There is a new release for HTTPS Everywhere out today.  This release fixes a 
serious vulnerability, first discovered by davtur19 via the Tor Project's 
HackerOne bug bounty program, which allows a remote site to freeze the browser 
via a maliciously crafted URL.[1]  This only affects the 2018.6.13 release; 
older releases are not vulnerable.  No private information is disclosed as a 
result of this vulnerability.

From the changelog:

2018.6.21
  * Fix: URLs with a hostname of '.' cause endless loop to be triggered
  * Bundled ruleset updates

Releases are available for Firefox (both the extension hosted on EFF.org and 
through addons.mozilla.org) and Chromium. Your browser should automatically 
download the updates within 24 hours, but we recommend updating manually to 
receive the update more quickly:

Firefox:
  1. Navigate to "about:addons"
  2. Click the gear icon at the top-right corner
  3. Click "Check for Updates"
  
Chrome:
  1. Navigate to "chrome://extensions/"
  2. In the top-right corner, switch the "Developer Mode" slider to the "on" 
position, if it is not there already
  3. Click the "Update" link that appears at the top

1. https://trac.torproject.org/projects/tor/ticket/26451


_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
