1
English type: Plain text
[[!meta title="Security audit of automatic upgrades and recent changes"]]
0/740 · 74
2
English type: Plain text
[[!meta date="Fri, 16 May 2025 17:39:24 +0000"]]
49/490 · 49
3
English type: Plain text
[[!pagetemplate template="news.tmpl"]]
39/390 · 39
4
English type: Plain text
[[!tag announce]]
18/180 · 18
5
English type: Plain text
[[!tag security/audit]]
24/240 · 24
6
English type: Plain text
Late 2024, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted another security audit of critical parts of Tails.
0/1370 · 137
7
English type: Plain text
To better protect our users, we addressed the security vulnerabilities as soon as they were discovered and reported to us, without waiting for the audit to be complete and public.
0/1790 · 179
8
English type: Plain text
We can now share with you the [final report](https://gitlab.tails.boum.org/-/project/2/uploads/8e2864e7271d1a34d4419f1cb70ebd18/tails-ros-penetration-test-report-2024.pdf).
0/1720 · 172
9
English type: Plain text
The auditors concluded that:
0/280 · 28
10
English type: Plain text
> The Tails operating system leaves a strong security impression, addressing
> most anonymity-related concerns. We did not find any remote code execution
> vulnerabilities, and all identified issues required a compromised
> low-privileged `amnesia` user – the default user in Tails.
>
> Looking back at the [[previous audit|audit_by_ROS]], we can see the Tails
> developers have made significant progress, demonstrating expertise and a
> serious commitment to security.
0/4760 · 476
11
English type: Title #
Findings
0/100 · 8
12
English type: Plain text
The auditors did not identify any vulnerability in:
0/510 · 51
13
English type: Bullet: '- '
The creation of the Persistent Storage with LUKS2, introduced in [[Tails 5.14|version_5.14]] (June 2023)
0/1040 · 104
14
English type: Plain text
- Our security improvements to [[*Thunderbird*|doc/anonymous_internet/thunderbird]]
0/830 · 83
15
English type: Plain text
- The random seed feature, introduced in [[Tails 6.4|version_6.4]] (June 2024)
0/780 · 78
16
English type: Plain text
The auditors found 4 issues in:
0/310 · 31
17
English type: Plain text
- The automatic upgrade mechanism
0/330 · 33
18
English type: Plain text
- Other important changes since [[Tails 5.8|version_5.8]] (November 2023)
0/730 · 73
19
English type: Plain text
<table>
<tr><th>ID</th><th>Impact</th><th>Description</th><th>Issue</th><th>Status</th><th>Release</th></tr>
<tr><td>OTF-001</td><td>High</td><td>Local privilege escalation in <i>Tails Upgrader</i></td><td>[[!tails_ticket 20701]]</td><td>Fixed</td><td>6.11</td></tr>
<tr><td>OTF-002</td><td>High</td><td>Arbitrary code execution in Python scripts</td><td>[[!tails_ticket 20702]]</td><td>Fixed</td><td>6.11</td></tr>
<tr><td> </td><td></td><td></td><td>[[!tails_ticket 20744]]</td><td>Fixed</td><td>6.12</td></tr>
<tr><td>OTF-003</td><td>Moderate</td><td>Argument injection in privileged GNOME scripts</td><td>[[!tails_ticket 20709]]</td><td>Fixed</td><td>6.11</td></tr>
<tr><td> </td><td></td><td></td><td>[[!tails_ticket 20710]]</td><td>Fixed</td><td>6.11</td></tr>
<tr><td>OTF-004</td><td>Low</td><td>Untrusted search path in Tor Browser launcher</td><td>[[!tails_ticket 20733]]</td><td>Fixed</td><td>6.12</td></tr>
</table>
0/9390 · 939
20
English type: Title #
Postmortem
0/100 · 10