-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I'm happy to announce txtorcon 0.15.0:
* added support for NULL control-port-authentication which is often appropriate when used with a UNIX domain socket * switched to https://docs.python.org/3/library/ipaddress.html instead of Google's ipaddr; the API should be the same from a user perspective but **packagers and tutorials** will want to change their instructions slightly (``pip install ipaddress`` or ``apt-get install python-ipaddress`` are the new ways). * support the new ADD_ONION and DEL_ONION "ephemeral hidden services" commands in TorConfig * a first stealth-authentication implementation (for "normal" hidden services, not ephemeral) * bug-fix from https://github.com/david415 to raise ConnectionRefusedError instead of StopIteration when running out of SOCKS ports. * new feature from https://github.com/david415 adding a ``build_timeout_circuit`` method which provides a Deferred that callbacks only when the circuit is completely built and errbacks if the provided timeout expires. This is useful because :doc:`TorState.build_circuit` callbacks as soon as a Circuit instance can be provided (and then you'd use :doc:`Circuit.when_built` to find out when it's done building). * new feature from https://github.com/coffeemakr falling back to password authentication if cookie authentication isn't available (or fails, e.g. because the file isn't readable). * both TorState and TorConfig now have a ``.from_protocol`` class-method. * spec-compliant string-un-escaping from https://github.com/coffeemakr * fix https://github.com/meejah/txtorcon/issues/176
You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):
https://pypi.python.org/pypi/txtorcon/0.15.0 https://github.com/meejah/txtorcon/releases/tag/v0.15.0
Releases are also available from the hidden service:
http://timaq4ygg2iegci7.onion/txtorcon-0.15.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.15.0.tar.gz.asc
You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:
cat <<EOF | sha256sum --check f2e8cdb130aa48d63c39603c2404d9496c669fa8b4c724497ca6bfa7752a9475 dist/txtorcon-0.15.0.tar.gz a359fb5e560263499400018262494378b3d347cd04a361adb08939df95ecedf6 dist/txtorcon-0.15.0-py2-none-any.whl EOF
thanks, meejah
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There was a small issue in 0.15.0 noticed by the Debian reproducible builds (thanks irl@debian for your packaging work!)
* fix issue 179 (Circuit.age() incorrect default arg)
You can download the release from PyPI or GitHub (or of course "pip install txtorcon"):
https://pypi.python.org/pypi/txtorcon/0.15.1 https://github.com/meejah/txtorcon/releases/tag/v0.15.1
Releases are also available from the hidden service:
http://timaq4ygg2iegci7.onion/txtorcon-0.15.1.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.15.1.tar.gz.asc
You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded:
cat <<EOF | sha256sum --check bbf69b7642d18b0678580e91d92ed91601759aea2de0e971539a2fb96fbd607c txtorcon-0.15.1.tar.gz 35c15acb2fda99dc35279286f905e38e3e19f15fe229c13164d4ae37a75d6df7 txtorcon-0.15.1-py2-none-any.whl EOF
thanks, meejah
https://threatpost.com/serious-tcp-bug-in-linux-systems-allows-traffic-hijac...
… The vulnerable TCP implementation (CVE-2016-5696) could affect an untold number of devices running Linux, including embedded computers, mobile phones and more. …
… Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote. …
...Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak
Dear Liste, concerned Tor relay operators, TCP abolitionists and so called network forensics experts,
We already have several tools that can detect various types of TCP injection attacks; for instance: https://github.com/david415/HoneyBadger
For fun I'll write some TCP inference exploits as described in that most excellent paper so everyone can enjoy blind TCP injection attacks. I'll be sure to post my results here later... unless i get completely distracted by yet another software development project.
meow >.<
David
On Fri, Aug 12, 2016 at 04:39:10PM +0200, Liste wrote:
https://threatpost.com/serious-tcp-bug-in-linux-systems-allows-traffic-hijac...
… The vulnerable TCP implementation (CVE-2016-5696) could affect an untold number of devices running Linux, including embedded computers, mobile phones and more. …
… Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote. …
...Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak Attacks can disrupt or degrade supposedly encrypted traffic, including connections over the Tor network, the researchers wrote.
See more at: Serious TCP Bug in Linux Systems Allows Traffic Hijacking https://wp.me/p3AjUX-vak
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Hi,
On Fri, Aug 12, 2016 at 02:40:10AM +0400, meejah wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
There was a small issue in 0.15.0 noticed by the Debian reproducible builds (thanks irl@debian for your packaging work!)
Will get this packaged over the weekend. (:
For those interested, I am also packaging txtorcon for jessie-backports and for Ubuntu suites on deb.tpo, as this is a dependency of ooniprobe.
Thanks, Iain.
"Iain R. Learmonth" irl@torproject.org writes:
Will get this packaged over the weekend. (:
Sweet :)
For those interested, I am also packaging txtorcon for jessie-backports and for Ubuntu suites on deb.tpo, as this is a dependency of ooniprobe.
FWIW, I have seen a few warnings recently about txtorcon being removed from testing because tor will be. But, I'm not sure that tor should be a *dependency* of txtorcon (just recommended). Obviously, it's not going to be super useful without a Tor to talk to ;) but you might have built tor yourself from source etc. (or even have it running on a different machine).
Probably there's some Debian policy guidance around this that I don't know about :)
Thansk again for the packaging work! meejah
On Fri, Aug 12, 2016 at 10:21:41PM +0400, meejah wrote:
"Iain R. Learmonth" irl@torproject.org writes:
Will get this packaged over the weekend. (:
Sweet :)
Got distracted over the weekend but starting on this now.
For those interested, I am also packaging txtorcon for jessie-backports and for Ubuntu suites on deb.tpo, as this is a dependency of ooniprobe.
FWIW, I have seen a few warnings recently about txtorcon being removed from testing because tor will be. But, I'm not sure that tor should be a *dependency* of txtorcon (just recommended). Obviously, it's not going to be super useful without a Tor to talk to ;) but you might have built tor yourself from source etc. (or even have it running on a different machine).
Everything in the Debian archive should be able to run with only things installed from the Debian archive. Debian policy requires that Tor be a dependency of txtorcon as without Tor, it's pretty useless.
The warnings do seem to have gone away now, so I guess Tor is fixed. (:
Thanks, Iain.
oh no! does that mean txtorcon will eventually be removed from debian?
On Mon, Aug 15, 2016 at 9:28 AM, Iain R. Learmonth irl@torproject.org wrote:
On Fri, Aug 12, 2016 at 10:21:41PM +0400, meejah wrote:
"Iain R. Learmonth" irl@torproject.org writes:
Will get this packaged over the weekend. (:
Sweet :)
Got distracted over the weekend but starting on this now.
For those interested, I am also packaging txtorcon for jessie-backports and for Ubuntu suites on deb.tpo, as this is a dependency of ooniprobe.
FWIW, I have seen a few warnings recently about txtorcon being removed from testing because tor will be. But, I'm not sure that tor should be a *dependency* of txtorcon (just recommended). Obviously, it's not going to be super useful without a Tor to talk to ;) but you might have built tor yourself from source etc. (or even have it running on a different machine).
Everything in the Debian archive should be able to run with only things installed from the Debian archive. Debian policy requires that Tor be a dependency of txtorcon as without Tor, it's pretty useless.
The warnings do seem to have gone away now, so I guess Tor is fixed. (:
Thanks, Iain.
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-
David Stainton -
dawuud -
Iain R. Learmonth -
Liste -
meejah