2014-09-25 22:29:20 UTC
The version of `tor` shipped in Tails 1.1.2 really is 0.2.4.24, *not*
0.2.4.21 as reported in the logs and by `tor --version`. The reason is
that the package was built with outdated files generated by
`autogen.sh`, but this only affects the reported version, not the code.
For the paranoid, to "sort of" verify my claim you can run (inside Tails):
string /usr/sbin/tor | grep gabelmoo
and you'll get
gabelmoo orport=443 no-v2
v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 22.214.171.124:80 F204
4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281
which shows (notice the new IP address) that the tor binary has code
from at least commit 0eec8e2  from upstream tor, which is the last
I actually noticed all this before building the final 1.1.2 image, fixed
it and built new packages, but somehow the upload to the APT repo failed
and I didn't notice this, or I uploaded the "bad" packages again. In
either case I must have omitted to verify that the "good" packages ended
up in the resulting Tails. Sorry for this, but the release process for
1.1.2 was quite stressful. Oh well...
I've added a known issues entry to the release announcement for Tails
1.1.2 in hope to reduce the support burden for this. Also Cc:ing various
support channels to raise awareness for the same reason.
Again, sorry for this!