Closed Bug 1289907 Opened 9 years ago Closed 9 years ago

Blocklist LastPass 4.0 to 4.1.20a

Categories

(Toolkit :: Blocklist Policy Requests, defect)



RESOLVED FIXED
Future

People

(Reporter: david.weir, Assigned: eviljeff)


LastPass has released a security release. Can you block all of the old add-ons for LastPass and ask them to update to the new version? https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
Component: Blocklisting → Security
Product: Toolkit → addons.mozilla.org
Target Milestone: --- → Future
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
According to the report, 4.1.21a fixes the bug and the 3.x branch isn't affected. We should give users a day or two to update, so maybe Friday would be a good day to deploy this.

ID: support@lastpass.com
Assignee: nobody → awilliamson
Summary: Last Pass Security Release → Blocklist LastPass 4.0 to 4.1.20a
(In reply to Jorge Villalobos [:jorgev] from comment #1)
> We should give users a day or two to update, so maybe Friday

The blocklist and add-on updates ping at the same interval. Why wouldn't users update before or at the same time as they pick up the next blocklist?

pref("extensions.blocklist.interval", 86400);
pref("extensions.update.interval", 86400);

If you're worried the two pings are pessimally skewed you could wait 24hrs from when the update was made available (some unspecified time before the blog was pushed) and push the blocklist tonight or tomorrow morning. Worst case if users get the blocklist first is that the add-on stops working, and they either restart Firefox to fix it, or they go to the add-ons dialog and "check for updates" manually.

We should not delay longer than necessary: Tavis's tweet ("I took a quick look and can see a bunch of obvious critical problems") could be taken as a challenge to obscure security researchers who want a little fame for publishing the details, or the promise of quick riches to malware authors.
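The ping-skew argument in the comment above, worked through as an added example (not part of the bug thread and not Firefox code). It assumes the update is available at t=0, each client's two pings have independent phases on an hourly grid, the update is picked up on the first update ping, and nobody checks for updates manually; `skew_exposure` and `first_ping_at_or_after` are hypothetical names.

```python
"""Added example: model of blocklist/update ping skew (assumptions in comments)."""
from fractions import Fraction

# Both prefs quoted in the comment are 86400 seconds (24 hours).
INTERVAL = 86400


def first_ping_at_or_after(phase, t, interval=INTERVAL):
    """First ping time >= t for a client that pings at phase + k*interval."""
    if phase >= t:
        return phase
    missed = -(-(t - phase) // interval)  # ceiling division
    return phase + missed * interval


def skew_exposure(block_delay, steps=24, interval=INTERVAL):
    """Return (fraction of clients blocked before updating, worst gap in seconds).

    block_delay: seconds between the update becoming available (t=0)
    and the blocklist entry being pushed.
    Assumption: ping phases are independent and evenly spread over the interval.
    """
    phases = [i * interval // steps for i in range(steps)]
    blocked_first = 0
    worst_gap = 0
    for update_phase in phases:
        got_update = first_ping_at_or_after(update_phase, 0, interval)
        for block_phase in phases:
            got_block = first_ping_at_or_after(block_phase, block_delay, interval)
            if got_block < got_update:
                # The add-on is disabled until the next update ping.
                blocked_first += 1
                worst_gap = max(worst_gap, got_update - got_block)
    return Fraction(blocked_first, steps * steps), worst_gap


if __name__ == "__main__":
    for hours in (0, 12, 24):
        share, gap = skew_exposure(hours * 3600)
        print(f"push after {hours:2d}h: {float(share):.1%} blocked first, "
              f"worst gap {gap / 3600:.0f}h")
```

Under these assumptions, waiting one full interval before pushing the block means no client sees the block before its update ping, while pushing immediately leaves just under half of clients blocked first.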
It's not a great experience to get a block for your password manager that disappears shortly with no explanation. If there were a known exploit I would be okay accelerating this. Otherwise I favor letting most users update through the normal mechanism.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED