Bug 799072

Summary: Firefox 10.0.1 has a critical vulnerability patched in 10.0.2
Product: [Fedora] Fedora Reporter: John D. Ramsdell <ramsdell>
Component: firefoxAssignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 16CC: gecko-bugs-nobody, jhorak, stransky
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-02 06:46:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description John D. Ramsdell 2012-03-01 17:44:13 UTC 
Description of problem:

Firfoxe 10.0.1 has a critical vulnerability described here:

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

MFSA 2012-11 libpng integer overflow 

Please upgrade to 10.0.2.

Version-Release number of selected component (if applicable):

10.0.1-1.fc16

How reproducible:

See URL.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Jan Horak 2012-03-02 06:46:39 UTC 
We fixed that with release of xulrunner-10.0.1-3. See changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=299915
it's a bit confusing that version is not 10.0.2 but we started to do test builds with fix sooner than mozilla put official source tarballs to their ftp. We did that because we wanted to deliver fix ASAP to Fedora users.

Thanks for keeping and eye on us.
Comment 2 Martin Stransky 2012-03-02 06:49:11 UTC 
The update is here:

https://admin.fedoraproject.org/updates/FEDORA-2012-1856
Comment 3 John D. Ramsdell 2012-03-02 12:17:36 UTC 
This fix is very bad for me.  My company's firewall blocks access to the internet from Firefox browsers that identify themselves as 10.0.1 due the to the critical vulnerability.  Therefore, I am currently without a usable browser when on Fedora.
Comment 4 Martin Stransky 2012-03-02 12:29:15 UTC 
Firefox 10.0.3 is going to ship on Mar/13. You can use upstream binary from mozilla.org or build your own firefox rpm package from sources from ftp://ftp.mozilla.org/pub/firefox/releases/10.0.2/source/ until that.
Comment 5 John D. Ramsdell 2012-03-02 14:11:46 UTC 
(In reply to comment #4)

Thanks for your quick reply.  I tried to use the binary from Mozilla yesterday, but found it requires 32-bit libraries.  I'm running a pure 64-bit system.  I'll try building Firefox from sources soon, but for now, I browse the Internet on Windows and transfer downloads via pscp.  It works.  That being said, in the future, please ensure Firefox correctly self identifies so this doesn't happen again.
Comment 6 Jan Horak 2012-03-05 07:43:21 UTC 
We understand your problem. Mozilla makes x86_64 builds too, see:
ftp://ftp.mozilla.org/pub/firefox/releases/10.0.2/linux-x86_64/