[tor-relays] update obfs4proxy if you run a bridge

Hello,

TL;DR:
  if you are a bridge operator please update obfs4proxy to a version>=0.0.12.

There is a new version of obfs4proxy (>=0.0.12) which fixes a security issue[0].
Tor Browser has already updated to the new version, which reduces the
security problem a bit, but introduces a partial incompatibility between versions[1].
Because of that, updating to the latest version will greatly help bridge users.

If you use Debian you can find the latest version in bullseye-backports[2].
If you use docker there is a new version of the official docker image that you
can upgrade to[3].

Thank you for running bridges,
let me know if you need any help upgrading it.

[0] [anti-censorship-team] obfs4proxy-0.0.12 (2021-12-31) fixes the Elligator2 bug
[1] Tor Browser's new obfs4proxy client has compatibility issues with old obfs4proxy bridges (#40804) · Issues · The Tor Project / Applications / Tor Browser · GitLab
[2] Debian -- Details of package obfs4proxy in bullseye-backports
[3] Docker Hub


--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nos vamos a Croatan.


Thanks, done.

Worth noting I had to adjust (on Debian) /etc/apparmor.d/abstractions/tor to contain:

/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

To prevent the error:

apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size

per [1].

And be sure to setcap the obfs4proxy binary again if running on a port<1024, as well as restart Tor after updating.

Cheers.

[1]: Bug#1004012: tor: AppArmor policy needs update for recent obfs4proxy


On 21 Mar 2022, 17:46 +0000, meskio <meskio@torproject.org>, wrote:

Hello,

TL;DR:
if you are a bridge operator please update obfs4proxy to a version>=0.0.12.

I'm not really familiar with Debian and do wonder what line I have to add to /etc/apt/apt.conf.d/50unattended-upgrades to get that automatically installed? Maybe I need to add the repo too?

Currently it looks like:

~# cat /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
     "origin=Debian,codename=${distro_codename},label=Debian";
     "origin=Debian,codename=${distro_codename},label=Debian-Security";
     "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
     "origin=TorProject";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::Automatic-Reboot "true";


On 3/21/22 18:45, meskio wrote:

Thank you for running bridges,
let me know if you need any help upgrading it.

--
Toralf

Yes, first edit '/etc/apt/sources.list':

# bullseye-backports, previously on backports.debian.org
deb http://deb.debian.org/debian bullseye-backports main
#deb-src http://deb.debian.org/debian bullseye-backports main

Then install:

apt update
apt install -t bullseye-backports obfs4proxy

https://backports.debian.org/Instructions/
You should always install individual packages from the backports archive.
Don't use apt-pinning for the whole backport archive in
'/etc/apt/preferences'.


On Wednesday, March 23, 2022 6:08:10 PM CET Toralf Förster wrote:

On 3/21/22 18:45, meskio wrote:

> Thank you for running bridges,
> let me know if you need any help upgrading it.

I'm not really familiar with Debian and do wonder what line I have to
add to /etc/apt/apt.conf.d/50unattended-upgrades to get that
automatically installed? Maybe I need to add the repo too?

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
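
A post-upgrade check covering the points raised in this thread (version at least 0.0.12, the AppArmor rule, the bind capability), as an added example that is not part of any post above. The default paths and the `obfs4proxy-x.y.z` format of the `obfs4proxy -version` output are assumptions; `sort -V` needs GNU coreutils or BusyBox.

```shell
# Added example: post-upgrade checks for an obfs4 bridge on Debian.
# Default paths are assumptions; override via the environment if yours differ.
OBFS4_BIN="${OBFS4_BIN:-/usr/bin/obfs4proxy}"
AA_FILE="${AA_FILE:-/etc/apparmor.d/abstractions/tor}"
MIN_VERSION="0.0.12"
HPAGE="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"

# version_ge A B: succeed when version A >= version B (numeric, not lexical).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# parse_version TEXT: extract x.y.z from "obfs4proxy-x.y.z" (assumed format).
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^obfs4proxy-\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# apparmor_allows_hpage FILE: succeed when an uncommented read rule for HPAGE exists.
apparmor_allows_hpage() {
    grep -Eq "^[[:space:]]*${HPAGE}[[:space:]]+r," "$1" 2>/dev/null
}

# has_bind_cap GETCAP_OUTPUT: succeed when cap_net_bind_service is listed.
has_bind_cap() {
    case "$1" in *cap_net_bind_service*) return 0 ;; *) return 1 ;; esac
}

# check_bridge: print findings; the return code is the number of failed checks.
check_bridge() {
    fails=0
    ver=$(parse_version "$("$OBFS4_BIN" -version 2>/dev/null)")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"; then
        echo "ok: obfs4proxy $ver"
    else
        echo "FAIL: obfs4proxy version '${ver:-unknown}', need >= $MIN_VERSION"; fails=$((fails+1))
    fi
    if apparmor_allows_hpage "$AA_FILE"; then
        echo "ok: AppArmor rule present in $AA_FILE"
    else
        echo "FAIL: $AA_FILE lacks '$HPAGE r,'"; fails=$((fails+1))
    fi
    # Informational only: the capability matters just for ports < 1024.
    if has_bind_cap "$(getcap "$OBFS4_BIN" 2>/dev/null)"; then
        echo "ok: cap_net_bind_service set on $OBFS4_BIN"
    else
        echo "note: no cap_net_bind_service on $OBFS4_BIN (needed only for ports < 1024)"
    fi
    return "$fails"
}
```

Source the file and run `check_bridge` as root after the upgrade and the Tor restart; a non-zero return code is the number of failed checks.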