* Jean Tourrilhes ([EMAIL PROTECTED]) wrote:
> Package: mozilla-firefox
> Version: 1.0.4-2sarge
> Severity: critical
> 
>       Hi,
> 
>       I'm using the very latest version of Debian, which is 3.1r2
> (Sarge + all security updates). The IT people at work here are bugging
> me because the version of firefox installed on my system contains
> multiple vulnerabilities.
> 
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
> 
>       I don't always agree with our IT people, but it seems to me
> that Firefox 1.0.8 fixes quite a lot of remote vulnerabilities. I
> usually don't care about local exploits, and I usually don't care much
> about the security of packages I rarely use, as I'm the only user of
> that box, but remote vulnerabilities in my browser scare me. It seems
> to me that nowadays the browser is one of the main vectors of attack.
>       In other words, if there is only one package on that box that
> should be up to date, that should be Firefox.

The way Debian does security for stable releases is to port just the
security fixes into stable. The Firefox point releases contain other
miscellaneous bug fixes that we don't want. And they don't make it
easy for us, they purposefully lock out the bugzilla for security
related bugs, even after they've released fixes. 

Alexander Sack has done a fantastic job porting the security fixes
found in 1.0.8 into the sarge version of the package, and I'll be
building it tonight and passing it on to the security folks so it
shouldn't be too much longer. 
 
>       I also wonder what will happen in the future. Firefox 1.0.X
> seems to be discontinued by the Mozilla foundation. I hope it doesn't
> mean that users of Stable will be left vulnerable. I hope you will
> find a workable solution, such as putting Firefox 1.5 in stable.
> 
> http://developer.mozilla.org/devnews/index.php/2006/04/12/sunset-announcement-for-fxtb-10x-and-mozilla-suite-17x/

It sucks. We'll do our best. Help is always appreciated. I wish the
Mozilla guys had more open security practices. 

>       Thanks for the good work on the package, and thanks in advance
> for keeping me safe while browsing.

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ 
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ 
G e h! r- y+ 
------END GEEK CODE BLOCK------
