7

Is there a compiled list of all discovered and fixed Tor vulnerabilities from the time of its creation until now?

I am looking for something like this list for OpenSSL:

https://www.openssl.org/news/vulnerabilities.html

By vulnerabilities I mean, for example, exploitable buffer overflows or vulnerabilities because of design decisions that are not stated as accepted trade-offs in Tor designs and were discovered and fixed (or not) at a later date.

Can I obtain such a list by querying the bug tracker?

Roya
dandroid

1 Answer

4

Tor's ChangeLog provides all fixed security issues including details about the nature of the vulnerability. There isn't a single compiled list that has just the security issues, unfortunately. For the past few years we have started using CVE numbers for security issues, but since we cannot assign them ourselves this is also tricky. The bug tracker is a good resource to learn more about a bug with a given bug number, but there isn't a security tag either.

For Tor, it's a bit more tricky to ascertain what a security issue is - it could be one of the categories that you mentioned, but also implementation bugs where the specification isn't implemented properly or instances where the specification was changed later could reasonably be taken into account.

Sebastian
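Since the answer points to the ChangeLog and to CVE numbers rather than a security tag, the following added example (not part of the answer and not Tor Project code) shows one way to pull a security-only list out of ChangeLog text. It assumes the layout of "Changes in version ..." release headers, "o" section headers and "-" items; the sample text, versions, bug numbers and CVE identifiers are constructed placeholders.

```python
import re

# Constructed sample in the assumed ChangeLog layout (not real release notes).
SAMPLE = """\
Changes in version 0.0.1-example - 2000-01-01
  o Major bugfixes (security):
    - Fix a constructed buffer overflow in cell parsing. Fixes
      bug 1111; this is CVE-0000-0001.

  o Minor features:
    - Add a constructed logging option.

Changes in version 0.0.2-example - 2000-02-01
  o Minor bugfixes:
    - Avoid a constructed crash on startup. Fixes bug 2222.
    - Fix a constructed out-of-bounds read, tracked as
      CVE-0000-0002. Fixes bug 3333.
"""

VERSION = re.compile(r"^Changes in version (\S+)")
SECTION = re.compile(r"^  o (.+?):?\s*$")
ITEM = re.compile(r"^    - (.*)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")
BUG = re.compile(r"\bbug (\d+)")

def security_entries(text):
    """Return items that sit in a '(security)' section or cite a CVE."""
    items, version, section, cur = [], None, None, None
    for line in text.splitlines():
        if m := VERSION.match(line):
            version, section, cur = m.group(1), None, None
        elif m := SECTION.match(line):
            section, cur = m.group(1), None
        elif m := ITEM.match(line):
            cur = {"version": version, "section": section, "text": m.group(1)}
            items.append(cur)
        elif cur is not None and line.startswith("      "):
            cur["text"] += " " + line.strip()  # wrapped continuation line
        else:
            cur = None  # blank or unrelated line ends the current item
    for it in items:
        it["cves"] = CVE.findall(it["text"])
        it["bugs"] = BUG.findall(it["text"])
    return [it for it in items
            if it["cves"] or "security" in (it["section"] or "").lower()]

if __name__ == "__main__":
    for e in security_entries(SAMPLE):
        print(e["version"], e["section"], e["cves"], e["bugs"])
```

The filter only catches entries that are labelled or carry a CVE, so issues of the kind the answer describes (specification mismatches, later design changes) still need manual review of the surrounding entries.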