Romeo Papa wrote (07 Aug 2015 23:04:15 GMT) :
PDF.js can be disabled as follows:
1. Type about:config in the Firefox address bar
2. Search for the pdfjs.disabled entry
3. Set the pdfjs.disabled entry to True
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
Notice
intrigeri wrote (08 Aug 2015 09:19:50 GMT) :
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
Notice that pdfjs.disabled shall not be used, at least without
switching the handler. Not sure how one would switch the handler,
and perhaps it doesn't mean what I think anyway.
... on
Hi again,
intrigeri wrote (08 Aug 2015 09:24:48 GMT) :
... on the other hand, https://access.redhat.com/articles/1563163
documents pdfjs.disabled=True as a mitigation. I trust RedHat security
team to have verified that it indeed blocks exploitation.
I've documented the security hole +
Hi,
Do you want me to try and write a quick patch that would disable PDF.js
by default?
On 08/08/2015 11:19 AM, intrigeri wrote:
Romeo Papa, do you want to research this further? It would be very
useful to add a mitigation measure when mentioning this security issue
in the Known issues
Romeo Papa wrote (08 Aug 2015 11:04:32 GMT) :
Do you want me to try and write a quick patch that would disable PDF.js
by default?
It's too late to fix 1.5~rc1, and 1.5 won't be affected, so:
what for, exactly?
(Thanks for the offer anyway :)
Cheers,
--
intrigeri
Jacob Appelbaum:
On 8/7/15, Georg Koppen g...@torproject.org wrote:
Jacob Appelbaum:
On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an
On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
By the exploit, as I
understood things? I could be mistaken and
probably am mistaken. I've heard that the vulnerable code is in FF31 -
I haven't looked myself yet.
https://access.redhat.com/articles/1563163
Considering all Red Hat products that
On 8/7/15, intrigeri intrig...@boum.org wrote:
Hi,
that is:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://security-tracker.debian.org/tracker/CVE-2015-4495
... apparently only affect Firefox 38.x, so current Tails stable
(1.4.1) is not affected. Most likely
On Fri, Aug 07, 2015 at 01:48:10PM +, Georg Koppen wrote:
Jacob Appelbaum:
The current Tails Tor Browser is 4.5.3 (based on Mozilla Firefox
31.8.0) - so the new alpha won't change anything and the current
browser shouldn't be impacted by it.
Did I understand that correctly?
kytv wrote (07 Aug 2015 14:13:19 GMT) :
Note that Tails 1.5~rc1 includes version 5.0a4-build3 of the Tor
Browser.
Anyone up to propose a patch to the call for testing, that warns users
about it, please let me know (before I start working on it, likely
tomorrow — let's avoid duplicating work). I
On 8/7/15, intrigeri intrig...@boum.org wrote:
Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
I've heard that the exploit in the wild doesn't work against esr31 - I
haven't heard that it isn't impacted at all.
Mozilla folks have explicitly written on their enterprise list that
FF31 is
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every Firefox
files, like cookies (stealing sessions), stored passwords, changing
preferences (remember http://net.ipcalf.com/ ?),
On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every Firefox
files, like cookies (stealing sessions), stored passwords,
Jacob Appelbaum:
On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every Firefox
files, like cookies (stealing sessions),
On 8/7/15, Georg Koppen g...@torproject.org wrote:
Jacob Appelbaum:
On 8/7/15, jvoisin julien.voi...@dustri.org wrote:
Hello,
I disagree with your analysis;
while the Apparmor profile (♥) will prevent tragic things like gpg key
stealing, please keep in mind that an attacker can access every
Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
I've heard that the exploit in the wild doesn't work against esr31 - I
haven't heard that it isn't impacted at all.
Mozilla folks have explicitly written on their enterprise list that
FF31 is not affected.
( I think the apparmor profile may
On Sat, 08 Aug 2015, Romeo Papa wrote:
On 08/07/2015 02:33 PM, Jacob Appelbaum wrote:
By the exploit, as I
understood things? I could be mistaken and
probably am mistaken. I've heard that the vulnerable code is in FF31 -
I haven't looked myself yet.
PS: Sorry about all the messages I'm apparently sending while writing up
the message I need to see what's happening...
After reading further, I've found the Debian page saying only
38.1.0esr-3 is vulnerable
(https://security-tracker.debian.org/tracker/CVE-2015-4495).
But I've also found the
On 08/07/2015 02:13 PM, Georg Koppen wrote:
we determined that the vulnerability isn't present in the current 31
ESR.
That's a quote from Liz Henry, the Firefox release manager.
Georg
FYI, here's the quote's source:
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c33