[tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!

John Ricketts john at quintex.com
Wed Oct 26 07:37:45 UTC 2016


Markus, I'm too damn old to type that accurately. My hands shake from old mechanical keyboards and my eyes are irradiated from old Wyse 50 terminals...

> On Oct 26, 2016, at 02:31, Markus Koch <niftybunny at googlemail.com> wrote:
> 
> I did it like a real man, just me hands and putty without any bash scripts and these modern devil tools!
> 
> markus
> 
>> On 26 Oct 2016, at 09:18, John Ricketts <john at quintex.com> wrote:
>> 
>> I feel you Markus, I did 24. I wrote a bash script to update/upgrade/reboot.
>> 
>>> On Oct 26, 2016, at 02:17, Markus Koch <niftybunny at googlemail.com> wrote:
>>> 
>>> 32 relays updated (Debian + Tor compiled to latest version)
>>> 
>>> I am getting too old for this without a server management system ....
>>> 
>>> Markus
>>> 
>>> 
>>> 
>>> 
>>> 2016-10-25 23:48 GMT+02:00 nusenu <nusenu at openmailbox.org>:
>>>> just a reminder since most of the tor network (including some of the
>>>> biggest operators) still runs vulnerable relays
>>>> 
>>>> https://blog.torproject.org/blog/tor-0289-released-important-fixes
>>>> 
>>>> 
>>>> Since 2/3 directory authorities removed most vulnerable versions from
>>>> their 'recommended versions' you should see a log entry if you run
>>>> outdated versions (except if you run 0.2.5.12).
>>>> 
>>>> 
>>>> It is not possible to reliably determine the exact CW fraction
>>>> affected[1] due to the fact that patches were released that didn't
>>>> increase tor's version number.
>>>> Therefore it is also possible that you get log entries even if you run a
>>>> patched version (IMHO this hasn't been handled in the most professional
>>>> way).
>>>> 
>>>> 
>>>> Update instructions
>>>> 
>>>> Debian/Ubuntu
>>>> ==============
>>>> 
>>>> make sure you use the Torproject repository:
>>>> https://www.torproject.org/docs/debian.html.en
>>>> 
>>>> (you can also use the Debian repository but the Torproject's repo will
>>>> provide you with the latest releases)
>>>> 
>>>> 
>>>> aptitude update && aptitude install tor
>>>> 
>>>> 
>>>> CentOS/RHEL/Fedora
>>>> ===================
>>>> 
>>>> yum install --enablerepo=epel-testing tor
>>>> 
>>>> 
>>>> FreeBSD
>>>> ============
>>>> 
>>>> pkg update
>>>> pkg upgrade
>>>> 
>>>> OpenBSD
>>>> ===========
>>>> 
>>>> pkg_add -u tor
>>>> 
>>>> 
>>>> Windows
>>>> ========
>>>> 
>>>> No updated binaries available for this platform yet.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> [1] as of 2016-10-25 18:00 (onionoo data)
>>>> conservative estimate
>>>> ----------------------
>>>> (counts only 0.2.8.9 and 0.2.9.4-alpha as patched)
>>>> 31% CW fraction patched
>>>> 
>>>> optimistic estimate
>>>> -------------------
>>>> (additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12,
>>>> 0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched):
>>>> 43% CW fraction patched
>>>> 
>>>> 
>>>> _______________________________________________
>>>> tor-relays mailing list
>>>> tor-relays at lists.torproject.org
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>> 
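
Added example (not part of the original thread or of any Tor Project tooling): a sketch of how the conservative and optimistic "CW fraction patched" estimates in footnote [1] can be computed from Onionoo details records, using the Onionoo fields platform, consensus_weight_fraction and last_restarted. The sample records are constructed, and treating "since 2016-10-17" as 00:00 UTC on that day is an assumption.

```python
import re
from datetime import datetime

# Version sets and cut-off date are taken from footnote [1] of the quoted message.
BUMPED = {"0.2.8.9", "0.2.9.4-alpha"}  # fix arrived with a new version number
UNBUMPED = {"0.2.4.27", "0.2.5.12", "0.2.6.10", "0.2.7.6"}  # patched without a bump
CUTOFF = datetime(2016, 10, 17)  # assumption: 00:00 UTC on that day
PLATFORM = re.compile(r"^Tor (\S+)(?: \(.*?\))? on (.+)$")

def patched_cw_fractions(relays):
    """Return (conservative, optimistic) patched consensus-weight fractions."""
    conservative = optimistic = 0.0
    for relay in relays:
        weight = relay.get("consensus_weight_fraction") or 0.0
        match = PLATFORM.match(relay.get("platform") or "")
        if not match:
            continue  # unparseable platform string: counted as unpatched
        version, os_name = match.groups()
        if version in BUMPED:
            # The version number alone proves the fix is present.
            conservative += weight
            optimistic += weight
        elif version in UNBUMPED and not os_name.startswith("Windows"):
            # Same version string before and after the patch, so the only hint
            # is a restart after the fix became available.
            restarted = relay.get("last_restarted")
            if restarted and datetime.strptime(restarted, "%Y-%m-%d %H:%M:%S") >= CUTOFF:
                optimistic += weight
    return conservative, optimistic

# Constructed sample records (not real relays); weights sum to 1.0.
SAMPLE = [
    {"platform": "Tor 0.2.8.9 on Linux", "consensus_weight_fraction": 0.20,
     "last_restarted": "2016-10-19 08:00:00"},
    {"platform": "Tor 0.2.9.4-alpha on FreeBSD", "consensus_weight_fraction": 0.05,
     "last_restarted": "2016-10-18 12:30:00"},
    {"platform": "Tor 0.2.5.12 on Linux", "consensus_weight_fraction": 0.10,
     "last_restarted": "2016-10-20 04:12:00"},   # optimistic only
    {"platform": "Tor 0.2.7.6 on Windows 7", "consensus_weight_fraction": 0.15,
     "last_restarted": "2016-10-21 10:00:00"},   # Windows: no fixed binaries
    {"platform": "Tor 0.2.7.6 on Linux", "consensus_weight_fraction": 0.25,
     "last_restarted": "2016-09-01 00:00:00"},   # not restarted since the fix
    {"platform": "Tor 0.2.8.7 on Linux", "consensus_weight_fraction": 0.25,
     "last_restarted": "2016-10-22 09:00:00"},   # restarted, but vulnerable version
]

if __name__ == "__main__":
    low, high = patched_cw_fractions(SAMPLE)
    print(f"conservative: {low:.0%} patched, optimistic: {high:.0%} patched")
```

The gap between the two results is the weight of relays whose version string cannot distinguish patched from unpatched builds, which is why the thread says the exact fraction cannot be determined.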

