Binary packages have been updated for MASTER and 4.2-RELEASE.  Two
    major changes were made (in addition to many other package updates taken
    from FreeBSD):

    (1) We downgraded the xf86-video-intel dport to 2.99.917.  Version
        2.99.2015.07.23 was not stable and could lead to X crashes.

        If you are on an intel machine and running the 2.99.2015.07.23 intel
        driver I strongly recommend upgrading the package; you should get
        2.99.917 back again.

    (2) We upgraded firefox to 40.0_4 (basically
        mozilla/firefox/40.0-candidates/build5).

        This was done to address a brand new exploit as well as stability
        issues.  40.0_1 (build4) fixed the PDF file access exploit but
        did not fix a more serious remote code execution vulnerability
        due to memory corruption, most commonly seen as a seg-fault core
        dump in the CanonicalizeXPCOMParticipant function.

        The previous firefox, 39.0,1, had both the PDF exploit and the
        memory corruption exploit.  Mozilla updated -39 to 39.0.3 which
        appears to have fixed at least the PDF exploit and was also stable,
        but we are not sure if it fixed the second one because the functional
        change made in 40.0_4 has not been made in 39.0.3.

        Since all the synchronization work had been done to get 40.0* into
        the tree, we decided to stick to the 40.* series.

    It took a few days to get everything straightened out, and John Marino
    spent a lot of time on it, because the upgrade to the 40.0* series
    required synchronizing the whole tree and doing a fresh bulk build for
    both -master and -release (and now he's also rebuilding the older 4.0
    release as well).  And then when 40.0,1 and 40.0_3 failed to address
    the issue it took another few hours to bring in 40.0_4 and do a partial
    bulk build to get it integrated.

    We've decided to stick with 40.0_4, which really is the bleeding edge
    insofar as firefox goes but after extensive testing it also appears to
    be quite stable on my workstation, and it seems to have the necessary
    bug fixes.

    All binary dports and /usr/dports sources for MASTER and the 4.2 release
    are now up-to-date.

    A binary update for the older 4.0 release is still in-progress and will
    take ~2 days.

    --

    I also strongly recommend that anyone seriously using any browser, even
    chrome, use the method I described earlier in this thread of segregating
    execution of the application into its own user account to reduce the
    chances that future exploits (and they will happen) will impact your
    security.

                                                -Matt
