[tor-bugs] #18017 [Tor Browser]: Switch to NSS 3.19.2.2 to mitigate SLOTH attack (CVE-2015-7575)

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 13 08:30:40 UTC 2016


#18017: Switch to NSS 3.19.2.2 to mitigate SLOTH attack (CVE-2015-7575)
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  closed
 Priority:  Very High                            |      Milestone:
Component:  Tor Browser                          |        Version:
 Severity:  Critical                             |     Resolution:  fixed
 Keywords:  tbb-security,                        |  Actual Points:
  TorBrowserTeam201601R, tbb-5.5                 |         Points:
Parent ID:                                       |
  Sponsor:                                       |
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:3 mcs]:
 > r=mcs, r=brade
 > The patch looks OK (it matches the one Mozilla applied to Firefox
 > 43.0.x).
 >
 > This security advisory claims this was Firefox in the ESR 38.5.2 release
 > but looking at the Mozilla code, I do not think it was:
 > https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

 It was not. The issue just got a sec-moderate which precluded it from
 getting applied to the ESR series. But somehow there was a communication
 problem which resulted in the advisory as it is.
 commit 3cd72f27da803a61e29cdb8db98bb545ef77c1af on
 tor-browser-38.5.0esr-5.5-2 has the fix.

 Replying to [comment:4 cypherpunks]:
 > NSS 3.21 is the latest stable with security fixes, should be updated to
 > that instead.

 I think it should not. Mozilla engineers said for the ESR 38 3.19.2.2
 should be used and this makes sense.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18017#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

