Bug 799072 - Firefox 10.0.1 has a critical vulnerability patched in 10.0.2
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: firefox
Version: 16
Severity: high
Assigned To: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-03-01 12:44 EST by John D. Ramsdell
Modified: 2012-03-05 02:43 EST (History)
Last Closed: 2012-03-02 01:46:39 EST
Description John D. Ramsdell 2012-03-01 12:44:13 EST
Description of problem:

Firefox 10.0.1 has a critical vulnerability described here:

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

MFSA 2012-11 libpng integer overflow 

Please upgrade to 10.0.2.

Version-Release number of selected component (if applicable):

10.0.1-1.fc16

How reproducible:

See URL.

Comment 1 Jan Horak 2012-03-02 01:46:39 EST
We fixed that with release of xulrunner-10.0.1-3. See changelog:
http://koji.fedoraproject.org/koji/buildinfo?buildID=299915
It's a bit confusing that the version is not 10.0.2, but we started to do test builds with the fix sooner than Mozilla put official source tarballs on their FTP. We did that because we wanted to deliver the fix ASAP to Fedora users.

Thanks for keeping an eye on us.
Comment 2 Martin Stransky 2012-03-02 01:49:11 EST
The update is here:

https://admin.fedoraproject.org/updates/FEDORA-2012-1856
Comment 3 John D. Ramsdell 2012-03-02 07:17:36 EST
This fix is very bad for me. My company's firewall blocks access to the internet from Firefox browsers that identify themselves as 10.0.1 due to the critical vulnerability. Therefore, I am currently without a usable browser when on Fedora.
Comment 4 Martin Stransky 2012-03-02 07:29:15 EST
Firefox 10.0.3 is going to ship on Mar/13. You can use the upstream binary from mozilla.org or build your own firefox rpm package from the sources at ftp://ftp.mozilla.org/pub/firefox/releases/10.0.2/source/ until then.
Comment 5 John D. Ramsdell 2012-03-02 09:11:46 EST
(In reply to comment #4)

Thanks for your quick reply.  I tried to use the binary from Mozilla yesterday, but found it requires 32-bit libraries.  I'm running a pure 64-bit system.  I'll try building Firefox from sources soon, but for now, I browse the Internet on Windows and transfer downloads via pscp.  It works.  That being said, in the future, please ensure Firefox correctly self identifies so this doesn't happen again.
Comment 6 Jan Horak 2012-03-05 02:43:21 EST
We understand your problem. Mozilla makes x86_64 builds too, see:
ftp://ftp.mozilla.org/pub/firefox/releases/10.0.2/linux-x86_64/
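The mismatch this thread turns on (comments 1, 3 and 5) is that xulrunner-10.0.1-3 carries the backported fix but still advertises itself as Firefox 10.0.1, so a gateway rule keyed on the User-Agent version blocks a patched browser. The following is an added Python example, not part of the bug report or of Fedora's tooling; it contrasts a User-Agent gate of the kind the reporter's firewall applies with a check against the package version-release that first carried the fix. The User-Agent string is constructed for the example.

```python
import re

# Firefox advertises its version after "Firefox/" in the User-Agent header.
UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn a dotted version such as '10.0.2' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def ua_version(user_agent):
    """Return the advertised Firefox version as a tuple, or None if absent."""
    match = UA_RE.search(user_agent)
    return parse_version(match.group(1)) if match else None


def ua_blocked(user_agent, min_version="10.0.2"):
    """Gateway rule like the one in comment 3: block any Firefox whose
    advertised version is below the first upstream release with the fix.
    Note that this cannot see a distro backport such as 10.0.1-3."""
    version = ua_version(user_agent)
    return version is not None and version < parse_version(min_version)


def rpm_has_fix(version_release, fixed_vr="10.0.1-3"):
    """Compare a Fedora version-release string (e.g. '10.0.1-3.fc16')
    against the first build carrying the fix, xulrunner-10.0.1-3 (comment 1).
    The dist tag (.fc16) is dropped before comparing the release number."""
    def split(vr):
        version, release = vr.split("-", 1)
        release_num = int(release.split(".")[0])
        return (parse_version(version), release_num)
    return split(version_release) >= split(fixed_vr)


# Constructed sample: the header a patched Fedora 16 build would still send.
SAMPLE_UA = ("Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) "
             "Gecko/20100101 Firefox/10.0.1")

if __name__ == "__main__":
    print("UA gate blocks patched build:", ua_blocked(SAMPLE_UA))
    print("rpm 10.0.1-3.fc16 has fix:", rpm_has_fix("10.0.1-3.fc16"))
    print("rpm 10.0.1-1.fc16 has fix:", rpm_has_fix("10.0.1-1.fc16"))
```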
