[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

CodesInChaos codesinchaos at gmail.com
Tue Aug 6 08:11:09 PDT 2013

When the user's version is outdated you already display an update notice.
You could add those items from that apply to the current version. Listing
particular vulnerabilities makes it clear that you actually should update
and that it isn't just a superfluous notice that's just for annoying the
user.

I wouldn't duplicate the actual advisories, but listing them is a good idea.

Perhaps something like:

This version of TOR Browser is based on Firefox ESR 17.0.6. You need to
upgrade to fix the following security issues:

Fixed in Firefox ESR 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

(With links to Mozilla's advisories and red-orange-yellow highlighting just
like in the original page)