PM 27.2.0 not allowing CRITICAL update to LASTPASS Topic is solved

The place to report Pale Moon specific bugs on Linux and other operating systems.
SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-22, 20:08

Latest FIXED VULNERABILITY
LASTPASS Addon version for Firefox:
4.1.36 <== we should all upgrade to this version quickly!

REF:
Important Security Updates for Our Users
https://blog.lastpass.com/2017/03/impor ... 0322190742

Yet, my PM 27.2.0 in Ubuntu 12.04 32-bit,
shows LastPass at version:
3.3.4...

When I try to ugrade LastPass from the official URL above,
it says: ...LASTPASS addon cannot be installed
because it is a JetPack extension...".

Help! :(
What do I do/not do next to upgrade?
LASTPASS is a critical addon to me (and to many PM users...).

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2053
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by JustOff » 2017-03-22, 20:23

As far as I know lastpass 2.x and 3.x doesn't have this vulnerability. Сorrect me if I am wrong.
Here are the add-ons I made in a spare time. That was fun!

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-22, 20:31

Hi JustOFF -

Nice hearing from you!

Short Answer:
Yes, versions 3.X of LastPass seem to be vulnerable,
according to the Google researchers.

see text under Title:
"Firefox 3.3.2 message-hijacking bug"
in the LastPass Blog link:
https://goo.gl/4lxbJL

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-22, 20:47

I just read in the LAST PASS Blog,
that even the 3.3.4 version
of the LAST PASS addon ( still working in PM ),
will be retired by the end of March...
REF: https://goo.gl/tMITmX

But LP versions 4.+
will not install in PM 27.2! (JetPack incompatibility, etc).

A solution to this seems critical and urgent, now...

It seems mandatory
to do something about this, my friends.

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2053
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by JustOff » 2017-03-22, 21:15

Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.
Here are the add-ons I made in a spare time. That was fun!

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-22, 21:58

Thanks, JustOff!

Will try your suggestion
after situation stabilizes with LastPass.

Have already left a comment
on the LASTPASS Blog site.
(let's see what they have to say about LP and PM Users...).

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-22, 22:28

JustOff -
latest LastPass addon v 4.x (non-vulnerable, fixed version)
seems to work ok in PM27.2.0,
using your now world-famous Moon Tester Tool. :clap:

Spent some minutes testing.
So far, so good!

Q:
What will happen when LastPass releases
the NEXT (even minor) version of the LP addon "for Firefox"?

PM will show the newest LP addon version
as a possible update...

Do I just use the Moon Tester Tool
as I just did now?
-OR-
Do I allow PaleMoon to upgrade the version (as is usual w/other addons?)

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2053
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by JustOff » 2017-03-23, 12:43

Moon Tester Tool is for testing and it blocks all updates of installed add-on (that is stated in its description). The only correct way is to ask the developers to support Pale Moon officially.
Here are the add-ons I made in a spare time. That was fun!

User avatar
troypulk
Fanatic
Fanatic
Posts: 239
Joined: 2014-09-19, 23:53
Location: Washington State, USA

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by troypulk » 2017-03-23, 13:19

JustOff wrote:Try to download 4.1.36a and install it using Moon Tester Tool, but note the warnings and restrictions while doing so! If everything works well I advise you to ask the developers about the official Pale Moon support. All the necessary technical information is here, just add this link to your request.
Is the Lasspass version 4.1.36a a nightly?

The latest from Lasspass is 4.1.23

"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?

Thanks
SolydX EE (64-bit) Xfce 4.12

Pale Moon 28.2.0a1 (64-bit) (2018-11-07)

User avatar
JustOff
Moon Magic practitioner
Moon Magic practitioner
Posts: 2053
Joined: 2015-09-03, 19:47
Location: UA
Contact:

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by JustOff » 2017-03-23, 13:57

troypulk wrote:Is the Lasspass version 4.1.36a a nightly?

The latest from Lasspass is 4.1.23

"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?
When I go to https://lastpass.com and click to "Get LastPass Free" at the top right corner it send me xpi from the link I posted above, this is all I know.
Here are the add-ons I made in a spare time. That was fun!

User avatar
back2themoon
Board Warrior
Board Warrior
Posts: 1838
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by back2themoon » 2017-03-23, 14:13

LastPass does not officially support Pale Moon (they've stated it numerous times) so if you want to be on the safe side and still use a password manager, switch to another one that supports your browser as soon as possible. Your title is obviously wrong, it's LastPass that does not allow (=support) the update in Pale Moon, not the other way round.

User avatar
troypulk
Fanatic
Fanatic
Posts: 239
Joined: 2014-09-19, 23:53
Location: Washington State, USA

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by troypulk » 2017-03-23, 15:37

JustOff wrote:
troypulk wrote:Is the Lasspass version 4.1.36a a nightly?

The latest from Lasspass is 4.1.23

"https://addons.cdn.mozilla.net" is not click-able, what's the URL for 4.1.36a so I can look at the other versions?
When I go to https://lastpass.com and click to "Get LastPass Free" at the top right corner it send me xpi from the link I posted above, this is all I know.
That's funny because when I do that I get an error message that says:
LassPass could not be install because it is a Jetpack/SDK extension which are not supported in PaleMoon 27.2.0
EDIT:

Okay, I had to go to "More ways to get LastPass" and right click on the FF link and click "save as"
Last edited by troypulk on 2017-03-23, 15:59, edited 1 time in total.
SolydX EE (64-bit) Xfce 4.12

Pale Moon 28.2.0a1 (64-bit) (2018-11-07)

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-23, 15:46

Hi @back2the Moon,

Yes, you are technically right.

