
> It is not possible to reliably determine the exact CW fraction
> affected[1] due to the fact that patches were released that didn't
> increase tor's version number.

In the case of OpenBSD, MTier published a binary package (patch) only
yesterday. I had reported them to update on 2016-10-19 to use a patch
from openbsd-ports@ mailing list (net/tor port maintainer).

Consequently, OpenBSD 6.0's -stable has tor-0.2.7.6p1 (vulnerable) and
MTier's binary packages have tor-0.2.7.6p2 (not vulnerable). -snapshots
has tor-0.2.8.9.


[tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

2016-10-25 Thread nusenu
just a reminder since most of the tor network (including some of the
biggest operators) still runs vulnerable relays

https://blog.torproject.org/blog/tor-0289-released-important-fixes


Since 2/3 directory authorities removed most vulnerable versions from
their 'recommended versions' you should see a log entry if you run
outdated versions (except if you run 0.2.5.12).


It is not possible to reliably determine the exact CW fraction
affected[1] due to the fact that patches were released that didn't
increase tor's version number.
Therefore it is also possible that you get log entries even if you run a
patched version (IMHO this hasn't been handled in the most professional
way).


Update instructions

Debian/Ubuntu
=============

make sure you use the Torproject repository:
https://www.torproject.org/docs/debian.html.en

(you can also use the debian repository but the Torproject's repo will
provide you with the latest releases)


aptitude update && aptitude install tor


CentOS/RHEL/Fedora
==================

yum install --enablerepo=epel-testing tor


FreeBSD
=======

pkg update
pkg upgrade

OpenBSD
=======

pkg_add -u tor


Windows
=======

No updated binaries available for this platform yet.



[1] as of 2016-10-25 18:00 (onionoo data)
conservative estimate
---------------------
(counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
31% CW fraction patched

optimistic estimate
-------------------
(additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12,
0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
43% CW fraction patched
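

The two estimates in footnote [1], and the "restarted since 2016-10-17" rule given to Alan earlier in the thread, written out as an added example (not part of nusenu's post and not the script that produced its numbers). It assumes relay records shaped like Onionoo details documents, using their `platform`, `last_restarted` and `consensus_weight` fields; the sample relays are constructed.

```python
import re
from datetime import datetime

# Rules from footnote [1] of the post above.
FIXED_RELEASES = {"0.2.8.9", "0.2.9.4-alpha"}
# Versions the optimistic estimate treats as possibly patched, because
# fixes were shipped without increasing tor's version number.
SAME_NUMBER_FIX = {"0.2.4.27", "0.2.5.12", "0.2.6.10", "0.2.7.6"}
FIX_DATE = datetime(2016, 10, 17)

PLATFORM_RE = re.compile(r"^Tor (\S+) on (.+)$")


def classify(relay):
    """Return 'patched', 'maybe' or 'vulnerable' for one relay record."""
    match = PLATFORM_RE.match(relay.get("platform") or "")
    if not match:
        return "vulnerable"  # unparseable platform string: assume the worst
    version, os_name = match.groups()
    if version in FIXED_RELEASES:
        return "patched"
    if version in SAME_NUMBER_FIX and not os_name.startswith("Windows"):
        restarted = relay.get("last_restarted")
        if restarted and datetime.strptime(restarted, "%Y-%m-%d %H:%M:%S") >= FIX_DATE:
            return "maybe"  # restarted after the fix date; actual build unknown
    return "vulnerable"


def patched_fractions(relays):
    """Return (conservative, optimistic) patched consensus-weight fractions."""
    weights = {"patched": 0, "maybe": 0, "vulnerable": 0}
    for relay in relays:
        weights[classify(relay)] += relay.get("consensus_weight", 0)
    total = sum(weights.values())
    if total == 0:
        return 0.0, 0.0
    conservative = weights["patched"] / total
    optimistic = (weights["patched"] + weights["maybe"]) / total
    return conservative, optimistic


# Constructed sample records (not real relays).
SAMPLE_RELAYS = [
    {"platform": "Tor 0.2.8.9 on Linux",
     "last_restarted": "2016-10-19 10:00:00", "consensus_weight": 3000},
    {"platform": "Tor 0.2.9.4-alpha on FreeBSD",
     "last_restarted": "2016-10-20 09:30:00", "consensus_weight": 1000},
    {"platform": "Tor 0.2.5.12 on Linux",      # restarted after the fix date
     "last_restarted": "2016-10-21 08:00:00", "consensus_weight": 1500},
    {"platform": "Tor 0.2.5.12 on Linux",      # same version, never restarted
     "last_restarted": "2016-09-01 00:00:00", "consensus_weight": 2000},
    {"platform": "Tor 0.2.7.6 on Windows 7",   # no updated Windows binaries
     "last_restarted": "2016-10-22 12:00:00", "consensus_weight": 500},
    {"platform": "Tor 0.2.8.7 on Linux",       # restart alone does not patch
     "last_restarted": "2016-10-23 12:00:00", "consensus_weight": 2000},
]

if __name__ == "__main__":
    cons, opt = patched_fractions(SAMPLE_RELAYS)
    print(f"conservative: {cons:.0%} CW fraction patched")
    print(f"optimistic:   {opt:.0%} CW fraction patched")
```

The gap between the two numbers is exactly the weight of the 'maybe' relays, whose patch status cannot be read from the version string.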


