I note that in the latest release of Basilisk the security vulnerabilities mentioned in this article haven't been addressed yet.
Mozilla tends to address these kind of issues within 48 hours as was the case in this particular case, but Basilisk doesn't seem to follow the same pattern, or at least I haven't seen any further updates to date.
So my question is, what's your policy regarding security vulnerabilities.
How often does Basilisk address security vulnerabilities Topic is solved
Moderator: Basilisk-Dev
Re: How often does Basilisk address security vulnerabilities
The thing is a browser fork is not as rapid in bugfixes as compared with the "original" project.
But this does not only apply to Pale Moon but also affects Vivaldi, Brave or similar. Also, it is unlikely that every security flaw is exploited everywhere as soon as it is found. So, panic is overrated in most cases
As soon as it is possible to address security issues and as soon as informations about issues are retrieved as soon they are fixed.
But this does not only apply to Pale Moon but also affects Vivaldi, Brave or similar. Also, it is unlikely that every security flaw is exploited everywhere as soon as it is found. So, panic is overrated in most cases
As soon as it is possible to address security issues and as soon as informations about issues are retrieved as soon they are fixed.
Re: How often does Basilisk address security vulnerabilities
It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story
Re: How often does Basilisk address security vulnerabilities
IMHO: However, better would be a complete list of security vulnerabilities / CVEs:Isengrim wrote:It also depends on if the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
...
Re: How often does Basilisk address security vulnerabilities
Nobody does this. Nobody in their right mind would want to post a wall of "not implemented, because it doesn't apply to our code" CVEs.GMforker wrote:IMHO: However, better would be a complete list of security vulnerabilities / CVEs:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
Everything RELEVANT is ALWAYS ported across.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How often does Basilisk address security vulnerabilities
Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
- A security-vulnerable bug is found
- Mozilla fixes it
- When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
- I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
- Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
- If applicable and relevant, I port patches or write code to mitigate
- If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How often does Basilisk address security vulnerabilities
OK, thanks for the feedback. It puts my mind at ease.Moonchild wrote:Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.
- A security-vulnerable bug is found
- Mozilla fixes it
- When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
- I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
- Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
- If applicable and relevant, I port patches or write code to mitigate
- If critical enough of a vulnerability (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Actually, Basilisk isn't vulnerable to the issues I mentioned since they only affect FF57 and not earlier versions according to the footnote here. That wasn't apparent from the links I posted earier.