Hello,
The latest version of obfs4proxy (0.0.14) comes with an important security fix. If you are running an obfs4 Tor bridge please upgrade as soon as possible.
If you use debian you can find the Debian package in stable-backports: https://packages.debian.org/stable-backports/obfs4proxy
If you use docker you'll find the latest version in docker hub: https://hub.docker.com/r/thetorproject/obfs4-bridge/
Or you can find the source code in the upstream repository: https://gitlab.com/yawning/obfs4
If you need help upgrading your relay, please use this mailing list or the Tor Forum: https://forum.torproject.net/c/support/relay-operator/17
We appreciate your effort and time a lot!
Thank you
Quoting Toralf Förster (2022-10-14 18:08:38)
> On 10/14/22 11:28, meskio wrote:
> > The latest version of obfs4proxy (0.0.14) comes with an important security fix.
> Is there a Changelog available ?
The upstream changelog is here: https://gitlab.com/yawning/obfs4/-/blob/master/ChangeLog But I understand it is not easy to understand what the problem is from that changelog.
It was pointed out to me today that "important security fix" might be confusing. To be clear, this is an 'obfuscation' security fix; this means that before 0.0.14 it was possible for an observer on the network to distinguish obfs4 traffic. So it is a security problem from the obfs4 user perspective.
But it is not a risk for bridge operators. An attacker can *not* exploit this issue to do any harm to the operator.
On Fri, Oct 14, 2022 at 06:08:38PM +0200, Toralf Förster wrote:
> On 10/14/22 11:28, meskio wrote:
> > The latest version of obfs4proxy (0.0.14) comes with an important security fix.
> Is there a Changelog available ?
The below issue, which is currently confidential, has details of what was fixed. The issue is scheduled to become public by 2022-11-15.
https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4/4...
On 10/14/22 11:28, meskio wrote:
> If you use debian you can find the Debian package in stable-backports: https://packages.debian.org/stable-backports/obfs4proxy
After configuring the installation of the unattended_upgrade package to consider all packages [1] the new obfs4proxy was installed - but Tor was not restarted nor obfs4proxy reloaded.
Isn't this a task for the software package ?
[1] https://github.com/toralf/tor-relays/commit/37d2cc993c5b17eaa7510cb4a589b62f...
-- Toralf
On 10/16/22 09:50, Toralf Förster wrote:
> After configuring the installation of the unattended_upgrade package to consider all packages [1] the new obfs4proxy was installed - but Tor was not restarted nor obfs4proxy reloaded.
> Isn't this a task for the software package ?
And IMO the Debian package should re-apply any setcap settings made to the exe before, e.g.:
setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
or?
-- Toralf
Quoting Toralf Förster (2022-10-16 11:23:18)
> On 10/16/22 09:50, Toralf Förster wrote:
> > After configuring the installation of the unattended_upgrade package to consider all packages [1] the new obfs4proxy was installed - but Tor was not restarted nor obfs4proxy reloaded.
> > Isn't this a task for the software package ?
> And IMO the Debian package should re-apply any setcap settings made to the exe before, e.g.:
> setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
> or?
It will be nice to add those fixes to the package. Maybe you can open two issues on the debian bugtracker for them. https://www.debian.org/Bugs/
Or feel free to directly send patches to the package: https://salsa.debian.org/pkg-privacy-team/obfs4proxy
Thanks for noticing.
On 10/17/22 11:41, meskio wrote:
> It will be nice to add those fixes to the package. Maybe you can open two issues on the debian bugtracker for them.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021911.
-- Toralf
Quoting Toralf Förster (2022-10-17 12:56:04)
> On 10/17/22 11:41, meskio wrote:
> > It will be nice to add those fixes to the package. Maybe you can open two issues on the debian bugtracker for them.
Thank you :)
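
The two gaps raised in this thread, the daemon not being restarted after an unattended upgrade and a setcap file capability not surviving the package replacing the binary, can be checked on the bridge host. The script below is an added example, not part of any message in the thread and not code from the obfs4proxy or Debian packaging projects. Its function names are hypothetical, the `obfs4proxy-<version>` output of `obfs4proxy -version` is an assumption, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade checks for an obfs4 bridge.
# Function names are hypothetical; the sample inputs at the bottom are constructed.
FIXED="0.0.14"              # fixed release named in the announcement
BIN=/usr/bin/obfs4proxy     # path used in the thread's setcap command

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# is_stale_exe LINK: a /proc/PID/exe target ending in " (deleted)" means the
# process still runs the binary that the package upgrade replaced on disk.
is_stale_exe() { case $1 in *" (deleted)") return 0 ;; *) return 1 ;; esac; }

# has_bind_cap LINE: getcap output lists cap_net_bind_service (presence only).
has_bind_cap() { case $1 in *cap_net_bind_service*) return 0 ;; *) return 1 ;; esac; }

# assess VERSION_LINE EXE_LINK GETCAP_LINE: print one finding per problem.
# VERSION_LINE is assumed to look like "obfs4proxy-0.0.14".
assess() {
    version_ge "${1#obfs4proxy-}" "$FIXED" || echo "UPGRADE: $1 is older than $FIXED"
    is_stale_exe "$2" && echo "RESTART: running obfs4proxy predates the installed binary"
    has_bind_cap "$3" || echo "SETCAP: cap_net_bind_service is not set on $BIN"
    return 0
}

if [ "${1:-}" = "--live" ]; then
    # On the bridge host, as root: query the real binary and process.
    pid=$(pgrep -o -x obfs4proxy || true)
    assess "$("$BIN" -version)" "$(readlink "/proc/$pid/exe" 2>/dev/null)" "$(getcap "$BIN")"
else
    # Constructed sample: package upgraded, tor not restarted, capability gone.
    assess "obfs4proxy-0.0.14" "$BIN (deleted)" ""
fi
```

The SETCAP finding matters only on bridges that bind a port below 1024 and relied on the capability; file capabilities are stored on the file itself, so a replaced binary starts without them.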
A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to 0.0.14 and restart the tor daemon. It is important to keep the users of your bridge safe.
Thank you.
Quoting meskio (2022-10-14 11:28:44)
> The latest version of obfs4proxy (0.0.14) comes with an important security fix. If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> If you use debian you can find the Debian package in stable-backports: https://packages.debian.org/stable-backports/obfs4proxy
> If you use docker you'll find the latest version in docker hub: https://hub.docker.com/r/thetorproject/obfs4-bridge/
> Or you can find the source code in the upstream repository: https://gitlab.com/yawning/obfs4
> If you need help upgrading your relay, please use this mailing list or the Tor Forum: https://forum.torproject.net/c/support/relay-operator/17
> We appreciate your effort and time a lot!
Hello: Is this update not available by running apt-get update && apt
-------- Original Message -------- On Nov 3, 2022, 10:34 AM, meskio wrote:
A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to 0.0.14 and restart the tor daemon. It is important to keep the users of your bridge safe.
Thank you.
Quoting meskio (2022-10-14 11:28:44)
> The latest version of obfs4proxy (0.0.14) comes with an important security fix.
> If you are running an obfs4 Tor bridge please upgrade as soon as possible.
>
> If you use debian you can find the Debian package in stable-backports:
> https://packages.debian.org/stable-backports/obfs4proxy
>
> If you use docker you'll find the latest version in docker hub:
> https://hub.docker.com/r/thetorproject/obfs4-bridge/
>
> Or you can find the source code in the upstream repository:
> https://gitlab.com/yawning/obfs4
>
> If you need help upgrading your relay, please use this mailing list or the Tor Forum:
> https://forum.torproject.net/c/support/relay-operator/17
>
> We appreciate your effort and time a lot!
-- meskio | https://meskio.net/
Quoting Anonforpeace via tor-relays (2022-11-03 15:49:34)
> Is this update not available by running apt-get update && apt
It is available if you have the debian backports repo configured, but it is not in debian stable, nor in ubuntu stable. You can grab the package manually from: https://packages.debian.org/stable-backports/obfs4proxy
We have made public the details of the distinguishability bugs that were affecting obfs4:
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/91
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/obfs4...
Most bridges are already upgraded, thank you all bridge operators for the work here.
Quoting meskio (2022-10-14 11:28:44)
> Hello,
> The latest version of obfs4proxy (0.0.14) comes with an important security fix. If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> If you use debian you can find the Debian package in stable-backports: https://packages.debian.org/stable-backports/obfs4proxy
> If you use docker you'll find the latest version in docker hub: https://hub.docker.com/r/thetorproject/obfs4-bridge/
> Or you can find the source code in the upstream repository: https://gitlab.com/yawning/obfs4
> If you need help upgrading your relay, please use this mailing list or the Tor Forum: https://forum.torproject.net/c/support/relay-operator/17
> We appreciate your effort and time a lot!
> Thank you