From: David Uhden Collado <daviduhden@gmail.com>
Subject: Status of the net/onionshare port and security vulnerabilities
To: ports@openbsd.org
Cc: george@nycbug.org
Date: Wed, 21 Jan 2026 00:26:00 +0000

Hello all,

I would like to use this email to draw the attention of the OpenBSD 
ports tree maintainers to an issue related to the net/onionshare port. 
At present, this port has not been updated for approximately six years. 
About a year ago, I contacted the maintainer, who indicated that they 
were working on an update; however, there have been no visible updates 
since then, and the outdated version continues to be distributed by the 
project.

This is particularly concerning given the nature of the software. 
OnionShare is a security-sensitive tool, as it is used to share files 
and exchange messages anonymously over the Tor network. Distributing an 
outdated version with known vulnerabilities may have a direct impact on 
users’ security and privacy.

Between OnionShare versions 2.0.0 and 2.6.3, the most significant 
security fixes were introduced mainly in versions 2.4 and 2.5, 
addressing vulnerabilities in core features such as file sharing, file 
receiving, and anonymous chat.

In OnionShare 2.4, issues related to authorization and information 
disclosure were fixed. Earlier versions allowed, under certain 
conditions, file uploads without proper authentication and disclosure of 
information about participants in non-public chat rooms, thereby 
undermining privacy and access control.

Version 2.5 was especially important from a security perspective. It 
fixed multiple vulnerabilities involving insufficient access controls, 
denial-of-service (DoS) attacks, and improper handling of user input. 
These included issues that could block the file-receiving service, flaws 
in path sanitization in the graphical interface, and errors that allowed 
chat users to impersonate others by manipulating usernames.

Finally, versions 2.6.x, including 2.6.3, have no publicly known 
vulnerabilities specific to the OnionShare core and mainly focus on 
stability, compatibility, and maintenance improvements. For this reason, 
updating the port to at least version 2.5, and preferably 2.6.3, is 
essential to avoid exposure to known vulnerabilities.

Best regards,
David.