1 |
I need to correct what I wrote... Things are *not* as bad as I |
2 |
misunderstood... |
3 |
|
4 |
On 161219-18:17+0100, Miroslav Rovis wrote: |
5 |
... |
6 |
> ... |
7 |
> |
8 |
> The NSS library that Palemoon uses (as I posted on that link above) is, |
9 |
> IIUC, ancient (paste from about:support): |
10 |
|
11 |
Nope! But see below... |
12 |
|
13 |
> NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC |
14 |
> |
15 |
> See in your own portage: |
16 |
> |
17 |
> # cd /usr/portage/dev-libs/nss/ |
18 |
> # grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \ |
19 |
> | sed 's/\.//'|sort -u |
20 |
> 564834 |
21 |
> 571086 |
22 |
> 574848 |
23 |
> 576862 |
24 |
> 585372 |
25 |
> # |
26 |
> |
27 |
> Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about vulns but |
28 |
> about stable request ("=dev-libs/nss-3.23 stable request"). |
29 |
> |
30 |
> So all of these: |
31 |
Really not! |
32 |
|
33 |
|
34 |
There is talk of 3.19.2.1 and 3.19.4 ... |
35 |
> <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer |
36 |
> overflow, integer overflow (CVE-2015-{7181,7182,7183}) |
37 |
> https://bugs.gentoo.org/show_bug.cgi?id=564834 |
38 |
[There is talk of 3.19.2.1 and 3.19.4] |
39 |
on 2015-11-03 20:19:00 UTC here: |
40 |
https://bugs.gentoo.org/show_bug.cgi?id=564834#c0 |
41 |
|
42 |
I don't know about this one, but probably it doesn't apply to what Pale |
43 |
Moon either... |
44 |
> (CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5 |
45 |
> signature allows attack on client certificate authentication (part of SLOTH |
46 |
> attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938) |
47 |
> https://bugs.gentoo.org/show_bug.cgi?id=571086 |
48 |
|
49 |
This bug #574848 |
50 |
> dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin: |
51 |
> checkcert does not exist |
52 |
> https://bugs.gentoo.org/show_bug.cgi?id=574848 |
53 |
is entirely local error within Gentoo |
54 |
|
55 |
And there is talk of .19.2.3 ... |
56 |
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0 |
57 |
> <www-client/firefox{,-bin}-{38.7.0,45.0} |
58 |
> <mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple |
59 |
> vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802}) |
60 |
> https://bugs.gentoo.org/show_bug.cgi?id=576862 |
61 |
[And there is talk of .19.2.3] |
62 |
on 2016-03-09 14:42:36 UTC here: |
63 |
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0 |
64 |
> |
65 |
... |
66 |
> No addons/extensions yet (not even the eff-https-everywhere, the browser |
67 |
> functionalities minimized, privacy browsing set to always, though, and |
68 |
> I'll show that too. Ah, no tracking protection in Pale Moon, we'll see |
69 |
> to that... But later I'll make page 2 with that cast/trace pair. |
70 |
> |
71 |
> ( And, regarding the short post by Taiidan@×××.com |
72 |
> http://www.gossamer-threads.com/lists/gentoo/user/320794#320794 |
73 |
> also something to fake browser fingerprinting, probably start looking from: |
74 |
> https://wiki.gentoo.org/wiki/Tor ) |
75 |
> |
76 |
|
77 |
And whether the NSS that Pale Moon uses is fine, maybe some of the devs |
78 |
can tell us, I apologize for for having made too hasty and very probably |
79 |
wrong conclusion in regard... |
80 |
|
81 |
Regards! |
82 |
-- |
83 |
Miroslav Rovis |
84 |
Zagreb, Croatia |
85 |
http://www.CroatiaFidelis.hr |