Romeo Papa wrote (08 Aug 2015 11:04:32 GMT) :
> Do you want me to try and write a quick patch that would disable PDF.js
> by default?
It's too late to fix 1.5~rc1, and 1.5 won't be affected, so:
what for, exactly?
(Thanks for the offer anyway :)
Cheers,
--
intrigeri
Hi,
Do you want me to try and write a quick patch that would disable PDF.js
by default?
On 08/08/2015 11:19 AM, intrigeri wrote:
> Romeo Papa, do you want to research this further? It would be very
> useful to add a mitigation measure when mentioning this security issue
> in the "Known issues" se
Hi again,
intrigeri wrote (08 Aug 2015 09:24:48 GMT) :
> ... on the other hand, https://access.redhat.com/articles/1563163
> documents pdfjs.disabled=True as a mitigation. I trust RedHat security
> team to have verified that it indeed blocks exploitation.
I've documented the security hole + mitig
intrigeri wrote (08 Aug 2015 09:19:50 GMT) :
> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
> "Notice that "pdfjs.disabled" shall not be used, at least without
> switching the handler." Not sure how one would "switch the handler",
> and perhaps it doesn't mean what I think anyway
Romeo Papa wrote (07 Aug 2015 23:04:15 GMT) :
> PDF.js can be disabled as follows:
> 1. Type about:config in the Firefox address bar
> 2. Search for the pdfjs.disabled entry
> 3. Set the pdfjs.disabled entry to True
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
"Noti
On 08/07/2015 02:13 PM, Georg Koppen wrote:
> "we determined that the vulnerability isn't present in the current 31
> ESR."
>
> That's a quote from Liz Henry, the Firefox release manager.
>
> Georg
FYI, here's the quote's source:
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33
__
PS: Sorry about all the messages I'm apparently sending while writing up
the message I need to see what's happening...
After reading further, I've found the Debian page saying only
38.1.0esr-3 is vulnerable
(https://security-tracker.debian.org/tracker/CVE-2015-4495).
But I've also found the origi
On Sat, 08 Aug 2015, Romeo Papa wrote:
> On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
> > By the exploit, as I understood things? I could be mistaken and
> > probably am mistaken. I've heard that the vulnerable code is in FF31 -
> > I haven't looked myself yet.
>
> https://access.redhat.com/arti
On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
> By the exploit, as I understood things? I could be mistaken and
> probably am mistaken. I've heard that the vulnerable code is in FF31 -
> I haven't looked myself yet.
https://access.redhat.com/articles/1563163
Considering "all Red Hat products that
kytv wrote (07 Aug 2015 14:13:19 GMT) :
> Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor
> Browser.
Anyone up to propose a patch to the call for testing, that warns users
about it, please let me know (before I start working on it, likely
tomorrow — let's avoid duplicating work).
On Fri, Aug 07, 2015 at 01:48:10PM +, Georg Koppen wrote:
> Jacob Appelbaum:
> >
> > The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
> > 31.8.0) - so the new alpha won't change anything and the current
> > browser shouldn't be impacted by it.
> >
> > Did I understand that cor
Jacob Appelbaum:
> On 8/7/15, Georg Koppen wrote:
>> Jacob Appelbaum:
>>> On 8/7/15, jvoisin wrote:
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every
On 8/7/15, Georg Koppen wrote:
> Jacob Appelbaum:
>> On 8/7/15, jvoisin wrote:
>>> Hello,
>>>
>>> I disagree with your analysis;
>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>> stealing, please keep in mind that an attacker can access every Firefox
>>> files, like c
On 8/7/15, intrigeri wrote:
> Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
>> I've heard that the exploit in the wild doesn't work against esr31 - I
>> haven't heard that it isn't impacted at all.
>
> Mozilla folks have explicitly written on their "enterprise" list that
> FF31 is not affecte
Jacob Appelbaum:
> On 8/7/15, jvoisin wrote:
>> Hello,
>>
>> I disagree with your analysis;
>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>> stealing, please keep in mind that an attacker can access every Firefox
>> files, like cookies (stealing sessions), stored passwo
Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
> I've heard that the exploit in the wild doesn't work against esr31 - I
> haven't heard that it isn't impacted at all.
Mozilla folks have explicitly written on their "enterprise" list that
FF31 is not affected.
> ( I think the apparmor profile m
On 8/7/15, jvoisin wrote:
> Hello,
>
> I disagree with your analysis;
> while the Apparmor profile (♥) will prevent tragic things like gpg key
> stealing, please keep in mind that an attacker can access every Firefox
> files, like cookies (stealing sessions), stored passwords, changing
> preferenc
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every Firefox
files, like cookies (stealing sessions), stored passwords, changing
preferences (remember http://net.ipcalf.com/ ?),
On 8/7/15, intrigeri wrote:
> Hi,
>
> that is:
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
> https://security-tracker.debian.org/tracker/CVE-2015-4495
>
> ... apparently only affect Firefox 38.x, so current Tails stable
> (1.4.1) is not affected. Most likely Tails 1.5~rc
Hi,
that is:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://security-tracker.debian.org/tracker/CVE-2015-4495
... apparently only affect Firefox 38.x, so current Tails stable
(1.4.1) is not affected. Most likely Tails 1.5~rc1 is affected, but
our AppArmor policy shoul