Slashdot Mirror
Firefox 1.0.7 Released
hackajar writes "Firefox 1.0.7 has been released today. From the announcement "Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.""
I've been running it for 3 minutes, and I must say... it's VERY stable. Probably more so than ever!
(please understand this is a joke)
...are here here.
Also, from the Mozillazine article, looks like Portable Firefox has been updated as well.
And I'm posting this with 1.0.7, good times...
The Army reading list
Slashdot subscription: $10.00.
Getting to download the next version of Firefox before the site gets Slashdotted: priceless !
That's perfectly fits with yesterday's news about Mozilla foundation being more reactive to security fixes than M$.
And yet again, users of localised build were left in the cold.
Think about your grandpa, who doesn't know english. He can't use non-translated build and is left with vulnerable, older version.
Good work, Firefox developers!
:wq
Download it now if you're impatient, or wait a day or two for it to appear in the browser updates, as usual.
The unix/linux bad-link problem allowing malicious URLs to run shell scripts is a bit nasty. Maybe Symantec wasn't entirely blowing smoke the other day with their warnings about Firefox not really being that much more secure than IE. The patches come out faster, but there sure are some nasty bugs in there yet.
Ok, I'm a geek and all, but this week I just installed 1.5 Beta 1 - so is it now vuln to this, whereas 1.0.7 is not? I understand branches, tags and such, but after awhile this could really confuse joe_user. Is anyone trying out the new Opera since it's now free? I've only tried the Win version, but darnit, it's very nice. Tonight I'll try it on Unbuntu, after updating FF to 1.0.7 of course (I don't run dev software at home, else I"ll hear about it crashing from my wife! ;))
bad_outlook
--
Is this vague enough for you?
I've tried to hammer 1.0.7 and see if I could reproduce the same crashes that happened in 1.0.6 and this issue *seems* to be fixed. Also, upgraded to (ewww!) Flash Player 8. Seems to be an improvement as well. (I say this because the previous issue usually happened on sites with Flash)
Not to take either side on this I have to disagree with your the relavance of your argument. The web has changed drastically since IE was first made.
The british latest is still 1.0.6.
I can't understand why bugfixes, which wont change any of the text shown to the user (other than perhaps the version number), cannot be released for all locals at the same time.
wow, amazing what speeds I saw on that, over 1mbit which is pretty nice. Sure its not a super large file, but nice to see good speed when the server hasnt been /.'d
;-)
Now I wonder if my extensions will crash or act buggy...ah, well....the price was right
Too many regressions caused by security updates, and people will turn off auto-update. That's the very reason that Microsoft moved to a monthly update cycle. Getting updates out quickly is important, but unless the security hole is being actively exploited, it's probably more important to make sure nothing else gets broken by the fix. If you convince people not to install updates, then you're in really big trouble.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
Now will it stop using anywheres from 73,788 K to 253,000 K RAM? I thought Firefox was supposed to be small and efficient, but that's the ram usage reported by Task Manager.
C:\>
That is not a problem, it is a feature that has already been explained in this article. Hint: try going to http://download.mozilla.org/?product=firefox-1.0.7 &os=win&lang=en-US
Will middle-clicking to oplen a link in a new tab
ever show up in an official release for OSX? It's really retarded that I must rely on nightly betas in order to use this simple feature, in which case I can't use most of the plugins that made Firefox attractive to me in the first place. Very frustrating.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
and now after the upgrade none of my extensions work. They are there but none of them are active.
From the trunk, every so often (less frequently in the last two years) branches are cut. These branches are the 1.x branches, and from them the stable releases are created. Currently we have the 1.7 branch as the long-lived stable-branch (MoFo is committed to keeping its builds from this branch updated with security fixes for a while yet, while not changing its functionality). Mozilla 1.7.11 and this release, Firefox 1.0.7, are made from this branch. Also expect upcoming Thunderbird 1.0.7 and Mozilla 1.7.12 releases.
The Aviary 1.0 branch is basically the same as the Mozilla 1.7 branch, but is referred to specifically when talking about Firefox and Thunderbird. (It's more a CVS branch tag than something you should know about.)
Then, only recently, the 1.8 branch was created. A number of must-fix bugs still present on this branch have been identified, and these are currently being worked on. Once that's all done, Firefox 1.5, Thunderbird 1.5 and SeaMonkey 1.0 (the successor to the Mozilla application suite) will be released from it.
