[Bug 1074235] New: MozillaFirefox: background tab crash reports sent inadvertently without user opt-in

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235

Bug ID: 1074235
Summary: MozillaFirefox: background tab crash reports sent inadvertently without user opt-in
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Firefox
Assignee: bnc-team-mozilla@forge.provo.novell.com
Reporter: astieger@suse.com
QA Contact: qa-bugs@suse.de
CC: studio@anchev.net
Found By: Security Response Team
Blocker: ---

https://www.mozilla.org/en-US/firefox/52.5.3/releasenotes/
https://www.mozilla.org/en-US/firefox/57.0.3/releasenotes/

Firefox was affected by a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in
https://bugzilla.mozilla.org/show_bug.cgi?id=1427111

Fixed in 52.5.3 ESR and 57.0.3

May explain some observations alleged in bug 1073399.

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235

Wolfgang Rosenauer <wolfgang@rosenauer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
                 CC|                            |wolfgang@rosenauer.org

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235
http://bugzilla.opensuse.org/show_bug.cgi?id=1074235#c2

Frank Kruger <fkrueger@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrueger@mailbox.org

--- Comment #2 from Frank Kruger <fkrueger@mailbox.org> ---
(In reply to Andreas Stieger from comment #0)
> https://www.mozilla.org/en-US/firefox/52.5.3/releasenotes/
> https://www.mozilla.org/en-US/firefox/57.0.3/releasenotes/
>
> Firefox was affected by a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in
> https://bugzilla.mozilla.org/show_bug.cgi?id=1427111
>
> Fixed in 52.5.3 ESR and 57.0.3
>
> May explain some observations alleged in bug 1073399.

Given the above-mentioned bug and the discussion, e.g., at https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and telemetry, are there any plans on the SUSE security side to re-evaluate possible privacy issues for Firefox and Thunderbird?

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235
http://bugzilla.opensuse.org/show_bug.cgi?id=1074235#c3

--- Comment #3 from Andreas Stieger <astieger@suse.com> ---
https://build.opensuse.org/request/show/560624
https://build.opensuse.org/request/show/560625
https://build.opensuse.org/request/show/560783

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235
http://bugzilla.opensuse.org/show_bug.cgi?id=1074235#c4

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Andreas Stieger <astieger@suse.com> ---
(In reply to Frank Kruger from comment #2)
> Given the above-mentioned bug and the discussion, e.g., at https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and telemetry, are there any plans on the SUSE security side to re-evaluate possible privacy issues for Firefox and Thunderbird?

Security team is skeptical but rarely wears tinfoil hats. I do not think that we are likely to evaluate this on general privacy concerns alone, as in the "evil organization" sense.

Aspects that we would delegate to the maintainer and the openSUSE project at large to handle:
* Differing opinions about whether telemetry features should be allowed
* same, on the vendor and its policies

Reasons why we would look into it:
* Ineffective transport encryption or certificate chain validation
* Generally ineffective user settings (such as this bug)
* Attacker triggered transfer of information to an unintended destination, or extraction of unintended information
* Without involving an attacker, if information sent differs from the declared content
* Behavior differs drastically from the user expectations or documentation (e.g. demonstrable trojan)
* Anything else that crosses a security boundary

I hope that answers your question. I would like to stress that I am in no way entirely dismissive of these concerns. We would just like to start the discussion slightly more refined than the summary of bug 1073399.

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235
http://bugzilla.opensuse.org/show_bug.cgi?id=1074235#c5

--- Comment #5 from Frank Kruger <fkrueger@mailbox.org> ---
(In reply to Andreas Stieger from comment #4)
> (In reply to Frank Kruger from comment #2)
> > Given the above-mentioned bug and the discussion, e.g., at https://bugzilla.mozilla.org/show_bug.cgi?id=1424781 on datareporting and telemetry, are there any plans on the SUSE security side to re-evaluate possible privacy issues for Firefox and Thunderbird?
>
> Security team is skeptical but rarely wears tinfoil hats. I do not think that we are likely to evaluate this on general privacy concerns alone, as in the "evil organization" sense.
>
> Aspects that we would delegate to the maintainer and the openSUSE project at large to handle:
> * Differing opinions about whether telemetry features should be allowed
> * same, on the vendor and its policies
>
> Reasons why we would look into it:
> * Ineffective transport encryption or certificate chain validation
> * Generally ineffective user settings (such as this bug)
> * Attacker triggered transfer of information to an unintended destination, or extraction of unintended information
> * Without involving an attacker, if information sent differs from the declared content
> * Behavior differs drastically from the user expectations or documentation (e.g. demonstrable trojan)
> * Anything else that crosses a security boundary
>
> I hope that answers your question. I would like to stress that I am in no way entirely dismissive of these concerns. We would just like to start the discussion slightly more refined than the summary of bug 1073399.

I do agree. Thank you for the clarification.

http://bugzilla.opensuse.org/show_bug.cgi?id=1074235
http://bugzilla.opensuse.org/show_bug.cgi?id=1074235#c6

--- Comment #6 from Frank Kruger <fkrueger@mailbox.org> ---
(In reply to Andreas Stieger from comment #3)
> https://build.opensuse.org/request/show/560624
> https://build.opensuse.org/request/show/560625
> https://build.opensuse.org/request/show/560783

FYI the links result in a 500 error page. Other requests work fine.