Bug#908398: firefox-esr: Browsing history leak after 60.2 upgrade


Joonas Kylmälä
Package: firefox-esr
Version: 60.2.0esr-1~deb9u2
Severity: important

Dear Maintainer,

Yesterday I upgraded the firefox-esr package to version
60.2.0esr-1~deb9u2, and another person and I have both noticed (with
wireshark / firewall logs) that on the first start after the upgrade
the browser re-requested some (quite many, actually) websites from our
browsing history. For me this is a problem because somebody monitoring
the network could now easily have made an online profile of me and
connected the dots. Or, if I had been on somebody else's network
that I don't want to share my browsing history with, they would have
gotten it.

Before the upgrade I also had xul-ext-adblock-plus and xul-ext-noscript installed.

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.1.1
ii  fontconfig                2.11.0-6.7+b1
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-11+deb9u3
ii  libcairo-gobject2         1.14.8-1
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.26-0+deb9u1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7+b1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:6.3.0-18+deb9u1
ii  libgdk-pixbuf2.0-0        2.36.5-2+deb9u2
ii  libglib2.0-0              2.50.3-2
ii  libgtk-3-0                3.22.11-1
ii  libjsoncpp1               1.7.4-3
ii  libpango-1.0-0            1.40.5-1
ii  libstartup-notification0  0.12-4+b2
ii  libstdc++6                6.3.0-18+deb9u1
ii  libvpx4                   1.6.1-3+deb9u1
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3+deb9u1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages firefox-esr recommends:
ii  libavcodec57  7:3.2.12-1~deb9u1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
ii  fonts-stix [otf-stix]  1.1.1-4
ii  libcanberra0           0.30-3
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libgtk2.0-0            2.24.31-2

-- no debconf information
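The reporter's evidence is a network capture compared by eye against browsing history. A way to make that comparison repeatable is to take the distinct hostnames out of the profile's history database and intersect them with the hostnames seen in the capture around startup. The script below is an added example, not code from this bug report or from Debian or Mozilla. It assumes only that history lives in a `moz_places` table with a `url` column (the real places.sqlite has many more columns, and a running Firefox holds a lock on it, so work on a copy); both the history rows and the capture lines are constructed here, and the capture format (`timestamp kind name`) is an invented summary, not real tshark or firewall output.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for the reporter's browsing history (not real data).
HISTORY_URLS = [
    "https://example.org/articles/1",
    "https://www.example.org/",
    "https://mail.example.net/inbox",
    "https://bank.example.com/login",
    "https://news.example.com/",
]

# Constructed stand-in for the wireshark / firewall evidence: one line per
# DNS query ("dns") or TLS SNI ("sni") seen right after browser start.
# The two "vendor.example" names are noise that is not in the history.
CAPTURE_LINES = """\
1538380800.101 dns example.org
1538380800.102 dns www.example.org
1538380800.130 sni www.example.org
1538380800.250 dns portal.vendor.example
1538380800.300 dns bank.example.com
1538380800.310 sni bank.example.com
1538380800.400 dns updates.vendor.example
1538380800.500 sni news.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<kind>dns|sni)\s+(?P<name>\S+)$")


def build_history_db(urls):
    """In-memory SQLite DB with a minimal moz_places table (url column only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    conn.executemany("INSERT INTO moz_places (url) VALUES (?)", [(u,) for u in urls])
    conn.commit()
    return conn


def history_hosts(conn):
    """Distinct lowercased hostnames from moz_places.url.

    On a real profile, point sqlite3.connect at a copy of places.sqlite
    and this query works unchanged.
    """
    hosts = set()
    for (url,) in conn.execute("SELECT url FROM moz_places"):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def capture_hosts(text):
    """Parse capture summary lines into {hostname: first_seen_timestamp}."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a DNS/SNI summary line
        name = m.group("name").lower().rstrip(".")
        seen.setdefault(name, float(m.group("ts")))
    return seen


def history_leak(conn, capture_text):
    """Sorted (host, first_seen) pairs for history hosts that were contacted."""
    hist = history_hosts(conn)
    cap = capture_hosts(capture_text)
    return sorted((h, cap[h]) for h in hist if h in cap)


def leak_ratio(conn, capture_text):
    """Fraction of distinct history hosts that appear in the capture."""
    hist = history_hosts(conn)
    if not hist:
        return 0.0
    return len(history_leak(conn, capture_text)) / len(hist)


if __name__ == "__main__":
    db = build_history_db(HISTORY_URLS)
    for host, ts in history_leak(db, CAPTURE_LINES):
        print(f"{ts:.3f}  {host}")
    print(f"{leak_ratio(db, CAPTURE_LINES):.0%} of history hosts contacted at startup")
```

With the constructed data, four of the five history hosts (all but mail.example.net) show up in the capture, while the two vendor names are correctly ignored because they are not in the history. Run against a real capture, the interesting signal is the same: history hosts contacted before the user has opened any tab.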


Bug#908398: firefox-esr: Browsing history leak after 60.2 upgrade

Tuxicoman
Hi,

Do you have any more info?
This looks related to Firefox rather than Debian, so it should be
reproducible elsewhere. Is there any study of this behavior so that we
can know which part of the code is responsible for it?


Bug#908398: firefox-esr: Browsing history leak after 60.2 upgrade

Jonas Smedegaard
Quoting Tuxicoman (2018-10-01 19:40:23)
> Do you have any more info?
> This looks related to Firefox rather than Debian, so it should be
> reproducible elsewhere. Is there any study of this behavior so that we
> can know which part of the code is responsible for it?

This is likely (at least in part) the redesigned start page, driven by
the feature addon "Activity Stream".

Upstream considers Activity Stream a feature, not a bug - see e.g.
https://github.com/mozilla/activity-stream/issues/2306

Feature addons are addons shipped with Firefox - again considered a
feature upstream, and separable; see https://bugs.debian.org/884600


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
