X
Thinta lapha ukuze uye kuveshini yamakhalekhukhwini kusayithi.

Isithangami Sabeseki

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

Patch for Meltdown / Spectre Vulnerability Planned for Firefox ESR v52.5?

Kuphostiwe

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5?

I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57".


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

Will a patch for the Meltdown / Spectre vulnerabilities be released for the extended support release Firefox ESR v52.5? I understand that the recent Firefox v57.0.4 patches this vulnerability but the 03-Jan-2018 Mozilla Security Blog entry at https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ is unclear because it states a patch will be released for "all release channels, starting with 57". ------------ 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * Norton Security Premium v22.11.2.7

Eminye Imininingwane Yohlelo

Fakela amapulagi

  • iTunes Detector Plug-in

Isisebenziso

  • I-ejenti Engumsebenzisi: Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0

Eminye Imininingwane

philipp
  • Top 25 Contributor
  • Moderator
5304 izisombululo 23419 izimpendulo
Kuphostiwe

Impendulo Ewusizo

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.

hi, at this point we think 52esr isn't affected. the feature that got disabled with 57.0.4 to mitigate potential problems in regards to the Meltdown/Spectre vulnerability wasn't on back then in the first place.
cor-el
  • Top 10 Contributor
  • Moderator
17467 izisombululo 157838 izimpendulo
Kuphostiwe

Isisombululo Esikhethiwe

See also: *https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Umnikazi wombuzo

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state:

"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled Firefox 52.6 ESR release on January 23, 2018."


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

I noticed the Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ was updated to state: ''"Firefox 52 ESR does not support SharedArrayBuffer and is less at risk; the performance.now() mitigations will be included in the regularly scheduled '''Firefox 52.6 ESR''' release on '''January 23, 2018'''."'' --------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7
Shadow110 1072 izisombululo 14836 izimpendulo
Kuphostiwe

If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.

If Intel they have issued a patch but should know which build it is. Use CPU-Z https://www.cpuid.com/ to make sure : https://betanews.com/2018/01/12/intel-transparency-meltdown-patch-problems/ https://newsroom.intel.com/press-kits/security-exploits-intel-products/ No idea on AMD Please let us know if this solved your issue or if need further assistance.
James
  • Moderator
1595 izisombululo 11242 izimpendulo
Kuphostiwe

AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.

AMD is not affected by the current version of meltdown and is hard for spectre to affect AMD compared to Intel.

Umnikazi wombuzo

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <here>) was not pushed out to FF ESR users at the same time.

The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution.


32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

My question was specifically about Mozilla's plans for patching the ESR (extended support release) of Firefox, since the FF v57.0.4 security update released on 03-Jan-2017 to mitigate the Spectre vulnerability (see the release notes <[https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/ here]>) was not pushed out to FF ESR users at the same time. The Mozilla Security blog https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ has been updated to include information about the upcoming 23-Jan-2018 patch for FF ESR so I'll go ahead and mark cor-el's post as the solution. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.5.3 * NS v22.11.2.7

Okulungisiwe ngu lmacri

James
  • Moderator
1595 izisombululo 11242 izimpendulo
Kuphostiwe

There was no 52.5.4 ESR update because it was not needed at the time.

There was no 52.5.'''4''' ESR update because it was not needed at the time.
userht 0 izisombululo 3 izimpendulo
Kuphostiwe

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?
jscher2000
  • Top 10 Contributor
8685 izisombululo 71000 izimpendulo
Kuphostiwe

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.

''userht [[#answer-1067640|said]]'' <blockquote> Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018? </blockquote> I don't think any of the support volunteers are in close contact with the release engineering team. There may be another forum or mailing list where you can find out about any delays.

Umnikazi wombuzo

userht said

Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018?

Hi userht:

The Mozilla Foundation Security Advisory 2018-01 now states that "the precision of performance.now() has been reduced from 5μs to 20μs" to mitigate the Spectre vulnerability in Firefox ESR v52.6.0 (released today, 23-Jan-2018). That security advisory also confirms that "SharedArrayBuffer is already disabled in Firefox 52 ESR ".


32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7

''userht [[#answer-1067640|said]]'' <blockquote> Is Firefox 52.6 -- with performance.now() mitigations -- going to be released as scheduled this Tuesday, 1/23/2018? </blockquote> Hi userht: The [https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ Mozilla Foundation Security Advisory 2018-01] now states that "''the precision of '''performance.now()''' has been reduced from 5μs to 20μs''" to mitigate the Spectre vulnerability in '''Firefox ESR v52.6.0''' (released today, 23-Jan-2018). That security advisory also confirms that "'''''SharedArrayBuffer''' is already disabled in Firefox 52 ESR ''". ------------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.6.0 * NS v22.11.2.7