Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: The Tails public development discussion list
Betreff: Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
intrigeri wrote (08 Aug 2015 09:19:50 GMT) :
> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
> "Notice that "pdfjs.disabled" shall not be used, at least without
> switching the handler." Not sure how one would "switch the handler",
> and perhaps it doesn't mean what I think anyway.


... on the other hand, https://access.redhat.com/articles/1563163
documents pdfjs.disabled=True as a mitigation. I trust RedHat security
team to have verified that it indeed blocks exploitation.

And Arch Linux' ASA-201508-1 also documents the same mitigation.

> Romeo Papa, do you want to research this further? It would be very
> useful to add a mitigation measure when mentioning this security issue
> in the "Known issues" section of the 1.5~rc1 call for testing.


s/add/document/

Cheers,
--
intrigeri