It is LastPass which refuses to support PM,
not the other way around.

I left a comment in the LastPass blog,
no response...

But this, our thread, is not about "who is to blame"
but about what to do ref a critical problem (for some of us),
because LastPass is a very good pwd mgr.

What I like most about LastPass
is that when you open a LOGIN page (where I'm already registered),
LastPass will pre-fill the ID and pwd.
I don't need to copy and paste pwds in Login forms...

You mention "switch" to another pwd mgr.,
similar to LastPass?

Any PM-related suggestions and experiences
ref a safe and reliable substitute pwd mgr.
are welcome...
let's share.

Anybody?
Last edited by SfdudePM on 2017-03-23, 16:08, edited 4 times in total.

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-23, 15:57

@troypulk

Here's how I d/l:
1) Under that big red button "Get LP FREE"
there is a link:
"More ways to Download..."
Click on it!

2) Now, you are in the page:
"More ways to Download..."
It detects you are calling from a LINUX pc...

In the 2nd entry,
LastPass for Firefox (i386 and x64)
far right, there is a link:
"Download"

RIGHT_CLICK on this link
(don't LEFT click!...).
and from the pop up menu,
select:
"SAVE LINK AS".


This will allow you to D/L
the .XPI addon file
you need! :)

Once D/L you can install this .XPI file
as suggested above, by Just Off .

User avatar
back2themoon
Board Warrior
Board Warrior
Posts: 1838
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by back2themoon » 2017-03-23, 18:14

SfdudePM wrote:I left a comment in the LastPass blog,no response...
Not sure what you expect, they will either not respond or tell you they don't support it. Many of us have already asked them.
SfdudePM wrote:But this, our thread, is not about "who is to blame" but about what to do
Exactly, and my suggestion is to use another password manager. That's the only solution, unless you want to trust your passwords with software that is not meant to work with your browser. I would never take such a risk.
SfdudePM wrote:What I like most about LastPass is that when you open a LOGIN page (where I'm already registered),
LastPass will pre-fill the ID and pwd. I don't need to copy and paste pwds in Login forms...
That's what most password managers do, not just LastPass. They can even log you in automatically, not just auto-fill.
SfdudePM wrote:You mention "switch" to another pwd mgr., similar to LastPass? Any PM-related suggestions and experiences
ref a safe and reliable substitute pwd mgr.are welcome...
I use Sticky Password which is safer than LastPass, supports Pale Moon (PM x86 only for now, and not on Linux), I'm sure others can suggest solutions equal or better than LastPass that can work on Linux, too.

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-23, 23:53

@back2themoon:
thanks for the recommendation of Sticky Password,
as an alternative to LastPass.

Looks really good.

Unfortunately,
they don't have a Linux version...

According to their Forum posts,
they don't plan to have a Linux version,
any time soon...

User avatar
lightning slinger
Fanatic
Fanatic
Posts: 142
Joined: 2015-07-27, 17:50
Location: England

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by lightning slinger » 2017-03-24, 09:35

SfdudePM wrote: Yet, my PM 27.2.0 in Ubuntu 12.04 32-bit,
....
Don't forget 12.04 goes EOL in April!!
Arch Linux Xfce x86_64
Xubuntu 16.04 LTS x86_64

SfdudePM
Fanatic
Fanatic
Posts: 120
Joined: 2015-01-15, 16:06
Location: San Francisco

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by SfdudePM » 2017-03-25, 19:15

Thanks @lightning slinger.

Yes!
Planning to upgrade to Ubuntu 14.04 LTS 32-bit
after the US Tax season.
(don't want to "bork" my PC
in case the "upgrade" fails...).

Planning to use the [ upgrade ] button in "Update Mgr"
to version 14.04 LTS.
That's the version it offers there...so I'll go with that.

Why not go directly
from my version 12.04 LTS to 16.04 LTS ?
Because I think that doing it in 2 steps (via 14.04 first),
is safer.

Just my opinion as a non-Linux expert. ;)

twigs
Moongazer
Moongazer
Posts: 10
Joined: 2017-04-05, 09:39

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by twigs » 2017-04-05, 11:10

Hi,

Should the 'Known Incompatible Add-Ons' page be updated to include LastPass 4.x? This will be relevant when version 3.x gets retired at the end of 2017

Also on the Incompatible page, the workaround for Dashlane is to use the LastPass Password Manager, so that will need to be changed also.

LastPass not supporting Pale Moon going forward is disappointing, we use LastPass here at work so it looks like I'll have to switch to another browser when they retire 3.x.

I guess it gives us a bit of time to organize some attempt at getting them (and others) to support Pale Moon? A number of people on this page said they posted in the blog but I couldn't find those entries. If we can co-ordinate the user base, perhaps our collective voice may be heard?

User avatar
back2themoon
Board Warrior
Board Warrior
Posts: 1838
Joined: 2012-08-19, 20:32

Re: PM 27.2.0 not allowing CRITICAL update to LASTPASS

Post by back2themoon » 2017-04-05, 14:11

With all the increasing LastPass vulnerability/exploit announcements, I for one am staying away from it and not going back - Pale Moon compatible or not.

Locked