= TROVE: Tor Registry Of Vulnerabilities and Exposures =

This page is an experimental registry of Tor software security problems, as we find them.  We assign each one a number based on the year, ~~the month,~~ and an index.

For more information on the security policy we're using here, see [https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy the network team Security Policy page].

||= TROVE ID =||= Ticket =||= Severity =||= Bug In =||= Fix In =||= Synopsis =||= [https://cve.mitre.org/ CVE Id] =||= extra =||
|| TROVE-2016-10-001 || #20384 , #20894 || Medium || 0.2.0.16-alpha  || 0.2.4,28, 0.2.5.13, 0.2.6.11 0.2.7.7, 0.2.8.9, 0.2.9.4-alpha  || buf_t buffer read beyond end || CVE-2016-8860 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2016-8860 tracker] [https://www.debian.org/security/2016/dsa-3694 DSA-3694] [https://lists.debian.org/debian-lts-announce/2016/10/msg00019.html DLA-663-1])
|| TROVE-2016-12-002 || #21018 || Medium || 0.2.0.8-alpha || 0.2.4.28, 0.2.5.13, 0.2.6.11, 0.2.7.7, 0.2.8.12, 0.2.9.8 0.3.0.1-alpha || parse HS descs one byte past end || CVE-2016-1254 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2016-1254 tracker] [https://www.debian.org/security/2016/dsa-3741 DSA-3741] [https://lists.debian.org/debian-lts-announce/2016/12/msg00030.html DLA-754-1]) ||
|| TROVE-2017-001 || #21278 || Medium || 0.0.8pre1 || 0.2.4.28, 0.2.5.13, 0.2.6.11, 0.2.7.7, 0.2.8.13, 0.2.9.10, 0.3.0.4-rc,  || Signed integer overflow when comparing versions || || ||
|| TROVE-2017-002 || #22253, #22246 || Medium || 0.3.0.1-alpha || 0.3.0.7, 0.3.1.1-alpha || Remotely triggerable assertion failure in relays || || ||
|| TROVE-2017-003 || #22268 || Low || 0.2.8.1-alpha || 0.2.8.14, 0.2.9.11, 0.3.0.8, 0.3.1.3-alpha || Impersonation of ~~a single~~ a few fallback directory mirrors || || [https://lists.torproject.org/pipermail/tor-relays/2017-May/012281.html initial post] ||
|| TROVE-2017-004 || #22493 || High || 0.3.0.1-alpha ||0.3.0.8, 0.3.1.3-alpha || Remote assertion failure against hidden services || CVE-2017-0375 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-0375 tracker]) ||
|| TROVE-2017-005 || #22494 || High ||  0.2.2.1-alpha || 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11 0.3.0.8, 0.3.1.3-alpha || Remote assertion failure against hidden services || CVE-2017-0376 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-0376 tracker], [https://bugs.debian.org/864424 #864424] [https://www.debian.org/security/2017/dsa-3877 DSA-3877] [https://lists.debian.org/debian-lts-announce/2017/06/msg00011.html DLA-982-1])) ||
|| TROVE-2017-006 || #22753 || Medium || 0.3.0.1-alpha || 0.3.0.9, 0.3.1.4-alpha || Path selection issue || CVE-2017-0377 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-0377 tracker] ) ||
|| TROVE-2017-007 || #22789 || Medium || 0.2.3.8-alpha || 0.3.0.10, 0.3.1.5-alpha, ''0.2.5.15'', 0.2.8.15, 0.2.9.12 || Remote assertion failure on openbsd || || ||
|| TROVE-2017-008 || #23490 || Medium || 0.2.7.2-alpha || 0.2.8.15, 0.2.9.12, 0.3.0.11, 0.3.1.7 || Stack disclosure in hidden services logs when SafeLogging disabled || CVE-2017-0380 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-0380 tracker], [https://bugs.debian.org/876221 #876221])  ||
|| TROVE-2017-009 || #24244 || Medium || 0.2.4 and later || 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha || Replay-cache ineffective for v2 onion services. || CVE-2017-8819 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-8819 tracker], [https://www.debian.org/security/2017/dsa-4054 DSA-4054] )
|| TROVE-2017-010 || #24245 || Medium || 0.2.9 and later || 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha || Remote DoS attack against directory authorities || CVE-2017-8820 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-8820 tracker], [https://www.debian.org/security/2017/dsa-4054 DSA-4054] )
|| TROVE-2017-011 || #24246 || High || all Tor versions || 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha || An attacker can make Tor ask for a password || CVE-2017-8821 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-8821 tracker], [https://www.debian.org/security/2017/dsa-4054 DSA-4054] )
|| TROVE-2017-012 || #24333 || Medium || 0.2.5 and later || 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha || Relays can pick themselves in a circuit path || CVE-2017-8822 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-8822 tracker], [https://www.debian.org/security/2017/dsa-4054 DSA-4054] )
|| TROVE-2017-013 || #24430 || High || 0.2.7 and later || 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, 0.3.2.6-alpha || Use-after-free in onion service v2 || CVE-2017-8823 || (Debian: [https://security-tracker.debian.org/tracker/CVE-2017-8823 tracker], [https://www.debian.org/security/2017/dsa-4054 DSA-4054] )
|| TROVE-2018-001 || #25074 || Medium || 0.2.9.4-alpha  || 0.2.9.15, 0.3.1.10, 0.3.2.10, 0.3.3.3-alpha || Remote assertion failure in directory authority protocol handling || CVE-2018-0490 ||    ||
|| TROVE-2018-002 || #25117 || Medium || 0.3.2.1-alpha || 0.3.2.10, 0.3.3.2-alpha || Use-after-free in KIST scheduler || CVE-2018-0491 ||    ||
|| TROVE-2018-003 || #25250 || Low || 0.3.3.1-alpha || 0.3.3.3-alpha || Infinite loop in rust protover code || n/a || n/a
|| TROVE-2018-004 || #25251 || Low || 0.2.9.4-alpha || 0.2.9.15, 0.3.1.10, 0.3.2.10, 0.3.3.3-alpha  || Crash on bad protocol information in consensus || n/a || n/a
|| TROVE-2018-005 || #25517 || Medium/Low || 0.2.9.4-alpha || 0.3.3.6, 0.3.4.2-alpha || Memory exhaustion against directory authorities || n/a || n/a
|| TROVE-2018-006 || #28630 || n/a || n/a || n/a || false alarm  || || ||
|| TROVE-2019-001 || #29168 || Medium || 0.3.2.1-alpha || 0.3.3.12, 0.3.4.11, 0.3.5.8, 0.4.0.2-alpha || Remote memory exhaustion attack due to KIST ignoring outbuf highwater marks || CVE-2019-8955 || ||
 
Remember: please get CVE-Ids for everything of severity Medium or higher.  To get a CVE-Id, visit https://cveform.mitre.org/ .