X
Tap here to go to the mobile version of the site.

Fóram Tacaíochta

Cuireadh an snáithe seo sa chartlann. Cuir ceist nua má tá cabhair uait.

Patch for Meltdown / Spectre Vulnerability Planned for Firefox ESR v52.5?

Postáilte

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5?

I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57".


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5? I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57". ------------ 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

Tuilleadh mionsonraí faoin chóras

Breiseáin Shuiteáilte

  • iTunes Detector Plug-in

Feidhmchlár

  • User Agent: Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0

Tuilleadh Eolais

philipp
  • Top 25 Contributor
  • Moderator
5324 réiteach 23508 freagra

Freagra Cabhrach

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.
cor-el
  • Top 10 Contributor
  • Moderator
17579 réiteach 159024 freagra

Réiteach Roghnaithe

See also: *https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Úinéir na ceiste

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state:

"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018."


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state: ''"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled '''Firefox 52.6 ESR''' release on '''January 23, 2018'''."'' --------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7
Shadow110 1072 réiteach 14836 freagra

If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.

If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.
James
  • Top 25 Contributor
  • Moderator
1602 réiteach 11344 freagra

AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.

AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.

Úinéir na ceiste

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <here>) was not pushed out to FF ESR users at the same time.

The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution.


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <[https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/ here]>) was not pushed out to FF ESR users at the same time. The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

Athraithe ag lmacri ar

James
  • Top 25 Contributor
  • Moderator
1602 réiteach 11344 freagra

There was no 52.5.4 ESR update because it was not needed at the time.

There was no 52.5.'''4''' ESR update because it was not needed at the time.
userht 0 réiteach 3 freagra

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?
jscher2000
  • Top 10 Contributor
8793 réiteach 71937 freagra

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.

''userht [[#answer-1067640|said]]'' <blockquote> Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018? </blockquote> I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.

Úinéir na ceiste

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Hi userht:

The Mozilla Foundation Security Advisory 2018-01 now states that "the precision of performance.now() has been reduced from 5μs to 20μs" to mitigate the Spectre vulnerability in Firefox ESR v52.6.0 (released today, 23-Jan-2018). That security advisory also confirms that "SharedArrayBuffer is already disabled in Firefox 52 ESR ".


32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7

''userht [[#answer-1067640|said]]'' <blockquote> Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018? </blockquote> Hi userht: The [https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ Mozilla Foundation Security Advisory 2018-01] now states that "''the precision of '''performance.now()''' has been reduced from 5μs to 20μs''" to mitigate the Spectre vulnerability in '''Firefox ESR v52.6.0''' (released today, 23-Jan-2018). That security advisory also confirms that "'''''SharedArrayBuffer''' is already disabled in Firefox 52 ESR ''". ------------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7