Re: [Tails-dev] What to do with Firefox 17.0.11ESR?

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: The Tails public development discussion list
Oggetto: Re: [Tails-dev] What to do with Firefox 17.0.11ESR?
Hi,

winterfairy@??? wrote (23 Nov 2013 12:32:59 GMT) :
> It sounds like only NSS (libnss) have to be updated [1].


I've verified the 17.0.10esr..17.0.11esr diff, and this seems entirely
correct: apart of the NSS bundled copy, only the add-ons blocklist was
updated; and Iceweasel builds against the system's NSS, not the one
bundled in the Firefox sources.

So, it's now obvious that I've targetted my (hurried, limited and
clearly not well thought) efforts to the wrong place last week.

> Is it unlikely that Debian will update the NSS backport with this security
> update?


Once Wheezy gets 3.14.5, squeeze-backports can get it too.
NSS is currently on the Debian security team's "DSA needed" list.

> Because if it was updated, the user would only need to run a simple apt or
> dpkg command, right?


Right.

I think a great course of action to protect Tails 0.21 users could be:

  1. Prepare a 2:3.14.5-1 Debian package for Wheezy.
  2. Test this package on Wheezy.
  3. Propose this package to Debian's NSS maintainer and security team.
  4. Upload this package to the feature-torbrowser-17.0.11esr suite in
     our APT repository.
  5. Test this package in the context of Tails 0.21.
  6. Document how to enable this additional APT suite in Tails, and
     how to upgrade the binary packages built from the NSS source.


I can do #1, #3 and #4.

> By the way, it seems that we are currently running an outdated vulnerable
> libnss version anyway, because it is installed from backports and not
> updated there. Version 3.14.4 also fixed a security issue [2], and
> backports has an unpatched [3] version 3.14.3.


Right. feature/ff24 (pending for review) installs 2:3.15.3-1~bpo60+1,
so Tails 0.22 should be fine.

So, alternatively we could just speed up the 0.22 release, skip the
RC, get it out at the time we had planned for the RC, and put
a point-release out a week later for the next ESR24 update. I'm not
sure how crazy this would be. I can surely make this decision with my
RM hat on, but I'd like to hear what others think first.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc