Upgrade Tor to 0.3.5.8 and 0.3.4.11 #4170

Closed
emkll opened this issue Feb 21, 2019 · 2 comments
emkll (Contributor) commented Feb 21, 2019

Description

Tor has released new versions that contain security fixes: https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312. This ticket is to track the update to Tor for all SecureDrop instances:

  • 0.3.5.8 (Xenial)
  • 0.3.4.11 (Trusty)

Let's target 0.12.1 instead of 0.12.0, given that:

  1. The claim in the blog post is that these bugs are not exploitable, and the fixes are issued out of an abundance of caution
  2. We have been testing 0.3.4.9 and 0.3.5.7, and so close to 0.12.0, it might
  3. Debs are not yet available at deb.torproject.org
@emkll emkll added this to the 0.12.1 milestone Feb 21, 2019
emkll (Contributor, Author) commented Mar 12, 2019

0.3.5.8 (Xenial) has been uploaded to apt test.

0.3.4.x was the last series supported and built for Trusty, and the Tor project no longer builds and hosts Trusty debs. The last version was 0.3.4.9; since then, there have been 2 releases in the 0.3.4.x series:

Note the end-of-life for the 0.3.4.x series (though after Trusty):

  • 0.3.4.x series will be end-of-life on June 10th 2019
  • 0.3.5.x series will be end of life in February 2022 (or later)

Tor 0.3.5.8 (Xenial) does not work on Trusty; we would need to compile our own deb if we would like to update the Trusty version of tor.

conorsch (Contributor) commented Mar 21, 2019

Tor 0.3.5.8 was released (for Xenial only) as part of SecureDrop 0.12.1. During release procedures, however, we observed that there's still a test-vars update that is required, specifically bumping the version looked for in molecule/fetch-tor-packages/tests/. We didn't catch that because we don't run the tor fetch logic in CI, but we absolutely should. Proposed actions before close-out:

  • Update target tor version sought in molecule/fetch-tor-packages/tests/ - Update test var for tor 0.3.5.8 #4258
  • Ensure make fetch-tor-packages runs in CI, so errors are caught
  • (Optional) Consider pinning a specific tor version as part of the fetch logic, which would reduce variability particularly during the release window (in case a new version ships between when QA starts and when final release happens).

Once those tasks are complete, we should be fine to close this issue.
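As an added example (not SecureDrop's own fetch logic or test code), here is one way a fetch step could pin a specific tor version as proposed above: it parses a Debian-style Packages index, selects the pinned version, fails loudly if the pin is absent, and reports any newer version that has appeared in the meantime. The index text, the function names and the simplified version comparison are constructed for this example.

```python
import re

# Constructed sample of a Debian-style Packages index (not a real
# deb.torproject.org index); one stanza per package version.
SAMPLE_PACKAGES_INDEX = """\
Package: tor
Version: 0.3.5.7-1~xenial+1
Architecture: amd64
Filename: pool/main/t/tor/tor_0.3.5.7-1~xenial+1_amd64.deb

Package: tor
Version: 0.3.5.8-1~xenial+1
Architecture: amd64
Filename: pool/main/t/tor/tor_0.3.5.8-1~xenial+1_amd64.deb

Package: tor-geoipdb
Version: 0.3.5.8-1~xenial+1
Architecture: all
Filename: pool/main/t/tor/tor-geoipdb_0.3.5.8-1~xenial+1_all.deb
"""

def parse_packages_index(text):
    """Split an index into stanzas (blank-line separated) of 'Key: value' fields."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def upstream_key(debian_version):
    """Numeric key from the upstream part before the Debian revision ('-').
    Simplified, not dpkg's full comparison (hypothetical helper)."""
    upstream = debian_version.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream))

def select_pinned(stanzas, name, pinned, arch):
    """Return (stanza for the pinned version, newer versions also present).
    Raises ValueError when the pin is absent so a fetch step fails loudly."""
    candidates = [s for s in stanzas
                  if s.get("Package") == name and s.get("Architecture") == arch]
    wanted = [s for s in candidates if upstream_key(s["Version"]) == upstream_key(pinned)]
    if not wanted:
        raise ValueError(f"{name} {pinned} ({arch}) not found in index")
    newer = sorted(s["Version"] for s in candidates
                   if upstream_key(s["Version"]) > upstream_key(pinned))
    return wanted[0], newer
```

A non-empty `newer` list is the signal that a release landed between QA and final release, which is exactly when a pinned fetch should stop and ask rather than pick up the newest deb.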
