Slashdot Mirror


Security-Updated Versions Of Mozilla Released

petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just a XPI upgrade, so you'll have to download a new binary and install."

10 of 375 comments

  1. Re:Grumble Grumble by steeef · · Score: 5, Informative

    Installing over the old version often works, but sometimes not.

    If not, I usually save my plugins, delete the directory, install, then copy my plugins. My settings, bookmarks, and skins are all in my profile, and I haven't had to delete/recreate that in a while.

    It sounds like you're just being too careful.

  2. Re:Does this mean that . . . by NeoThermic · · Score: 5, Informative
    Really? His ass must be very correct:

    Internet Explorer 6 Service Pack 1

    I quote:
    Windows Me:
    32 MB of RAM minimum
    Full install size: 8.7 MB

    Windows 2000:
    32 MB of RAM minimum
    Full install size: 12.0 MB

    Windows 98 Second Edition:
    16 MB of RAM minimum
    Full install size: 12.4 MB

    Windows 98:
    16 MB of RAM minimum
    Full install size: 11.5 MB

    Windows NT 4.0 with the high encryption version of Service Pack 6a and higher:
    32 MB of RAM minimum
    Full install size: 12.7 MB

    Windows XP:
    32 MB of RAM minimum
    Full install size: 12.0 MB

    That's just *one*, and it's larger than the 5MB 0.9.3 release.

    NeoThermic
    --
    Use my link above, or to view my server, NeoThermic.com
  3. Try again if 0.9.3 for Windows didn't work earlier by sakyamuni · · Score: 4, Informative

    The timestamps in the 0.9.3 release directory show that the Windows binary has been updated.

    Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation, that oops-i-forgot-to-increase-the-version-number snafu should never happen.

  4. The actual vulnerabilities by Anonymous Coward · · Score: 5, Informative
    Copy & Paste, Bugzilla hates us:

    http://bugzilla.mozilla.org/buglist.cgi?bug_id=251381,249004,250906,253121

    • Importing false CA certificate leading to error -8182 (perm DoS), especially exploitable by email
    • null (%00) in filename fakes extension (ftp, file)
    • new libpng buffer overflow vulnerabilities
    • lock icon and certificates spoofable with onunload document.write


    IE catches shit for 2 out of the 4 bugs.

    libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"

    null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
  5. The four vulnerabilities... by Joey7F · · Score: 4, Informative

    249004 Importing false CA certificate leading to error -8182 (pe...

    # False certificates aren't really an exploit

    250906 null (%00) in filename fakes extension (ftp, file)

    # fake extensions aren't exploits

    251381 new libpng buffer overflow vulnerabilities

    # okay that is an exploit

    253121 lock icon and certificates spoofable with onunload docume...

    # that is not an exploit either

    I think they should be more like bugs. I think Mozilla is just trying to play it safe. Ironically by them "being up front" they may end up driving people away from the browser...

    --Joey

  6. Linux installer bug by FunkyRat · · Score: 4, Informative

    I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.gz) linked from the Firefox page and the installer itself seems to have a little bug:

    ** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()

    It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here and untar it over your old firefox directory you should be just fine.

  7. Re:MAC OSX Complains by nxg125 · · Score: 4, Informative

    Well, Firefox 1.0 on OS X will be delayed a bit from the other platforms to clean up some issues such as this. The Expose thing you mentioned has been written up in Bugzilla (copy & paste the URL to see the bug.)

  8. Re:Does this mean that . . . by bigberk · · Score: 4, Informative
    Trying to download a 4.0 MB file after it's linked to on the front page of Slashdot is never an easy thing, dude.
    I'm mirroring a couple of the files. Please verify the md5sums yourself, though.
  9. Four and more by tepples · · Score: 4, Informative

    The new Mozilla Firefox release fixes four security problems and all the other bugs that have been fixed in the aviary branch. Microsoft, on the other hand, hasn't published fixes to IE's layout engine since 2001.

  10. Re:Mod parent up. by line.at.infinity · · Score: 4, Informative
    Try this, which says:
    Specifically...
    Browse to 'about:config'.
    In the filter box type 'update'.
    Double click 'update.app.updatesAvailable' and change the value from 'true' to false.
    Restart Browser.

    Worked for me.