Re: [tor-bugs] #13684 [Tor Browser]: Backport of Mozilla #1066190
#13684: Backport of Mozilla #1066190
---------------------------------+------------------------------
     Reporter:  arthuredelstein  |          Owner:  tbb-team
         Type:  defect           |         Status:  needs_review
     Priority:  normal           |      Milestone:
    Component:  Tor Browser      |        Version:
   Resolution:                   |       Keywords:  MikePerry201411R
Actual Points:                   |      Parent ID:
       Points:                   |
---------------------------------+------------------------------
Comment (by arthuredelstein):
Replying to [comment:3 mikeperry]:
> What's Mozilla's plan for this fix? I haven't seen any mention of a new
> chemspill release, and I can't access that bug in their bugtracker.
>
> I assume this is pinning-related and not going to be backported to 31ESR
> for that reason, but has this patch already been merged to mozilla-central
> and tagged in an official release? Taking a rush security fix before it's
> ready might be asking for trouble, especially if it is some subtle
> interaction between cert validation and pinning.
Yes, it's pinning-related and in mozilla-central. I also can't see the
Bugzilla bug, but here are two references:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1584
https://www.mozilla.org/security/advisories/mfsa2014-80/
Mozilla describes it as a "moderate" security issue.
The original commit on mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/d02e70f0bf3d
https://github.com/mozilla/gecko-dev/commit/db0e8cfdbd7507e3883dc19c19cf218e268a9dd4
That version was also included in the FF33 release:
https://hg.mozilla.org/releases/mozilla-release/rev/1e3320340bd2
https://github.com/mozilla/gecko-dev/commit/344af881b5cc4ff31ea19fbd5b5833b29464f2f1
{{{
> git branch -a --contains 344af881b5cc4ff31ea19fbd5b5833b29464f2f1
remotes/m-c/GECKO330_2014100710_RELBRANCH
remotes/m-c/GECKO330_2014101104_RELBRANCH
remotes/m-c/GECKO331_2014102917_RELBRANCH
remotes/m-c/GECKO331_2014103013_RELBRANCH
remotes/m-c/GECKO331_2014110614_RELBRANCH
remotes/m-c/MOBILE330_2014100810_RELBRANCH
remotes/m-c/MOBILE330_2014101104_RELBRANCH
remotes/m-c/MOBILE331_2014110511_RELBRANCH
remotes/m-c/MOBILE331_2014110613_RELBRANCH
remotes/m-c/b2g34_v2_1
remotes/m-c/beta
remotes/m-c/release
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13684#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs