Re: [tor-bugs] #16744 [Tor Browser]: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild
#16744: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the
wild
-----------------------------+----------------------------------------
Reporter:      cypherpunks   | Owner:      tbb-team
Type:          defect        | Status:     new
Priority:      critical      | Milestone:
Component:     Tor Browser   | Version:
Resolution:                  | Keywords:   MFSA2015-78, CVE-2015-4495
Actual Points:               | Parent ID:
Points:                      |
-----------------------------+----------------------------------------
Comment (by mikeperry):
The PDF.js exploit in the wild does not affect TBB 4.5 users. It exploited
a specific property of Firefox 38. Unfortunately, this does mean our
5.0a3/5.0a4 alpha users are vulnerable. The "High" Security slider setting
will block the exploit even for those users.

We don't recommend disabling pdf.js long-term via pref, since every other
PDF reader in existence can deanonymize you by loading embedded remote
resources outside of your Tor proxy settings.

5.0 and 5.5a1 will be out on Tuesday, August 11th (ie: in about 12 hours
or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but
with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1
(also based on Firefox 38-esr, but with the fix included).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16744#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online