Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release
Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."
The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.
What a fool believes, he sees, no wise man has the power to reason away.
A fix already exists, it's just not in the official release.
Sigs are too short to say anything truly profound so read the above post instead.
Because the vulnerability was not disclosed to Mozilla at first.
What a fool believes, he sees, no wise man has the power to reason away.
RTFA. The fix is already there in the beta version of Firefox 3.6.2. They're QA-ing it.
QA. New releases need to go through QA anyway to make sure they haven't botched anything up.
Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.
Are you being intentionally ridiculous?
The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.
Nerd rage is the funniest rage.
As someone else already quoted:
Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability
You can already go and download that 3.6.2 beta if you want, I did.
The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.
RTFS
March 30th.
1) about:config
2) app.update.channel = beta
And join the beta testers :)
There is someone, somewhere that would likely fix it and recompile.
If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.
(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)
Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.
Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.
I am TheRaven on Soylent News
If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.
What a fool believes, he sees, no wise man has the power to reason away.
The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.
When I go to mozilla.com, a big green button offers me a .tar.bz2 with a distro-agnostic Firefox binary. Isn't that what you mean?