2004-06-15 Trunk builds
- Fixed: 246448 - A security hole in Firefox, Internet Explorer, and Opera. (The fix made it into Firefox 0.9 as well.)
- Fixed: 105892 - "Resolving host xyz.foo.bar..." should be "Looking up xyz.foo.bar...".
- Since June 6: 246419 - Bookmarks file converts ' to ' in bookmark title.
- Since May 10: 243387 - about:plugins broken.
Official Windows, Official Windows installer (discussion)
All official Linux builds are now gtk2+xft, so I'm going to omit the phrase "gtk2+xft" from build descriptions from now on.
June 15th, 2004 at 4:28 pm
about:plugins WFM, except that it’s not styled nicely.
June 16th, 2004 at 1:21 am
Shouldn’t 246448 be a reason for releasing a 0.9.1 version?
June 16th, 2004 at 2:26 am
You are not authorized to access bug #246448.
why is a regular user like me not allowed to see bugs like this one ?!
is mozilla starting to act like MS ?!
or what the hell did i do wrong ?
(i logged in as always and i can access all other bugs).
what is this bug about ? phishing ?
when exactly has it been fixed ? (i’m using branch-builds). do i have to update ?
(i would know all this if i was able to access the bug :D).
June 16th, 2004 at 4:39 am
I hadn’t thought of that, i.e. *when* was it fixed. Jesse, do you know if the fix to 246448 made it before 0.9 ?
June 16th, 2004 at 4:58 am
my guess is it is a URI obscurification bug… based on current discovery trends… btw mozilla’s security bug handling policy is nothing like MS’s
http://www.mozilla.org/projects/security/security-bugs-policy.html
Mozilla’s makes sense ;)
June 16th, 2004 at 8:24 am
Tom: This has been Mozilla’s policy on security related bugs for as long as I can remember. Read curious’s link. The first version of that page is from November 2001.
June 16th, 2004 at 9:36 am
0.9 rc1 was vulnerable to bug 246448, but 0.9 is not. If you have a branch build from before 0.9, it is probably vulnerable.
June 16th, 2004 at 10:37 am
thank you for the info, curious, Logan and Jesse. i’ve got 0.9 final now.
i don’t really understand/like the policy. when i click on this bug, i get
You are not authorized to access bug #246448.
this is of no help at all. i understand that not every user should get ALL the information about this bug, but it would be better to redirect to a page containing some information about the bug and containing a warning: update to version xy !
June 17th, 2004 at 3:03 am
The part of the security policy that obfuscates information about the bug by not making it available to everybody, while the code is open source, and the bug was fixed in CVS, is strange to me.
You can go to tinderbox and find out when the bug was fixed, with a pointer to the CVS commits, which will tell you almost everything you need to know to exploit the problem.
I think that as soon as the bug is fixed, the bugzilla bug database should be opened.
They should at least introduce levels of visibility for the comments, and let logged-in users at least see the summary page, while not seeing some or all of the comments.
June 17th, 2004 at 3:26 am
Jerome: I agree that it’s strange. If you figure out an exploit based on the public information you mentioned, I’ll open the bug immediately ;) This offer is valid for bug 246448 and for most other security holes I found, but not for bug 162020.
June 17th, 2004 at 10:07 am
Not sure if it’s this bug or not:
http://www.securityfocus.com/bid/10532/discussion/
June 17th, 2004 at 3:34 pm
It doesn’t really matter what you call it. Security through obscurity is never really secure.
June 17th, 2004 at 5:32 pm
The only thing protecting users *before* I found the hole was security through obscurity, too!