| 1 |
I need to correct what I wrote... Things are *not* as bad as I |
| 2 |
misunderstood... |
| 3 |
|
| 4 |
On 161219-18:17+0100, Miroslav Rovis wrote: |
| 5 |
... |
| 6 |
> ... |
| 7 |
> |
| 8 |
> The NSS library that Palemoon uses (as I posted on that link above) is, |
| 9 |
> IIUC, ancient (paste from about:support): |
| 10 |
|
| 11 |
Nope! But see below... |
| 12 |
|
| 13 |
> NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC |
| 14 |
> |
| 15 |
> See in your own portage: |
| 16 |
> |
| 17 |
> # cd /usr/portage/dev-libs/nss/ |
| 18 |
> # grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \ |
| 19 |
> | sed 's/\.//'|sort -u |
| 20 |
> 564834 |
| 21 |
> 571086 |
| 22 |
> 574848 |
| 23 |
> 576862 |
| 24 |
> 585372 |
| 25 |
> # |
| 26 |
> |
| 27 |
> Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but |
| 28 |
> about stable request ("=dev-libs/nss-3.23 stable request"). |
| 29 |
> |
| 30 |
> So all of these: |
| 31 |
Really not! |
| 32 |
|
| 33 |
|
| 34 |
There is talk of 3.19.2.1 and 3.19.4 ... |
| 35 |
> <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer |
| 36 |
> overflow, integer overflow (CVE-2015-{7181,7182,7183}) |
| 37 |
> https://bugs.gentoo.org/show_bug.cgi?id=564834 |
| 38 |
[There is talk of 3.19.2.1 and 3.19.4] |
| 39 |
on 2015-11-03 20:19:00 UTC here: |
| 40 |
https://bugs.gentoo.org/show_bug.cgi?id=564834#c0 |
| 41 |
|
| 42 |
I don't know about this one, but probably it doesn't apply to what Pale |
| 43 |
Moon either... |
| 44 |
> (CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5 |
| 45 |
> signature allows attack on client certificate authentication (part of SLOTH |
| 46 |
> attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938) |
| 47 |
> https://bugs.gentoo.org/show_bug.cgi?id=571086 |
| 48 |
|
| 49 |
This bug #574848 |
| 50 |
> dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin: |
| 51 |
> checkcert does not exist |
| 52 |
> https://bugs.gentoo.org/show_bug.cgi?id=574848 |
| 53 |
is entirely local error within Gentoo |
| 54 |
|
| 55 |
And there is talk of .19.2.3 ... |
| 56 |
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0 |
| 57 |
> <www-client/firefox{,-bin}-{38.7.0,45.0} |
| 58 |
> <mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple |
| 59 |
> vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802}) |
| 60 |
> https://bugs.gentoo.org/show_bug.cgi?id=576862 |
| 61 |
[And there is talk of .19.2.3] |
| 62 |
on 2016-03-09 14:42:36 UTC here: |
| 63 |
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0 |
| 64 |
> |
| 65 |
... |
| 66 |
> No addons/extensions yet (not even the eff-https-everywhere, the browser |
| 67 |
> functionalities minimized, privacy browsing set to always, though, and |
| 68 |
> I'll show that too. Ah, no tracking protection in Pale Moon, we'll see |
| 69 |
> to that... But later I'll make page 2 with that cast/trace pair. |
| 70 |
> |
| 71 |
> ( And, regarding the short post by Taiidan@×××.com |
| 72 |
> http://www.gossamer-threads.com/lists/gentoo/user/320794#320794 |
| 73 |
> also something to fake browser fingerprinting, probably start looking from: |
| 74 |
> https://wiki.gentoo.org/wiki/Tor ) |
| 75 |
> |
| 76 |
|
| 77 |
And whether the NSS that Pale Moon uses is fine, maybe some of the devs |
| 78 |
can tell us, I apologize for for having made too hasty and very probably |
| 79 |
wrong conclusion in regard... |
| 80 |
|
| 81 |
Regards! |
| 82 |
-- |
| 83 |
Miroslav Rovis |
| 84 |
Zagreb, Croatia |
| 85 |
http://www.CroatiaFidelis.hr |
Archives