Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
On Wed, 26 Oct 2016, Zack Weinberg wrote:

> On Wed, Oct 26, 2016 at 5:54 AM, Peter Palfrader wrote:
> > On Wed, 26 Oct 2016, Alan wrote:
> >> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
> >> down the source and compile it.
> >
> > Depends on the repo. If you provided a little more information we'd be
> > able to say more.
>
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository.

Or one could stay with stable, which has also fixed this bug.

--
Peter Palfrader
https://www.palfrader.org/
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
On Wed, 26 Oct 2016, at 02:04 PM, Zack Weinberg wrote:
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository. I went with
> backports because that let me also pick up a much newer openssl.
>
> zw

Zack,

Interesting, I too recently upgraded to the backports version of tor but didn't think to do openssl too. The current versions as far as I can tell are:

jessie, 1.0.1t-1+deb8u5 (https://packages.debian.org/jessie/openssl)
jessie-backports, 1.0.2j-1~bpo8+1 (https://packages.debian.org/jessie-backports/openssl)

Is there such a big difference between these?

Louie
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Thanks for the advice, I added torproject.org repo and it upgraded to 0.2.8.9

Alan

> On Wed, Oct 26, 2016 at 5:54 AM, Peter Palfrader wrote:
>> On Wed, 26 Oct 2016, Alan wrote:
>>> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
>>> down the source and compile it.
>>
>> Depends on the repo. If you provided a little more information we'd be
>> able to say more.
>
> If you're using Debian jessie, you can get an 0.2.8.9 package from
> either backports or the torproject.org repository. I went with
> backports because that let me also pick up a much newer openssl.
>
> zw
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
On Wed, Oct 26, 2016 at 5:54 AM, Peter Palfrader wrote:
> On Wed, 26 Oct 2016, Alan wrote:
>> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
>> down the source and compile it.
>
> Depends on the repo. If you provided a little more information we'd be
> able to say more.

If you're using Debian jessie, you can get an 0.2.8.9 package from either backports or the torproject.org repository. I went with backports because that let me also pick up a much newer openssl.

zw
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
On Wed, 26 Oct 2016, Alan wrote:

> 0.2.5.12 is the latest version from the repo. I'm assuming I should pull
> down the source and compile it.

Depends on the repo. If you provided a little more information we'd be able to say more.

--
Peter Palfrader
https://www.palfrader.org/
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
0.2.5.12 is the latest version from the repo. I'm assuming I should pull down the source and compile it.

>> Thanks for the update, my main relay was vulnerable but I've patched it now to 0.2.8.9.
>>
>> My Raspberry Pi is running 0.2.5.12 -- is that ok?
>
> If your version is from before 2016-10-17, your relay is vulnerable.
>
> To be sure you should be running 0.2.8.9.
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
> Thanks for the update, my main relay was vulnerable but I've patched it
> now to 0.2.8.9.
>
> My Raspberry Pi is running 0.2.5.12 -- is that ok?

If your version is from before 2016-10-17, your relay is vulnerable.

To be sure you should be running 0.2.8.9.
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
nusenu:
> CentOS/RHEL/Fedora
> ==================
>
> yum install --enablerepo=epel-testing tor

correction:

CentOS/RHEL

yum upgrade --enablerepo=epel-testing tor

fedora:

dnf upgrade --enablerepo=updates-testing tor
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Markus,

I'm too damn old to type that accurately, my hands shake from old mechanical keyboards and my eyes are irradiated from old Wyse 50 terminals...

> On Oct 26, 2016, at 02:31, Markus Koch wrote:
>
> I did it like a real man, just me hands and putty without any bash scripts
> and these modern devil tools!
>
> markus
>
> Sent from my iPad
>
>> On 26 Oct 2016, at 09:18, John Ricketts wrote:
>>
>> I feel you Markus, I did 24. I wrote a bash script to
>> update/upgrade/reboot.
>>
>>> On Oct 26, 2016, at 02:17, Markus Koch wrote:
>>>
>>> 32 relays updated (Debian + Tor compiled to latest version)
>>>
>>> I am getting too old for this without a server management system
>>>
>>> Markus
>>>
>>> 2016-10-25 23:48 GMT+02:00 nusenu :
>>>> just a reminder since most of the tor network (including some of the
>>>> biggest operators) still runs vulnerable relays
>>>>
>>>> https://blog.torproject.org/blog/tor-0289-released-important-fixes
>>>>
>>>> Since 2/3 directory authorities removed most vulnerable versions from
>>>> their 'recommended versions' you should see a log entry if you run
>>>> outdated versions (except if you run 0.2.5.12).
>>>>
>>>> It is not possible to reliably determine the exact CW fraction
>>>> affected[1] due to the fact that patches were released that didn't
>>>> increase tor's version number.
>>>> Therefore it is also possible that you get log entries even if you run a
>>>> patched version (IMHO this hasn't been handled in the most professional
>>>> way).
>>>>
>>>> Update instructions
>>>>
>>>> Debian/Ubuntu
>>>> =============
>>>>
>>>> make sure you use the Torproject repository:
>>>> https://www.torproject.org/docs/debian.html.en
>>>>
>>>> (you can also use the debian repository but the Torproject's repo will
>>>> provide you with the latest releases)
>>>>
>>>> aptitude update && aptitude install tor
>>>>
>>>> CentOS/RHEL/Fedora
>>>> ==================
>>>>
>>>> yum install --enablerepo=epel-testing tor
>>>>
>>>> FreeBSD
>>>> =======
>>>>
>>>> pkg update
>>>> pkg upgrade
>>>>
>>>> OpenBSD
>>>> =======
>>>>
>>>> pkg_add -u tor
>>>>
>>>> Windows
>>>> =======
>>>>
>>>> No updated binaries available for this platform yet.
>>>>
>>>> [1] as of 2016-10-25 18:00 (onionoo data)
>>>>
>>>> conservative estimate
>>>> ---------------------
>>>> (counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
>>>> 31% CW fraction patched
>>>>
>>>> optimistic estimate
>>>> -------------------
>>>> (additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12,
>>>> 0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
>>>> 43% CW fraction patched
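Added example (not part of the thread, and not the script nusenu used): one way to compute the two estimates from footnote [1] of the quoted announcement over onionoo-style relay records. It relies on the onionoo details fields `platform`, `last_restarted` and `consensus_weight_fraction`; the sample relays are constructed, and reading "restarted since 2016-10-17" as 00:00 UTC on that day is an assumption.

```python
from datetime import datetime

# Versions footnote [1] counts as patched outright.
PATCHED = {"0.2.8.9", "0.2.9.4-alpha"}
# Older series that received the fix without a version bump (optimistic case).
AMBIGUOUS = {"0.2.4.27", "0.2.5.12", "0.2.6.10", "0.2.7.6"}
# Assumption: "restarted since 2016-10-17" means at or after 00:00 UTC that day.
FIX_DATE = datetime(2016, 10, 17)


def classify(relay):
    """Return 'patched', 'maybe' or 'unpatched' for one onionoo-style record."""
    # The onionoo 'platform' field looks like "Tor 0.2.8.9 on Linux".
    parts = relay.get("platform", "").split(" ", 3)
    if len(parts) < 4 or parts[0] != "Tor" or parts[2] != "on":
        return "unpatched"  # unparseable platform: never count it as patched
    version, os_name = parts[1], parts[3]
    if version in PATCHED:
        return "patched"
    restarted = relay.get("last_restarted")
    if version in AMBIGUOUS and "Windows" not in os_name and restarted:
        when = datetime.strptime(restarted, "%Y-%m-%d %H:%M:%S")
        if when >= FIX_DATE:
            # Same version string before and after the fix: a restart after
            # the fix date is only a hint that the patched package is running.
            return "maybe"
    return "unpatched"


def estimate_patched(relays):
    """Return (conservative, optimistic) patched consensus-weight fractions."""
    totals = {"patched": 0.0, "maybe": 0.0, "unpatched": 0.0}
    for relay in relays:
        totals[classify(relay)] += relay.get("consensus_weight_fraction", 0.0)
    return totals["patched"], totals["patched"] + totals["maybe"]


# Constructed sample records (not real relays); fractions sum to 1.0.
SAMPLE_RELAYS = [
    {"platform": "Tor 0.2.8.9 on Linux",
     "last_restarted": "2016-10-20 08:00:00", "consensus_weight_fraction": 0.25},
    {"platform": "Tor 0.2.9.4-alpha on FreeBSD",
     "last_restarted": "2016-10-19 12:30:00", "consensus_weight_fraction": 0.0625},
    {"platform": "Tor 0.2.5.12 on Linux",
     "last_restarted": "2016-10-18 03:15:00", "consensus_weight_fraction": 0.125},
    {"platform": "Tor 0.2.5.12 on Linux",
     "last_restarted": "2016-09-01 00:00:00", "consensus_weight_fraction": 0.25},
    {"platform": "Tor 0.2.7.6 on Windows 7",
     "last_restarted": "2016-10-21 10:00:00", "consensus_weight_fraction": 0.125},
    {"platform": "Tor 0.2.8.7 on Linux",
     "last_restarted": "2016-10-22 09:00:00", "consensus_weight_fraction": 0.1875},
]

if __name__ == "__main__":
    low, high = estimate_patched(SAMPLE_RELAYS)
    print(f"conservative: {low:.1%} patched, optimistic: {high:.1%} patched")
```

The optimistic figure is an upper bound: as the last message in this thread notes, OpenBSD 6.0 -stable shipped tor-0.2.7.6p1 (vulnerable) while only MTier's 0.2.7.6p2 package carried the fix, so a restart after 2016-10-17 does not prove a relay is patched.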
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Haha ok! Nice hard work so ;)

Good luck for next update ! (hope it will be ok for a long time!)

On 26/10/2016 at 09:30, Markus Koch wrote:
> I did it like a real man, just me hands and putty without any bash scripts
> and these modern devil tools!
>
> markus
>
> Sent from my iPad
>
>> On 26 Oct 2016, at 09:18, John Ricketts wrote:
>>
>> I feel you Markus, I did 24. I wrote a bash script to
>> update/upgrade/reboot.
>>
>>> On Oct 26, 2016, at 02:17, Markus Koch wrote:
>>>
>>> 32 relays updated (Debian + Tor compiled to latest version)
>>>
>>> I am getting too old for this without a server management system
>>>
>>> Markus

--
Petrusko
EBE23AE5
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
I did it like a real man, just me hands and putty without any bash scripts and these modern devil tools!

markus

Sent from my iPad

> On 26 Oct 2016, at 09:18, John Ricketts wrote:
>
> I feel you Markus, I did 24. I wrote a bash script to update/upgrade/reboot.
>
>> On Oct 26, 2016, at 02:17, Markus Koch wrote:
>>
>> 32 relays updated (Debian + Tor compiled to latest version)
>>
>> I am getting too old for this without a server management system
>>
>> Markus
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
I feel you Markus, I did 24. I wrote a bash script to update/upgrade/reboot.

> On Oct 26, 2016, at 02:17, Markus Koch wrote:
>
> 32 relays updated (Debian + Tor compiled to latest version)
>
> I am getting too old for this without a server management system
>
> Markus
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Handmade scripts to update everybody ? (a little curious ;)

Markus Koch :
> I am getting too old for this without a server management system

--
Petrusko
EBE23AE5
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
32 relays updated (Debian + Tor compiled to latest version)

I am getting too old for this without a server management system

Markus
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
Thanks for the update, my main relay was vulnerable but I've patched it now to 0.2.8.9.

My Raspberry Pi is running 0.2.5.12 -- is that ok?
Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
On Tue, Oct 25, 2016 at 09:48:00PM +, nusenu wrote:
> It is not possible to reliably determine the exact CW fraction
> affected[1] due to the fact that patches were released that didn't
> increase tor's version number.

In the case of OpenBSD, MTier published a binary package (patch) only yesterday. I had reported them to update on 2016-10-19 to use a patch from openbsd-ports@ mailing list (net/tor port maintainer).

Consequently, OpenBSD 6.0's -stable has tor-0.2.7.6p1 (vulnerable) and MTier's binary packages have tor-0.2.7.6p2 (not vulnerable). -snapshots has tor-0.2.8.9.