Tor Browser warning: "Your Firefox is out of date."

added TorBrowserTeam201608R component::applications/tor browser owner::tbb-team priority::very high resolution::fixed severity::critical status::closed tbb-6.0-issues type::defect labels

Trac:

Looks like it came from this bug. https://bugzilla.mozilla.org/show_bug.cgi?id=1280378

I'm not sure yet how it gets into Firefox (or Tor Browser for that matter).

Possibly relevant: http://gecko.readthedocs.io/en/latest/toolkit/mozapps/extensions/addon-manager/SystemAddons.html

Trac:
Severity: Normal to Critical
Priority: Medium to Very High

#19891 (moved) is a duplicate.

Trac:
Cc: N/A to b_meson

Replying to arthuredelstein:

Looks like it came from this bug. https://bugzilla.mozilla.org/show_bug.cgi?id=1280378

I'm not sure yet how it gets into Firefox (or Tor Browser for that matter).

It seems the infrastructure was already there starting with Firefox 44:

https://bugzilla.mozilla.org/show_bug.cgi?id=1192924 and https://bugzilla.mozilla.org/show_bug.cgi?id=1213348.

Now, they probably just were ready with the "your Firefox is out of date"-system add-on. I guess we should just disable that update ping with our data:text/plain, trick. And think about how to get rid of already installed system extensions.

Trac:
Keywords: N/A deleted, tbb-6.0-issues added

Okay, I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1294395 and poked the Mozilla folks on #releng. Hopefully they can tweak the server-side rules in order to affect less of our users while we are working on getting a new version out.

extensions.systemAddon.update.url should be set to "".

Replying to cypherpunks:

extensions.systemAddon.update.url should be set to "".

I think this is a good solution. To check this, I found the location of the XPI in Tor Browser:

arthur@localhost ~/t/Browser> find . -name "*outofdate*"
./TorBrowser/Data/Browser/profile.default/features/{541bf4ef-2e8d-44d5-9aa1-887165d68eec}/outofdate-notifications@mozilla.org.xpi
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864327100.72bc501f-cad6-4be7-b082-9af725197de9.outofdate-notifications-system-addon.jsonlz4
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864333700.c7c02599-f462-49f2-8f11-fad83bfc976c.outofdate-notifications-system-addon.jsonlz4

After setting the pref to "", I opened Tor Browser and entered the following in the browser console:

Cu.import("re[/gre/modules/AddonManager.jsm");](/gre/modules/AddonManager.jsm");)
AddonManagerPrivate.backgroundUpdateCheck();

Then I confirmed that the XPI had been removed:

arthur@localhost ~/t/Browser> find . -name "*outofdate*"
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864327100.72bc501f-cad6-4be7-b082-9af725197de9.outofdate-notifications-system-addon.jsonlz4
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864333700.c7c02599-f462-49f2-8f11-fad83bfc976c.outofdate-notifications-system-addon.jsonlz4

Here is the relevant code that apparently removes the XPI file. When the pref is empty, url is falsey and yield systemAddonLocation.cleanDirectories(); is called: https://dxr.mozilla.org/mozilla-central/rev/0502bd9e025edde29777ba1de4280f9b52af4663/toolkit/mozapps/extensions/internal/XPIProvider.jsm#3069

Good idea, thanks. I've been a bit too fast it seems. The fix (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.3.0esr-6.0-1&id=61700466ddefff3005633a6e31f34133eb98197f) was aimed to go into my public repo not directly to tor-browser-45.3.0-6.0-1. Please review, I am holding off starting a build for 6.0.4 until somebody looked at it.

Trac:
Keywords: TorBrowserTeam201608 deleted, TorBrowserTeam201608R added
Status: new to needs_review

Replying to gk:

Good idea, thanks. I've been a bit too fast it seems. The fix (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.3.0esr-6.0-1&id=61700466ddefff3005633a6e31f34133eb98197f) was aimed to go into my public repo not directly to tor-browser-45.3.0-6.0-1. Please review, I am holding off starting a build for 6.0.4 until somebody looked at it.

Rather than patching firefox.js directly, maybe we should apply this setting in browser/app/profile/000-tor-browser.js as we have with most other prefs? (I notice we have two other changes to firefox.js (from our patches for #5472 (closed) and #4234 (moved)) -- maybe these should also be migrated to 000-tor-browser.js?)

I guess we could I guess, I followed mcs and brade in patching firefox.js here. I think for the fixup release doing that is fine.

FWIW: The alpha and hardened series is not affected and Tails neither (they have app.update.enabled set to false).

Just as an update: this issue got fixed on Mozilla's side meanwhile (thanks to bhearsum and all the other Mozilla folks that helped).

We might want to think about shipping an update though (containing the fix on our side and an updated tor maybe).

Replying to arthuredelstein:

On Tor Browser 6.0.3 (up-to-date) I saw the following warning appear below the URL bar:

"Your Firefox is out of date. Please download a fresh copy." On the right is a button that says "Get Firefox". Obviously we want to disable this warning.

A solution -- Go to about:config/extensions.bootstrappedAddon Reset the string Value to empty Value {} Restart Tor browser. The warning will not appear again.

Solution for the false warning "Your Firefox is out of date. Please download a fresh copy.": https://www.reddit.com/r/TOR/comments/4x8wwk/solution_for_the_false_warning_your_firefox_is/

Trac:
Username: in spatium

#19900 (moved) is a duplicate.

This is fixed on tor-browser-45.3.0esr-6.0-1 and tor-browser-45.3.0esr-6.5-1 (commit 61700466ddefff3005633a6e31f34133eb98197f and 8af42ff851bab2d9b17d380c170f06c28b94c74b) and will be in our next stable, 6.0.4.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

closed

mentioned in issue #19891 (moved)

mentioned in issue #19900 (moved)

Tor Browser warning: "Your Firefox is out of date."

Child items 0

Activity