On Mon, Jan 17, 2022 at 11:53:55AM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 21:50:32)
On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
Thanks, meskio. It was also brought to my attention that Debian's latest version of obfs4proxy is 0.0.8, which does not have the necessary active probing mitigations that we released in 0.0.11. This should also be treated as a security issue. https://packages.debian.org/search?keywords=obfs4proxy
Thanks for the info. I'll talk with the packagers about that. They mention having a problem with the fork of uTLS and its license to be able to update the package. But let's see if this can be solved somehow.
I think obfs4proxy should work with upstream github.com/refraction-networking/utls if you remove these two calls:
https://gitlab.com/yawning/obfs4/-/blob/cbf3f3cfa09cf48c42aebd1b96fd7952f1dd...
    utls.EnableVartimeGroups()
    utls.EnableVartimeAES()