Requesting Tor packages SRU micro version update exception
cp at axs.org
Fri Jul 17 21:56:45 UTC 2015
I am requesting "SRU micro version update exception" for Tor packages. Tor packages with security fixes appear to be maintained upstream at TorProject.org and Debian. Most of the time I think the Debian packages will resolve the Ubuntu security issues. However because of the timing of the release cycles of Debian and Ubuntu, backporting a TorProject.org package could occasionally be used to resolve the issue.
It appears that Tor never receives any security updates, or at least it hasn't since 2012.
According to the Security Team wiki  the "MOTU Swat team is responsible for helping to coordinate community supported updates in Ubuntu". Six days ago I emailed all members of the MOTU Swat team (one team members email bounced) about the issue and no one replied.
The primary reason the Tor network exists is provide people a way to improve their "privacy and security on the Internet." 
The number of CVE issues for each of the supported Ubuntu releases.
Instructions on installing the TorProject.org packages: https://www.torproject.org/docs/debian.html.en
Debian squeeze-lts is understaffed to maintain all of the security issues, and it has been updated with tor 0.2.4.27-1~deb6u1.
I backported the unmodified Debian packages and uploaded them to my PPA. https://launchpad.net/~cp/+archive/ubuntu/bug-fixes/
More information about the technical-board