Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
CC: Mike Perry
Subject: Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, Georg Koppen <gk@???> wrote:
> Jacob Appelbaum:
>> On 8/7/15, jvoisin <julien.voisin@???> wrote:
>>> Hello,
>>>
>>> I disagree with your analysis;
>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>> stealing, please keep in mind that an attacker can access every Firefox
>>> files, like cookies (stealing sessions), stored passwords, changing
>>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>>> the browser, …
>>
>> I believe that the newest Tor Browser alpha will provide a fix. I hope
>> Mike will chime in here...
>
> I don't know what kind of fix you have in mind. All we'll provide is an
> update to ESR 38.2.0. We are basically about to tag the things and start
> building. ETA for the alpha is probably Tuesday.


Ah ha - great. Thank you for chiming in!

The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
31.8.0) - so the new alpha won't change anything and the current
browser shouldn't be impacted by it.

Did I understand that correctly?

>
> That said Mozilla's reasoning for not doing a chemspill for ESR 31 was
>
> "we determined that the vulnerability isn't present in the current 31
> ESR."


Hey - that's great news - thanks for clearing that up!

>
> That's a quote from Liz Henry, the Firefox release manager.
>


Perfect - thank you!

All the best,
Jacob