Why doesn't whonix-gw run the latest 0.2.8.x tor?


Joonas Lehtonen

Jan 29, 2017, 6:36:04 AM
to qubes...@googlegroups.com, Patrick Schleizer
Hi,

whonix-gw apparently uses tor 0.2.8.10, the latest 0.2.8.x version being
0.2.8.12 (released 2016-12-19).

Why is it not updated?
I guess there is very little risk in upgrading from 0.2.8.10 to 0.2.8.12.

I'm using a default whonix-gw template with
deb http://deb.whonix.org jessie main

From the tor 0.2.8.12 changelog:

> o Major bugfixes (parsing, security, backported from 0.2.9.8):
> - Fix a bug in parsing that could cause clients to read a single
> byte past the end of an allocated region. This bug could be used
> to cause hardened clients (built with --enable-expensive-hardening)
> to crash if they tried to visit a hostile hidden service. Non-
> hardened clients are only affected depending on the details of
> their platform's memory allocator. Fixes bug 21018; bugfix on
> 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
> 2016-12-002 and as CVE-2016-1254.



https://deb.whonix.org/dists/jessie/main/binary-amd64/Packages:

>
> Package: tor
> Version: 0.2.8.10-1~d80.jessie+1
> Architecture: amd64
> Maintainer: Peter Palfrader <wea...@debian.org>
> Installed-Size: 3935
[...]
> Priority: optional
> Section: net
> Filename: pool/main/t/tor/tor_0.2.8.10-1~d80.jessie+1_amd64.deb
> Size: 1422520
> SHA256: b36f5e8fc4590f6fa8431e7114fb187ce9f892f406b9bc55cdf28ef611320f89
> SHA1: afb6720c65df114b772d02554f563fdbb385b7b7
> MD5sum: 7a9c9fd5616f51eec6420d3254273ee3




cez...@gmail.com

Jan 29, 2017, 8:15:07 AM
to qubes-users, patrick-ma...@whonix.org, joonas....@openmailbox.org
My guess is lack of time and funding. Qubes definitely could need better funding. The Qubes team are doing a great job, but they might be limited on what they can manage to get done because there are so many things on the to-do list.

Maybe this will change with the new upcoming funding plans; it would be a very positive change if so.

For the time being, I suppose you can install your own updated Whonix?

Joonas Lehtonen

Jan 29, 2017, 8:40:58 AM
to qubes...@googlegroups.com


cez...@gmail.com:
> My guess is lack of time and funding. Qubes definitely could need
> better funding. The Qubes team are doing a great job, but they might
> be limited on what they can manage to get done because there are so
> many things on the to-do list.
>
> Maybe this will change with the new upcoming funding plans; it would
> be a very positive change if so.
>
> For the time being, I suppose you can install your own updated
> Whonix?

This is about the whonix repo (deb.whonix.org) not Qubes repos and the
Whonix repo is managed by Whonix (Patrick).


Unman

Jan 29, 2017, 6:36:22 PM
to Joonas Lehtonen, qubes...@googlegroups.com
You're right, it isn't a Qubes issue at all, and is probably best
addressed to the Whonix forums.

If you were running a torVM then you'd be at 0.2.9.9-1.

But put it in perspective - if you used the Debian package you'd be at a
lowly 2.5.12 for Jessie.

Patrick Schleizer

Feb 4, 2017, 12:57:24 PM
to cez...@gmail.com, qubes-users, joonas....@openmailbox.org
cez...@gmail.com:
> On Sunday, January 29, 2017 at 12:36:04 UTC+1, Joonas wrote:
> My guess is lack of time and funding.
> [...]

Right.

Gave the upgrade low priority and I am pretty conservative when it comes
to stable upgrades. It's not too hard to upload a package to the stable
repository that then would wreck connectivity for most users.

Posted on January 29, 2017:

> Tor was updated to 0.2.9.9-1~d80.jessie+1 in Whonix
> stable-proposed-updates as well as in testers repository.

https://forums.whonix.org/t/tor-0-2-9-9-1-d80-jessie-1-stable-upgrade-testers-wanted

Cheers,
Patrick