Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

Delete this message

Reply to this message
Author: Georg Koppen
Date:  
To: The Tails public development discussion list
CC: Mike Perry
Subject: Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
Jacob Appelbaum:
> On 8/7/15, jvoisin <julien.voisin@???> wrote:
>> Hello,
>>
>> I disagree with your analysis;
>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>> stealing, please keep in mind that an attacker can access every Firefox
>> files, like cookies (stealing sessions), stored passwords, changing
>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>> the browser, …
>
> I believe that the newest Tor Browser alpha will provide a fix. I hope
> Mike will chime in here...


I don't know what kind of fix you have in mind. All we'll provide is an
update to ESR 38.2.0. We are basically about to tag the things and start
building. ETA for the alpha is probably Tuesday.

That said Mozilla's reasoning for not doing a chemspill for ESR 31 was

"we determined that the vulnerability isn't present in the current 31
ESR."

That's a quote from Liz Henry, the Firefox release manager.

Georg