Security Alert for Tin Hat 20081025: mozilla-firefox-2.0.0.17

The latest release of Tin Hat came out before some security updates to mozilla-firefox. Tin Hat 20081025 shipped with mozilla-firefox-2.0.0.17 (under the brand name of Bon Echo, as required by the Mozilla License). This release is known to have four critical security bugs. Here are the known bugs with the 2.0.0.x branch, which is slated to be retired by the end of 2008 in favor of 3.0.x:

http://www.mozilla.org/security/known-vulnerabilities/firefox20.html

The release notes can be found here:

http://www.mozilla.com/en-US/firefox/releases/

Since we compile Firefox from source with hardened gcc, one of those issues (MFSA 2008-37, UTF-8 URL stack buffer overflow) should be kept in check by the hardened binary. It is unclear what impact the other bugs have in Tin Hat.

The security-conscious Tin Hat user can update Firefox by re-introducing portage and emerging, as discussed in the Quickstart. In fact, anyone wanting to keep current with upstream Gentoo may do the same. If you have about 6 GB of RAM or more, then set aside about 5 GB for the filesystem:

mount -o remount,size=5g /

Edit /etc/make.conf and set the SYNC and GENTOO_MIRRORS lines to your values (or just delete them to use the defaults); then, any time you want to update your system, do

emerge --sync
emerge -uvND world
revdep-rebuild
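The same procedure, wrapped in a small POSIX shell script with the checks a careful user would want before and after it. This is an added example, not a script from the Tin Hat project: it assumes the root filesystem is a tmpfs (which is why the remount works), that the installed version can be obtained by the caller, and that the minimum acceptable Firefox version is taken from the release notes linked above and passed in rather than hard-coded here.

```sh
#!/bin/sh
# Added example, not part of the original Tin Hat advisory.
# Assumptions (mine, not the page's): / is a tmpfs, and the caller supplies
# the minimum Firefox version to verify after the update.

# Print total RAM in whole GiB, reading /proc/meminfo-style text from stdin.
mem_total_gib() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576; exit }'
}

# Choose the tmpfs size for / from the RAM figure, following the advisory's
# rule of "about 6 GB of RAM or more -> set aside about 5 GB". Prints the
# mount size argument, or exits non-zero when there is too little RAM.
tmpfs_size_for_ram() {
    ram_gib=$1
    if [ "$ram_gib" -ge 6 ]; then
        echo "5g"
    else
        return 1
    fi
}

# version_ge A B: exit 0 when dotted version A is >= B, comparing each
# numeric component in turn (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Run the advisory's steps: remount / large enough, sync, update, rebuild.
# Needs root and a working portage tree; nothing below runs it automatically.
update_tin_hat() {
    ram=$(mem_total_gib < /proc/meminfo) || return 1
    size=$(tmpfs_size_for_ram "$ram") || { echo "need about 6 GiB of RAM" >&2; return 1; }
    mount -o remount,size="$size" / || return 1
    emerge --sync && emerge -uvND world && revdep-rebuild
}

# After the update: compare the installed version (obtained by the caller,
# e.g. from "firefox --version" output) against the minimum you expect.
check_firefox_version() {
    installed=$1
    minimum=$2
    if version_ge "$installed" "$minimum"; then
        echo "firefox $installed >= $minimum: ok"
    else
        echo "firefox $installed < $minimum: still vulnerable" >&2
        return 1
    fi
}
```

The version comparison is a plain numeric per-component compare, so "2.0.0.17" against "3.0" orders correctly without relying on GNU sort -V; the memory check is deliberately conservative and refuses to remount rather than guessing a smaller size.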

Happy secure computing!