Does tor-browser get security fixes on OpenBSD stable?

[Prevet]

I see they have a security advisory for Firefox which affects tor-browser:
https://www.mozilla.org/en-US/securi...s/mfsa2020-49/

Should we stop using OpenBSD tor-browser until it is updated?

Also should we only use tor-browser if we are running OpenBSD current? I know Chrome and Firefox browser get security updates on OpenBSD stable, but I am not sure if tor-browser does.

[jggimi]

The OpenBSD Project's CVS repositories have a web server which can answer these questions, at http://cvsweb.openbsd.org/. (You don't need to bookmark it, as a link is available from the Sidebar on the Project's main web page.) This server differs from the OpenBSD Github mirrors, as it tracks CVS tagging history.

Examine the CVS tagging history for ports/www/tor-browser/Makefile.inc here. All -stable tags are of the form OPENBSD_x_y, and all -release tags are of the form OPENBSD_x_y_BASE.

The -stable ports tree is identical to the -release ports tree when there are no -stable patches, so you will see both types of tags for every -release patch. As an example, revision 1.29 on August 26, 2020 was the -release patch, and is tagged both for OPENBSD_6_8 (-stable) and OPENBSD_6_8_BASE (-release).

Look for patches with -stable tags only. These are -stable patches. I can see one for OpenBSD 6.5-stable committed on June 27, 2019, and one for OpenBSD 6.3-stable committed on May 5, 2018.

The most recent patch I can see was committed today, to -current (tagged HEAD, which means no tag at all), to update to tor-browser 10.0.4. If this patch gets applied to the -stable branch, you will see a new patch committed with a tag of OPENBSD_6_8.

---

Normally, I just look at a port Makefile for patching history. But tor-browser is a complex port that includes a detailed Makefile.inc secondary Makefile.

[Prevet]

Thanks jggimi.