The latest version of obfs4proxy (0.0.14) comes with an important security fix.
If you are running an obfs4 Tor bridge please upgrade as soon as possible.
--
meskio | https://meskio.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
My contact info: https://meskio.net/crypto.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
We're going to Croatan.
> The latest version of obfs4proxy (0.0.14) comes with an important security fix.
Is there a changelog available?
The upstream changelog is here:
But I understand it is not easy to understand what the problem is from that
changelog.
It was pointed out to me today that "important security fix" might be confusing. To be
clear, this is an 'obfuscation' security fix; this means that before 0.0.14 it was
possible for an observer on the network to distinguish obfs4 traffic. So it is a
security problem from the obfs4 user's perspective.
But it is not any risk for bridge operators. An attacker can *not* exploit this
issue to do any harm to the operator.
On 10/14/22 11:28, meskio wrote:
After configuring the installation of the unattended_upgrade package to
consider all packages [1] the new obfs4proxy was installed - but Tor was
not restarted nor obfs4proxy reloaded.
Isn't this a task for the software package?
[1]
On 10/14/22 11:28, meskio wrote:
> If you use debian you can find the Debian package in stable-backports:
On 10/14/22 19:09, meskio wrote:
> The upstream changelog is here:
> ChangeLog · master · Yawning Angel / obfs4 · GitLab
> But I understand it is not easy to understand what the problem is from that
> changelog.
Indeed.
BTW the fix was made 5 weeks ago, so I assume the (e.g. Debian)
package needed time to stabilize, or?
Yes, it takes time to get updates into Debian; we've been working on it since
it was released:
On 10/16/22 09:50, Toralf Förster wrote:
>
> After configuring the installation of the unattended_upgrade package to
> consider all packages [1] the new obfs4proxy was installed - but Tor was
> not restarted nor obfs4proxy reloaded.
>
> Isn't this a task for the software package?
And IMO the Debian package should re-apply any setcap settings made to
the exe before, e.g.:
It would be nice to add those fixes to the package. Maybe you can open two issues on
the Debian bug tracker for them: Debian bug tracking system
Or feel free to directly send patches to the package:
Thanks for noticing.
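An added check script for the two gaps raised in this exchange (the package upgrade that leaves tor running the old obfs4proxy binary, and a hand-applied setcap that may not survive the upgrade); it is not from the thread, from obfs4proxy or from the Debian package. It assumes Linux with /proc, tor managed by systemd, and that `obfs4proxy -version` prints a string containing the version (such as "obfs4proxy-0.0.14"); all three are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: a post-upgrade check for an obfs4 bridge.
# Assumptions: Linux with /proc, tor managed by systemd, and `obfs4proxy -version`
# printing a string that contains the version, such as "obfs4proxy-0.0.14".

MIN_VERSION="0.0.14"   # first release with the distinguishability fix

# Extract the first "X.Y.Z" from a version string; prints nothing if none is found.
parse_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed when dotted version $1 is greater than or equal to $2.
version_ge() {
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$highest" = "$1" ]
}

# Succeed when the version string in $1 is missing or older than MIN_VERSION.
needs_upgrade() {
    v=$(parse_version "$1")
    [ -z "$v" ] || ! version_ge "$v" "$MIN_VERSION"
}

# Succeed when some running obfs4proxy was started from a binary that the package
# upgrade has since replaced: the kernel reports the old inode as "(deleted)".
# This is the state an unattended upgrade leaves tor in until it is restarted.
stale_proxy_running() {
    for exe in /proc/[0-9]*/exe; do
        case "$(readlink "$exe" 2>/dev/null)" in
            */obfs4proxy*"(deleted)") return 0 ;;
        esac
    done
    return 1
}

main() {
    if needs_upgrade "$(obfs4proxy -version 2>/dev/null)"; then
        echo "obfs4proxy missing or older than $MIN_VERSION: upgrade the package first"
        exit 1
    fi
    if stale_proxy_running; then
        echo "tor is still running the pre-upgrade obfs4proxy; restarting tor"
        systemctl restart tor
    fi
    # Show the file capabilities so the operator can see whether a hand-applied
    # setcap survived the package upgrade.
    getcap "$(command -v obfs4proxy)"
}
[ "${1:-}" = "run" ] && main    # invoke as: sh check-obfs4.sh run
```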
A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to 0.0.14
and restart the tor daemon. It is important to keep the users of your bridge
safe.
Thank you.
Quoting meskio (2022-10-14 11:28:44)
> The latest version of obfs4proxy (0.0.14) comes with an important security
> fix.
> If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> If you use debian you can find the Debian package in stable-backports:
> If you use docker you'll find the latest version in docker hub: Docker
I understand that the updated package 0.0.14 is available in Debian 11 “bullseye” backports. Thank you!
Unfortunately I am running Ubuntu 22.04 LTS “jammy” on my two VPS and the most recent version available is 0.0.13. My previous attempt to get 0.0.13 backported into Ubuntu 20.04 LTS “focal” was not successful [1], therefore I see little room to get 0.0.14 into jammy or jammy backports.
On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug is filed [2] “obfs4-0.0.14 is available” and worked on.
At the moment I have no possibility to update obfs4proxy, unless I switch to Debian 11. One of my two hosters is only offering Debian 10 “buster”, so even this would not help.
I have read the discussion on [3] and would be very happy to see obfs4proxy for Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in the Tor Project repository.
In the meantime, until an update is available, please let me know whether I should shut down my two bridges.
Hello:
Is this update not available by running apt-get update && apt
> A reminder: If you operate an obfs4 bridge, please upgrade obfs4proxy to 0.0.14 and restart the tor daemon. It is important to keep the users of your bridge safe. Thank you.
>
> Quoting meskio (2022-10-14 11:28:44)
> > The latest version of obfs4proxy (0.0.14) comes with an important security fix.
> > If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> >
> > If you use debian you can find the Debian package in stable-backports:
> >
> > If you use docker you'll find the latest version in docker hub: Docker
> >
> > Or you can find the source code in the upstream repository: Yawning Angel / obfs4 · GitLab
> >
> > If you need help upgrading your relay, please use this mailing list or the Tor Forum: Relay Operator - Tor Project Forum
> >
> > We appreciate a lot your effort and time!
Quoting tor-relays mailing list via Tor Project Forum (2022-10-29 23:35:39)
> I understand that the updated package 0.0.14 is available in Debian 11
> "bullseye" backports. Thank you!
> Unfortunately I am running Ubuntu 22.04 LTS "jammy" on my two VPS and the most recent version available is 0.0.13. My previous attempt to get 0.0.13 backported into Ubuntu 20.04 LTS "focal" was not successful [1], therefore I see little room to get 0.0.14 into jammy or jammy backports.
> On Fedora 35, 36 & 37 obfs4-0.0.11 is available. I am happy to see that a bug is filed [2] "obfs4-0.0.14 is available" and worked on.
> At the moment I have no possibility to update obfs4proxy, unless I switch to Debian 11. One of my two hosters is only offering Debian 10 "buster", so even this would not help.
> I have read the discussion on [3] and would be very happy to see obfs4proxy for Ubuntu and Fedora (if the folks at Fedora agree or maybe can help?) in the Tor Project repository.
> In the meantime, until an update is available, please let me know whether I
> should shut down my two bridges.
Yes, we are exploring whether we can provide obfs4proxy in our own repo to solve this
problem.
We have made public the details of the distinguishability bugs that were
affecting obfs4:
Most bridges are already upgraded; thank you to all bridge operators for the work
here.
Quoting meskio (2022-10-14 11:28:44)
> Hello,
> The latest version of obfs4proxy (0.0.14) comes with an important security fix.
> If you are running an obfs4 Tor bridge please upgrade as soon as possible.
> If you use debian you can find the Debian package in stable-backports:
> If you use docker you'll find the latest version in docker hub: Docker