Bug 635659 - Firefox at V.3.6.7 has known security bugs, all the while 3 newer versions were released over a period of 54 days.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 13
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-20 13:16 UTC by Bram...
Modified: 2010-09-23 08:49 UTC

Fixed In Version: firefox-3.6.10-1.fc13
Clone Of:
Environment:
Last Closed: 2010-09-23 04:56:16 UTC
Type: ---
Embargoed:



Description Bram... 2010-09-20 13:16:16 UTC
We are stuck with Firefox at 3.6.7 that has known security bugs, all
the while 3 newer versions were released over a period of 54 days.


v.3.6.10, released September 15th:

Fixed a single stability issue affecting a limited number of users

v.3.6.9, released September 7th, 2010

MFSA 2010-63 Information leak via XMLHttpRequest statusText
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document
allows XSS
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object>
type attribute
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)

v.3.6.8, released July 23rd, 2010

MFSA 2010-48 Dangling pointer crash regression from plugin parameter
array fix

This should be promptly corrected! 

Bram.

Comment 1 Martin Stransky 2010-09-20 13:50:25 UTC
It's going to be updated to 3.6.10 soon.

Comment 3 Fedora Update System 2010-09-22 11:34:17 UTC
galeon-2.0.7-33.fc13, firefox-3.6.10-1.fc13, xulrunner-1.9.2.10-1.fc13, gnome-python2-extras-2.25.3-22.fc13, gnome-web-photo-0.9-12.fc13, mozvoikko-1.0-14.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.17 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/galeon-2.0.7-33.fc13,firefox-3.6.10-1.fc13,xulrunner-1.9.2.10-1.fc13,gnome-python2-extras-2.25.3-22.fc13,gnome-web-photo-0.9-12.fc13,mozvoikko-1.0-14.fc13,perl-Gtk2-MozEmbed-0.08-6.fc13.17

Comment 4 Jonathan Rushdoony 2010-09-23 03:06:53 UTC
Firefox 3.6.9 has been in updates-candidate since 9/8.  While it's good to read here that 3.6.10 will be available soon, Mozilla identified "critical" security vulnerabilities in 3.6.7.  Fedora should have provided Firefox 3.6.9 promptly to Fedora users.  Releasing 3.6.9 and then working on 3.6.10 aren't mutually exclusive.  My thanks to the user who reported this as a bug on 9/20.

Comment 5 Fedora Update System 2010-09-23 04:56:11 UTC
galeon-2.0.7-33.fc13, firefox-3.6.10-1.fc13, xulrunner-1.9.2.10-1.fc13, gnome-python2-extras-2.25.3-22.fc13, gnome-web-photo-0.9-12.fc13, mozvoikko-1.0-14.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.17 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

