Opened 9 months ago

Closed 3 weeks ago

#2179 closed defect (wontfix)

Wrapper version outdated

Reported by: anonymous maybe Owned by:
Priority: minor Milestone: undecided
Component: wrapper Version: 0.9.33
Keywords: Cc:
Parent Tickets:

Description

Wrapper version outdated in all i2p versions or installations. and this is really critical problem because any vulnerability that the wrapper have will cause any user to be vulnerable to that bug, and that causing i2p as well to be vulnerable.

this is user safety issue, and what we need is either to have upgrade mechanism to wrapper with i2p OR removing wrapper entirely and finding alternatives to its dependencies.

wrapper version for now:-

  • I2P Version and Running Environment
 I2P version:	0.9.33-0-1ubuntu1
Java version:	Oracle Corporation 1.8.0_151 (OpenJDK Runtime Environment 1.8.0_151-8u151-b12-1-b12)
Wrapper version:	3.5.30
Server version:	9.2.23.v20171218
Servlet version:	Jasper JSP 2.3 Engine
JSTL version:	standard-taglib 1.2.5
Platform:	Linux amd64 4.9.56-21.pvops.qubes.x86_64
Jcpuid version:	3
Processor:	Haswell Core i3/i5/i7 model 60 (coreihwl)
Jbigi:	Locally optimized native BigInteger library loaded from file
Jbigi version:	4
GMP version:	6.1.2
Encoding:	UTF-8
Charset:	UTF-8

and latest wrapper version for now 3.5.33

Subtickets

Change History (5)

comment:1 follow-up: Changed 9 months ago by zzz

  • Priority changed from critical to minor
  • Status changed from new to open

It's not outdated in "all i2p versions or installations".

Debian/Ubuntu? and other package installs will get the latest version available from their distribution package manager.

New I2P installs as of 0.9.33 include wrapper 3.5.34 which is the latest available from https://wrapper.tanukisoftware.com/doc/english/download.jsp

Users may update manually following the instructions at https://geti2p.net/en/misc/manual-wrapper

Have you identified a wrapper vulnerability that justifies marking this issue "critical" ? Or is this just theoretical?

Updating is difficult because we can't update the wrapper while it's running, especially on Windows where we can't move or overwrite a running executable.

Also, there are a dozen wrapper executables based on OS and architecture.

Don't have any ideas on how to accomplish this. That's why we haven't done it already.

comment:2 in reply to: ↑ 1 Changed 9 months ago by anonymous maybe

Replying to zzz:

It's not outdated in "all i2p versions or installations".

Debian/Ubuntu? and other package installs will get the latest version available from their distribution package manager.

New I2P installs as of 0.9.33 include wrapper 3.5.34 which is the latest available from https://wrapper.tanukisoftware.com/doc/english/download.jsp

Users may update manually following the instructions at https://geti2p.net/en/misc/manual-wrapper

Have you identified a wrapper vulnerability that justifies marking this issue "critical" ? Or is this just theoretical?

Updating is difficult because we can't update the wrapper while it's running, especially on Windows where we can't move or overwrite a running executable.

Also, there are a dozen wrapper executables based on OS and architecture.

Don't have any ideas on how to accomplish this. That's why we haven't done it already.

yeah thats what im saying , its theoretical but very likely to happen. so we can upgrade it with i2p and thats ofcourse better than leaving it outdated.

comment:3 Changed 7 months ago by echelon

  • Status changed from open to infoneeded

comment:4 Changed 3 weeks ago by anonymous maybe

  • Status changed from infoneeded to open

what info do u need?

comment:5 Changed 3 weeks ago by zzz

  • Resolution set to wontfix
  • Status changed from open to closed

We're not going to do anything with this.

Note: See TracTickets for help on using tickets.