On Fri, Jan 14, 2022 at 12:17:57PM +0100, meskio wrote:
Quoting David Fifield (2022-01-14 03:27:09)
The upstream obfs4 repository has a fix to the Elligator2 public key representative leak (https://github.com/agl/ed25519/issues/27).
I started the conversation with the maintainers in Debian to update the package: https://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/2022/00382...
Thanks, meskio. It was also brought to my attention that Debian's latest version of obfs4proxy is 0.0.8, which does not have the necessary active probing mitigations that we released in 0.0.11. This should also be treated as a security issue. https://packages.debian.org/search?keywords=obfs4proxy
https://gitlab.com/yawning/obfs4/-/commit/1a6129b66ff3e66c347b54fbae203c1c61...
https://censorbib.nymity.ch/#Frolov2020a
https://github.com/net4people/bbs/issues/26