(Fixed in Tails 5.1) Serious security vulnerability in Tails 5.0 (2022-05-24)

Just to update this thread:

Tails 5.1 has been released:
Tails 5.1 Has Been Released! (2022-06-04)


Disregard the following text (since 5.1 has been released); retaining it here for historical value.


hxxps://tails.boum.org/security/prototype_pollution/index.en.html

"Tor Browser in Tails 5.0 and earlier is unsafe to use for sensitive information.

We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.).

A security vulnerability was discovered in the JavaScript engine of Firefox and Tor Browser. See the Mozilla Foundation Security Advisory[1] 2022-19.

This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.

This vulnerability doesn’t break the anonymity and encryption of Tor connections.

For example, it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

After Tor Browser has been compromised, the only reliable solution is to restart Tails.

Other applications in Tails are not vulnerable. Thunderbird in Tails is not vulnerable because JavaScript is disabled.

The Safest security level of Tor Browser[2] is not affected because JavaScript is disabled at this security level.

This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier."

[1] Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 — Mozilla
[2] Tails - Browsing the web with Tor Browser


Edit: Removed text which was later removed from the first link’s destination above to match


From the original post:

“We recommend that you stop using Tails until the release of 5.1 (May 31)”

But according to the Tails site:

https://tails.boum.org/contribute/calendar/

"Calendar

All times are referenced in UTC.

2022 Q2

  • 2022-06-03 (hopefully): Release 5.1 (Firefox 91.10) — intrigeri is the RM, nodens is the TR"


That being said, I’m not sure when the actual release will happen, but wanted to provide an update here since May 31st has come and gone and no 5.1 release just yet.
