Please be aware if you are using Epiphany browser

Looks as if a lot of the discussion is going off topic.

Topic: There are a couple of CVEs that are claimed to be reproducible in Epiphany on PureOS, and other CVEs not tested.

Discussion of why web browsers are complex beasts and why it is difficult to write one that has no bugs and how you would write a web browser and what you would change in a web browser and discussion of other web browsers … please fork the topic.

@Moon3 Are you testing on the Librem 5 or on another Librem device or on some other device? What version of Epiphany?

2 Likes

You can easily check the Purism repo here https://source.puri.sm/Librem5/debs/epiphany and see if they have the fixes introduced here: "Various XSS, including via page titles in about:overview (CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, CVE-2021-45088)" (#1612, GNOME / Epiphany issues on GitLab).

You need to go down and click on the different commits.

I tested this in a virtual machine; currently the latest version of Epiphany browser Purism is shipping is 40.2-1pureos2.

I don’t think the device matters.

2 Likes

I want to correct something I mentioned in my post regarding Firefox ESR.

Byzantium did have version 115.8.0, which has fixes for the latest disclosed vulnerabilities, but not Crimson, which still ships version 115.7.0.

The reason why I made this mistake is because I upgraded from Byzantium to Crimson, then installed Firefox ESR in Crimson, and then realized that it doesn’t have version 115.8.0, which currently is the latest version of Firefox ESR.

My apologies for the mistake.

1 Like

Thank you for the note! I noticed that my phone was on 115.8 when you said the problem was 115.7 but had not investigated the details. Comforting to know that Purism is keeping my phone somewhat secure in that regard.

2 Likes