[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #16744 [Tor Browser]: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild



#16744: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the
wild
-----------------------------+----------------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  critical     |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  MFSA2015-78, CVE-2015-4495
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------------------------

Comment (by mikeperry):

 The PDF.js exploit in the wild does not affect TBB 4.5 users. It exploited
 a specific property of Firefox 38. Unfortunately, this does mean our
 5.0a3/5.0a4 alpha users are vulnerable. The "High" Security slider setting
 will block the exploit even for those users.

 We don't recommend disabling pdf.js long-term via pref, since every other
 PDF reader in existence can deanonymize you by loading embedded remote
 resources outside of your Tor proxy settings.

 5.0 and 5.5a1 will be out on Tuesday, August 11th (ie: in about 12 hours
 or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but
 with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1
 (also based on Firefox 38-esr, but with the fix included).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16744#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs