Hello,

Firefox ESR 17.0.11 indeed turns out (somewhat confusingly) to be 
equivalent to Firefox ESR 24.1.1, and the TBB based on ESR 17.0.11 was 
released only four days after Mozilla's updates, which frankly deserves 
praise. TBB's latest code is only one release behind Mozilla's on security 
patches. 


ESR17 has hit end of life at Mozilla and won’t be receiving any more security 
updates. There was no 17.0.12 released yesterday, for example. In order for TBB 
to be current for recent security updates, it needs to be off of the ESR24 
branch.



That said, outside of the advisories, the bugs for a given release of Firefox 
are not opened to the public for a minimum of six weeks (one release cycle) 
following a release, and sometimes a bit more, so as to avoid any self-zero-day 
events.



So I was wrong about precisely how far TBB is behind the latest ESR 
release on security patches, but like I said before, at some point the 
latest TBB is either shipping known-vulnerable Firefox code or it's not. 
From the visual at the bottom of 
http://en.wikipedia.org/wiki/Firefox_release_history, it looks like 
Firefox ESR 17.0.11 included security patches from Firefox ESR 24.1.1, so 
my understanding is that TBB is at least potentially vulnerable to the 
known, patched vulnerabilities in the list above. 


No, ESR 17.0.11 included some ESR 24.1.1 patches. There is not a 1:1 mapping. 
The codebase is different and the same fixes are not always applied to the 
older codebase, either because the defect is absent there, or sometimes because 
overall code changes make it difficult or dangerous to apply the patches.


-- 
Al Billings
http://makehacklearn.org

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk