packages updated (was Re: Running firefox a bit more safely)
Matthew Dillon
dillon at apollo.backplane.com
Thu Aug 13 08:37:46 PDT 2015
Binary packages have been updated for MASTER and 4.2-RELEASE. Two
major changes were made (in addition to many other package updates taken
from FreeBSD):

(1) We downgraded the xf86-video-intel dport to 2.99.917. Version
2.99.2015.07.23 was not stable and could lead to X crashes.

If you are on an intel machine and running the 2.99.2015.07.23 intel
driver, I strongly recommend upgrading the package; you should get
2.99.917 back again.

(2) We upgraded firefox to 40.0_4 (basically
mozilla/firefox/40.0-candidates/build5).

This was done to address a brand new exploit as well as stability
issues. 40.0_1 (build4) fixed the PDF file access exploit but
did not fix a more serious remote code execution vulnerability
due to memory corruption, most commonly seen as a seg-fault core
dump in the CanonicalizeXPCOMParticipant function.

The previous firefox, 39.0,1, had both the PDF exploit and the
memory corruption exploit. Mozilla updated -39 to 39.0.3 which
appears to have fixed at least the PDF exploit and was also stable,
but we are not sure if it fixed the second one because the functional
change made in 40.0_4 has not been made in 39.0.3.

Since all the synchronization work had been done to get 40.0* into
the tree, we decided to stick to the 40.* series.

It took a few days to get everything straightened out, and John Marino
spent a lot of time on it, because the upgrade to the 40.0* series
required synchronizing the whole tree and doing a fresh bulk build for
both -master and -release (and now he's also rebuilding the older 4.0
release as well). And then when 40.0,1 and 40.0_3 failed to address
the issue it took another few hours to bring in 40.0_4 and do a partial
bulk build to get it integrated.

We've decided to stick with 40.0_4, which really is the bleeding edge
insofar as firefox goes, but after extensive testing it also appears to
be quite stable on my workstation, and it seems to have the necessary
bug fixes.

All binary dports and /usr/dports sources for MASTER and the 4.2 release
are now up-to-date.

A binary update for the older 4.0 release is still in-progress and will
take ~2 days.
--
I also strongly recommend that anyone seriously using any browser, even
chrome, use the method I described earlier in this thread of segregating
execution of the application into its own user account to reduce the
chances that future exploits (and they will happen) will impact your
security.
-Matt