Deer Park 1.5 Beta 1 and SeaMonkey 1.0 Alpha were releases from this newly formed 1.8 branch, to show what is being worked toward.
It's likely that version numbers of all products/projects will converge at 2.0 in 1-2 years - although this might come after Mozilla 1.7.11 or thereabouts, depending on the necessary functionality specified for Mozilla/Gecko 2.0 (so based on what the backend needs, not frontend functionality).
Of course, it's just as likely that this won't happen. I'd bet MoFo itself doesn't know yet. They're not all that good at planning ahead.
I've had a problem with Firefox lately (starting around build 1.04, which may just be coincidental with a new malevolent popup technique being invented) on both my Windows and OSX boxes. Specifically, there are certain ads that cause Firefox to crash hard, and they aren't just bad ads from porn sites. I've occasionally gotten them on Blues News and NY Times for example.
In some cases, I'm lucky to get an exception and can restart Firefox. However, in most cases, the application freezes. On OSX, I get the swirling beach ball of death and have to manually force quit Firefox. On windows, I can usually close Firefox, but only the main window closes. I still have to manually kill the process before I can start a new instance.
Since then, I've moved on to 1.5 alpha and it while I don't believe I am currently experiencing those problems, 1.5 alpha has a whole new set of problems all its own.
My question is... have these ad related crashes been fixed (or am I the only experiencing them)? I'd like us to the most stable version possible, but when 1.5 alpha is better than the 1.0x builds, I'm left wondering what went wrong...
If this isn't resolved soon, I just might have to give AdBlock another shot. I'm trying to be a good netizen, but when you're ads kill my browser, you leave me with little choice!
Bryan
http://ftp.mozilla.org/pub/mozilla.org/firefox/re
Mac OS X
http://ftp.mozilla.org/pub/mozilla.org/firefox/re
Windows
http://ftp.mozilla.org/pub/mozilla.org/firefox/re
As usual means you wait up to two weeks before an arrow shows up or if you decide to manually check for updates under Tools>Options>Advanced>Software Updates.
I like Firefox but being forced to wait days -- or longer -- for a security update is utterly pathetic. If I wanted a browser with known exploits that I can't patch I'd use IE.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
Ah. Mozilla has lept upon more discovered holes and promptly fixed them.
And somehow, these fixes make the browser all the less secure in the eyes of the big guys.
>> Standing on head makes smile of frown, but rest of face also upside down.
That's simply unacceptable. Whether the reason is good or bad, and I'm understanding of the bandwidth issue and the costs associated, we're leaving potentially millions of machines open to exploit. Hardly a claim to a more secure future.
I can't wait until 1.5 goes live and we can ditch this stupid unmodular system that we've been 'graced' with.
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
So you're saying that Firefox is string 750MB of data it got off the web?
Well, let's see, my DSL is quite fast, it is 6mbits/second actually (lucky me). That means that Firefox is storing the equivalent of 1,000 seconds or about 20 minutes of continuous downloading. For other people it could be easily double that.
Why doesn't that seem entirely correct to me? I'd know if I sat through 20 minutes total downloading.
BTW, IE doesn't soak up as much RAM, and it's pretty damn fast.
Firefox probably needs to look at more memory-efficient caching.
http://lkml.org/lkml/2005/8/20/95
but unless the security hole is being actively exploited, it's probably more important to make sure nothing else gets broken by the fix.
Enter the paradox: If the fix isn't released until a month, the security hole CAN and WILL be actively exploited.
In other words, is it worth to replace a critical bug (security) with a minor bug (annoyance)?
Year your are dreaming, but the girls are cute.
http://www.mozilla.org/mirrors.html
I been searching everywere for a HP-UX port. What I don't understand is that mozilla has builds for OS2 but not for HP-UX. I don't know you guys but I think HP-UX has way more active users than OS2.
I know there is a "official" HP mozilla build. But I like more firefox (slimer and faster). Specialy because my desktop is not that fast (PA8500 400mhz).
BSD licensed software can't be stolen....
For Firefox 1.0.8 to be released
a new feature would have been nice
doesn't give Firefox the right to fix bugs while the Microsofties are distracted and obvlivious ...
-- Tigger warning: This post may contain tiggers! --
If you think it was stable before, you ain't seen NOTHIN' yet! Now it's also barn and silo!!!
