You are not logged in.

#1 2015-08-07 19:09:02

pixelou
Member
Registered: 2011-03-30
Posts: 18

Firefox vulnerability

Hi everyone,

A serious vulnerability has been found in firefox yesterday (in the PDFjs module).
You will find more details at:
- https://www.mozilla.org/en-US/security/ … sa2015-78/
- https://blog.mozilla.org/security/2015/ … -the-wild/

The second link mentions that an exploit already existed before mozilla was informed about this problem, and this exploit was found to read the ssh files among others.
Archlinux repo already contains a fixed version of firefox (39.0.3-1).

Note for moderators: I am not sure wether the Archlinux forum is the right place for this topic, many security blogs and website have already published about this, but I thought quite a lot of us might be interested by this issue. Please feel free to close the topic if you wish.

Offline

#2 2015-08-07 19:11:30

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Firefox vulnerability

We have https://wiki.archlinux.org/index.php/CVE which does link to https://www.mozilla.org/en-US/security/ … sa2015-78/ that you posted.
See also arch-security mailing list.

Last edited by karol (2015-08-07 19:12:53)

Offline

#3 2015-08-07 19:21:18

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,230

Re: Firefox vulnerability

Moved to Announcements, Package and Security Advisories


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#4 2015-08-07 23:37:29

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,477
Website

Re: Firefox vulnerability

If you want information like this, you are better off following the arch-security mailing list.

Offline

#5 2015-08-08 08:57:38

pixelou
Member
Registered: 2011-03-30
Posts: 18

Re: Firefox vulnerability

Thanks for the pointer, I did register to the mailing list.

Offline

#6 2015-08-10 08:52:19

Awebb
Member
Registered: 2010-05-06
Posts: 6,613

Re: Firefox vulnerability

ewaller wrote:

Moved to Announcements, Package and Security Advisories

You are aware, that this category also goes to Planet Archlinux?

Offline

#7 2015-08-10 10:54:42

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Firefox vulnerability

Awebb wrote:
ewaller wrote:

Moved to Announcements, Package and Security Advisories

You are aware, that this category also goes to Planet Archlinux?

Good catch. I've recently unsubscribed from the Arch Linux Planet and missed it / forgot.

I unsubscribed from the 'Other Languages' forum section and a thread I was interested in was started there. The gods hate me.

Offline

#8 2015-08-10 13:55:33

gunnihinn
Member
From: Torreón, Mexico
Registered: 2007-10-28
Posts: 81

Re: Firefox vulnerability

Allan wrote:

If you want information like this, you are better off following the arch-security mailing list.

I'd actually post a news item about it on archlinux.org instead and encourage users to update Firefox. Serious security vulnerabilities affect all users, but not everyone follows security mailing lists. I'd argue that it's the responsibility of those who do to alert the general population when something this serious comes up.

Offline

#9 2015-08-10 14:12:34

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Firefox vulnerability

gunnihinn wrote:

not everyone follows security mailing lists

https://lists.archlinux.org/pipermail/arch-security/ is not exactly high volume, so I guess those people don't want security info.
You already have somebody listing vulnerabilities and fixing them, all you have to do is read them and follow the suggestions included.

Offline

Board footer

Powered by FluxBB