[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Florian Weimer
fw at deneb.enyo.de
Tue Aug 6 15:11:35 PDT 2013
* Jacob Appelbaum:
> This is not accurate. We heard about attempts at exploitation and within
> ~24hrs we released an advisory - we had already released fixed code a
> ~month before exploitation was found in the wild. Please do not mix up
> the time-line. To restate:
> 2.3.25-10 (released June 26 2013)
This was released with the following announcement (there wasn't a
posting to the tor-announce mailing list):
| All of the Tor Browser Bundles have been updated with the new
| Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release
| and all of the packages have been updated with that as well.
|
| https://www.torproject.org/download/download-easy
|
| Tor Browser Bundle (2.3.25-10)
|
| Update Firefox to 17.0.7esr
| Update zlib to 1.2.8
| Update HTTPS Everywhere to 3.2.2
| Update NoScript to 2.6.6.6
<https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages>
I'm not sure if Tor Browser Bundle users (or even Firefox users)
realize that for some time now, almost all Firefox updates from
Mozilla contain security-relevant fixes. But noting the security
aspect each time you switch to a newer Firefox ESR version can't
hurt. On the other hand, those who don't already know this are
probably difficult to reach without automated updates.
(Automated updates are a mixed blessing because they could invite
court orders to roll out specific versions to certain users.)