How often does Basilisk address security vulnerabilities

Board for discussions around the Basilisk web browser.

Moderator: Basilisk-Dev

Hitchhiker

How often does Basilisk address security vulnerabilities

Post by Hitchhiker » 2017-12-10, 16:43

I note that in the latest release of Basilisk the security vulnerabilities mentioned in this article haven't been addressed yet.

Mozilla tends to address these kinds of issues within 48 hours, as was the case here, but Basilisk doesn't seem to follow the same pattern, or at least I haven't seen any further updates to date.

So my question is, what's your policy regarding security vulnerabilities?

Sajadi
Board Warrior
Posts: 1226
Joined: 2013-04-19, 00:46

Re: How often does Basilisk address security vulnerabilities

Post by Sajadi » 2017-12-10, 18:50

The thing is, a browser fork is not as rapid with bug fixes as the "original" project.

But this does not only apply to Pale Moon; it also affects Vivaldi, Brave and similar browsers. Also, it is unlikely that every security flaw is exploited everywhere as soon as it is found. So, panic is overrated in most cases ;)

Security issues are addressed as soon as it is possible to do so; as soon as information about an issue is obtained, it is fixed.

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: How often does Basilisk address security vulnerabilities

Post by Isengrim » 2017-12-10, 19:08

It also depends on whether the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

GMforker

Re: How often does Basilisk address security vulnerabilities

Post by GMforker » 2017-12-10, 20:19

Isengrim wrote: It also depends on whether the weakness is even relevant to Basilisk. The article doesn't specify how far back the vulnerable code was introduced.
IMHO: However, better would be a complete list of security vulnerabilities / CVEs:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
...

Moonchild
Pale Moon guru
Posts: 35589
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How often does Basilisk address security vulnerabilities

Post by Moonchild » 2017-12-11, 09:24

GMforker wrote: IMHO: However, better would be a complete list of security vulnerabilities / CVEs:
CVE-2017-7840 - PM 27.6.2
CVE-xxxx-xxxx - not implemented, because...
CVE-2017-7825 - PM 27.5.1
Nobody does this. Nobody in their right mind would want to post a wall of "not implemented, because it doesn't apply to our code" CVEs.
Everything RELEVANT is ALWAYS ported across.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild
Pale Moon guru
Posts: 35589
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: How often does Basilisk address security vulnerabilities

Post by Moonchild » 2017-12-11, 09:41

Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request):
  1. A security-vulnerable bug is found
  2. Mozilla fixes it
  3. When a new version of Firefox with relevant sec fixes is published, I contact Mozilla's Security team
  4. I wait for them to grant me access to the related bugzilla security bugs (this is required to be able to perform the next step)
  5. Given the details of the vulnerability and patches, I evaluate applicability of the vulnerability and code patches (audit)
  6. If applicable and relevant, I port patches or write code to mitigate
  7. If the vulnerability is critical enough (severe security breach, etc.) and exploited in the wild, I create a point release (chemspill/uplift). If not critical, the patch will ride the normal release schedule and be in the next normally scheduled release.
Since I'm not given access until a new Firefox is published and I have to wait whatever arbitrary delay there is between my request for access and actually being granted it, things aren't instant. That being said, most vulnerabilities found are not both critical and exploited in the wild, so do not need a 0-day patch.

Hitchhiker

Re: How often does Basilisk address security vulnerabilities

Post by Hitchhiker » 2017-12-11, 13:52

Moonchild wrote: Let me sketch the process here for sec bugs in general, because I do sec bugs myself (since I'm a trusted enough party for Mozilla to be granted sec bug access on request): [...]
OK, thanks for the feedback. It puts my mind at ease.

Actually, Basilisk isn't vulnerable to the issues I mentioned, since they only affect FF57 and not earlier versions, according to the footnote here. That wasn't apparent from the links I posted earlier.
