On 8/7/15, Georg Koppen <gk@???> wrote:
> Jacob Appelbaum:
>> On 8/7/15, jvoisin <julien.voisin@???> wrote:
>>> Hello,
>>>
>>> I disagree with your analysis;
>>> while the Apparmor profile (♥) will prevent tragic things like gpg key
>>> stealing, please keep in mind that an attacker can access every Firefox
>>> files, like cookies (stealing sessions), stored passwords, changing
>>> preferences (remember http://net.ipcalf.com/ ?), executing code inside
>>> the browser, …
>>
>> I believe that the newest Tor Browser alpha will provide a fix. I hope
>> Mike will chime in here...
>
> I don't know what kind of fix you have in mind. All we'll provide is an
> update to ESR 38.2.0. We are basically about to tag the things and start
> building. ETA for the alpha is probably Tuesday.
Ah ha - great. Thank you for chiming in!
The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
31.8.0) - so the new alpha won't change anything and the current
browser shouldn't be impacted by it.
Did I understand that correctly?
>
> That said Mozilla's reasoning for not doing a chemspill for ESR 31 was
>
> "we determined that the vulnerability isn't present in the current 31
> ESR."
Hey - that's great news - thanks for clearing that up!
>
> That's a quote from Liz Henry, the Firefox release manager.
>
Perfect - thank you!
All the best,
Jacob
