* Jacob Appelbaum: > This is not accurate. We heard about attempts at exploitation and within > ~24hrs we released an advisory - we had already released fixed code a > ~month before exploitation was found in the wild. Please do not mix up > the time-line. To restate:
> 2.3.25-10 (released June 26 2013) This was released with the following announcement (there wasn't a posting to the tor-announce mailing list): | All of the Tor Browser Bundles have been updated with the new | Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release | and all of the packages have been updated with that as well. | | https://www.torproject.org/download/download-easy | | Tor Browser Bundle (2.3.25-10) | | Update Firefox to 17.0.7esr | Update zlib to 1.2.8 | Update HTTPS Everywhere to 3.2.2 | Update NoScript to 2.6.6.6 <https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages> I'm not sure if Tor Browser Bundle users (or even Firefox users) realize that for some time now, almost all Firefox updates from Mozilla contain security-relevant fixes. But noting the security aspect each time your switch to a newer Firefox ESR version can't hurt. On the other hand, those who don't already know this are probably difficult to reach without automated updates. (Automated updates are a mixed blessing because they could invite court orders to roll out specific versions to certain users.) -- Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
