[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Firefox vs. Tor Browser Bundle release cycles



Thanks for catching my mistake. Firefox ESR 17.0.11 still leaves TBB users
vulnerable to (from
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html):

Fixed in Firefox ESR 24.2

MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside
observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV
certificate validation
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

Firefox ESR 17.0.11 indeed turns out (somewhat confusingly) to be
equivalent to Firefox ESR 24.1.1, and the TBB based on ESR 17.0.11 was
released only four days after Mozilla's updates, which frankly deserves
praise. TBB's latest code is only one release behind Mozilla's on security
patches.

So I was wrong about precisely how far TBB is behind the latest ESR
release on security patches, but like I said before, at some point the
latest TBB is either shipping known-vulnerable Firefox code or it's not.
From the visual at the bottom of
http://en.wikipedia.org/wiki/Firefox_release_history, it looks like
Firefox ESR 17.0.11 included security patches from Firefox ESR 24.1.1, so
my understanding is that TBB is at least potentially vulnerable to the
known, patched vulnerabilities in the list above.

Whether it's four days or a few weeks at any given time, TBB users are
still perpetually using vulnerable code that Mozilla has already patched
most of the time. And like I said before, it's likely that most TBB users
are probably using even older and more vulnerable Firefox code.

What do you think users can do to help close that gap?

> BM-2D9WhbG2VeKsLCsGBTPLGwDLQyPizSqS85@xxxxxxxxxxxxx:
>> The version of Firefox incorporated into the Tor Browser Bundle (TBB)
>> available via torproject.org is currently multiple releases behind both
>> Firefox ESR and Firefox. The latest-available Tor Browser Bundles
>> generally include versions of Firefox ESR that do not include patches
>> for
>> publicly known security vulnerabilities.
>
> That is wrong. ESR 17.0.11 is/was a security update and we are shipping
> it in the current TBB. Have a look at the ESR cycle to see that we are
> not behind Firefox ESR
> (https://www.mozilla.org/en-US/firefox/organizations/faq/ "What does the
> Mozilla Firefox ESR life cycle look like?"). The new bundles with
> Firefox 24 ESR will come out within the next days.
>
> Georg
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>



-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk