[tor-bugs] #16744 [Tor Browser]: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the wild
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 11 01:59:12 UTC 2015
#16744: Update TBB to ESR 38.1.1 (MFSA2015-78, CVE-2015-4495) - exploited in the
wild
-----------------------------+----------------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: critical | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: MFSA2015-78, CVE-2015-4495
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------------------------
Comment (by mikeperry):

The PDF.js exploit in the wild does not affect TBB 4.5 users. It exploited
a specific property of Firefox 38. Unfortunately, this does mean our
5.0a3/5.0a4 alpha users are vulnerable. The "High" Security slider setting
will block the exploit even for those users.

We don't recommend disabling pdf.js long-term via pref, since every other
PDF reader in existence can deanonymize you by loading embedded remote
resources outside of your Tor proxy settings.

5.0 and 5.5a1 will be out on Tuesday, August 11th (i.e., in about 12 hours
or so). 4.5 users will be upgraded to 5.0 (based on Firefox 38-esr, but
with the fix included). 5.0a3 and 5.0a4 users will be upgraded to 5.5a1
(also based on Firefox 38-esr, but with the fix included).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16744#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online