
Re: [tor-talk] Reason Firefox version in TBB is so far behind?



On 8/9/2011 4:55 AM, Robert Ransom wrote:
That is why we ship the latest version of Firefox on the 3.6 branch in our stable TBBs. Mozilla is still releasing security updates on the Firefox 3.6 branch. As you can see from https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox 3.6.19 and Firefox 5.0.1 were released on the same day. That is because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no longer safe to use, even though their version numbers are greater than 3.6.19.)

On 2011-08-05, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:

As said, it may be unavoidable (currently) for TBB developers to
integrate new FF versions quickly, but surely I'm not the 1st to wonder
about security issues of using old browser versions.
The testing bundles Andrew mentioned are fine for, well... testing, but
not for general users.  It's a long way & many fixes, from Firefox 3.6
to 5.0 / 5.0.1.

There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
-- notably, Mozilla finally applied our patch to fix Firefox's
hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
no longer require an HTTP proxy such as Polipo between the browser and
Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
is that Firefox 5.0.x contains many new features.  And those features
introduced a crapload of bugs which have security implications for Tor
users -- mainly WebGL security bugs, but there were a few nasty
surprises in the new JavaScript interpreter (see
https://trac.torproject.org/projects/tor/ticket/2819 ,
https://trac.torproject.org/projects/tor/ticket/2873 , and
https://trac.torproject.org/projects/tor/ticket/2874 ).  There were
plenty of other changes to audit as well; look through Tor's bug
tracker if you're interested.


Robert Ransom

Thanks for the detailed explanation & links to the trac tickets. It sounds like what I suspected - new versions create new security issues for Tor, which take time to deal with. Unfortunate, but...

Re: Firefox 5.0 - unsafe: I was under the impression the 5.0.1 update was for Mac (possibly Linux) - yes? I don't get any avail updates, when checking manually from my Windows FF 5.0 installation. I read somewhere *Windows* users don't need the 5.0.1 update (though 5.0.1 is what they get if d/l the entire package vs updating)??

Have another question then about 2 instances of Tor - which I'll ask in another post.