
#1 2005-09-20 22:32:08

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

[URGENT] Firefox 1.0.6 in CURRENT!

It seems that, of the security vulnerabilities fixed in 1.0.6, one was an extremely critical vulnerability affecting UNIX/Linux systems, involving URL shell script injection. This allows websites to remotely execute code on your machine, and is a huge security risk. Given that the Testing repo is not used by most users, Firefox 1.0.6 should really be included in Current.

(Would someone please put something about this on Flyspray?)


#2 2005-09-20 22:42:41

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Gullible Jones wrote:

one was an extremely critical vulnerability affecting UNIX/Linux systems, involving URL shell script injection.

Don't run firefox as root? Now it's no longer critical... worst case scenario they "rm -rf ~".

Gullible Jones wrote:

(Would someone please put something about this on Flyspray?)

Because your fingers broke?


#3 2005-09-21 01:10:51

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Phrakture wrote:

Don't run firefox as root? Now it's no longer critical... worst case scenario they "rm -rf ~".

Okay, so it's downgraded from critical to critically annoying. And don't forget that it would probably be possible to stick in a rootkit.

Because your fingers broke?

No, because I like to remain anonymous, and on Flyspray you can't.


#4 2005-09-21 01:14:08

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Gullible Jones wrote:

No, because I like to remain anonymous, and on Flyspray you can't.

Why?


#5 2005-09-21 01:26:34

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Huh? You've registered on bugs.archlinux.org haven't you? Real name is required...

(On second thought... If I put in "anonymous", would it veto my registration?)


#6 2005-09-21 04:47:04

alexmat
Member
Registered: 2004-12-31
Posts: 100

Re: [URGENT] Firefox 1.0.6 in CURRENT!

guys, this is serious. I rely on arch linux to be a secure os. I don't care if a machine gets hosed with a rootkit (30min max reinstall), but if I lose my data I am behind a day or two (which is roughly how often I run backups). And in general for regular users (like friends I've recommended arch to), their data is more important than their system (and many don't run backups).

Yes I know I can build a package myself or use testing, but I feel like one of the best parts of arch (easy frequent updates) has been lagging. I know libtool slay is going on, but a lot of packages like lighttpd are being built for both current and testing. I imagine Firefox is used by many more people than lighttpd, please.. please give us an update. It's been over a month now since 1.0.6 came out.

I've held off bitching about this for a long time because I understand how hard it is to switch to gcc 4.0 and the libtool stuff, but I really hope this is resolved sooner than later.


I hope this isn't coming off as a flame. I love arch and respect the time and commitment of all the developers and TUs.

<3 :D


#7 2005-09-21 05:36:36

murkus
Member
From: Europe/Helsinki
Registered: 2004-03-19
Posts: 254

Re: [URGENT] Firefox 1.0.6 in CURRENT!

phrakture wrote:

Don't run firefox as root? now it's no longer critical... worst case scenario they "rm -rf ~".

alexmat wrote:

guys, this is serious. [snip] And in general for regular users (like friends I've recommended arch to), their data is more important than their system (and many don't run backups).

Hear, hear!

This is the single most annoying thing in conversations regarding linux security. Reinstall isn't nearly as frustrating as losing all your data. I would hazard a guess that most users don't regularly backup theirs.

.murkus


#8 2005-09-21 06:56:56

elasticdog
Member
From: Washington, USA
Registered: 2005-05-02
Posts: 995

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Yarrr...it's hard to keep up!  Firefox version 1.0.7 has now been officially released.  It's a security and stability release with one especially important update for Archers:

"Fix to prevent URLs passed from external programs from being parsed by the shell (Linux only)"

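The 1.0.7 release note elasticdog quotes, and the "URL shell script injection" Gullible Jones opened the thread with, describe one bug class: a program hands a URL to a helper by building a shell command string, so shell metacharacters that are perfectly legal in a URL get interpreted instead of passed along. As an added example (not code from this thread, from Mozilla, or from Arch), here is the hardened launch pattern in Python: the URL travels to the child as a single argv element with no shell in between, and when a shell genuinely cannot be avoided, every element is quoted with shlex.quote. The stub "browser" (a Python one-liner that echoes its first argument), the constructed URL, and the plausibility allow-list are all my assumptions for the demonstration; the allow-list deliberately admits $ ; & and friends, because RFC 3986 does, which is exactly why input filtering alone cannot fix this and argv passing is the real fix.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for the browser: prints its first argument exactly as received.
# (Assumption for this example; a real launcher would name the browser binary.)
STUB_BROWSER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed test URL: valid per RFC 3986, yet full of shell metacharacters.
# Passed through `sh -c` unquoted, $HOME would expand and ';' would split commands.
SAMPLE_URL = "http://example.com/?q=$HOME;x=1"

# Defense-in-depth allow-list: RFC 3986 unreserved + reserved characters plus '%'.
# Note that it still admits shell metacharacters, so it is a sanity check, not the fix.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def is_plausible_url(url):
    """Reject whitespace, control characters and anything without a scheme."""
    return bool(URL_CHARS.match(url)) and "://" in url


def build_argv(browser, url):
    """Argument vector for launching `browser` on `url`: one element per argument."""
    if not is_plausible_url(url):
        raise ValueError("refusing to launch non-URL argument: %r" % (url,))
    return list(browser) + [url]


def launch(browser, url):
    """Hardened form: list argv, shell=False, so the kernel gets argv via execve
    and no word splitting, globbing or variable expansion ever happens."""
    result = subprocess.run(
        build_argv(browser, url), capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


def shell_command(browser, url):
    """If a shell is unavoidable (e.g. a handler string in a config file),
    quote every element so the shell reconstructs the same argv."""
    return " ".join(shlex.quote(a) for a in build_argv(browser, url))


def launch_via_shell(browser, url):
    """Run the quoted command line through sh -c; the URL still arrives intact."""
    result = subprocess.run(
        ["sh", "-c", shell_command(browser, url)],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("argv launch   :", launch(STUB_BROWSER, SAMPLE_URL))
    print("quoted sh -c  :", launch_via_shell(STUB_BROWSER, SAMPLE_URL))
    print("plausible?    :", is_plausible_url("http://example.com/ rm"))
```

Both launch paths hand the child the literal string `http://example.com/?q=$HOME;x=1`; the `$HOME` is not expanded and the `;` does not start a second command. The allow-list only catches obviously malformed input (embedded spaces, newlines), which is the right division of labour: validation narrows the input, argv passing removes the interpreter.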

#9 2005-09-21 08:40:38

alexmat
Member
Registered: 2004-12-31
Posts: 100

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Yarrr...it's hard to keep up!

But it shouldn't be! 1.0.6 was released around July 23rd, it's now Sept 23rd. Two full months since the 1.0.6 release and current still has 1.0.4. Is there any good explanation why such a heavily used app has not been updated, especially when the updates include security patches? Not trying to be a smart ass, but it's kind of a let down for a distro as agile as Arch.

Btw, I'm personally running the testing build of 1.0.6. I'm not complaining for my own sake, but.. THINK OF THE CHILDREN ;P


#10 2005-09-21 09:24:37

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Yeah, gcc and libtool slay are the reason.  I was talking to shadowhand about this last night and we both feel they should have been done separately.  Then at least after the gcc migration we'd have some recent pkgs - now we have to wait for both projects to be done before we see ANY new pkgs!


#11 2005-09-21 10:57:49

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Maybe someone could make a PKGBUILD and upload it to the AUR, then ask if the package can be transferred to Current?


#12 2005-09-21 11:32:26

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Gullible Jones wrote:

Maybe someone could make a PKGBUILD and upload it to the AUR, then ask if the package can be transferred to Current?

Why on earth would that help?  I'm sure the devs are more than capable of making the PKGBUILD - my suggestion is file a bug report and then we'll all go over and say "aye!"  People power is the way to go here.


#13 2005-09-21 15:05:17

ozar
Member
From: USA
Registered: 2005-02-18
Posts: 1,686

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Might as well wait, because 1.0.7 is out now:

http://www.mozilla.org/products/firefox … 1.0.7.html

Edit: oops... just saw ElasticDog's post! :oops: :P


oz


#14 2005-09-21 16:42:53

Vardyr
Member
Registered: 2004-04-21
Posts: 9

Re: [URGENT] Firefox 1.0.6 in CURRENT!

I've posted the bug: http://bugs.archlinux.org/index.php?do=details&id=3205

I've included a list of vulnerabilities discovered and patched since 1.0.4, which is the current version in [current], and left out the other bugfixes... meaning my list consists of only the security vulnerabilities patched since 1.0.4.

-Vardyr


#15 2005-09-21 17:50:42

alexmat
Member
Registered: 2004-12-31
Posts: 100

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Way to go Vardyr and might I add, a very good bug report (I feel a little guilty for not having done it when I first posted).

Hopefully the Mozilla crew fixes the source release issues soon and this will all be better. I checked out bugzilla a few minutes ago and it looks like someone is looking into the bug already.

dibble said it best: "People power is the way to go here."


#16 2005-09-23 23:17:29

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Wait a minute, guys... Is the vulnerability a Gecko thing, or is it Firefox-specific? Could it be avoided by using Galeon?


#17 2005-09-24 02:21:34

shadowhand
Member
From: MN, USA
Registered: 2004-02-19
Posts: 1,142

Re: [URGENT] Firefox 1.0.6 in CURRENT!

1.0.6 should have been in Current a long time ago (like, within a week or so of it being released), but it's not going to be for a while. Why? Well, that's hard to answer (afaik).

Also, remember that the devs rarely seem to answer/read the forums. At the moment, they are all currently tied up with 0.8 (GCC 4.0 + libtool slay) as Dibble already mentioned. I told Dibble I would be more than happy to package 1.0.6, but being able to do it, and actually having it be accepted by the devs are two totally different issues.

For now, I'd say let it rest. If you are honestly worried about it, you can find Firefox 1.5b1 and Opera 8.5 in my repository (look at sig).


·¬»· i am shadowhand, powered by webfaction


#18 2005-09-24 14:59:19

stonecrest
Member
From: Boulder
Registered: 2005-01-22
Posts: 1,190

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Firefox 1.0.7 has been in testing for a few days, you can use that. I've been using it without any problems (I live on the testing repo ;)).


I am a gated community.


#19 2005-09-24 18:49:25

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: [URGENT] Firefox 1.0.6 in CURRENT!

Yep, Testing repo is quite stable.

(Come to think of it, it was quite stable when I used it last year... What can I say, cutting-edge stuff is more stable than people give it credit for.)

BTW, were there some rendering speed improvements in Firefox 1.0.7?

