[Tails-dev] CVE-2024-9680 and Tails 6.8

Author: hiraeth
Date:
To: tails-dev
Subject: [Tails-dev] CVE-2024-9680 and Tails 6.8

Hi folks,
I have a couple of questions related to CVE-2024-9680 (use-after-free in
animation timelines) that Mozilla marked as critical [0][1] and fixed in
Firefox ESR 115.16.1 [2].

Tails 6.8 changelog [4] @ 10/07/2024 mentions
* Upgrade Tor Browser to 13.5.6-build1 (tails/tails!1723)

while Tor Browser changelog [3] @ 10/08/2024 mentions
    * Bug 43201: Security fixes from Firefox 131.0.2 [tor-browser]


Question #1: Is Tails 6.8 vulnerable to this attack?

Question #2: Was the TBB 13.5.7 bugfix backported before Tails 6.8 was
released, or is there a 6.8.1 bugfix release in the works?

Cheers,
Hiraeth

[0] https://www.cvedetails.com/cve/CVE-2024-9680/
[1] https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-day-actively-exploited-in-attacks/
[2] https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
[3] https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/maint-13.5/projects/browser/Bundle-Data/Docs-TBB/ChangeLog.txt
[4] https://gitlab.tails.boum.org/tails/tails/-/raw/master/debian/changelog