Hello all,

I would like to use this email to draw the attention of the OpenBSD
ports tree maintainers to an issue related to the net/onionshare port.
At present, this port has not been updated for approximately six years.
About a year ago, I contacted the maintainer, who indicated that they
were working on an update; however, there have been no visible updates
since then, and the outdated version continues to be distributed by the
project.

This is particularly concerning given the nature of the software.
OnionShare is a security-sensitive tool, as it is used to share files
and exchange messages anonymously over the Tor network. Distributing an
outdated version with known vulnerabilities may have a direct impact on
users’ security and privacy.

Between OnionShare versions 2.0.0 and 2.6.3, the most significant
security fixes were introduced mainly in versions 2.4 and 2.5,
addressing vulnerabilities in core features such as file sharing, file
receiving, and anonymous chat.

In OnionShare 2.4, issues related to authorization and information
disclosure were fixed. Earlier versions allowed, under certain
conditions, file uploads without proper authentication and disclosure of
information about participants in non-public chat rooms, thereby
undermining privacy and access control.

Version 2.5 was especially important from a security perspective. It
fixed multiple vulnerabilities involving insufficient access controls,
denial-of-service (DoS) attacks, and improper handling of user input.
These included issues that could block the file-receiving service, flaws
in path sanitization in the graphical interface, and errors that allowed
chat users to impersonate others by manipulating usernames.

Finally, versions 2.6.x, including 2.6.3, have no publicly known
vulnerabilities specific to the OnionShare core and mainly focus on
stability, compatibility, and maintenance improvements. For this reason,
updating the port to at least version 2.5, and preferably 2.6.3, is
essential to avoid exposure to known vulnerabilities.

Best regards,
David.

Status of the net/onionshare port and security vulnera... David Uhden Collado