TROVE: Tor Registry Of Vulnerabilities and Exposures
This page is an experimental registry of Tor software security problems, as we find them. We assign each one a number based on the year, the month, and an index.
For more information on the security policy we're using here, see the network team Security Policy page.
For high-severity issues not already publicly disclosed or being exploited, we will fix them in all affected releases, all at once, as soon as we can. We will notify the world that such a bug exists in advance of the patch, and we will release the patch once we believe it works.
TROVE ID | Ticket | Severity | Bug In | Fix In | Synopsis | CVE Id | extra |
---|---|---|---|---|---|---|---|
TROVE-2016-10-001 | #20384 (moved), #20894 (moved) | Medium | 0.2.0.16-alpha | 0.2.4.28, 0.2.5.13, 0.2.6.11, 0.2.7.7, 0.2.8.9, 0.2.9.4-alpha | buf_t buffer read beyond end | CVE-2016-8860 | (Debian: tracker DSA-3694 DLA-663-1) |
TROVE-2016-12-002 | #21018 (moved) | Medium | 0.2.0.8-alpha | 0.2.4.28, 0.2.5.13, 0.2.6.11, 0.2.7.7, 0.2.8.12, 0.2.9.8, 0.3.0.1-alpha | parse HS descs one byte past end | CVE-2016-1254 | (Debian: tracker DSA-3741 DLA-754-1) |
TROVE-2017-001 | #21278 (moved) | Medium | 0.0.8pre1 | 0.2.4.28, 0.2.5.13, 0.2.6.11, 0.2.7.7, 0.2.8.13, 0.2.9.10, 0.3.0.4-rc | Signed integer overflow when comparing versions | ||
TROVE-2017-002 | #22253 (moved), #22246 (moved) | Medium | 0.3.0.1-alpha | 0.3.0.7, 0.3.1.1-alpha | Remotely triggerable assertion failure in relays | ||
TROVE-2017-003 | #22268 (moved) | Low | 0.2.8.1-alpha | 0.2.8.14, 0.2.9.11, 0.3.0.8, 0.3.1.3-alpha | Impersonation of |
initial post | |
TROVE-2017-004 | #22493 (moved) | High | 0.3.0.1-alpha | 0.3.0.8, 0.3.1.3-alpha | Remote assertion failure against hidden services | CVE-2017-0375 | (Debian: tracker) |
TROVE-2017-005 | #22494 (moved) | High | 0.2.2.1-alpha | 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11, 0.3.0.8, 0.3.1.3-alpha | Remote assertion failure against hidden services | CVE-2017-0376 | (Debian: tracker, #864424 DSA-3877 DLA-982-1) |
TROVE-2017-006 | #22753 (moved) | Medium | 0.3.0.1-alpha | 0.3.0.9, 0.3.1.4-alpha | Path selection issue | CVE-2017-0377 | (Debian: tracker) |
TROVE-2017-007 | #22789 (moved) | Medium | 0.2.3.8-alpha | 0.3.0.10, 0.3.1.5-alpha, 0.2.5.15, 0.2.8.15, 0.2.9.12 | Remote assertion failure on OpenBSD | ||
TROVE-2017-008 | #23490 (moved) | Medium | 0.2.7.2-alpha | 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7 | Stack disclosure in hidden services logs when SafeLogging disabled | CVE-2017-0380 | (Debian: tracker, #876221) |
TROVE-2017-009 | #24244 (moved) | Medium | 0.2.4 and later | 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha | Replay-cache ineffective for v2 onion services. | CVE-2017-8819 | (Debian: tracker, DSA-4054) |
TROVE-2017-010 | #24245 (moved) | Medium | 0.2.9 and later | 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha | Remote DoS attack against directory authorities | CVE-2017-8820 | (Debian: tracker, DSA-4054) |
TROVE-2017-011 | #24246 (moved) | High | all Tor versions | 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha | An attacker can make Tor ask for a password | CVE-2017-8821 | (Debian: tracker, DSA-4054) |
TROVE-2017-012 | #24333 (moved) | Medium | 0.2.5 and later | 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha | Relays can pick themselves in a circuit path | CVE-2017-8822 | (Debian: tracker, DSA-4054) |
TROVE-2017-013 | #24430 (moved) | High | 0.2.7 and later | 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha | Use-after-free in onion service v2 | CVE-2017-8823 | (Debian: tracker, DSA-4054) |
TROVE-2018-001 | #25074 (moved) | Medium | 0.2.9.4-alpha | 0.2.9.15, 0.3.1.10, 0.3.2.10, 0.3.3.3-alpha | Remote assertion failure in directory authority protocol handling | CVE-2018-0490 | |
TROVE-2018-002 | #25117 (moved) | Medium | 0.3.2.1-alpha | 0.3.2.10, 0.3.3.2-alpha | Use-after-free in KIST scheduler | CVE-2018-0491 | |
TROVE-2018-003 | #25250 (moved) | Low | 0.3.3.1-alpha | 0.3.3.3-alpha | Infinite loop in Rust protover code | n/a | n/a |
TROVE-2018-004 | #25251 (moved) | Low | 0.2.9.4-alpha | 0.2.9.15, 0.3.1.10, 0.3.2.10, 0.3.3.3-alpha | Crash on bad protocol information in consensus | n/a | n/a |
TROVE-2018-005 | #25517 (moved) | Medium/Low | 0.2.9.4-alpha | 0.3.3.6, 0.3.4.2-alpha | Memory exhaustion against directory authorities | n/a | n/a |
TROVE-2018-006 | #28630 (moved) | n/a | n/a | n/a | false alarm | ||
TROVE-2019-001 | #29168 (moved) | Medium | 0.3.2.1-alpha | 0.3.3.12, 0.3.4.11, 0.3.5.8, 0.4.0.2-alpha | Remote memory exhaustion attack due to KIST ignoring outbuf highwater marks | CVE-2019-8955 | |
TROVE-2020-001 | #33119 (moved) | Medium | |||||
TROVE-2020-002 | #33120 (moved) | High | 0.2.1.5-alpha | 0.3.5.10, 0.4.1.9, 0.4.2.7, 0.4.3.3-alpha | Remote CPU-based denial of service | CVE-2020-10592 | |
TROVE-2020-003 | #33137 (moved) | Low | 0.3.3.1-alpha | 0.3.5.10, 0.4.1.9, 0.4.2.7, 0.4.3.3-alpha | Local crash, requires authenticated access to control port | n/a | |
TROVE-2020-004 | #33619 (moved) | Medium | 0.4.0.1-alpha | 0.4.1.9, 0.4.2.7, 0.4.3.3-alpha | Remotely triggered memory leak | CVE-2020-10593 | |
Remember: please get CVE-Ids for everything of severity Medium or higher. To get a CVE-Id, visit https://cveform.mitre.org/ .