Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#18017 closed task (fixed)

Switch to NSS 3.19.2.2 to mitigate SLOTH attack (CVE-2015-7575)

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone: (none)
Component: Applications/Tor Browser
Version: (none)
Severity: Critical
Keywords: tbb-security, TorBrowserTeam201601R, tbb-5.5
Cc: mcs
Actual Points: (none)
Parent ID: (none)
Points: (none)
Reviewer: (none)
Sponsor: (none)

Description

Mozilla thinks backporting the fix for CVE-2015-7575 is not important enough and does not do it. I think, given our context, we should do it, though. Let's try switching to NSS 3.19.2.2 in the next release (end of January).

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by mcs

Cc: mcs added

comment:2 Changed 4 years ago by gk

Keywords: TorBrowserTeam201601R added; TorBrowserTeam201601 removed
Status: new → needs_review

bug_18017 in my public tor-browser repo (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_18017) has the switch to NSS 3.19.2.2 up for review.

Last edited 4 years ago by gk

comment:3 Changed 4 years ago by mcs

r=mcs, r=brade
The patch looks OK (it matches the one Mozilla applied to Firefox 43.0.x).

This security advisory claims this was fixed in the Firefox ESR 38.5.2 release, but looking at the Mozilla code, I do not think it was:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

comment:4 Changed 4 years ago by cypherpunks

NSS 3.21 is the latest stable with security fixes, should be updated to that instead.

comment:5 in reply to comment:3 Changed 4 years ago by gk

Resolution: fixed
Status: needs_review → closed

Replying to mcs:

r=mcs, r=brade
The patch looks OK (it matches the one Mozilla applied to Firefox 43.0.x).

This security advisory claims this was fixed in the Firefox ESR 38.5.2 release, but looking at the Mozilla code, I do not think it was:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

It was not. The issue just got a sec-moderate rating, which precluded it from getting applied to the ESR series. But somehow there was a communication problem which resulted in the advisory as it is.
Commit 3cd72f27da803a61e29cdb8db98bb545ef77c1af on tor-browser-38.5.0esr-5.5-2 has the fix.

Replying to cypherpunks:

NSS 3.21 is the latest stable with security fixes, should be updated to that instead.

I think it should not. Mozilla engineers said that for ESR 38, 3.19.2.2 should be used, and this makes sense.

Last edited 4 years ago by gk