Buried in the fanfare for the 1.0 release of Firefox were notices that some security holes were fixed from prior versions (up to and including 0.10.1 aka 1.0PR), and that everybody should upgrade to 1.0 gold immediately. A list of the security holes purported to be closed in 1.0 is in the "unofficial changelog": http://www.squarefree.com/burningedge/releases/1.0.html In particular, these two bugs are noted there as being fixed, and both of them point to advisories on secunia.com; both of those advisories state that the remedy is to upgrade to 1.0 gold: https://bugzilla.mozilla.org/show_bug.cgi?id=251297 https://bugzilla.mozilla.org/show_bug.cgi?id=124750 An update to Fedora Core 3 to include 1.0 gold should be made ASAP so as to get those holes plugged--or alternatively, if the Debian approach is preferred around here ;), patches should be made to the 1.0PR codebase to fix these vulnerabilities, and an errata release made.
Looking at the changelog for firefox suggests that b.m.o#124750 has already been fixed: * Fri Oct 08 2004 Christopher Aillon <caillon> 0:0.10.1-1.0PR1.9 - Add patches to fix tab focus stealing issue (b.m.o #124750)
According to the log for b.m.o#124750, the change that was checked in on or around October 8 didn't fix it. The corresponding Secunia advisory says that 0.10.1 is vulnerable. Besides which, this press release says that 0.10.1 was released on October 1: http://www.mozilla.org/press/mozilla-2004-10-01-02.html The final checkin to fix b.m.o#251297 was on October 22. At any rate, double-checking them for the sake of the paranoid is a Good Thing(TM) ;).
This bug should be closed since firefox-1.0 was released as an update for FC3.
I see it on FTP, but no announcement has been posted to fedora-announce-list.
Just because no announcement has been made does not mean this is not fixed. It is. The announcement is waiting on a few clearances. There is an embargo on some information I want to announce.