Firefox critical update released 21 Sept 2016

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

Re: QUESTION

#21 Post by OscarTalks »

puppy9000 wrote: I think something is definitely wrong if Firefox is telling me I have the latest version when I don't. I think Firefox should know that there is a new version, no?
I presume this is Slacko, right?
There is what I believe to be a mistake in the way the Firefox browsers are compiled by the Slackware people. The reason why these tell you that you have the latest when in fact you don't is because they have been compiled with the wrong update channel. They are the ESR version of Firefox so they should have been compiled with the ESR update channel, but in fact they have been configured with the "default" update channel which is for the standard (non ESR) Firefox. If Slackware wanted the auto updates to work they should have compiled with the ESR option. If they wanted to force updates to be done only manually then they should have disabled the updater altogether. In some cases this is a valid strategy (preventing auto updates) and that would be the correct way of doing it.

If you want, you can replace the Slackware build of Firefox with the official build from the Mozilla website and then the auto updates will work. These tend to be heavier on your system resources but unless your hardware is puny you should be OK. Otherwise you can use the package updater in Puppy to install latest Slackware versions when they come out. This method will work fine but probably they will still not recognise any future newer versions.

The latest ESR Firefox does not require GTK3 and will have all latest security fixes. One reason not to switch to standard Firefox but again the choice is yours.
Oscar in England
Moat
Posts: 955
Joined: Tue 16 Jul 2013, 06:04
Location: Mid-mitten

#22 Post by Moat »

Scooby wrote: Does FF do automatic updates of addons?
By default, yes. But it can easily be toggled off in "about:config" by setting "extensions.update.enabled" to "false" -

https://blog.mozilla.org/addons/how-to- ... n-updates/

Bob
proebler
Posts: 178
Joined: Tue 24 Jan 2012, 11:15
Location: TAS

#23 Post by proebler »

One thing (for Firefox specifically) you should religiously do for every browser when first setting it up (puppies and/or large distros) is go to "about:config", head straight to "security", make sure the TLS minimum is "1" (for financial browsers, the min should be "2") and also that all "...rc.4" (there's 4 of them) and the "..ede3" are set to "false", and also set both "ssl_require_safe_negotiation" & "ssl_treat_unsafe_negotiation_as_broken" to true.
belham2,

would you care to elaborate, please.
What do the "...rc.4" do/not do, when set to false ?
ditto with the "..ede3"
and with "ssl_require_safe_negotiation" & "ssl_treat_unsafe_negotiation_as_broken"

In my FF config [38.6.1 ESR] I find 5 "..rc4"
security.tls.unrestricted_rc4_fallback; true
security.ssl3.rsa_rc4_128_sha; true
security.ssl3.rsa_rc4_128_md5; true
security.ssl3.ecdhe_rsa_rc4_128_sha; true
security.ssl3.ecdhe_ecdsa_rc4_128_sha; true

and 1 "..ede3"
security.ssl3.rsa_des_ede3_sha; true

TLS is
security.tls.version.min; 1
security.tls.version.max; 3
security.tls.version.fallback-limit; 3

security.ssl.treat_unsafe_negotiation_as_broken; false
security.ssl.require_safe_negotiation; false

thanks
proebler
yes, I realize that 38.6.1 ESR is somewhat old.
puppy9000
Posts: 4
Joined: Sat 24 Sep 2016, 05:52

Re: QUESTION

#24 Post by puppy9000 »

Thanks to everyone who gave me advice. What OscarTalks said about the update channel made me look deeper into that and I saw it's incorrectly set to the default when it should be set to esr. I've changed it to esr and Firefox was able to detect the update and updated itself. So everything's good now. Firefox can take care of its own updates without losing any settings. 8) Problem solved. Thanks everyone 8)
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#25 Post by belham2 »

proebler wrote:
One thing (for Firefox specifically) you should religiously do for every browser when first setting it up (puppies and/or large distros) is go to "about:config", head straight to "security", make sure the TLS minimum is "1" (for financial browsers, the min should be "2") and also that all "...rc.4" (there's 4 of them) and the "..ede3" are set to "false", and also set both "ssl_require_safe_negotiation" & "ssl_treat_unsafe_negotiation_as_broken" to true.
belham2,

would you care to elaborate, please.
What do the "...rc.4" do/not do, when set to false ?
ditto with the "..ede3"
and with "ssl_require_safe_negotiation" & "ssl_treat_unsafe_negotiation_as_broken"

In my FF config [38.6.1 ESR] I find 5 "..rc4"
security.tls.unrestricted_rc4_fallback; true
security.ssl3.rsa_rc4_128_sha; true
security.ssl3.rsa_rc4_128_md5; true
security.ssl3.ecdhe_rsa_rc4_128_sha; true
security.ssl3.ecdhe_ecdsa_rc4_128_sha; true

and 1 "..ede3"
security.ssl3.rsa_des_ede3_sha; true

TLS is
security.tls.version.min; 1
security.tls.version.max; 3
security.tls.version.fallback-limit; 3

security.ssl.treat_unsafe_negotiation_as_broken; false
security.ssl.require_safe_negotiation; false

thanks
proebler
yes, I realize that 38.6.1 ESR is somewhat old.

Hi Proebler,

Take a quick look at this (just read the first 3-4 posts, it'll give you a strong, clear idea what's going on).

https://bugzilla.mozilla.org/show_bug.cgi?id=999544


What you're attempting to do when setting the weak, deprecated ciphers of rc4 to "false" is to not let Firefox accept them. Why? Honestly, you don't want to use any "site" on the Internet (and there are some) that uses rc4. It's become the swiss-cheese of ciphers, and provides you little to no online security.


For the two settings:
security.ssl.treat_unsafe_negotiation_as_broken; false
security.ssl.require_safe_negotiation; false

...when you set these to "true" (and be aware they will break some sites, sites who should know better & get off their collective butts & know that "ssl" is the here & now), again you are hardening Firefox against servers that do not follow the current protocol (read; up-to-date) during any SSL/TLS handshake between you & that server. Basically what it comes down to is that in 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https
proebler
Posts: 178
Joined: Tue 24 Jan 2012, 11:15
Location: TAS

#26 Post by proebler »

hi belham2
thank you for the additional information.
On your suggestion, I have now toggled the "..rc4", "..ede3" and "security.ssl..._negotiation.." settings.
I have also gone to FF 45.4.0esr.

regards
proebler
Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

Re: QUESTION

#27 Post by Sailor Enceladus »

puppy9000 wrote:Thanks to everyone who gave me advice. What OscarTalks said about the update channel made me look deeper into that and I saw it's incorrectly set to the default when it should be set to esr. I've changed it to esr and Firefox was able to detect the update and updated itself. So everything's good now. Firefox can take care of its own updates without losing any settings. 8) Problem solved. Thanks everyone 8)
Really? Changing it to esr in firefox/defaults/prefs/channel-prefs.js and about:config didn't let me see the Update button in Help -> About Firefox, so I thought it was baked into the compile... but changing a release one back to default there let me stop it.
OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#28 Post by OscarTalks »

I did a quick test in a fresh 32bit Slacko 6.3.0 and editing the channel-prefs.js file to "esr" and restarting did appear to work. No need to modify in about:config as the .js file takes care of that.

To be honest, I don't even know if "default" is a valid value for that string anyway. Maybe it once was but isn't any more and it is a remnant legacy bug in the Slackware build system. The standard Firefox update channel string is currently "release", is it not?

I became aware of the issue with the Slackware Firefox builds some time ago but never tried to fix it. I usually compile Firefox esr from source myself with my own choice of configure options and I noticed that the update channel is one of the options that you can set. I build with updater disabled so if you have no updater the channel doesn't matter but I do set it to "esr" anyway so that everything tallies.

Anyway, this is an issue in several Slacko Puppy releases so it is good to know that there is a simple fix that can be applied if people prefer auto updates. I do reckon though that updated versions will effectively become official builds rather than Slackware builds so some people may still prefer to stick with using the Slackware updates mechanism in Slacko to manually update.
Oscar in England
puppy9000
Posts: 4
Joined: Sat 24 Sep 2016, 05:52

#29 Post by puppy9000 »

Sailor Enceladus wrote:
puppy9000 wrote:Thanks to everyone who gave me advice. What OscarTalks said about the update channel made me look deeper into that and I saw it's incorrectly set to the default when it should be set to esr. I've changed it to esr and Firefox was able to detect the update and updated itself. So everything's good now. Firefox can take care of its own updates without losing any settings. 8) Problem solved. Thanks everyone 8)
Really? Changing it to esr in firefox/defaults/prefs/channel-prefs.js and about:config didn't let me see the Update button in Help -> About Firefox, so I thought it was baked into the compile... but changing a release one back to default there let me stop it.
Yes it worked great for me and OscarTalks tried it too. I don't know why it wouldn't work for you though.
OscarTalks wrote:To be honest, I don't even know if "default" is a valid value for that string anyway. Maybe it once was but isn't any more and it is a remnant legacy bug in the Slackware build system. The standard Firefox update channel string is currently "release" is it not?
Yes, the "release" setting is to get normal updates. It appears that "default" is used to block updates. Here's the documentation:

http://kb.mozillazine.org/App.update.ch ... ir_effects
http://kb.mozillazine.org/Software_Upda ... -_Advanced
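As an added example (not code from any poster or from Mozilla), here is a small Node.js audit that reads Firefox `pref()` / `user_pref()` lines, as found in `channel-prefs.js`, `prefs.js` or a `user.js`, and reports which of the settings discussed in this thread (the `app.update.channel` value on an ESR build, the rc4 and des_ede3 cipher prefs, safe renegotiation, and `security.tls.version.min`) deviate from the hardened values. The sample prefs text is constructed to mirror proebler's 38.6.1 ESR listing; the "expected" table is an assumption taken from the posts, not an official Mozilla baseline.

```javascript
// Added example: audit a Firefox prefs file against the thread's hardened settings.
// EXPECTED is assumed from the posts above (pref name -> value the posters recommend).
const EXPECTED = {
  "app.update.channel": "esr",                 // ESR build, so the updater finds ESR releases
  "security.tls.version.min": 1,               // treated as a floor; the thread suggests 2 for banking
  "security.tls.unrestricted_rc4_fallback": false,
  "security.ssl3.rsa_rc4_128_sha": false,
  "security.ssl3.rsa_rc4_128_md5": false,
  "security.ssl3.ecdhe_rsa_rc4_128_sha": false,
  "security.ssl3.ecdhe_ecdsa_rc4_128_sha": false,
  "security.ssl3.rsa_des_ede3_sha": false,
  "security.ssl.require_safe_negotiation": true,
  "security.ssl.treat_unsafe_negotiation_as_broken": true,
};

// Matches pref("name", value); and user_pref("name", value); with bool, int or string values.
const PREF_RE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\);/;

function parsePrefs(text) {
  const prefs = {};
  for (const line of text.split("\n")) {
    const m = PREF_RE.exec(line);
    if (!m) continue;                      // comments, blank lines, unsupported syntax
    const raw = m[2];
    prefs[m[1]] = raw === "true" ? true
                : raw === "false" ? false
                : raw.startsWith('"') ? raw.slice(1, -1)
                : Number(raw);
  }
  return prefs;
}

// Returns one finding per deviating or unset pref; an empty array means the file matches.
function audit(prefs) {
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    const have = prefs[name];
    if (have === undefined) findings.push(`${name}: not set (Firefox default applies)`);
    else if (name === "security.tls.version.min" ? have < want : have !== want)
      findings.push(`${name}: is ${JSON.stringify(have)}, expected ${JSON.stringify(want)}`);
  }
  return findings;
}

// Constructed sample: a Slacko-style build with the "default" channel and stock cipher prefs.
const SAMPLE = `
pref("app.update.channel", "default");
user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.rsa_des_ede3_sha", true);
user_pref("security.ssl.require_safe_negotiation", false);
`;
console.log(audit(parsePrefs(SAMPLE)).join("\n"));
```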