Firefox 72.0.1 and FF ESR 68.4.1 available, fixing a critical security vulnerability exploited in targeted attacks:

mozilla.org/en-US/security/adv

– Mozilla: "We are aware of targeted attacks in the wild abusing this flaw."
– This updates the recently released Firefox 72.0 and FF ESR 68.4.0.
– There will be a Tor Browser update (9.0.4) and likely a Tails OS update soon.

@infosechandbook Hey @fdroidorg could you please update #Firefox Klar? Current version is from 2019-07-11.
Thank you very much for your work!

@infosechandbook
@fdroidorg idea:
In case no maintainer is found, inform users via an update-like notification that the affected software will soon be removed - and then remove it until it is maintained again.
What do you think?

@maximpistos

We suggested a similar idea months ago, but it was obviously rejected.

@fdroidorg

@fireglow

There was a discussion regarding this on forum.f-droid.org in 2016/2017. However, we can't find it anymore. Maybe it is still there. Some people argued that unmaintained apps will be moved to the F-Droid Archive repo, so they aren't directly available for most users. Obviously, there are still outdated apps provided by F-Droid.

@fdroidorg @maximpistos

@infosechandbook
ooh right, I misunderstood. Now I get it, thank you.
Yes, I agree with that proposal; anything is better than offering vulnerable software to unsuspecting users.
@fdroidorg @maximpistos
@maximpistos that’s a really good idea!
Just to be clear: is the version available on F-Droid vulnerable?
@infosechandbook @fdroidorg

@maximpistos @infosechandbook @fdroidorg We can mark apps or single versions with the KnownVulnerability antifeature. Users will get a notification the next time they update their package index if they have such an app installed. But even for that we need help from more people. It's hard to know if one of the 2.5k apps is outdated when none of the existing maintainers is even using it.
