[tor-talk] Firefox vs. Tor Browser Bundle release cycles

Al Billings albill at openbuddha.com
Wed Dec 11 21:41:30 UTC 2013


Hello,

> Firefox ESR 17.0.11 indeed turns out (somewhat confusingly) to be
> equivalent to Firefox ESR 24.1.1, and the TBB based on ESR 17.0.11 was
> released only four days after Mozilla's updates, which frankly deserves
> praise. TBB's latest code is only one release behind Mozilla's on security
> patches.


ESR17 has hit end of life at Mozilla and won’t be receiving any more security updates. There was no 17.0.12 released yesterday, for example. In order for TBB to be current for recent security updates, it needs to be off of the ESR24 branch.



That said, outside of the advisories, the bugs for a given release of Firefox are not opened to the public for a minimum of six weeks (one release cycle) following a release, and sometimes a bit more, so as to avoid any self-zero-day events.



> So I was wrong about precisely how far TBB is behind the latest ESR
> release on security patches, but like I said before, at some point the
> latest TBB is either shipping known-vulnerable Firefox code or it's not.
> From the visual at the bottom of
> http://en.wikipedia.org/wiki/Firefox_release_history, it looks like
> Firefox ESR 17.0.11 included security patches from Firefox ESR 24.1.1, so
> my understanding is that TBB is at least potentially vulnerable to the
> known, patched vulnerabilities in the list above.


No, ESR 17.0.11 included some ESR 24.1.1 patches. There is not a 1:1 mapping. The codebase is different and the same fixes are not always applied to the older codebase, either due to lack of the defect or, sometimes, due to overall code changes that make it difficult or dangerous to apply the patches.


-- 
Al Billings
http://makehacklearn.org
