When the user's version is outdated you already display an update notice. You could add those items from https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html that apply to the current version. Listing particular vulnerabilities makes it clear that you actually should update and that it isn't just a superfluous notice that's just for annoying the user.
I wouldn't duplicate the actual advisories, but listing them is a good idea IMO. Perhaps something like: ----------------------------------- This version of TOR Browser is based on Firefox ESR 17.0.6. You need to upgrade to fix the following security issues: Fixed in Firefox ESR 17.0.7 MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context MFSA 2013-56 PreserveWrapper has inconsistent behavior MFSA 2013-55 SVG filters can lead to information disclosure MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks MFSA 2013-53 Execution of unmapped memory through onreadystatechange event MFSA 2013-51 Privileged content access and execution via XBL MFSA 2013-50 Memory corruption found using Address Sanitizer MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7) ------------------------------------- (With links to Mozilla's advisories and red-orange-yellow highlighting just like in the original page)
-- Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
