wolfieh n00b
Joined: 17 Nov 2009 Posts: 54
Posted: Sun Aug 04, 2013 11:48 pm Post subject: FF 17 vulnerability
There was a recent Tor attack that used a Firefox 17 0day (current stable in Gentoo). Someone should do a version bump on it.
http://www.twitlonger.com/show/n_1rlo0uu
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9678 Location: almost Mile High in the USA
Posted: Mon Aug 05, 2013 12:28 am Post subject:
Ouch, probably should put a high-priority bugs.gentoo.org security bug. Not good.
The only saving grace (which is NOT security) is that it appears to be targeting Windows... But don't breathe easy because of it, it's easy enough to change it to Linux.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 370 Location: Ontario, Canada
Posted: Mon Aug 05, 2013 5:02 am Post subject:
According to the bug reports filed over at Mozilla, this is already fixed in 17.0.7esr. The Tor Browser Bundle people just didn't update their released version (edit: or, if they did, they broke the fix, or many of their users failed to update). Long story short, when a security update is released, people who rebundle and make use of the code/program in some capacity should probably apply the update ASAP themselves.
https://bugzilla.mozilla.org/show_bug.cgi?id=901365#c23 (the Tor-specific bug report) and http://www.mozilla.org/security/announce/2013/mfsa2013-53.html (the probable security advisory relating to the exploit).
(This also means that anyone who keeps Gentoo up to date is immune. 17.0.7 is in stable and has been for some time.)
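The post above boils down to one check a defender wants to run on each box: is the installed Firefox 17 build at or past 17.0.7, the version the thread names as carrying the fix? The script below is an added example written for this thread; it is not code from any poster, from Gentoo, Mozilla or the Tor Project. It assumes Portage records installed packages as directories named like `/var/db/pkg/www-client/firefox-17.0.7` and that `firefox --version` prints a line of the form `Mozilla Firefox 17.0.7esr`; the sample strings in `main` are constructed, not captured from real hosts. It deliberately reports "unknown" for any major version other than 17, because the thread only establishes the fixed version for the 17 ESR line.

```python
"""Tell whether an installed Firefox 17 build predates the 17.0.7 fix.

Added example for this thread (not code from the forum, Gentoo, Mozilla or
the Tor Project). Paths and output formats noted as assumptions below.
"""
import glob
import os
import re
import subprocess
from typing import Optional, Tuple

# Version the thread identifies as carrying the fix (mfsa2013-53, 17.0.7esr).
FIXED_VERSION = "17.0.7"

# Matches "17.0.7", "17.0.7esr", "Mozilla Firefox 17.0.7esr" and Gentoo
# package directory names such as "firefox-17.0.7" or "firefox-17.0.7-r1".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(esr)?(?:-r\d+)?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple found in `text`, or None.

    The "esr" suffix and Gentoo's "-rN" ebuild revision carry no change to
    the upstream code, so both are ignored for the comparison.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


_FIXED = parse_version(FIXED_VERSION)


def is_fixed(version: Tuple[int, ...]) -> Optional[bool]:
    """True if `version` is 17.0.7 or later on the 17.x line, False if earlier.

    Returns None for other major versions: the thread only states the fixed
    version for the 17 ESR line, so other branches need the advisory itself.
    """
    if version[0] != 17:
        return None
    return version >= _FIXED


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Classify a version string as ("fixed"|"vulnerable"|"unknown", version)."""
    v = parse_version(text)
    if v is None:
        return ("unknown", None)
    dotted = ".".join(str(n) for n in v)
    status = is_fixed(v)
    if status is None:
        return ("unknown", dotted)
    return ("fixed" if status else "vulnerable", dotted)


def installed_version_gentoo(vdb: str = "/var/db/pkg/www-client") -> Optional[str]:
    """Installed firefox version from Portage's package database (assumed
    layout: one directory per installed package, e.g. firefox-17.0.7)."""
    dirs = sorted(glob.glob(os.path.join(vdb, "firefox-[0-9]*")))
    return os.path.basename(dirs[-1]) if dirs else None


def installed_version_binary(cmd: str = "firefox") -> Optional[str]:
    """Ask the binary itself (assumed output: "Mozilla Firefox 17.0.7esr")."""
    try:
        out = subprocess.run([cmd, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def main() -> None:
    # Constructed sample strings standing in for hosts of different kinds.
    samples = [
        "Mozilla Firefox 17.0.6esr",   # an unpatched 17-series build
        "firefox-17.0.7",              # Gentoo stable at the time of the thread
        "firefox-17.0.7-r1",           # an ebuild revision of the same upstream
        "Mozilla Firefox 17.0.7esr",
        "firefox-21.0",                # not on the 17 ESR line
    ]
    for s in samples:
        print("%-30s -> %s" % (s, assess(s)))
    # Live checks, only where this host actually has Portage data or a binary.
    for live in (installed_version_gentoo(), installed_version_binary()):
        if live:
            print("%-30s -> %s" % (live, assess(live)))


if __name__ == "__main__":
    main()
```

Run it as a plain script; the two live probes simply print nothing on a host without Portage or a `firefox` binary on PATH, so the constructed samples still demonstrate the classification. Treating the ebuild revision and the `esr` suffix as equal to the bare upstream version is the important design choice: a check that string-compares `17.0.7-r1` against `17.0.7` would flag a patched host.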
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9678 Location: almost Mile High in the USA
Posted: Mon Aug 05, 2013 1:27 pm Post subject:
Ah, so this is not a true 0-day, as it appears the discoverer mentioned it didn't work on the latest or something like that... Untested against 17.0.7, which is fine, so I guess things are hunky-dory. It is weird that 17.0.7 has been released for quite a while and they didn't grab it. Oh well.
17.0.7 is timestamped at the end of June in portage so most people should have it by now.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
broken_chaos Guru
Joined: 18 Jan 2006 Posts: 370 Location: Ontario, Canada
Posted: Mon Aug 05, 2013 6:36 pm Post subject:
eccerr0r wrote:
> It is weird that 17.0.7 has been released for quite a while and they didn't grab it.

I looked into it and apparently there was a 17.0.7-based TBB released late June. Either they didn't implement the fix properly or, more likely, many of their users just weren't very diligent at updating.