I received a Firefox ESR vulnerability notice today [1] that basically says some vulnerabilities in libgraphite were fixed in 38.6.1, released today. The digital signature is for the 10th. Some of the issues were first disclosed on Feb 5 [2] which is around Tor Browser 5.5.1 was released. I'm not sure when the other smart font issue was first disclosed.
In the tor browser blog comments on the 10th someone said graphite font rendering is vulnerable [3] but I can't tell if he's talking about in 5.5.1 or before. I cannot find a list of vulnerability notices for Tor Browser (why not? seems like it would be good to have). I assume it somewhat mirrors Firefox ESR. Based on the information about this, which looks exploitable, I would like to know if Tor Browser 5.5.1 is vulnerable. Thanks [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/ [2]: http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html [3]: https://blog.torproject.org/blog/tor-browser-551-released#comment-155968 -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
