PM 27.2.0 not allowing CRITICAL update to LASTPASS Topic is solved

SfdudePM

PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-22, 20:08

Latest FIXED VULNERABILITY
LASTPASS Addon version for Firefox:
4.1.36 <== we should all upgrade to this version quickly!

REF:
Important Security Updates for Our Users
https://blog.lastpass.com/2017/03/impor ... 0322190742

Yet, my PM 27.2.0 in Ubuntu 12.04 32-bit,
shows LastPass at version:
3.3.4...

When I try to upgrade LastPass from the official URL above,
it says: "...LASTPASS addon cannot be installed
because it is a JetPack extension...".

Help! :(
What do I do/not do next to upgrade?
LASTPASS is a critical addon to me (and to many PM users...).

JustOff

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by JustOff » 2017-03-22, 20:23

As far as I know, LastPass 2.x and 3.x don't have this vulnerability. Correct me if I am wrong.

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-22, 20:31

Hi JustOFF -

Nice hearing from you!

Short Answer:
Yes, versions 3.X of LastPass seem to be vulnerable,
according to the Google researchers.

see text under Title:
"Firefox 3.3.2 message-hijacking bug"
in the LastPass Blog link:
https://goo.gl/4lxbJL

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-22, 20:47

I just read in the LAST PASS Blog,
that even the 3.3.4 version
of the LAST PASS addon ( still working in PM ),
will be retired by the end of March...
REF: https://goo.gl/tMITmX

But LP versions 4.+
will not install in PM 27.2! (JetPack incompatibility, etc).

A solution to this seems critical and urgent, now...

It seems mandatory
to do something about this, my friends.

JustOff

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by JustOff » 2017-03-22, 21:15

Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-22, 21:58

Thanks, JustOff!

Will try your suggestion
after situation stabilizes with LastPass.

Have already left a comment
on the LASTPASS Blog site.
(let's see what they have to say about LP and PM Users...).

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-22, 22:28

JustOff -
latest LastPass addon v 4.x (non-vulnerable, fixed version)
seems to work ok in PM27.2.0,
using your now world-famous Moon Tester Tool. :clap:

Spent some minutes testing.
So far, so good!

Q:
What will happen when LastPass releases
the NEXT (even minor) version of the LP addon "for Firefox"?

PM will show the newest LP addon version
as a possible update...

Do I just use the Moon Tester Tool
as I just did now?
-OR-
Do I allow PaleMoon to upgrade the version (as is usual w/other addons?)

JustOff

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by JustOff » 2017-03-23, 12:43

Moon Tester Tool is for testing and it blocks all updates of the installed add-on (that is stated in its description). The only correct way is to ask the developers to support Pale Moon officially.

troypulk

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by troypulk » 2017-03-23, 13:19

JustOff wrote: Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.

Is the LastPass version 4.1.36a a nightly?

The latest from LastPass is 4.1.23

"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?

Thanks

JustOff

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by JustOff » 2017-03-23, 13:57

troypulk wrote:
Is the LastPass version 4.1.36a a nightly?
The latest from LastPass is 4.1.23
"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?

When I go to https://lastpass.com and click on "Get LastPass Free" at the top right corner, it sends me the xpi from the link I posted above; this is all I know.

back2themoon
Moon Magic practitioner
Posts: 2402
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by back2themoon » 2017-03-23, 14:13

LastPass does not officially support Pale Moon (they've stated it numerous times) so if you want to be on the safe side and still use a password manager, switch to another one that supports your browser as soon as possible. Your title is obviously wrong, it's LastPass that does not allow (=support) the update in Pale Moon, not the other way round.

troypulk

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by troypulk » 2017-03-23, 15:37

JustOff wrote:
troypulk wrote:
Is the LastPass version 4.1.36a a nightly?
The latest from LastPass is 4.1.23
"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?
When I go to https://lastpass.com and click on "Get LastPass Free" at the top right corner, it sends me the xpi from the link I posted above; this is all I know.

That's funny because when I do that I get an error message that says:
LassPass could not be install because it is a Jetpack/SDK extension which are not supported in PaleMoon 27.2.0

EDIT:
Okay, I had to go to "More ways to get LastPass" and right click on the FF link and click "save as"
Last edited by troypulk on 2017-03-23, 15:59, edited 1 time in total.

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-23, 15:46

Hi @back2the Moon,

Yes, you are technically right.

It is LastPass which refuses to support PM,
not the other way around.

I left a comment in the LastPass blog,
no response...

