[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #10202 [Tor bundles/installation]: Improve harmonization for incorporation of security updates to TBB releases



#10202: Improve harmonization for incorporation of security updates to TBB releases
--------------------------------------+----------------------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  critical                  |      Milestone:
Component:  Tor bundles/installation  |        Version:  Tor: 0.2.4.18-rc
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+----------------------------------
 Even though TBB is generally quite fast when it comes to patching FF and
 NoScript, to whatever extent possible, it's still important for TBB
 3.0beta1 to receive the latest NoScript and Firefox updates at the same
 time as stable and release candidate TBBs.

 As of today, for example,
 *TBB 3.0beta-1 is using Firefox ESR 17.0.10esr since 11/6
 *TBB 2.4.18-rc-1 is using Firefox 17.0.11esr since 11/19
 *TBB 2.3.25-15 is using using Firefox 17.0.11esr since 11/19

 Firefox ESR 24.1.1 has been available since 11/15

 Yes, it's only been 2 days since the more popular releases were last
 patched, but some of vulnerabilities patched in Firefox ESR 24.1.1 (e.g.
 NSS) are of particular concern to TBB users.

 Requiring volunteer TBB testers to deliberately use vulnerable versions of
 Firefox ESR not only puts them at risk individually, but could also
 potentially be used to de-anonymize users of stable TBBs if exploitable
 vulnerabilities can be used to fingerprint users, since vulnerable and
 patched FF ESRs can be distinguished from one another.

 Rolling out security updates to modular pieces of TBB like FF ESR,
 NoScript, and tor itself seems appropriate to do immediately and
 simultaneously whenever possible.

 I recognize it's never that easy in practice, but hopefully this is
 something that can be increasingly automated as part of the awesome
 automated, reproducible build work that the team has been doing.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10202>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs