Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10202 closed defect (fixed)

Improve harmonization for incorporation of security updates to TBB releases

Reported by: cypherpunks Owned by: erinn
Priority: Very High Milestone:
Component: Applications/Tor bundles/installation Version: Tor: 0.2.4.18-rc
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Even though TBB is generally quite fast when it comes to patching FF and NoScript, to whatever extent possible, it's still important for TBB 3.0beta1 to receive the latest NoScript and Firefox updates at the same time as stable and release candidate TBBs.

As of today, for example,
*TBB 3.0beta-1 is using Firefox ESR 17.0.10esr since 11/6
*TBB 2.4.18-rc-1 is using Firefox 17.0.11esr since 11/19
*TBB 2.3.25-15 is using using Firefox 17.0.11esr since 11/19

Firefox ESR 24.1.1 has been available since 11/15

Yes, it's only been 2 days since the more popular releases were last patched, but some of vulnerabilities patched in Firefox ESR 24.1.1 (e.g. NSS) are of particular concern to TBB users.

Requiring volunteer TBB testers to deliberately use vulnerable versions of Firefox ESR not only puts them at risk individually, but could also potentially be used to de-anonymize users of stable TBBs if exploitable vulnerabilities can be used to fingerprint users, since vulnerable and patched FF ESRs can be distinguished from one another.

Rolling out security updates to modular pieces of TBB like FF ESR, NoScript, and tor itself seems appropriate to do immediately and simultaneously whenever possible.

I recognize it's never that easy in practice, but hopefully this is something that can be increasingly automated as part of the awesome automated, reproducible build work that the team has been doing.

Child Tickets

Change History (2)

comment:1 Changed 6 years ago by cypherpunks

Resolution: fixed
Status: newclosed

TBB 3.0-beta2 was released a few hours after this ticket was posted, thanks to the hard work of erinn and others.

Still, fully "catching up" to Firefox's release cycle (including their alpha/beta cycles) could still further reduce the amount of time already-patched vulnerabilities were left in the wild for TBB.

Four days between the release of ESR 17.0.11 and incorporation into TBB is actually still quite a long time when it's safe to assume that "lazy" exploits are probably at least occasionally based on inferences from observing FF's bug reporting and patch development processes.

Last edited 6 years ago by cypherpunks (previous) (diff)

comment:2 Changed 6 years ago by arma

All hail the upcoming TBB 3, along with our build automation plans: https://www.torproject.org/about/jobs-lead-automation

Note: See TracTickets for help on using tickets.