[tor-bugs] #10202 [Tor bundles/installation]: Improve harmonization for incorporation of security updates to TBB releases
#10202: Improve harmonization for incorporation of security updates to TBB releases
--------------------------------------+----------------------------------
Reporter: cypherpunks | Owner: erinn
Type: defect | Status: new
Priority: critical | Milestone:
Component: Tor bundles/installation | Version: Tor: 0.2.4.18-rc
Keywords: | Actual Points:
Parent ID: | Points:
--------------------------------------+----------------------------------
Even though TBB is generally quite fast when it comes to patching FF and
NoScript, to whatever extent possible, it's still important for TBB
3.0beta1 to receive the latest NoScript and Firefox updates at the same
time as stable and release candidate TBBs.

As of today, for example,

* TBB 3.0beta-1 is using Firefox ESR 17.0.10esr since 11/6
* TBB 2.4.18-rc-1 is using Firefox 17.0.11esr since 11/19
* TBB 2.3.25-15 is using Firefox 17.0.11esr since 11/19

Firefox ESR 24.1.1 has been available since 11/15

Yes, it's only been 2 days since the more popular releases were last
patched, but some of the vulnerabilities patched in Firefox ESR 24.1.1 (e.g.
NSS) are of particular concern to TBB users.

Requiring volunteer TBB testers to deliberately use vulnerable versions of
Firefox ESR not only puts them at risk individually, but could also
potentially be used to de-anonymize users of stable TBBs if exploitable
vulnerabilities can be used to fingerprint users, since vulnerable and
patched FF ESRs can be distinguished from one another.

Rolling out security updates to modular pieces of TBB like FF ESR,
NoScript, and tor itself seems appropriate to do immediately and
simultaneously whenever possible.

I recognize it's never that easy in practice, but hopefully this is
something that can be increasingly automated as part of the awesome
automated, reproducible build work that the team has been doing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10202>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online