trondd <tro...@kagu-tsuchi.com> writes:
> Update links+ to 2.14
>
> Fixes some security related issues:
>
> * Limit keepalive of ciphers with 64-bit block size to mitigate
> the SWEET32 attack
> * Improved tor hardening - when the user toggles the "Only Proxies" option
> (i.e. when connecting to tor), we reset certain other options to their
> default values, so that it is not possible to identify user behind tor
> based on the selected options.
> * Security bug fixed: Don't load or render the content of
> "407 Proxy Authentication Required" reply when using https proxy.
> This avoids the FalseCONNECT attack.
> Also, don't allow 401 and 407 responses to set cookies.

Should this be backported to -stable?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE