Security-Updated Versions Of Mozilla Released
petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just an XPI upgrade, so you'll have to download a new binary and install."
Any idea where to get RPMs?
According to the forum, a libpng vulnerability also just happens to crash IE.
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I had no problems just letting the installer overwrite my old Firefox directory. After it upgraded, all my extensions/bookmarks were still there.
Sorry people, it was just an urge and I feel really stupid now, so I'm sorry!
Anyway, I am really glad to see this. I work at an ISP, and deal with a lot of these ad/mal/viral-ware that gets onto IE despite our best efforts. So, we have been deploying Mozilla Fire(something) and Thunderbird programs - and PEOPLE LOVE IT!
What makes them happy - makes me very happy!
'/dev/wit' is not available.
However, those 3 Firefox holes were fixed faster than the 1 IE hole. Mozilla releases patches as soon as they've fixed the problem. Microsoft? They wait until Wednesday night. If a problem is fixed on a Thursday, and it's something already exploited, then most people affected (the clueless windows users) are basically screwed.
ROMANES EUNT DOMUS
I might be dafter than a regular brick, but I can't see that the FireFox Release Notes mention what is actually new in this release?
Oh well... perhaps I'm just weird for wanting to know what's new in this sub-release.
I did the uninstall install routine and everything was borged: I couldn't close tabs, was unable to go back one page and the context menu was gone. Took me really, really long to fix this manually.
I wonder if the people who uncovered these bugs qualified for the $500 payment or if it contributed to them being found.
I use an invisible root window in my application as well. Many applications use invisible windows, and they do not foul Exposé at all. Exposé will not show an invisible window, nor will it show an offscreen window (which is frustrating to me, as I have several tools that try to remember where windows were last displayed even on smaller monitors).
I really do not know what Mozilla is doing, but it is not that simple.
I'm not sure anyone has said they were all exploits - they are all security bugs.
The false certs thing is a DoS - it can corrupt the local certificate setup so that real certs don't work any more.
Sites being able to spoof the lock icon and present a certificate that belongs to a different site isn't an exploit, but it defeats signing - means the user can't know if they're sending their password or credit card details to the wrong site.
If you install over an old version it's been my experience that the user-agent and other settings don't get updated for whatever reason.
I'll confess, updating should be painless for Firefox/Mozilla, but it's not.
All I know about Bush is I had a good job when Clinton was president.
If it really is necessary to point out to you, then I'm getting sick of comments like: ...and...
"At 5MB for Firefox (on windows), its far smaller than the average IE 'patch', which normally are around 7 MB or so."
"IE catches shit for 2 out of the 4 bugs."
"Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment."
Thank you,
Xeon
Real programmers can write assembly code in any language. -- Larry Wall
Does the "Periodically check for updates" feature work in Firefox? It has never in the past informed me of an update, and even now when I manually check by selecting "Check Now" it currently tells me no updates are available.
Still, I was shocked to be getting 80 KB/s... I think they should also consider making bittorrent and/or magnet links available sooner in order to trim unnecessary costs.
The only ways I can see to accomplish a silent install are either:
- rewrite the installer so it actually does work (pain in the ass)
- or use the .zip version and completely re-implement the install process in a batch script (even more annoying)
This is another one of those "enterprise" necessities that the developers seem not to have figured out.
That was what an update should be!
Upgraded from 0.9.1 to 0.9.3. Didn't have to fiddle with turning off extensions or re-downloading them and reconfiguring them this time. Continues to use the same .mozilla directory. The only nit to pick was that search plugins aren't stored in userspace, but copying them over is trivial.
To-do List: Receive telemarketing call during a tornado warning. Check.
Where is the Changelog? From the website, you only know there is a new version for these three apps, but there is no description of what has been changed since the last version?
I remember that for every release there used to be a link to the Changelog with details on all the new changes since the last minor update (eg v1.6.1 to v1.6.2). Is the new site/design just too "user friendly"?
(After some browsing I did find a link to an *external* website with change details, but can't find it again now... @_@)
Codeala - Just another mindless drone
This version broke something related to the proxy configuration. I can no longer authenticate myself at any website using saved passwords if I use my university proxy server. :(
What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticeable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?
While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?
No but if I still ran Windows I'd love to be able to uninstall that "Browser" you call IE ...
Just tried Moz 1.7.2 and the anti-aliased fonts were gone (maybe build options?). Furthermore, I've faced some segfaults when browsing Slashdot. Reverted to Slack 10's original Moz 1.7.
My 2 cents.
"We are talking about IE here, not 2K."
Yes, you are correct, I pasted the wrong link. I'm sorry about that
"Need me to continue? Or have I proved my point?"
Yes, you have made your point. However, I have a counter point to make. We're comparing two different things I believe. I was talking about individual patches, you're talking about cumulative updates in most of your links here. Even the big single one you show is 1/4th of the size of Firebird. (Mozilla? I keep getting the names confused.) Most of the quick fixes I've installed were tiny, well under a meg. When installing anew, I can download the one big cumulative update. Yeah, big download, but an occasional one. My point? Updating Mozilla via uninstall/reinstall for a simple fix isn't so efficient, never mind the drastically simpler interface IE gives you.
For the record, I'm not an IE zealot. I don't like it really. I'm an Opera zealot. That's a 4 meg install. I hate updating it for similar reasons.
"Derp de derp."
The main executable for firefox is ~6MB... It would seem to me that this is not a very efficient method for updating the program. Perhaps they'll design the next version with modules that can be updated more efficiently by smaller downloads?
Anyone know why the version information for the file for 0.9.3 lists 0.9.0.0? Right click firefox.exe and then properties then version tab.
IE has an executable of a few KB (WinXP).
During the recent Ject issue, I looked into trying to rip out IE. I have like 120 machines to look after, I don't have the money to active directory, and I have certain limits. I'll use psexec but even so, it's a long tedious job maintaining 120 machines.
Now, getting back to IE, yes, I did look at ripping it out. Not so easy on XP Pro as any user who signs in gets linked to the program in default. I could banjax the program directory, and stop it being used that way, but if I do that, I believe I can still call windowsupdate.com via an explorer window. I presume however, that anyone using the same method uses the same culpable browsing that impairs IE. Thus I'm not really solving the problem, just fending it off until the users get smart.
In terms of Mozilla and Firefox, sadly I have to say the security failure regarding :shell: made me rather glad I hadn't committed a massive workload in the name of switching to a new bug-ridden, security glitched browser.
Today, I'm told if I had rolled Mozilla, someone's just committed me to a wholesale re-roll out just because they can't patch, they have to fix it in a new install.
I've said it before, I'll say it again, doing this to me just puts me right off even contemplating it. Next week, watch out, the next Mozilla issue will rear its ugly head.
I sadly have to put aside the OSS/MS stuff, because whatever I put out there has to work, and it's not about Ideology, I do not care about Ideology. Mozilla is a fine effort, but the security side leaves much to be desired. One is hard pushed to claim that it's a quantum leap in browser security.
AdmV
We're all equal
I've once again run into one of the classic free/open source software problems that seem to plague even the larger projects like mozilla.
I run Debian linux on a PowerPC mac, and it's not at all easy to find pre-built binaries for my architecture and platform combination. "No worries," I say to myself, I'll just grab the source code and build it myself (which I was able to do successfully for the 1.7 release, and am running at this very moment). Well, the released 1.7.2 code does NOT build, even with the instructions on the project's UNIX build pages. I checked again, but to no avail.
Moz developers, I know you all have quite a bit on your plates, but sometimes it wouldn't hurt to do a clean build, from about-to-be-posted source and instructions, to make sure all that's being released is actually fit to be released...