Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6949 closed defect (fixed)

remove vulnerable tor versions from 'recommended versions'

Reported by: cypherpunkx
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-auth
Cc: sebastian, weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor versions prior to v0.2.2.39, v0.2.3.22 and v0.2.4.3 should be removed from the 'recommended versions' consensus parameter to inform relay operators to update (at least the ones that read their logs ;)

The current recommended tor version list looks like this [1]:

consensus
client-versions 0.2.2.35,0.2.2.36,0.2.2.37,0.2.2.38,0.2.2.39,0.2.3.10-alpha,0.2.3.11-alpha,0.2.3.12-alpha,0.2.3.13-alpha,0.2.3.14-alpha,0.2.3.15-alpha,0.2.3.16-alpha,0.2.3.17-beta,0.2.3.18-rc,0.2.3.19-rc,0.2.3.20-rc,0.2.3.21-rc,0.2.3.22-rc,0.2.4.1-alpha,0.2.4.2-alpha,0.2.4.3-alpha
server-versions 0.2.2.35,0.2.2.36,0.2.2.37,0.2.2.38,0.2.2.39,0.2.3.10-alpha,0.2.3.11-alpha,0.2.3.12-alpha,0.2.3.13-alpha,0.2.3.14-alpha,0.2.3.15-alpha,0.2.3.16-alpha,0.2.3.17-beta,0.2.3.18-rc,0.2.3.19-rc,0.2.3.20-rc,0.2.3.21-rc,0.2.3.22-rc,0.2.4.1-alpha,0.2.4.2-alpha,0.2.4.3-alpha

[1] https://metrics.torproject.org/consensus-health.html
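
Added example, not part of the original ticket or of Tor's code: a Python sketch that splits the client-versions value quoted above into versions at or above the fixed release of their series and versions to unrecommend. The function names are hypothetical, status tags such as -rc are ignored when comparing, and a series the ticket does not name is treated as not fixed.

```python
import re

# First fixed release in each series, as named in the ticket description.
FIXED_FLOORS = ("0.2.2.39", "0.2.3.22", "0.2.4.3")

# The client-versions value quoted in the ticket.
CLIENT_VERSIONS = (
    "0.2.2.35,0.2.2.36,0.2.2.37,0.2.2.38,0.2.2.39,"
    "0.2.3.10-alpha,0.2.3.11-alpha,0.2.3.12-alpha,0.2.3.13-alpha,"
    "0.2.3.14-alpha,0.2.3.15-alpha,0.2.3.16-alpha,0.2.3.17-beta,"
    "0.2.3.18-rc,0.2.3.19-rc,0.2.3.20-rc,0.2.3.21-rc,0.2.3.22-rc,"
    "0.2.4.1-alpha,0.2.4.2-alpha,0.2.4.3-alpha"
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?$")


def parse(version):
    """Return the four numeric fields of a Tor version; the status tag is dropped."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unparseable Tor version: {version!r}")
    return tuple(int(g) for g in m.groups()[:4])


# Map each series (first three fields) to its fixed floor.
FLOORS = {parse(v)[:3]: parse(v) for v in FIXED_FLOORS}


def is_fixed(version):
    """True if version is at or above the fixed release of its own series.

    Assumption: a series with no floor listed (e.g. 0.2.1.x) is not fixed.
    """
    parsed = parse(version)
    floor = FLOORS.get(parsed[:3])
    return floor is not None and parsed >= floor


def split_recommended(line):
    """Split a comma-separated version list into (keep, drop)."""
    keep, drop = [], []
    for v in line.split(","):
        (keep if is_fixed(v) else drop).append(v.strip())
    return keep, drop


if __name__ == "__main__":
    keep, drop = split_recommended(CLIENT_VERSIONS)
    print("keep:", ",".join(keep))
    print("drop:", ",".join(drop))
```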

Change History (5)

comment:1 Changed 8 years ago by arma

Cc: sebastian weasel added

See doc/contrib/authority-policy.txt for what I wrote a while ago about our habits for which version to recommend.

I think the tradeoff here is between crying wolf often enough that they stop listening, and removing a not-yet-exploited remote assert bug.

I could go either way here. We've already announced it, so those people who use Tor packages have already upgraded (or will when their packages are ready). So we're left only with the people who don't follow some auto-update mechanism. That makes me lean towards 'unrecommend them'.

Sebastian, weasel, what say you?

comment:2 Changed 8 years ago by arma

weasel and sebastian are both for unrecommending them. let's do it.

comment:3 Changed 8 years ago by Sebastian

Resolution: fixed
Status: new → closed

all done, thanks.

comment:4 Changed 8 years ago by nickm

Keywords: tor-auth added

comment:5 Changed 8 years ago by nickm

Component: Tor Directory Authority → Tor