But this, our thread, is not about "who is to blame"
but about what to do ref a critical problem (for some of us),
because LastPass is a very good pwd mgr.

What I like most about LastPass
is that when you open a LOGIN page (where I'm already registered),
LastPass will pre-fill the ID and pwd.
I don't need to copy and paste pwds in Login forms...

You mention "switch" to another pwd mgr.,
similar to LastPass?

Any PM-related suggestions and experiences
ref a safe and reliable substitute pwd mgr.
are welcome...
let's share.

Anybody?
Last edited by SfdudePM on 2017-03-23, 16:08, edited 4 times in total.

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-23, 15:57

@troypulk

Here's how I d/l:
1) Under that big red button "Get LP FREE"
there is a link:
"More ways to Download..."
Click on it!

2) Now, you are in the page:
"More ways to Download..."
It detects you are calling from a LINUX pc...

In the 2nd entry,
LastPass for Firefox (i386 and x64)
far right, there is a link:
"Download"

RIGHT_CLICK on this link
(don't LEFT click!...).
and from the pop up menu,
select:
"SAVE LINK AS".


This will allow you to D/L
the .XPI addon file
you need! :)

Once D/L you can install this .XPI file
as suggested above, by JustOff.

back2themoon
Moon Magic practitioner
Posts: 2402
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by back2themoon » 2017-03-23, 18:14

SfdudePM wrote: I left a comment in the LastPass blog, no response...
Not sure what you expect, they will either not respond or tell you they don't support it. Many of us have already asked them.

SfdudePM wrote: But this, our thread, is not about "who is to blame" but about what to do
Exactly, and my suggestion is to use another password manager. That's the only solution, unless you want to trust your passwords with software that is not meant to work with your browser. I would never take such a risk.

SfdudePM wrote: What I like most about LastPass is that when you open a LOGIN page (where I'm already registered), LastPass will pre-fill the ID and pwd. I don't need to copy and paste pwds in Login forms...
That's what most password managers do, not just LastPass. They can even log you in automatically, not just auto-fill.

SfdudePM wrote: You mention "switch" to another pwd mgr., similar to LastPass? Any PM-related suggestions and experiences ref a safe and reliable substitute pwd mgr. are welcome...
I use Sticky Password, which is safer than LastPass and supports Pale Moon (PM x86 only for now, and not on Linux). I'm sure others can suggest solutions equal to or better than LastPass that can work on Linux, too.

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-23, 23:53

@back2themoon:
thanks for the recommendation of Sticky Password,
as an alternative to LastPass.

Looks really good.

Unfortunately,
they don't have a Linux version...

According to their Forum posts,
they don't plan to have a Linux version,
any time soon...

lightning slinger

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by lightning slinger » 2017-03-24, 09:35

SfdudePM wrote: Yet, my PM 27.2.0 in Ubuntu 12.04 32-bit,
....
Don't forget 12.04 goes EOL in April!!

SfdudePM

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by SfdudePM » 2017-03-25, 19:15

Thanks @lightning slinger.

Yes!
Planning to upgrade to Ubuntu 14.04 LTS 32-bit
after the US Tax season.
(don't want to "bork" my PC
in case the "upgrade" fails...).

Planning to use the [ upgrade ] button in "Update Mgr"
to version 14.04 LTS.
That's the version it offers there...so I'll go with that.

Why not go directly
from my version 12.04 LTS to 16.04 LTS ?
Because I think that doing it in 2 steps (via 14.04 first),
is safer.

Just my opinion as a non-Linux expert. ;)

twigs
Moongazer
Posts: 10
Joined: 2017-04-05, 09:39

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by twigs » 2017-04-05, 11:10

Hi,

Should the 'Known Incompatible Add-Ons' page be updated to include LastPass 4.x? This will be relevant when version 3.x gets retired at the end of 2017.

Also on the Incompatible page, the workaround for Dashlane is to use the LastPass Password Manager, so that will need to be changed also.

LastPass not supporting Pale Moon going forward is disappointing, we use LastPass here at work so it looks like I'll have to switch to another browser when they retire 3.x.

I guess it gives us a bit of time to organize some attempt at getting them (and others) to support Pale Moon? A number of people on this page said they posted in the blog but I couldn't find those entries. If we can co-ordinate the user base, perhaps our collective voice may be heard?

back2themoon
Moon Magic practitioner
Posts: 2402
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Unread post by back2themoon » 2017-04-05, 14:11

With all the increasing LastPass vulnerability/exploit announcements, I for one am staying away from it and not going back - Pale Moon compatible or not.
