How often does Basilisk address security vulnerabilities Topic is solved

Board for discussions around the Basilisk web browser.

Moderator: satrow

Locked
Hitchhiker
Apollo supporter
Apollo supporter
Posts: 32
Joined: 2017-12-10, 11:06
Location: The Netherlands

How often does Basilisk address security vulnerabilities

Post by Hitchhiker » 2017-12-10, 16:43

I note that in the latest release of Basilisk the security vulnerabilities mentioned in this article haven't been addressed yet.

Mozilla tends to address these kind of issues within 48 hours as was the case in this particular case, but Basilisk doesn't seem to follow the same pattern, or at least I haven't seen any further updates to date.

So my question is, what's your policy regarding security vulnerabilities.

User avatar
Sajadi
Board Warrior
Board Warrior
Posts: 1058
Joined: 2013-04-19, 00:46

Re: How often does Basilisk address security vulnerabilities

Post by Sajadi » 2017-12-10, 18:50

The thing is a browser fork is not as rapid in bugfixes as compared with the "original" project.

But this does not only apply to Pale Moon but also affects Vivaldi, Brave or similar. Also, it is unlikely that every security flaw is exploited everywhere as soon as it is found. So, panic is overrated in most cases ;)

As soon as it is possible to address security issues and as soon as informations about issues are retrieved as soon they are fixed.

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1004
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: How often does Basilisk address security vulnerabilities

Post by Isengrim » 2017-12-10, 19:08

It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

GMforker
Astronaut
Astronaut
Posts: 537
Joined: 2015-08-27, 06:29
Location: Czech Republic

Re: How often does Basilisk address security vulnerabilities

Post by GMforker » 2017-12-10, 20:19

Isengrim wrote:It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
IMHO: However, better would be a complete list of security vulnerabilities / CVEs:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
...

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 25032
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: How often does Basilisk address security vulnerabilities

Post by Moonchild » 2017-12-11, 09:24

GMforker wrote:IMHO: However, better would be a complete list of security vulnerabilities / CVEs:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
Nobody does this. Nobody in their right mind would want to post a wall of "not implemented, because it doesn't apply to our code" CVEs.
Everything RELEVANT is ALWAYS ported across.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 25032
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: How often does Basilisk address security vulnerabilities

Post by Moonchild » 2017-12-11, 09:41

Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
  1. A security-vulnerable bug is found
  2. Mozilla fixes it
  3. When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
  4. I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
  5. Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
  6. If applicable and relevant, I port patches or write code to mitigate
  7. If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

Hitchhiker
Apollo supporter
Apollo supporter
Posts: 32
Joined: 2017-12-10, 11:06
Location: The Netherlands

Re: How often does Basilisk address security vulnerabilities

Post by Hitchhiker » 2017-12-11, 13:52

Moonchild wrote:Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
  1. A security-vulnerable bug is found
  2. Mozilla fixes it
  3. When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
  4. I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
  5. Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
  6. If applicable and relevant, I port patches or write code to mitigate
  7. If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.
OK, thanks for the feedback. It puts my mind at ease.

Actually, Basilisk isn't vulnerable to the issues I mentioned since they only affect FF57 and not earlier versions according to the footnote here. That wasn't apparent from the links I posted earier.

Locked