Red Hat Bugzilla – Bug 799072
Firefox 10.0.1 has a critical vulnerability patched in 10.0.2
Last modified: 2012-03-05 02:43:21 EST
Description of problem:
Firfoxe 10.0.1 has a critical vulnerability described here:
MFSA 2012-11 libpng integer overflow
Please upgrade to 10.0.2.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
We fixed that with release of xulrunner-10.0.1-3. See changelog:
it's a bit confusing that version is not 10.0.2 but we started to do test builds with fix sooner than mozilla put official source tarballs to their ftp. We did that because we wanted to deliver fix ASAP to Fedora users.
Thanks for keeping and eye on us.
The update is here:
This fix is very bad for me. My company's firewall blocks access to the internet from Firefox browsers that identify themselves as 10.0.1 due the to the critical vulnerability. Therefore, I am currently without a usable browser when on Fedora.
Firefox 10.0.3 is going to ship on Mar/13. You can use upstream binary from mozilla.org or build your own firefox rpm package from sources from ftp://ftp.mozilla.org/pub/firefox/releases/10.0.2/source/ until that.
(In reply to comment #4)
Thanks for your quick reply. I tried to use the binary from Mozilla yesterday, but found it requires 32-bit libraries. I'm running a pure 64-bit system. I'll try building Firefox from sources soon, but for now, I browse the Internet on Windows and transfer downloads via pscp. It works. That being said, in the future, please ensure Firefox correctly self identifies so this doesn't happen again.
We understand your problem. Mozilla makes x86_64 builds too, see: