[Pkg-privacy-maintainers] Bug#1004374: Bug#1004374: obfs4proxy: Traffic is trivially distinguishable (Elligator2 public key representative leak)
Ana Custura
ana at netstat.org.uk
Thu Jan 27 22:42:26 GMT 2022

Hi,

I was in touch with Debian Security last week; they suggested an
update to unstable first. I'm now working on packaging the dependencies
for version 0.0.11 and shipping an update.

Thanks,
Ana

On 26/01/2022 07:00, intrigeri wrote:
> Package: obfs4proxy
> Version: 0.0.8-1+b6
> Severity: important
> Tags: security
>
> Hi,
>
> Please see
> https://lists.torproject.org/pipermail/anti-censorship-team/2022-January/000213.html
>
> tl;dr:
>
>> All existing versions prior to the migration to the new code […] are
>> fatally broken, and trivial to distinguish via some simple math.
>
> Given obfs4proxy's explicit traffic obfuscation goal, this looks like
> an important security issue to me.
>
> (For those who might be wondering: whether/when this bug is fixed in
> Debian does not impact Tails since we've switched to using the
> obfs4proxy binary from the Tor Browser tarball.)
>
> Thanks for maintaining obfs4proxy in Debian,
> cheers!