-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway)
This might be an obvious recommendation but there are a lot of outdated relays (~15%).
What are currently recommended Tor versions? You can find out by going to:
https://metrics.torproject.org/consensus-health.html
(go to "Recommended versions")
0.2.3.1 is also fine (atm).
If you don't know what version you are using, run: tor --version
If you are running an old version for a specific reason I'd like to hear about it (off-list if you wish).
make the Tor network safer - update your relays.
tagnaq
PS: Next week I'll try to contact relay operators still running <0.2.1.29 <0.2.2.21 update if you want to help reduce the effort.
On May 13, 2011, at 9:19 PM, tagnaq wrote:
> Hi,
> I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway)
They do. They don't run versions that are too old, see below.
> This might be an obvious recommendation but there are a lot of outdated relays (~15%).
> What are currently recommended Tor versions? You can find out by going to:
> https://metrics.torproject.org/consensus-health.html
> (go to "Recommended versions")
> 0.2.3.1 is also fine (atm).
> If you don't know what version you are using, run: tor --version
> If you are running an old version for a specific reason I'd like to hear about it (off-list if you wish).
> make the Tor network safer - update your relays.
> tagnaq
> PS: Next week I'll try to contact relay operators still running <0.2.1.29 <0.2.2.21 update if you want to help reduce the effort.
Before you contact anyone appearing to run 0.2.2.19-alpha, check their descriptor and the git part of the version string therein. Many of those people might run self-compiled versions of Tor that are more up to date than they seem from the version string.
Alternatively, some of those relay operators (independent of the version that is shown in the descriptor) might run a version provided by their packaging system that backports security-relevant issues but leaves the rest of the updates alone, and thus doesn't increase the version.
Sebastian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Thanks for your input.
As I don't see a reliable way to determine if someone runs a vulnerable version (in a passive way) and I don't want to spam anyone I drop my original intention of trying to contact operators of vulnerable Tor relays.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> those people might run self-compiled versions of Tor that are more up to date than they seem from the version string.
> Alternatively, some of those relay operators (independent of the version that is shown in the descriptor) might run a version provided by their packaging system that backports security-relevant issues but leaves the rest of the updates alone, and thus doesn't increase the version.
This is also interesting in the context of #2980, #2988 (Not reporting version is actively harmful).
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 05/15/2011 09:19 PM, Sebastian Hahn wrote:
> Before you contact anyone appearing to run 0.2.2.19-alpha, check their descriptor and the git part of the version string therein
vulnerable (CVE-2011-0427):
Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686 (laurel, hardy)
safe (CVE-2011-0427):
Tor 0.2.2.19-alpha (git-35fcec38809f9805) on Linux i686 (ides)
Tor 0.2.2.19-alpha (git-e0d5a6e184967358) on Linux x86_64 (wii)
Tor 0.2.2.19-alpha (git-aba7bb705a69697a) on Linux x86_64 (Amunet)
Regarding contacting operators: I'll try to reach a few high bandwidth vuln. relay operators to reduce "vulnerable bandwidth" without sending many emails.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> I'll try to reach a few high bandwidth vuln. relay operators to reduce "vulnerable bandwidth" without sending many emails.
contacted operators:
Router Name,Bandwidth (KB/s),Platform
OldPlanetExpress,6299,Tor 0.2.1.26 on Linux x86_64
pansenserver,4318,Tor 0.2.1.26 on Linux x86_64
torexp2,3609,Tor 0.2.1.28 (r62) on Linux x86_64
jalopy,3509,Tor 0.2.2.20-alpha on Linux x86_64
torexp1,3126,Tor 0.2.1.28 (r211) on Linux x86_64
MopperSmurf,2918,Tor 0.2.2.13-alpha (git-feb8c1b5f67f2c6f) on FreeBSD i386
laurel,2822,Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686
williamhaines,2777,Tor 0.2.2.17-alpha (git-dadd9608d2720368) on Linux x86_64
normatalmadge,2443,Tor 0.2.2.17-alpha (git-dadd9608d2720368) on Linux x86_64
Shaman0,2227,Tor 0.2.1.25 on Linux x86_64
hardy,2222,Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686
onconnex80,1406,Tor 0.2.1.27 (re57cb6b9762a2f94) on Linux x86_64
Nyelandsvej,1404,Tor 0.2.1.26 (rbde5a11c51433a6e) on Linux i686
gpfTOR4,1305,Tor 0.2.1.28 (r60ccf2b5f1ac7f66) on Linux x86_64
1000rpmLinux,1208,Tor 0.2.1.26 (r7f4f5a379d6e56c3) on Linux i686
evil,1200,Tor 0.2.1.26 on Linux x86_64
agent,986,Tor 0.2.1.25 on Linux x86_64
PPrivCom029,879,Tor 0.2.1.26 on Linux i686
servicePublic,810,Tor 0.2.1.26 on Linux i686
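The version-string caveats raised in this thread, as an added example (not code posted by anyone on the list): it triages descriptor platform strings against the cut-offs and the CVE-2011-0427 build ids quoted above, and keeps "old number" separate from "confirmed vulnerable". The function names and verdict labels are assumptions made for illustration.

```python
import re

# Cut-offs quoted in the thread: relays below 0.2.1.29 / 0.2.2.21 were to be contacted.
MIN_MICRO = {(0, 2, 1): 29, (0, 2, 2): 21}

# Build ids the thread itself classified for CVE-2011-0427 (all 0.2.2.19-alpha).
THREAD_BUILDS = {
    "git-e57cb6b9762a2f94": "vulnerable",
    "git-35fcec38809f9805": "safe",
    "git-e0d5a6e184967358": "safe",
    "git-aba7bb705a69697a": "safe",
}

PLATFORM_RE = re.compile(
    r"^Tor (\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\w+)?"  # version, optional -alpha/-rc tag
    r"(?: \(((?:git-|r)[0-9a-f]+)\))?"           # optional build id, e.g. (git-...) or (r62)
    r" on .+$"
)

def triage(platform):
    """Classify one descriptor platform string; returns a verdict label."""
    m = PLATFORM_RE.match(platform)
    if m is None:
        return "unparsed"
    series = tuple(int(g) for g in m.group(1, 2, 3))
    micro, build = int(m.group(4)), m.group(5)
    if series not in MIN_MICRO:
        return "series-not-covered"
    if micro >= MIN_MICRO[series]:
        return "at-or-above-cutoff"
    if build in THREAD_BUILDS:
        return THREAD_BUILDS[build]
    if build:
        # Self-compiled tree: the number may lag the source, so inspect the commit.
        return "inspect-build-id"
    # Plain old number: may be a distro package with backported fixes.
    return "old-number-unconfirmed"

def triage_csv(lines):
    """Rows are 'name,bandwidth,platform' as in the list above; returns {name: verdict}."""
    rows = (line.split(",", 2) for line in lines)
    return {name: triage(platform) for name, _bw, platform in rows}

# Rows copied from the list above.
SAMPLE = [
    "OldPlanetExpress,6299,Tor 0.2.1.26 on Linux x86_64",
    "laurel,2822,Tor 0.2.2.19-alpha (git-e57cb6b9762a2f94) on Linux i686",
    "onconnex80,1406,Tor 0.2.1.27 (re57cb6b9762a2f94) on Linux x86_64",
]
print(triage_csv(SAMPLE))
```

Only the builds the thread classified get a definite verdict; everything else below the cut-off stays a question for the operator, which matches the conclusion that the version string alone is not a reliable passive indicator.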
On Fri, 13 May 2011 21:19:41 +0200 tagnaq tagnaq@gmail.com wrote:
> I encourage everyone running a relay to use an up to date Tor version. (especially directory authority operators - but they should know better anyway)
As a reminder, this is why we have tor weather, https://weather.torproject.org/. It will automatically let relay ops know of new versions, if they are outdated, or deserving of a tshirt.
I don't know that I would encourage everyone to run 0.2.3 at this point, it's very, very alpha.
tor-relays@lists.torproject.org