Re: [tor-relays] security update for obfs4proxy
We have made public the details of the distinguishability bugs that were
affecting obfs4:
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/91
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40007

Most bridges are already upgraded, thank you all bridge operators for the work
here.

Quoting meskio (2022-10-14 11:28:44)
> Hello,
>
> The latest version of obfs4proxy (0.0.14) comes with an important security
> fix.
> If you are running an obfs4 Tor bridge please upgrade as soon as possible.
>
> If you use debian you can find the Debian package in stable-backports:
> https://packages.debian.org/stable-backports/obfs4proxy
>
> If you use docker you'll find the latest version in docker hub:
> https://hub.docker.com/r/thetorproject/obfs4-bridge/
>
> Or you can find the source code in the upstream repository:
> https://gitlab.com/yawning/obfs4
>
> If you need help upgrading your relay, please use this mailing list or the
> Tor Forum:
> https://forum.torproject.net/c/support/relay-operator/17
>
> We appreciate a lot your effort and time!
>
> Thank you

--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
We're going to Croatan.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] security update for obfs4proxy
Quoting tor-relays mailing list via Tor Project Forum (2022-10-29 23:35:39)
> I understand that the updated package 0.0.14 is available in Debian 11
> "bullseye" backports. Thank you!
>
> Unfortunately I am running Ubuntu 22.04 LTS "jammy" on my two VPS and the
> most recent version available is 0.0.13. My previous attempt to get 0.0.13
> backported into Ubuntu 20.04 LTS "focal" was not successful [1], therefore I
> see little room to get 0.0.14 into jammy or jammy backports.
>
> On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug
> is filed [2] "obfs4-0.0.14 is available" and worked on.
>
> At the moment I have no possibility to update obfs4proxy, unless I switch to
> Debian 11. One of my two hosters is only offering Debian 10 "buster", so even
> this would not help.
>
> I have read the discussion on [3] and would be very happy to see obfs4proxy
> for Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in
> the Tor Project repository.
>
> In the meantime, until an update is available, please let me know whether I
> should shut down my two bridges.

Yes, we are exploring if we can provide obfs4proxy in our own repo to solve
this problem. In the meantime I have built a backport of the package for jammy:
https://people.torproject.org/~meskio/jammy/obfs4proxy_0.0.14-1_amd64.deb

If you feel comfortable trusting my package please use it in your system.

Thank you.

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
Quoting Anonforpeace via tor-relays (2022-11-03 15:49:34)
> Is this update not available by running apt-get update && apt

It is available if you have the debian backports repo configured, but is not in
debian stable, neither in ubuntu stable. You can grab the package manually
from:
https://packages.debian.org/stable-backports/obfs4proxy

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
Hello:

Is this update not available by running apt-get update && apt

Sent from Proton Mail mobile

Original Message
On Nov 3, 2022, 10:34 AM, meskio wrote:
> A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to
> 0.0.14 and restart the tor daemon. It is important to keep the users of your
> bridge safe.
>
> Thank you.
>
> Quoting meskio (2022-10-14 11:28:44)
> > The latest version of obfs4proxy (0.0.14) comes with an important security
> > fix.
> > If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> >
> > If you use debian you can find the Debian package in stable-backports:
> > https://packages.debian.org/stable-backports/obfs4proxy
> >
> > If you use docker you'll find the latest version in docker hub:
> > https://hub.docker.com/r/thetorproject/obfs4-bridge/
> >
> > Or you can find the source code in the upstream repository:
> > https://gitlab.com/yawning/obfs4
> >
> > If you need help upgrading your relay, please use this mailing list or the
> > Tor Forum:
> > https://forum.torproject.net/c/support/relay-operator/17
> >
> > We appreciate a lot your effort and time!
>
> --
> meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
Dear All,

I understand that the updated package 0.0.14 is available in Debian 11
"bullseye" backports. Thank you!

Unfortunately I am running Ubuntu 22.04 LTS "jammy" on my two VPS and the most
recent version available is 0.0.13. My previous attempt to get 0.0.13
backported into Ubuntu 20.04 LTS "focal" was not successful [1], therefore I
see little room to get 0.0.14 into jammy or jammy backports.

On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug
is filed [2] "obfs4-0.0.14 is available" and worked on.

At the moment I have no possibility to update obfs4proxy, unless I switch to
Debian 11. One of my two hosters is only offering Debian 10 "buster", so even
this would not help.

I have read the discussion on [3] and would be very happy to see obfs4proxy for
Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in the Tor
Project repository.

In the meantime, until an update is available, please let me know whether I
should shut down my two bridges.

Kind regards,
wurstsemmel

[1] https://bugs.launchpad.net/ubuntu/+source/obfs4proxy/+bug/1967003
[2] https://bugzilla.redhat.com/show_bug.cgi?id=2036298
[3] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40008

On 17 October 2022 11:35:47 CEST, meskio wrote:
> Quoting Toralf Förster (2022-10-14 20:17:58)
> > On 10/14/22 19:09, meskio wrote:
> > > The upstream changelog is here:
> > > https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog
> > > But I understand is not easy to understand what the problem is from that
> > > changelog.
> >
> > Indeed.
> >
> > BTW the fix was made 5 weeks ago, so I do assume, the (eg. Debian)
> > package needed time to stabilize, or ?
>
> Yes, it takes time to get updates into debian, we've been working on it since
> it was released:
> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40008
>
> --
> meskio | https://meskio.net/
> My contact info: https://meskio.net/crypto.txt
> We're going to Croatan.
Re: [tor-relays] security update for obfs4proxy
A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to 0.0.14
and restart the tor daemon. It is important to keep the users of your bridge
safe.

Thank you.

Quoting meskio (2022-10-14 11:28:44)
> The latest version of obfs4proxy (0.0.14) comes with an important security
> fix.
> If you are running an obfs4 Tor bridge please upgrade as soon as possible.
>
> If you use debian you can find the Debian package in stable-backports:
> https://packages.debian.org/stable-backports/obfs4proxy
>
> If you use docker you'll find the latest version in docker hub:
> https://hub.docker.com/r/thetorproject/obfs4-bridge/
>
> Or you can find the source code in the upstream repository:
> https://gitlab.com/yawning/obfs4
>
> If you need help upgrading your relay, please use this mailing list or the
> Tor Forum:
> https://forum.torproject.net/c/support/relay-operator/17
>
> We appreciate a lot your effort and time!

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
Quoting Toralf Förster (2022-10-17 12:56:04)
> On 10/17/22 11:41, meskio wrote:
> > Will be nice to add those fixes to the package. Maybe you can open two
> > issues on the debian bugtracker for them.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021911.

Thank you :)

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
On 10/17/22 11:41, meskio wrote:
> Will be nice to add those fixes to the package. Maybe you can open two
> issues on the debian bugtracker for them.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021911.

--
Toralf
Re: [tor-relays] security update for obfs4proxy
Quoting Toralf Förster (2022-10-16 11:23:18)
> On 10/16/22 09:50, Toralf Förster wrote:
> >
> > After configuring the installation of the unattended_upgrade package to
> > consider all packages [1] the new obfs4proxy was installed - but Tor was
> > not restarted nor obfs4proxy reloaded.
> >
> > Isn't this a task for the software package ?
>
> And IMO the Debian package should re-apply any setcap settings made to
> the exe before, eg.:
>
>     setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
>
> or?

Will be nice to add those fixes to the package. Maybe you can open two issues
on the debian bugtracker for them.
https://www.debian.org/Bugs/

Or feel free to directly send patches to the package:
https://salsa.debian.org/pkg-privacy-team/obfs4proxy

Thanks for noticing.

--
meskio | https://meskio.net/
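Added example, not part of any message in this thread and not code from the obfs4proxy package: a shell check for the three post-upgrade conditions raised above (installed version older than 0.0.14, tor not restarted after the binary was replaced, setcap setting no longer present). It assumes `obfs4proxy -version` prints `obfs4proxy-<version>` and that a replaced binary appears with a " (deleted)" suffix in /proc/PID/exe; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade checks for an obfs4 bridge.
FIXED_VERSION="0.0.14"   # fixed release named in the announcement

# Reduce "obfs4proxy-0.0.14" or a Debian version like "0.0.14-1~bpo11+1" to "0.0.14".
parse_version() {
    v=${1#obfs4proxy-}   # strip the program-name prefix
    v=${v%%[-~+]*}       # strip the Debian revision / backport suffix
    printf '%s\n' "$v"
}

# version_ge A B: succeed if dotted numeric version A >= B (numeric, not lexical).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# A replaced binary leaves the old process with an exe link ending in " (deleted)".
is_stale_exe() {
    case $1 in *" (deleted)") return 0 ;; *) return 1 ;; esac
}

# True if getcap output lists cap_net_bind_service for the file.
has_bind_cap() {
    case $1 in *cap_net_bind_service*) return 0 ;; *) return 1 ;; esac
}

# audit VERSION_OUTPUT EXE_LINK GETCAP_OUTPUT WANT_CAP(yes|no)
# Prints one line per problem and returns the number of problems found.
audit() {
    problems=0
    if ! version_ge "$(parse_version "$1")" "$FIXED_VERSION"; then
        echo "UPGRADE: installed $1 is older than $FIXED_VERSION"; problems=$((problems + 1))
    fi
    if is_stale_exe "$2"; then
        echo "RESTART: running process uses the old binary; restart tor"; problems=$((problems + 1))
    fi
    if [ "$4" = yes ] && ! has_bind_cap "$3"; then
        echo "SETCAP: cap_net_bind_service missing; re-apply setcap"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: package upgraded, tor not restarted, file capability gone.
audit "obfs4proxy-0.0.14" "/usr/bin/obfs4proxy (deleted)" "" yes || true
# Live use (as root): audit "$(obfs4proxy -version)" \
#   "$(readlink "/proc/$(pgrep -o -x obfs4proxy)/exe")" "$(getcap /usr/bin/obfs4proxy)" no
```

Pass `yes` as the last argument only on bridges that rely on the setcap setting to bind a port below 1024.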
Re: [tor-relays] security update for obfs4proxy
Quoting Toralf Förster (2022-10-14 20:17:58)
> On 10/14/22 19:09, meskio wrote:
> > The upstream changelog is here:
> > https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog
> > But I understand is not easy to understand what the problem is from that
> > changelog.
>
> Indeed.
>
> BTW the fix was made 5 weeks ago, so I do assume, the (eg. Debian)
> package needed time to stabilize, or ?

Yes, it takes time to get updates into debian, we've been working on it since
it was released:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/-/issues/40008

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
On Fri, Oct 14, 2022 at 06:08:38PM +0200, Toralf Förster wrote:
> On 10/14/22 11:28, meskio wrote:
> > The latest version of obfs4proxy (0.0.14) comes with an important security
> > fix.
>
> Is there a Changelog available ?

The below issue, which is currently confidential, has details of what was
fixed. The issue is scheduled to become public by 2022-11-15.
https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/40007
Re: [tor-relays] security update for obfs4proxy
On 10/16/22 09:50, Toralf Förster wrote:
> After configuring the installation of the unattended_upgrade package to
> consider all packages [1] the new obfs4proxy was installed - but Tor was
> not restarted nor obfs4proxy reloaded.
>
> Isn't this a task for the software package ?

And IMO the Debian package should re-apply any setcap settings made to the exe
before, eg.:

    setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

or?

--
Toralf
Re: [tor-relays] security update for obfs4proxy
On 10/14/22 11:28, meskio wrote:
> If you use debian you can find the Debian package in stable-backports:
> https://packages.debian.org/stable-backports/obfs4proxy

After configuring the installation of the unattended_upgrade package to
consider all packages [1] the new obfs4proxy was installed - but Tor was not
restarted nor obfs4proxy reloaded.

Isn't this a task for the software package ?

[1] https://github.com/toralf/tor-relays/commit/37d2cc993c5b17eaa7510cb4a589b62f705c26a0

--
Toralf
Re: [tor-relays] security update for obfs4proxy
On 10/14/22 19:09, meskio wrote:
> The upstream changelog is here:
> https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog
> But I understand is not easy to understand what the problem is from that
> changelog.

Indeed.

BTW the fix was made 5 weeks ago, so I do assume, the (eg. Debian) package
needed time to stabilize, or ?

--
Toralf
Re: [tor-relays] security update for obfs4proxy
Quoting Toralf Förster (2022-10-14 18:08:38)
> On 10/14/22 11:28, meskio wrote:
> > The latest version of obfs4proxy (0.0.14) comes with an important security
> > fix.
>
> Is there a Changelog available ?

The upstream changelog is here:
https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog
But I understand is not easy to understand what the problem is from that
changelog.

I was pointed out today that "important security fix" might be confusing. To be
clear this is 'obfuscation' security fix, this means before 0.0.14 it was
possible for an observer on the network to distinguish obfs4 traffic. So is a
security problem from the obfs4 user perspective. But is not any risk for
bridge operators. An attacker can *not* exploit this issue to do any harm to
the operator.

--
meskio | https://meskio.net/
Re: [tor-relays] security update for obfs4proxy
On 10/14/22 11:28, meskio wrote:
> The latest version of obfs4proxy (0.0.14) comes with an important security
> fix.

Is there a Changelog available ?

--
Toralf
[tor-relays] security update for obfs4proxy
Hello,

The latest version of obfs4proxy (0.0.14) comes with an important security fix.
If you are running an obfs4 Tor bridge please upgrade as soon as possible.

If you use debian you can find the Debian package in stable-backports:
https://packages.debian.org/stable-backports/obfs4proxy

If you use docker you'll find the latest version in docker hub:
https://hub.docker.com/r/thetorproject/obfs4-bridge/

Or you can find the source code in the upstream repository:
https://gitlab.com/yawning/obfs4

If you need help upgrading your relay, please use this mailing list or the Tor
Forum:
https://forum.torproject.net/c/support/relay-operator/17

We appreciate a lot your effort and time!

Thank you

--
meskio | https://meskio.net/