
How often does Basilisk address security vulnerabilities

Posted: 2017-12-10, 16:43
by Hitchhiker
I note that in the latest release of Basilisk the security vulnerabilities mentioned in this article haven't been addressed yet.

Mozilla tends to address these kinds of issues within 48 hours, as it did in this particular case, but Basilisk doesn't seem to follow the same pattern, or at least I haven't seen any further updates to date.

So my question is, what's your policy regarding security vulnerabilities?

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-10, 18:50
by Sajadi
The thing is, a browser fork is not as rapid with bug fixes as the "original" project.

But this does not only apply to Pale Moon but also affects Vivaldi, Brave or similar. Also, it is unlikely that every security flaw is exploited everywhere as soon as it is found. So, panic is overrated in most cases ;)

As soon as it is possible to address security issues, and as soon as information about the issues is obtained, they are fixed.

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-10, 19:08
by Isengrim
It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-10, 20:19
by GMforker
Isengrim wrote: It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
IMHO, however, a complete list of security vulnerabilities / CVEs would be better:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
...

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-11, 09:24
by Moonchild
GMforker wrote: IMHO, however, a complete list of security vulnerabilities / CVEs would be better:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
Nobody does this. Nobody in their right mind would want to post a wall of "not implemented, because it doesn't apply to our code" CVEs.
Everything RELEVANT is ALWAYS ported across.

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-11, 09:41
by Moonchild
Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
  1. A security-vulnerable bug is found
  2. Mozilla fixes it
  3. When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
  4. I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
  5. Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
  6. If applicable and relevant, I port patches or write code to mitigate
  7. If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.
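
The applicability audit in step 5 can be partly mechanised before anyone reads the patch in detail. What follows is an added example, not Pale Moon, Basilisk or Mozilla code: it reads a unified diff of an upstream fix and reports, per touched file, whether the lines the patch removes or uses as context are present in the fork's tree. If they are, the vulnerable code is there and the patch probably applies; if the file exists but that pre-image does not, the code has diverged and needs a manual port or a decision that it does not apply; if the file is absent, the fix is irrelevant. The diff, the paths and the fork file contents below are constructed for illustration and are not real Mozilla or Pale Moon source.

```python
"""Triage an upstream security patch against a fork's tree (added example).

The check is deliberately mechanical: for every hunk, the context (' ') and
removed ('-') lines form the pre-image that must exist somewhere in the fork's
copy of the file. Line numbers in the @@ header are ignored on purpose, since a
fork's files drift and the same code usually sits at a different offset.
"""
import re
from typing import Dict, List, Optional

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def parse_pre_images(diff_text: str) -> Dict[str, List[List[str]]]:
    """Map each patched path to a list of per-hunk pre-images.

    '+' lines are the fix itself and are not expected in the fork, so they are
    skipped. '\\ No newline at end of file' markers are skipped as well.
    """
    files: Dict[str, List[List[str]]] = {}
    hunks: Optional[List[List[str]]] = None
    current: Optional[List[str]] = None
    for raw in diff_text.splitlines():
        if raw.startswith("diff ") or raw.startswith("--- "):
            continue
        if raw.startswith("+++ "):
            path = raw[4:].split("\t", 1)[0]
            path = path[2:] if path.startswith("b/") else path
            hunks = files.setdefault(path, [])
            current = None
            continue
        if HUNK_HEADER.match(raw):
            if hunks is None:
                raise ValueError("hunk header before any +++ file header")
            current = []
            hunks.append(current)
            continue
        if current is None:
            continue
        if raw.startswith(("-", " ")):
            current.append(raw[1:])
        elif raw == "":
            # Some mail clients and copy/paste strip the leading space from
            # blank context lines; treat an empty line as blank context.
            current.append("")
    return files


def _find_block(haystack: List[str], needle: List[str]) -> int:
    """Index of the first contiguous occurrence of needle in haystack, or -1.

    Trailing whitespace is ignored so CRLF/LF differences do not look like
    real divergence.
    """
    h = [line.rstrip() for line in haystack]
    n = [line.rstrip() for line in needle]
    if not n:
        return 0
    for i in range(len(h) - len(n) + 1):
        if h[i:i + len(n)] == n:
            return i
    return -1


def triage_patch(diff_text: str, fork_tree: Dict[str, str]) -> Dict[str, str]:
    """Classify each file the patch touches as 'applies', 'diverged' or 'missing'.

    fork_tree maps a path to that file's contents; here it is an in-memory dict
    so the example runs offline, in practice it would be read from a checkout.
    """
    verdicts: Dict[str, str] = {}
    for path, hunks in parse_pre_images(diff_text).items():
        if path not in fork_tree:
            verdicts[path] = "missing"
            continue
        fork_lines = fork_tree[path].splitlines()
        present = all(_find_block(fork_lines, pre) >= 0 for pre in hunks)
        verdicts[path] = "applies" if present else "diverged"
    return verdicts


# Constructed upstream fix (hypothetical paths and code, not real Mozilla source).
UPSTREAM_FIX = """\
--- a/dom/base/Buffer.cpp
+++ b/dom/base/Buffer.cpp
@@ -10,4 +10,7 @@ void Buffer::Write(const uint8_t* src, size_t len)
 {
+  if (len > mCapacity - mLength) {
+    return;
+  }
   memcpy(mData + mLength, src, len);
   mLength += len;
 }
--- a/dom/base/Other.cpp
+++ b/dom/base/Other.cpp
@@ -1,3 +1,3 @@
 int x = 1;
-int y = unchecked(x);
+int y = checked(x);
 int z = 3;
--- a/js/src/Missing.cpp
+++ b/js/src/Missing.cpp
@@ -1,2 +1,2 @@
-int a = 1;
+int a = 2;
 int b = 3;
"""

# Constructed fork tree: Buffer.cpp still carries the unchecked memcpy at a
# different offset, Other.cpp was already rewritten, Missing.cpp does not exist.
FORK_TREE = {
    "dom/base/Buffer.cpp": (
        "#include <cstring>\n"
        "void Buffer::Write(const uint8_t* src, size_t len)\n"
        "{\n"
        "  memcpy(mData + mLength, src, len);\n"
        "  mLength += len;\n"
        "}\n"
    ),
    "dom/base/Other.cpp": "int x = 1;\nint y = safe(x);\nint z = 3;\n",
}

if __name__ == "__main__":
    for path, verdict in triage_patch(UPSTREAM_FIX, FORK_TREE).items():
        print(f"{verdict:9s} {path}")
```

A verdict of "applies" is only the cheap first cut: it says the vulnerable lines are present, not that the fix is sufficient in the fork's context, so the actual port still goes through the audit in step 5. "diverged" is the interesting bucket, because it covers both "we never had this bug" and "we have it in a different shape", and only reading the fork's code tells them apart.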

Re: How often does Basilisk address security vulnerabilities

Posted: 2017-12-11, 13:52
by Hitchhiker
Moonchild wrote: Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
  1. A security-vulnerable bug is found
  2. Mozilla fixes it
  3. When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
  4. I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
  5. Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
  6. If applicable and relevant, I port patches or write code to mitigate
  7. If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.
OK, thanks for the feedback. It puts my mind at ease.

Actually, Basilisk isn't vulnerable to the issues I mentioned since they only affect FF57 and not earlier versions according to the footnote here. That wasn't apparent from the links I posted earlier.