[tor-bugs] #16744 [Tor Browser]: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 9 22:14:11 UTC 2015


#16744: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the
wild
-----------------------------+----------------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  critical     |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  MFSA2015-78, CVE-2015-4495
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------------------------

Comment (by cypherpunks):

 https://twitter.com/wiretapped/status/630438666708627458 says the in-the-
 wild malicious payload described in the mozilla blog is now public here:
 https://pastebin.ubuntu.com/12030863/ and recommends setting
 ```pdfjs.disable```.

 will that protect against this vulnerability?

 has anyone considered building a (secure, auditable, etc) mechanism for
 pushing out emergency configuration patches? there have been instructions
 for mitigating many recent firefox bugs with about:config settings.
 couldn't those be deployed automatically in a much more timely fashion
 than tor browser updates?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16744#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list