TROVE-2023-006 vulnerability not yet addressed in Whonix-16?

Hi everyone, the TROVE-2023-006 vulnerability, Tor ticket tor#40883, Remote triggerable assert on onion services is available on http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/core/team/-/wikis/NetworkTeam/TROVE

Bug in is Tor version, Fix in is in Tor version

After the latest Whonix-16 update I can still see the Tor version 4.7.13 that is vulnerable to the TROVE-2023-006. Will the Tor version be updated in the Whonix-16? If not, what steps should be completed to update to the Tor version that fixed the TROVE-2023-006 vulnerability (

It’s not according to Debian’s tracker. See TEMP-0000000-556BB5. It is however still vulnerable to TROVE-2023-004.

See Tor integration in Whonix Development Notes also.

It doesn’t make sense for me to stay on Qubes R4.1 / Whonix 16.

Qubes-Whonix Support Schedule

If you want newer Tor versions quicker, see this:

(Whonix is based on Kicksecure.)

If Debian doesn’t fix this then this is unlikely to get fixed.

1 Like

I noticed you run your own mirror for KickSecure for some packages? Why not we compile Tor that is quicker to update instead of relying strictly on Debian packages as we know are always slow to update?

I am not doing that to avoid the extraneous maintenance burden.


Additionally in context of this ticket. For anyone who doesn’t know…

Whonix 16 is “oldstable”, speak outdated. Its support is only dragged along due to Qubes R4.2 still being RC instead of final. Kinda Qubes “LTS” (“long term support”).

I don’t think “LTS” / two major versions at the same time support is a good idea given the already sparsely available resources.

Development focus in on Whonix 17, where all packages are more upgraded and therefore hopefully be more secure.

If you care about new / sophisticated attacks being addressed / hosting onion services, I don’t think it’s a good idea to stay on “oldstable” / “LTS”.

Hence my previous answer: