On 8/9/2011 4:55 AM, Robert Ransom wrote:
That is why we ship the latest version of Firefox on the 3.6 branch in our stable TBBs. Mozilla is still releasing security updates on the Firefox 3.6 branch. As you can see from https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox 3.6.19 and Firefox 5.0.1 were released on the same day. That is because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no longer safe to use, even though their version numbers are greater than 3.6.19.)
On 2011-08-05, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:

Thanks for the detailed explanation & links to the trac tickets. It sounds like what I suspected - new versions create new security issues for Tor, which take time to deal with. Unfortunate, but...

Re: Firefox 5.0 - unsafe: I was under the impression the 5.0.1 update was for Mac (possibly Linux) - yes? I don't get any available updates when checking manually from my Windows FF 5.0 installation. I read somewhere *Windows* users don't need the 5.0.1 update (though 5.0.1 is what they get if they d/l the entire package vs. updating)?

As said, it may be unavoidable (currently) for TBB developers to integrate new FF versions quickly, but surely I'm not the first to wonder about security issues of using old browser versions. The testing bundles Andrew mentioned are fine for, well... testing, but not for general users. It's a long way & many fixes from Firefox 3.6 to 5.0 / 5.0.1.

There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19 -- notably, Mozilla finally applied our patch to fix Firefox's hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1 no longer require an HTTP proxy such as Polipo between the browser and Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x is that Firefox 5.0.x contains many new features. And those features introduced a crapload of bugs which have security implications for Tor users -- mainly WebGL security bugs, but there were a few nasty surprises in the new JavaScript interpreter (see https://trac.torproject.org/projects/tor/ticket/2819 , https://trac.torproject.org/projects/tor/ticket/2873 , and https://trac.torproject.org/projects/tor/ticket/2874 ). There were plenty of other changes to audit as well; look through Tor's bug tracker if you're interested.

Robert Ransom
Have another question then about 2 instances of Tor - which I'll ask in another post.
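The point Robert makes above (that 4.0.1 and 5.0 are unsafe even though their version numbers exceed 3.6.19) is a general one: patch status is per branch, not a single ordering of version strings. The following is an added example, not code from the thread or from the Tor Project, showing a per-branch fix-level check beside the naive "newer than the oldest fixed release" comparison that gets it wrong. The two fix levels (3.6.19 and 5.0.1) are the releases named in the thread; the branch convention (first two version components) and the helper names are assumptions for illustration.

```python
# Added example: is a Firefox build at or above its branch's security-fix
# release? Fix levels are the two releases named in the thread; the
# two-component branch convention and all function names are assumptions.
from typing import Dict, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """'5.0.1' -> (5, 0, 1). Tolerates a trailing tag such as '3.6.19esr'
    by keeping only the leading digits of each component."""
    parts = []
    for piece in s.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts)

def branch_of(v: Version) -> Version:
    # Assumption: a release branch is identified by its first two components.
    return v[:2]

# Branch -> first release on that branch that carries the fix.
# Only branches Mozilla still maintained received it; 4.0.x is absent.
FIX_LEVELS: Dict[Version, Version] = {
    (3, 6): parse_version("3.6.19"),
    (5, 0): parse_version("5.0.1"),
}

def is_patched(version: str, fix_levels: Dict[Version, Version] = FIX_LEVELS) -> bool:
    """True only if the build sits on a branch that received the fix and is
    at or above that branch's fixed release. A higher number on a dead
    branch (4.0.1) or below the fix on a live one (5.0) returns False."""
    v = parse_version(version)
    fixed = fix_levels.get(branch_of(v))
    if fixed is None:
        return False  # branch never got the fix -> treat as unsafe
    # Tuple comparison is lexicographic, so (5, 0) < (5, 0, 1) as intended.
    return v >= fixed

def naive_is_patched(version: str, oldest_fixed: str = "3.6.19") -> bool:
    """The mistaken check: 'newer than the oldest fixed release'. Passes
    5.0 and 4.0.1, both of which still carry the bug."""
    return parse_version(version) >= parse_version(oldest_fixed)
```

The same shape applies to any product with parallel maintenance branches: keep a fixed-in version per branch, look the branch up first, and only then compare within it.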
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk