
Re: [tor-talk] Firefox vs. Tor Browser Bundle release cycles


> Firefox ESR 17.0.11 indeed turns out (somewhat confusingly) to be
> equivalent to Firefox ESR 24.1.1, and the TBB based on ESR 17.0.11 was
> released only four days after Mozilla's updates, which frankly deserves
> praise. TBB's latest code is only one release behind Mozilla's on security

ESR17 has hit end of life at Mozilla and won't be receiving any more security updates. There was no 17.0.12 released yesterday, for example. In order for TBB to be current for recent security updates, it needs to be off of the ESR24 branch.

That said, outside of the advisories, the bugs for a given release of Firefox are not opened to the public for a minimum of six weeks (one release cycle) following a release, and sometimes a bit more, so as to avoid any self-zero-day events.

> So I was wrong about precisely how far TBB is behind the latest ESR
> release on security patches, but like I said before, at some point the
> latest TBB is either shipping known-vulnerable Firefox code or it's not.
> From the visual at the bottom of
> http://en.wikipedia.org/wiki/Firefox_release_history, it looks like
> Firefox ESR 17.0.11 included security patches from Firefox ESR 24.1.1, so
> my understanding is that TBB is at least potentially vulnerable to the
> known, patched vulnerabilities in the list above.

No, ESR 17.0.11 included some ESR 24.1.1 patches. There is not a 1:1 mapping. The codebase is different and the same fixes are not always applied to the older codebase, either because the defect is absent there or sometimes because overall code changes make it difficult or dangerous to apply the patches.

Al Billings

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx