[Replicant] [PATCH 3/5] freedom-privacy-security-issues: Adapt the note about security issues with the webview

Paul Kocialkowski contact at paulk.fr
Sun Jun 11 12:18:51 UTC 2017


Hi,

On Wednesday 07 June 2017 at 12:18 +0200, Wolfgang Wiedmeyer wrote:
> Paul Kocialkowski writes:
> On Thursday 16 March 2017 at 00:01 +0100, Wolfgang Wiedmeyer wrote:
> > > Signed-off-by: Wolfgang Wiedmeyer <wolfgit at wiedmeyer.de>
> > 
> > Does this mean that the issue was fixed in 4.2 and is still there in 6.0?
> > That would be quite surprising!
> 
> No, it's not fixed in 4.2. It's a different issue in 6.0, albeit with
> the same consequences, as the linked issue explains[1].

I see.

> > If both versions are still affected, we probably should keep mentioning both,
> > as Replicant 4.2 is still maintained.
> 
> Agreed, especially as long as there are multiple devices for which a
> stable 6.0 is not yet available. But I suggest extending the note for
> 4.2 to make clear that it lacks security updates in general.

Yes that would be good to have. We don't want to hide the fact that 4.2 is
deprecated security-wise.

Feel free to submit v2 in that direction so that I/GNUtoo can review/merge it.

Thanks!

> > > ---
> > >  freedom-privacy-security-issues.php | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/freedom-privacy-security-issues.php b/freedom-privacy-
> > > security-
> > > issues.php
> > > index 5c05d62..ceb15a5 100644
> > > --- a/freedom-privacy-security-issues.php
> > > +++ b/freedom-privacy-security-issues.php
> > > @@ -159,7 +159,7 @@
> > >  					<li>Using <a href="//www.torproje
> > > ct.o
> > > rg/">Tor</a>; to achieve reliable anonymity, for instance with <a
> > > href="//www.
> > > torproject.org/docs/android.html.en">Orbot</a>; on Replicant.</li>
> > >  					<li>Using <a href="https://silenc
> > > e.im
> > > /">Silence</a>; to encrypt SMS messages.</li>
> > >  					<li>If the device is telephony-
> > > enabled, switching the modem to airplane mode or (when possible) turning
> > > it
> > > off when not in use, to avoid being tracked at all times.</li>
> > > -					<li>Browsers using the webview
> > > framework (such as the browser shipped with Replicant and <a href="https:/
> > > /git
> > > hub.com/anthonycr/Lightning-Browser">Lightning</a>;) are subject to <a
> > > href="h
> > > ttps://community.rapid7.com/community/metasploit/blog/2015/01/11/google-
> > > no-
> > > longer-provides-patches-for-webview-jelly-bean-and-prior">various security
> > > flaws</a> in Replicant 4.2.</li>
> > > +					<li>Browsers using the webview
> > > framework (such as the browser shipped with Replicant and <a href="https:/
> > > /git
> > > hub.com/anthonycr/Lightning-Browser">Lightning</a>;) are subject to <a
> > > href="//redmine.replicant.us/issues/1780">various security flaws</a> in
> > > Replicant 6.0.</li>
> > >  				</ul>
> > >  				In addition, the <a href="//www.fsf.org/"
> > > >Fre
> > > e Software Foundation</a> provides a <a href="//www.fsf.org/campaigns/surv
> > > eill
> > > ance">comprehensive guide to help protect freedom and privacy</a>.
> > >  			</p>
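
Review bot: The replaced webview list item drops the Replicant 4.2 statement and its rapid7 link entirely, so after this change the page no longer tells 4.2 users that their webview is affected, even though the discussion above confirms 4.2 is not fixed and is still maintained. Keep the existing 4.2 `<li>` (extended to say that 4.2 lacks security updates in general, as agreed in the thread) and add a second `<li>` for Replicant 6.0 pointing at `//redmine.replicant.us/issues/1780`. The 6.0 link text still reads "various security flaws" while the target is a single tracker issue; wording that refers to that issue specifically would be more accurate.
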
> 
> 
> 
> [1]  https://redmine.replicant.us/issues/1780
> 
-- 
Paul Kocialkowski, developer of free digital technology and hardware support

Website: https://www.paulk.fr/
Coding blog: https://code.paulk.fr/
Git repositories: https://git.paulk.fr/ https://git.code.paulk.fr/