I need to correct what I wrote... Things are *not* as bad as I misunderstood...
On 161219-18:17+0100, Miroslav Rovis wrote:
> ...
> The NSS library that Palemoon uses (as I posted on that link above) is,
> IIUC, ancient (paste from about:support):

Nope! But see below...

> NSS 3.19.5.0 Basic ECC 3.19.5.0 Basic ECC
>
> See in your own portage:
>
> # cd /usr/portage/dev-libs/nss/
> # grep 'bug #' ChangeLog | cut -d# -f2 | sed 's/)//' | sed 's/\.//' \
>   | sed 's/\.//'|sort -u
> 564834
> 571086
> 574848
> 576862
> 585372
> #
>
> Of the above Gentoo Bugzilla bugs, only the last one (585372) is not about
> vulns but about a stable request ("=dev-libs/nss-3.23 stable request").
>
> So all of these:

Really not! There is talk of 3.19.2.1 and 3.19.4 ...

> <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer
> overflow, integer overflow (CVE-2015-{7181,7182,7183})
> https://bugs.gentoo.org/show_bug.cgi?id=564834

[There is talk of 3.19.2.1 and 3.19.4] on 2015-11-03 20:19:00 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=564834#c0

I don't know about this one, but probably it doesn't apply to what Pale Moon
uses either...

> (CVE-2015-7575, CVE-2016-1938) - <dev-libs/nss-3.21-r2: Weak RSA-MD5
> signature allows attack on client certificate authentication (part of SLOTH
> attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938)
> https://bugs.gentoo.org/show_bug.cgi?id=571086

This bug #574848

> dev-libs/nss-3.22[utils] - multilib-minimal_abi_src_install - !!! dobin:
> checkcert does not exist
> https://bugs.gentoo.org/show_bug.cgi?id=574848

is an entirely local error within Gentoo.

And there is talk of .19.2.3 ...
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0

> <www-client/firefox{,-bin}-{38.7.0,45.0}
> <mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple
> vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
> https://bugs.gentoo.org/show_bug.cgi?id=576862

[And there is talk of .19.2.3] on 2016-03-09 14:42:36 UTC here:
https://bugs.gentoo.org/show_bug.cgi?id=576862#c0

> ...
> No addons/extensions yet (not even the eff-https-everywhere), the browser
> functionalities minimized, privacy browsing set to always, though, and
> I'll show that too. Ah, no tracking protection in Pale Moon, we'll see
> to that... But later I'll make page 2 with that cast/trace pair.
>
> ( And, regarding the short post by taii...@gmx.com
> http://www.gossamer-threads.com/lists/gentoo/user/320794#320794
> also something to fake browser fingerprinting, probably start looking from:
> https://wiki.gentoo.org/wiki/Tor )
>

And whether the NSS that Pale Moon uses is fine, maybe some of the devs can
tell us. I apologize for having made a too hasty and very probably wrong
conclusion in that regard...

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
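To make the version question in this post concrete, here is an added Python example (not code from the thread, from Gentoo or from Pale Moon) that checks an NSS version against the "<" bounds quoted in the bug titles above. It assumes, as a labelled assumption, that the 3.19.x versions mentioned in the bug comments are backported fixes on the 3.19 branch, and shows why a plain "older than the bound" comparison overstates the exposure of a branch that received backports.

```python
import re

# Constructed from the thread: the NSS version Pale Moon's about:support reports,
# and the "affected if older than" bounds from the Gentoo bug titles.
PALEMOON_NSS = "3.19.5.0"
GLSA_BOUNDS = {
    "564834 CVE-2015-7181/7182/7183": "<dev-libs/nss-3.20.1",
    "571086 SLOTH CVE-2015-7575/CVE-2016-1938": "<dev-libs/nss-3.21-r2",
    "576862 CVE-2016-1950..1979/2790..2802": "<dev-libs/nss-3.22.2",
}
# Assumption, not a fact the thread states: the 3.19.x versions named in the
# bug comments are the backported fixes on the 3.19 branch for that bug.
BRANCH_FIXES = {
    "564834 CVE-2015-7181/7182/7183": ["3.19.2.1", "3.19.4"],
    "576862 CVE-2016-1950..1979/2790..2802": ["3.19.2.3"],
}

# Optional '<', optional 'category/package-' prefix, dotted version, optional -rN
VER_RE = re.compile(r"^<?(?:(?:[\w-]+/)?[\w+-]+?-)?(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(spec):
    """'3.19.5.0', '3.21-r2' or '<dev-libs/nss-3.21-r2' -> comparable tuple
    (major, minor, micro, patch, revision); missing components count as 0."""
    m = VER_RE.match(spec)
    if not m:
        raise ValueError("unrecognised version spec: %r" % spec)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + (int(m.group(2) or 0),)

def is_affected(installed, bound, branch_fixes=()):
    """A '<bound' advisory marks everything older than bound as affected.
    A known backport on the installed version's own branch (same major.minor)
    clears it when installed >= that backport."""
    inst = parse_version(installed)
    if inst >= parse_version(bound):
        return False
    return not any(parse_version(f)[:2] == inst[:2] and inst >= parse_version(f)
                   for f in branch_fixes)

def assess(installed=PALEMOON_NSS):
    """Map each bug to True (still affected) / False for the given NSS version."""
    return {bug: is_affected(installed, bound, BRANCH_FIXES.get(bug, ()))
            for bug, bound in GLSA_BOUNDS.items()}

if __name__ == "__main__":
    for bug, hit in assess().items():
        print("%-42s %s" % (bug, "still affected" if hit else "not affected"))
```

Bug 571086 stays flagged because the thread names no 3.19.x backport for it; that matches the post's "I don't know about this one" rather than settling it.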