The latest version of obfs4proxy (0.0.14) comes with an important security fix.
If you are running a obfs4 Tor bridge please upgrade as soon as possible.
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
> The latest version of obfs4proxy (0.0.14) comes with an important security fix.
Is there a Changelog available ?
The upstream changelog is here:
But I understand is not easy to understand what the problem is from that
changelog.
I was pointed out today that "important security fix" might be confusing. To be
clear this is 'obfuscation' security fix, this means before 0.0.14 it was
possible for an observer on the network to distinguish obfs4 traffic. So is a
security problem from the obfs4 user perspective.
But is not any risk for bridge operators. An attacker can *not* exploit this
issue to do any harm to the operator.
···
On 10/14/22 11:28, meskio wrote:
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
After configuring the installation of the unattended_upgrade package to
consider all packages [1] the new obfs4proxy was installed - but Tor was
not restarted nor obfs4proxy reloaded.
Isn't this a task for the software package ?
[1]
···
On 10/14/22 11:28, meskio wrote:
If you use debian you can find the Debian package in stable-backports: Debian -- Error
After configuring the installation of the unattended_upgrade package to
consider all packages [1] the new obfs4proxy was installed - but Tor was
not restarted nor obfs4proxy reloaded.
On 10/14/22 19:09, meskio wrote:
> The upstream changelog is here:
> ChangeLog · master · Yawning Angel / obfs4 · GitLab
> But I understand is not easy to understand what the problem is from that
> changelog.
Indeed.
BTW the fix was made 5 weeks ago, so I do assume, the (eg. Debian)
package needed time to stabilize, or ?
Yes, it takes time to get updates into debian, we've being working on it since
it was relased:
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
On 10/16/22 09:50, Toralf Förster wrote:
>
> After configuring the installation of the unattended_upgrade package to
> consider all packages [1] the new obfs4proxy was installed - but Tor was
> not restarted nor obfs4proxy reloaded.
>
> Isn't this a task for the software package ?
And IMO the Debian package should re-apply any setcap settings made to
the exe before, eg.:
Will be nice to add those fixes to the package. Maybe you can open two issues on
the debian bugtracker for them. Debian bug tracking system
Or feel free to directly send patches to the package:
Thanks for noticing.
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
A reminder: If you operate a obfs4 bridge, please upgrade obfs4proxy to 0.0.14
and restart the tor daemon. It is important to keep the users of your bridge
safe.
Thank you.
Quoting meskio (2022-10-14 11:28:44)
···
The latest version of obfs4proxy (0.0.14) comes with an important security
fix.
If you are running a obfs4 Tor bridge please upgrade as soon as possible.
If you use debian you can find the Debian package in stable-backports: Debian -- Error
If you use docker you'll find the latest version in docker hub: Docker
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
I understand that the updated package 0.0.14 is available in Debian 11 “bullseye” backports. Thank you!
Unfortunately I am running Ubuntu 22.04 LTS “jammy” on my two VPS and the most recent version available is 0.0.13. My previous attempt to get 0.0.13 backported into Ubuntu 20.04 LTS “focal” was not successful [1], therefore I see little room to get 0.0.14 into jammy or jammy backports.
On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug is filed [2] “obfs4-0.0.14 is available” and worked on.
At the moment I have no possibility to update obfs4proxy, unless I switch to Debian 11. One of my two hosters is only offering Debian 10 “buster”, so even this would not help.
I have read the discussion on [3] and would be very happy to see obfs4proxy for Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in the Tor Project repository.
In the meantime, until an update is available, please let me know whether I should shut down my two bridges.
Hello:
Is this update not available by running apt-get update && apt
···
A reminder: If you operate a obfs4 bridge, please upgrade obfs4proxy to 0.0.14 and restart the tor daemon. It is important to keep the users of your bridge safe. Thank you. Quoting meskio (2022-10-14 11:28:44) > The latest version of obfs4proxy (0.0.14) comes with an important security > fix. > If you are running a obfs4 Tor bridge please upgrade as soon as possible. > > If you use debian you can find the Debian package in stable-backports: > Debian -- Error > > If you use docker you’ll find the latest version in docker hub: > Docker > > Or you can find the source code in the upstream repository: > Yawning Angel / obfs4 · GitLab > > If you need help upgrading your relay, please use this mailing list or the Tor > Forum: > Relay Operator - Tor Project Forum > > We appreciate a lot your effort and time! – meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan._______________________________________________ tor-relays mailing list tor-relays@lists.torproject.orgtor-relays Info Page
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
Quoting tor-relays mailing list via Tor Project Forum (2022-10-29 23:35:39)
I understand that the updated package 0.0.14 is available in Debian 11
"bullseye" backports. Thank you!
Unfortunately I am running Ubuntu 22.04 LTS "jammy" on my two VPS and the most recent version available is 0.0.13. My previous attempt to get 0.0.13 backported into Ubuntu 20.04 LTS "focal" was not successful [1], therefore I see little room to get 0.0.14 into jammy or jammy backports.
On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug is filed [2] "obfs4-0.0.14 is available" and worked on.
At the moment I have no possibility to update obfs4proxy, unless I switch to Debian 11. One of my two hosters is only offering Debian 10 "buster", so even this would not help.
I have read the discussion on [3] and would be very happy to see obfs4proxy for Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in the Tor Project repository.
In the meantime, until an update is available, please let me know whether I
should shut down my two bridges.
Yes, we are exploring if we can provide obfs4proxy in our own repo to solve this
problem.
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
We have made public the details of the distinguishability bugs that were
affecting obfs4:
Most bridges are already upgraded, thank you all bridge operators for the work
here.
Quoting meskio (2022-10-14 11:28:44)
···
Hello,
The latest version of obfs4proxy (0.0.14) comes with an important security fix.
If you are running a obfs4 Tor bridge please upgrade as soon as possible.
If you use debian you can find the Debian package in stable-backports: Debian -- Error
If you use docker you'll find the latest version in docker hub: Docker
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.
