On 07/01/2018 04:46, Mark H Weaver wrote:
> FYI, Mozilla has included two mitigations for Spectre in Firefox 57.0.4.
> They are described here:
>
>   https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>   https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
>
> The blog post notes that one of the mitigations, disabling
> SharedArrayBuffer, is not applicable to Firefox 52 ESR because that
> version doesn't support SharedArrayBuffer.
>
> The other mitigation reduces the resolution of performance.now() to 20
> microseconds. This change is included in Firefox 57.0.4, and will
> eventually be included in Firefox 52.6 ESR due to be released on Jan 23.
>
> I didn't want to wait that long, so I backported this second mitigation
> to GNU IceCat, which was quite easy. It's now included in the IceCat
> package in GNU Guix, along with 100 other fixes cherry-picked from
> upstream. I've attached the patch to this email in case it is of
> interest.
>
> I also recommend that you install NoScript and avoid running Javascript
> code from the network whenever you can avoid it. Even with this
> mitigation applied, there are probably other ways to exploit these flaws
> using Javascript.
>
> Mark
>

Great! Thank you Mark.

--
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x5E212EE1D35568BE
GPG key server: https://keys.fedoraproject.org/
-- http://gnuzilla.gnu.org
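
One way to check that a browser build really applies the timer mitigation discussed in this thread, i.e. that performance.now() advances in steps of at least 20 microseconds. This is an added example, not part of the thread and not the Firefox or IceCat patch; `coarsen`, `smallestStep`, `isCoarseEnough` and `makeFakeClock` are hypothetical names, and the fake clock is constructed so the check runs deterministically.

```javascript
// Added example: hypothetical helpers, not Firefox or IceCat code.
const RESOLUTION_MS = 0.02; // 20 microseconds, the value given in the thread

// Model of the mitigation: round every reading down to a multiple of
// resolutionMs, so events closer together than that get the same timestamp.
function coarsen(nowFn, resolutionMs = RESOLUTION_MS) {
  return () => Math.floor(nowFn() / resolutionMs) * resolutionMs;
}

// Smallest non-zero step observed between consecutive readings of a clock.
// Returns Infinity if the clock never advanced while sampling.
function smallestStep(nowFn, samples = 10000) {
  let prev = nowFn();
  let min = Infinity;
  for (let i = 0; i < samples; i++) {
    const t = nowFn();
    const delta = t - prev;
    if (delta > 0 && delta < min) min = delta;
    prev = t;
  }
  return min;
}

// True when the observed granularity is at least the expected resolution.
// The 1% slack absorbs floating-point error in the subtraction.
function isCoarseEnough(nowFn, resolutionMs = RESOLUTION_MS, samples = 10000) {
  return smallestStep(nowFn, samples) >= resolutionMs * 0.99;
}

// Constructed test clock: advances exactly one step (default 1 microsecond)
// per reading, standing in for an unmitigated high-resolution timer.
function makeFakeClock(stepMs = 0.001) {
  let n = 0;
  return () => (n++) * stepMs;
}
```

In a browser console, `isCoarseEnough(() => performance.now())` runs the same check against the real timer; a `false` result means the build still exposes finer than 20 microsecond steps.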