intrigeri wrote (16 Oct 2012 08:56:18 GMT) :
> closely following 10.0.8esr-1 (uploaded on the 9th), iceweasel
> 10.0.9esr-1 was uploaded on the 13th [...] => could be backported
> right now.
And indeed it was.
> However, it badly breaks torbutton:
NEWS.Debian for torbutton (1.4.6.3-1) reads:
Security fixes introduced in Iceweasel 10.0.8esr prevents Torbutton
from hooking window properties. This means that using this package
is no longer substantially different from disabling websockets,
disabling plugins, and using Private Browsing Mode to prevent
disk leaks.
Due to the very strong risk of fingerprinting and the resulting
reduction of the anonymity set, it is more than strongly advised to
uninstall this package and use the TorBrowserBundle instead. [...]
I guess this raises the priority for replacing iceweasel with
Torbrowser and its dependencies (lizard setup, APT repo).
What do we do for 0.14?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
