[tbb-bugs] #18017 [Tor Browser]: Switch to NSS 3.19.2.2 to mitigate SLOTH attack (CVE-2015-7575)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 13 08:30:40 UTC 2016
#18017: Switch to NSS 3.19.2.2 to mitigate SLOTH attack (CVE-2015-7575)
-------------------------------------------------+-------------------------
 Reporter:   gk                                  | Owner:         tbb-team
 Type:       task                                | Status:        closed
 Priority:   Very High                           | Milestone:
 Component:  Tor Browser                         | Version:
 Severity:   Critical                            | Resolution:    fixed
 Keywords:   tbb-security,                       | Actual Points:
             TorBrowserTeam201601R, tbb-5.5      |
 Parent ID:                                      | Points:
 Sponsor:                                        |
-------------------------------------------------+-------------------------
Changes (by gk):
* status: needs_review => closed
* resolution: => fixed
Comment:
Replying to [comment:3 mcs]:
> r=mcs, r=brade
> The patch looks OK (it matches the one Mozilla applied to Firefox 43.0.x).
>
> This security advisory claims this was Firefox in the ESR 38.5.2 release but looking at the Mozilla code, I do not think it was:
> https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
It was not. The issue just got a sec-moderate which precluded it from
getting applied to the ESR series. But somehow there was a communication
problem which resulted in the advisory as it is.
commit 3cd72f27da803a61e29cdb8db98bb545ef77c1af on tor-browser-38.5.0esr-5.5-2 has the fix.
Replying to [comment:4 cypherpunks]:
> NSS 3.21 is the latest stable with security fixes, should be updated to that instead.
I think it should not. Mozilla engineers said for the ESR 38, 3.19.2.2
should be used and this makes sense.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18017#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online