SCIENTIFIC-LINUX-USERS Archives

October 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Orion Poplawski <[log in to unmask]>
Reply To: Orion Poplawski <[log in to unmask]>
Date: Thu, 4 Oct 2018 14:15:16 -0600

On 10/01/2018 11:24 PM, Keith Lofstrom wrote:
>> Subject: Security ERRATA Moderate: firefox on SL7.x x86_64
>>> This update upgrades Firefox to version 60.2.1 ESR.
>>> ...
>>>  Mozilla: Setting a master password post-Firefox 58 does not delete
>>> unencrypted previously stored passwords (CVE-2018-12383)
> 
> On 10/01/2018 11:01 AM, Keith Lofstrom wrote:
>> This "security fix" wiped out ALL my 130+ saved logins.
> 
> On Mon, Oct 01, 2018 at 11:05:05AM -0500, O'Neal, Miles wrote:
>> I switched to Chrome a while back.  ...
> 
> I'm running ancient 32 bit SL6.10 on the laptops, which
> will get upgraded to SL 7.3 Real Soon Now.  Then I will
> upgrade myself to Chromium, preferred over Chrome because
> complete source is available.
>  
> Meanwhile, I restored 60.2.0.esr firefox from a September
> 25 backup to a test laptop, and the .mozilla user files.
> It's a bit annoying that I must do both.  DELETING user
> files with an update?  That's barbaric.  Nyet Kulturni.
> 
> I added "firefox" to the /etc/sysconfig/yum-autoupdate
> exclusions list.  We'll see how that goes.
> 
> I would be hosed without backups.  I thought I needed
> backups for security and for my bonehead mistakes, not
> for protection from mozilla bonehead programmer mistakes.

I suspect this is an unexpected interaction between Mozilla assuming that NSS
would have updated user db files to the newer sqlite format and RHEL's NSS
library which is still configured to use the old format.  Some more details
are still being worked out in bug reports:

https://bugzilla.redhat.com/show_bug.cgi?id=1633932
https://bugzilla.mozilla.org/show_bug.cgi?id=1475775

Looks like restoring key3.db is all that is needed.  Another fun fact is that
the first time you run 60.2.1 it's okay, but the second time will fail because
it has removed key3.db.


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [log in to unmask]
Boulder, CO 80301                 https://www.nwra.com/
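
The check and recovery described in the message above, as an added example that is not part of the original post or of any Mozilla or Red Hat tooling. It assumes NSS is using the legacy database format, so key3.db is the file that matters; logins.json is Firefox's standard saved-logins file name and does not appear in the message, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes NSS uses the legacy
# dbm format (as described for RHEL), so key3.db holds the key that decrypts
# the saved logins in logins.json (standard profile file name, not on the page).

# Print the state of one profile directory:
#   no-logins  no logins.json, nothing to decrypt
#   ok         logins.json and key3.db both present
#   affected   logins.json present but key3.db gone (the state described above)
profile_state() {
    if [ ! -f "$1/logins.json" ]; then echo no-logins
    elif [ -f "$1/key3.db" ]; then echo ok
    else echo affected
    fi
}

# List every profile under a Firefox root (default ~/.mozilla/firefox).
audit_profiles() {
    root=${1:-$HOME/.mozilla/firefox}
    for p in "$root"/*/; do
        [ -d "$p" ] || continue
        printf '%s\t%s\n' "$(profile_state "$p")" "${p%/}"
    done
}

# Copy key3.db from a backup of the same profile. Never overwrites an
# existing key3.db. Run with Firefox closed.
# Returns 0 restored, 1 nothing to do, 2 backup has no key3.db, 3 copy failed.
restore_key3() {
    profile=$1 backup=$2
    [ "$(profile_state "$profile")" = affected ] || return 1
    [ -f "$backup/key3.db" ] || return 2
    # Stage next to the target, then rename, so a failed copy leaves no partial file.
    cp -p "$backup/key3.db" "$profile/key3.db.restore" &&
        chmod 600 "$profile/key3.db.restore" &&
        mv "$profile/key3.db.restore" "$profile/key3.db" || return 3
}
```

Running `audit_profiles` after the first launch of the updated Firefox shows which profiles have lost key3.db before the second launch fails.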
