[HTTPS-Everywhere] New bugfix release 2018.6.21

William Budington bill at eff.org
Thu Jun 21 16:38:57 PDT 2018


There is a new release for HTTPS Everywhere out today.  This release fixes a serious vulnerability, first discovered by davtur19 via the Tor Project's HackerOne bug bounty program, which allows a remote site to freeze the browser via a maliciously crafted URL.[1]  This only affects the 2018.6.13 release; older releases are not vulnerable.  No private information is disclosed as a result of this vulnerability.

From the changelog:

2018.6.21
  * Fix: URLs with a hostname of '.' cause endless loop to be triggered
  * Bundled ruleset updates

Releases are available for Firefox (both the extension hosted on EFF.org and through addons.mozilla.org) and Chromium. Your browser should automatically download the updates within 24 hours, but we recommend manually downloading to receive the update quicker:

Firefox:
  1. Navigate to "about:addons"
  2. Click the gear icon at the top-right corner
  3. Click "Check for Updates"
  
Chrome:
  1. Navigate to "chrome://extensions/"
  2. In the top-right corner, switch the "Developer Mode" slider to the "on" position, if it is not there already
  3. Click the "Update" link that appears at the top

1. https://trac.torproject.org/projects/tor/ticket/26451