Bug is in Tor version 0.4.8.1-alpha; fix is in Tor version 0.4.8.9.
After the latest Whonix-16 update I can still see Tor version 4.7.13, which is vulnerable to TROVE-2023-006. Will the Tor version be updated in Whonix-16? If not, what steps should be completed to update to the Tor version that fixed the TROVE-2023-006 vulnerability (0.4.8.9)?
I noticed you run your own mirror for KickSecure for some packages. Why don't we compile Tor ourselves, which is quicker to update, instead of relying strictly on Debian packages, which as we know are always slow to update?
I am not doing that to avoid the extraneous maintenance burden.
related:
Additionally, in the context of this ticket, for anyone who doesn’t know…
Whonix 16 is “oldstable”, i.e. outdated. Its support is only dragged along because Qubes R4.2 is still an RC instead of final. Kind of a Qubes “LTS” (“long term support”).
I don’t think “LTS” / supporting two major versions at the same time is a good idea given the already sparsely available resources.
Development focus is on Whonix 17, where all packages are more up to date and therefore hopefully more secure.
If you care about new / sophisticated attacks being addressed / hosting onion services, I don’t think it’s a good idea to stay on “oldstable” / “LTS”.