Bug 138790 - Security Holes Fixed in Firefox 1.0
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: firefox
Version: 3
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Christopher Aillon
Keywords: Security
Reported: 2004-11-11 01:10 EST by Jason Bucata
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-11-13 17:16:57 EST


Description Jason Bucata 2004-11-11 01:10:07 EST
Buried in the fanfare for the 1.0 release of Firefox were notices
that some security holes were fixed from prior versions (up to and
including 0.10.1 aka 1.0PR), and that everybody should upgrade to 1.0
gold immediately.

A list of the security holes purported to be closed in 1.0 is in the
"unofficial changelog":
     http://www.squarefree.com/burningedge/releases/1.0.html

In particular, these two bugs are noted there as being fixed, and both
of them point to advisories on secunia.com; both of those advisories
state that the remedy is to upgrade to 1.0 gold:
     https://bugzilla.mozilla.org/show_bug.cgi?id=251297
     https://bugzilla.mozilla.org/show_bug.cgi?id=124750

An update to Fedora Core 3 to include 1.0 gold should be made ASAP so
as to get those holes plugged--or alternatively, if the Debian
approach is preferred around here ;), patches should be made to the
1.0PR codebase to fix these vulnerabilities, and an errata release made.
Comment 1 Sitsofe Wheeler 2004-11-11 04:28:03 EST
Looking at the changelog for firefox suggests that b.m.o#124750 has
already been fixed:
* Fri Oct 08 2004 Christopher Aillon <caillon@redhat.com>
0:0.10.1-1.0PR1.9
- Add patches to fix tab focus stealing issue (b.m.o #124750)
Comment 2 Jason Bucata 2004-11-11 11:02:44 EST
According to the log for b.m.o#124750, the change that was checked in
on or around October 8 didn't fix it.  The corresponding Secunia
advisory says that 0.10.1 is vulnerable.  Besides which, this press
release says that 0.10.1 was released on October 1:
     http://www.mozilla.org/press/mozilla-2004-10-01-02.html

The final checkin to fix b.m.o#251297 was on October 22.

At any rate, double-checking them for the sake of the paranoid is a
Good Thing(TM) ;).
Comment 3 petrosyan 2004-11-12 09:28:52 EST
This bug should be closed since firefox-1.0 was released as an update
for FC3.
Comment 4 Jason Bucata 2004-11-13 16:56:44 EST
I see it on FTP, but no announcement has been posted to
fedora-announce-list.
Comment 5 Christopher Aillon 2004-11-13 17:16:57 EST
Just because no announcement has been made does not mean this is not fixed.
It is.  The announcement is waiting on a few clearances.  There is an
embargo on some information I want to announce.
