[tor-talk] Reason Firefox version in TBB is so far behind?

Joe Btfsplk joebtfsplk at gmx.com
Tue Aug 9 15:39:52 UTC 2011


On 8/9/2011 4:55 AM, Robert Ransom wrote:
> That is why we ship the latest version of Firefox on the 3.6 branch in 
> our stable TBBs. Mozilla is still releasing security updates on the 
> Firefox 3.6 branch. As you can see from 
> https://blog.torproject.org/blog/new-tor-browser-bundles-3 , Firefox 
> 3.6.19 and Firefox 5.0.1 were released on the same day. That is 
> because Firefox 3.6.19 and Firefox 5.0.1 are security-fix releases 
> that fix the same security bug. (Firefox 4.0, 4.0.1, and 5.0 are no 
> longer safe to use, even though their version numbers are greater than 
> 3.6.19.) 

On 2011-08-05, Joe Btfsplk <joebtfsplk at gmx.com> wrote:

>> As said, it may be unavoidable (currently) for TBB developers to
>> integrate new FF versions quickly, but surely I'm not the 1st to wonder
>> about security issues of using old browser versions.
>> The testing bundles Andrew mentioned are fine for, well... testing, but
>> not for general users.  It's a long way & many fixes, from Firefox 3.6
>> to 5.0 / 5.0.1.
> There are some bugfixes in Firefox 5.0.1 that aren't in Firefox 3.6.19
> -- notably, Mozilla finally applied our patch to fix Firefox's
> hard-coded timeout when using a SOCKS proxy, so Firefox 5.0 and 5.0.1
> no longer require an HTTP proxy such as Polipo between the browser and
> Tor -- but the main difference between Firefox 3.6.x and Firefox 5.0.x
> is that Firefox 5.0.x contains many new features.  And those features
> introduced a crapload of bugs which have security implications for Tor
> users -- mainly WebGL security bugs, but there were a few nasty
> surprises in the new JavaScript interpreter (see
> https://trac.torproject.org/projects/tor/ticket/2819 ,
> https://trac.torproject.org/projects/tor/ticket/2873 , and
> https://trac.torproject.org/projects/tor/ticket/2874 ).  There were
> plenty of other changes to audit as well; look through Tor's bug
> tracker if you're interested.
>
>
> Robert Ransom
Thanks for the detailed explanation & links to the trac tickets. It
sounds like what I suspected - new versions create new security issues
for Tor, which take time to deal with. Unfortunate, but...
Re: Firefox 5.0 - unsafe: I was under the impression the 5.0.1 update
was for Mac (possibly Linux) - yes? I don't get any avail updates when
checking manually from my Windows FF 5.0 installation. I read somewhere
*Windows* users don't need the 5.0.1 update (though 5.0.1 is what they
get if they d/l the entire package vs updating)??

Have another question then about 2 instances of Tor - which I'll ask in 
another post.

