On Sun, Apr 23, 2006 at 11:35:52PM -0400, Eric Dorland wrote:
> * Jean Tourrilhes ([EMAIL PROTECTED]) wrote:
> > Package: mozilla-firefox
> > Version: 1.0.4-2sarge
> > Severity: critical
> >
> > Hi,
> >
> > I'm using the very latest version of Debian, which is 3.1r2
> > (Sarge + all security updates). The IT people at work here are bugging
> > me because the version of firefox installed on my system contains
> > multiple vulnerabilities.
> >
> > http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
> >
> > I don't always agree with our IT people, but it seems to me
> > that Firefox 1.0.8 fixes quite a lot of remote vulnerabilities. I
> > usually don't care about local exploits, and I usually don't care much
> > about the security of packages I rarely use, as I'm the only user of
> > that box, but remote vulnerabilities in my browser scare me. It seems
> > to me that nowadays the browser is one of the main vectors of attack.
> > In other words, if there is only one package on that box that
> > should be up to date, that should be Firefox.
>
> The way Debian does security for stable releases is to port just the
> security fixes into stable. The Firefox point releases contain other
> miscellaneous bug fixes that we don't want. And they don't make it
> easy for us, they purposefully lock out the bugzilla for security
> related bugs, even after they've released fixes.
>
> Alexander Sack has done a fantastic job porting the security fixes
> found in 1.0.8 into the sarge version of the package, and I'll be
> building it tonight and passing it on to the security folks so it
> shouldn't be too much longer.

Yes, I know that you guys do a job I personally consider
impossible. Congrats on that.
Thanks for the positive answer!

Jean