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I noticed some of these too. Quite annoying. Instead of using Adblock or something similar, first try downloading a good hosts file for blocking ads. Info and links
My beliefs do not require that you agree with them.
This Firefox release is an opportunity for me to ask a question I've been thinking a lot about lately: on GNU/Linux, is the web browser a package that's better handled outside of the context of the distribution's package manager? I'm running Gentoo right now, and I love Portage, but there will at least be some delay between the Firefox release and a new ebuild being available. And in order to emerge this new release I'd need to sync my Portage tree again, which I don't have any other particular need to do right now (once or twice emerge sync has caused me problems, usually because it causes me to subsequently update some package that I originally emerged with USE flags set that I neglected to add to my make.conf).
Anyhow, the basic idea is that Firefox is a package that has to be updated at specific times, and I know when those times are, and they aren't necessarily times that my system as a whole needs to be updated.
There are few other packages that depend on Firefox; all I can really think of are plugins and extensions. Plugins don't typically require a specific FF version, and I get my extensions centrally from mozdev. So can you guys think of anything I'd lose by unmerging FF from Portage, installing a stub in its place, and just using the official builds from mozilla.org? Besides the potential optimization? (I would say integration and consistency with the overall system in terms of file placement and stuff, but... that doesn't seem to happen anyway. It's not an easy thing to fit a huge X application into Unix directory conventions based on the concept of many small programs doing one thing well...)
The main other package to which I'd apply this type of thinking is OOo. I wouldn't apply it to KDE or Gnome (though I don't directly use either) because they contain many useful libraries, and I feel that the handling of libraries is a real strength of package management systems. Can you guys think of any other packages that might not be best handled by package management?
That's not such a good idea in general. Installs from the distro are tested and signed (pretty sure not to be infected with viruses) whereas Firefox's update system assumes behavior of crappy OS like Windows that doesn't auto-update all programs as needed. Auto-update is a good idea but they should strive to work with existing update infrastructures when those exist. There is to much conflict between apt/yum/rug/whatever and Firefox's own update system and it does cause bugs and odd behavior sometimes. That doesn't make it a good idea to abandon the update infrastructure provided by your distro. :)
On the other hand I think distros need to recognize the need of users to install software at the user-level and make their packages and package mgmt system work better for that. As it is they tend to make it difficult to install packages just for a single user.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
It doesn't matter what groups you are in (or who owns the directory). Barring things like a suid firefox (which is a sign that someone needs to learn more about how *nix works) and sudo (which is a sign that someone might need to learn more about how *nix works), it runs as the user who launched it.
Heh, a list of many complex actions involving different user ID's, directories and other computer "magic" as seen from a users perspective, followed by:
i s-so-cool-i-kick-your-ass stuff - I know, i use linux and firefox. but that still doesn't make it an easy install. The distro install, incidentally, is pretty easy though, so just wait for the vendor updates mmmkay?
"The install was as easy as anything packaged by Vise or InstallShield"
Can you please pass some of that crack you seem to be smoking? I'm a big linux fan, but installing anything, not in the least a user install from firefox, does not compare with the "double click setup.exe" from vise or installshield.
And before all the fanboys knee-jerk with the security/spyware/virus/whatever-my-linux-kung-fu-
People who think they know everything are a great annoyance to those of us who do.
I see your point, but using stand alone package installers and the like defeats the main purpose of the distribution system over just a plain old bacon and eggs OS like Windows. This is supposed to make the distro system easier to deploy mainly by administrators, but reducing the level of case-by-case support they have to dish out. For the home user, such solutions may work more easily, but it still defeats the whole point of a distro. For example, if a similar update attitude was suddenly adopted by all the dozens of projects used in the modern distro, one can clearly see how soon it would be before the whole thing would just fall apart.
Check your 'about:config' to make sure the 'accessibility.browsewithcaret' setting is set to 'false'
The worst that should ever happen is that you lose any new data (from this morning until now).
The really important data is usually kept inside databases that the user does not have rights to delete.
Wiping out your home directory is only "annoying" (unless you have an important meeting in a few minutes).
Infecting the system is "BAD" because then EVERYONE's data is vulnerable AND you cannot trust last night's backups. You must go back and find out when you were infected and, in some cases, recreate ALL of the data that was in those databases since that point.
