[Replicant] [PATCH 3/5] freedom-privacy-security-issues: Adapt the note about security issues with the webview

Wolfgang Wiedmeyer wreg at wiedmeyer.de
Wed Jun 7 10:18:31 UTC 2017


Hi,

Paul Kocialkowski writes:

> Hi,
>
> On Thursday, 16 March 2017 at 00:01 +0100, Wolfgang Wiedmeyer wrote:
>> Signed-off-by: Wolfgang Wiedmeyer <wolfgit at wiedmeyer.de>
>
> Does this mean that the issue was fixed in 4.2 and is still there in 6.0?
> That would be quite surprising!

No, it's not fixed in 4.2. It's a different issue in 6.0, albeit with
the same consequences, as the linked issue explains[1].

> If both versions are still affected, we probably should keep mentioning both, as
> Replicant 4.2 is still maintained.

Agreed, especially as long as there are multiple devices for which a
stable 6.0 is not yet available. But I suggest extending the note for
4.2 to make clear that it lacks security updates in general.

>> ---
>>  freedom-privacy-security-issues.php | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/freedom-privacy-security-issues.php b/freedom-privacy-security-
>> issues.php
>> index 5c05d62..ceb15a5 100644
>> --- a/freedom-privacy-security-issues.php
>> +++ b/freedom-privacy-security-issues.php
>> @@ -159,7 +159,7 @@
>>  					<li>Using <a href="//www.torproject.o
>> rg/">Tor</a>; to achieve reliable anonymity, for instance with <a href="//www.
>> torproject.org/docs/android.html.en">Orbot</a>; on Replicant.</li>
>>  					<li>Using <a href="https://silence.im
>> /">Silence</a>; to encrypt SMS messages.</li>
>>  					<li>If the device is telephony-
>> enabled, switching the modem to airplane mode or (when possible) turning it
>> off when not in use, to avoid being tracked at all times.</li>
>> -					<li>Browsers using the webview
>> framework (such as the browser shipped with Replicant and <a href="https://git
>> hub.com/anthonycr/Lightning-Browser">Lightning</a>;) are subject to <a href="h
>> ttps://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-
>> longer-provides-patches-for-webview-jelly-bean-and-prior">various security
>> flaws</a> in Replicant 4.2.</li>
>> +					<li>Browsers using the webview
>> framework (such as the browser shipped with Replicant and <a href="https://git
>> hub.com/anthonycr/Lightning-Browser">Lightning</a>;) are subject to <a
>> href="//redmine.replicant.us/issues/1780">various security flaws</a> in
>> Replicant 6.0.</li>
>>  				</ul>
>>  				In addition, the <a href="//www.fsf.org/">Fre
>> e Software Foundation</a> provides a <a href="//www.fsf.org/campaigns/surveill
>> ance">comprehensive guide to help protect freedom and privacy</a>.
>>  			</p>
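
Review bot: The removed `<li>` was the only place in this list that told Replicant 4.2 users that webview-based browsers are affected, and the added line replaces it with a 6.0-only statement and drops the rapid7 reference. A reader on 4.2 would now conclude the webview problem is specific to 6.0. Consider keeping the existing 4.2 item and adding the 6.0 item with the redmine link next to it, or wording a single item so that it names both versions and carries both links. Separately, the `;` after `</a>` in `Lightning</a>;)` is carried over unchanged into the new line and will render as literal text inside the parentheses; the same pattern is visible in the Tor and Silence context lines, so it may be worth a follow-up cleanup.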



[1]  https://redmine.replicant.us/issues/1780

-- 
Website: https://fossencdi.org
OpenPGP: 0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4
Key download: https://wiedmeyer.de/keys/ww.asc