Re: [tor-relays] relays and CUPS vulnerabilities

George and I took the opportunity to scan relays and bridges to see if
they have this vulnerable cups-browsed service running. We found 14 relay
IP addresses that did, and 4 bridge IP addresses. This is a pretty good
rate overall!

(I had been expecting to find more bridges, because they're more likely
to be at home and people might be running them from their stock Ubuntu
desktop install or the like. But we found very few, and maybe that is
because at many homes everything is NATed/firewalled by default.)

12 of the 18 had proper contactinfo and I emailed them. One bounced,
one replied and fixed it, and the others haven't replied yet.

There is a fine policy question here, which is "ok so what now? Do we
leave them in place or bump them out of the network?"

I figure I'll wait a week or so and scan these 18 again. But I fear that
the package "fix" will just correct a buffer overflow or something and it
will leave the "they listen to the whole internet and add any printers
that the internet sends them" behavior intact (because one is a bug,
the other is a feature), so my scan won't actually be able to tell if
they updated. Fortunately, which next step we choose doesn't matter much
here, because the numbers we're talking about are so small.

There is a larger conversation we could have, around whether we should
make vulnerability scanning of relays a more common or automated or scaled
thing. I like the idea in theory but in practice I don't think it should
be a high priority compared to our other network health priorities.

I'm tracking details and next steps about the cups issue on the gitlab
ticket,

--Roger