Sure, the user might be pissed that his spreadsheet was deleted by the "cool screensaver" that he just tried to download AND he has a meeting with the division president in the next 15 minutes
but that don't mean jack when the CFO notices that none of the numbers match for the last 3 months anymore.It's not a "miracle cure" but it does protect the most important information the company has.
Ideally, the user's home directories will be set to non-execute so that crap they download won't destroy their data.
Even with both of those in place, I still get people who DELETE THEIR OWN FILES and need them restored from the night before.
Security is all about IDENTIFYING the risks and REDUCING them.
I can reduce the risks of everything else to a point below that of regular human stupidity. But nothing will ever save you from that.
As it curently is, Firefox 1.5 beta isn't for everyone. I installed it an ran it when it was launched and I simply can't use it. It just segfaults at startup without warning what caused it.
I don't know if this problem is frequent or if there is a fix for it but at least that little showstopper made it impossible for me to try 1.5.
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
Now I have a version of Firefox that runs as me instead of running as root, which I'm sure is a lot more secure than the way I had it last time.
I don't think so.
Normally, you install as root, and run as user.
This means, that, as a user, you cannot damage your installation.
Now, you run as the same user that installed it.
This means that you can damage the installation as well.
It seems that certain organizations are trying to hype every vulnerability that can be associated with FireFox. From my point of view they'd be ranked like this:
#1. Remote root access that does NOT require human intervention or other app running.
#2. Remote non-root access that does NOT require human intervention or other app running.
#3. Local root access that does NOT require human intervention or other app running.
#4. Local non-root access that does NOT require human intervention or other app running.
#5. Local root access that requires some human interaction or some combination of apps.
#6. Local non-root access that requires some human interaction or some combination of apps (this is where this exploit is)
#7. Remote OS crash
#8. Remote app crash
#9. Local OS crash
#10. Local app crash
This is MY opinion. Get your own opinion. There is no way this exploit is "critical". It's one step above a stupid DoS attack and would NOT affect ANY of my servers.
Then, as me, I set up a directory called Firefox107. I made a directory under that one called Firefox as the installation area for the install of Firefox 1.0.7. I then downloaded the Linux installer for 1.0.7 directly from mozilla.org. I untarred/gunzipped the installer into the Firefox107 directory. It made a firefox-installer directory under Firefox107 where I then clicked the firefox-installer script to start the install process. Again, I installed as me, not as root.
I don't know about you, but I clicked 'download now', then double-clicked 'Firefox Setup 1.0.7.exe', then I had a lie down, the effort required was just that bit too much for me. Bring on the auto-update, that's what I say!
Someone seriously needs to mod the parent UP. This is a very insightful observation about one of the fundamental, systemic problems with desktop OSes (Linux-based and otherwise).
The fact that it is possible for an application to be installed by any mechanism other than the official method provided by the desktop/OS, thus straying from all standard conventions defined by the desktop/OS, means it's too easy for users to screw up and break things. The fact that an application must come with its own installation executable just illustrates how the desktop/OS is failing to provide the services the application developers need.
The desktop/OS should require a software package to provide a data-based manifest of installation actions it needs (generally similar to Microsoft's MSI/Windows Installer technology, but without the notion of Custom Actions), and the desktop/OS should execute the installation. And that should be the ONLY way for anything to get installed onto the system (unlike the architecture of Windows, where standalone installers such as InstallShield can still bypass the central MSI/Windows Installer way of doing things).
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
while I am using Opera right now (I downloaded it back when they had the party where they gave away free codes), I doubt I will keep it. While some pages that didn't work for firefox do work for Opera, I have noticed the oposite as well...and the pages that don't work for Opera are more important to me than the ones that don't work for firefox. Opera has also crashed on me several times, and I have never had a problem with firefox crashing.
I honestly don't care about the whole open source thing. I don't have a problem with companies keeping their source private. Hell, they wrote it. However, it seems to me that firefox is simply a better product that either IE or Opera.
This is a pretty serious troll. There is no install on windows, install shield or otherwise that you can install with a double click. The double-click starts the installer, then you answer a series of questions. Afterward, you configure the app manually.
On linux you apt-get install app or select it and then click install in synaptic. Then configure the app manually. For many things you can simply run appname-configure afterward to configure.
In case you haven't noticed, the processes are mostly the same, except that linux does not require you to answer the string of questions.
If you have any extensions installed, try disabling them and see if that fixes the problem.
The shareholder is always right.