FF 17 vulnerability

[wolfieh]

There was a recent Tor attack that used a Firefox 17 0day (current stable in gentoo). Someone should do a version bump on it.

http://www.twitlonger.com/show/n_1rlo0uu

[eccerr0r]

Ouch, probably should put a high priority bugs.gentoo.org security bug. Not good.

The only saving grace (which is NOT security) is that it appears to be targeting Windows... But don't breathe easy because of it, it's easy enough to change it to Linux.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[broken_chaos]

According to the bug reports filed over at Mozilla, this is already fixed in 17.0.7esr. The Tor Browser Bundle people just didn't update their released version (edit: or, if they did, they broke the fix, or many of their users failed to update). Long story short, when a security update is released, people who rebundle and make use of the code/program in some capacity should probably apply the update ASAP themselves.

https://bugzilla.mozilla.org/show_bug.cgi?id=901365#c23 (the Tor-specific bug report) and http://www.mozilla.org/security/announce/2013/mfsa2013-53.html (the probable security advisory which related to the exploit).

(This also means that anyone who keeps Gentoo up to date is immune. 17.0.7 is in stable and has been for some time.)

[eccerr0r]

Ah so this is not a true 0 day as it appears the discoverer mentioned it didn't work on latest or something like that... Untested against 17.0.7 which is fine, so I guess things are hunky dory. It is weird that 17.0.7 has been released for quite a while and they didn't grab it. Oh well.

17.0.7 is timestamped at the end of June in portage so most people should have it by now.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[broken_chaos]