#1 2009-07-18 08:12:54

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529

Firefox 3.5 zero-day exploit

Well, it's happened again to Firefox.  I hate to see this happen.  Firefox is my favorite browser and I really like the work that they are doing - they are making a great browser.  And though people complain at times, I appreciate the work they do in helping bring it to Linux.  However, this is the second time it's happened (one time in 3.0.10(?)) and this is no "you may experience slow-downs on flash site" bug.  This is an exploit that can allow a hacker free access to your system.  I just read about it here:

http://www.linuxtoday.com/news_story.ph … 5-SC-CY-SW

for any that want to see it.  3.5.1 is out now and any that know how might want to use abs to update to the new version.  I updated the pkgver to 3.5.1 and built/installed; I'm pretty sure that should be enough.

Just wanted to give everyone a heads-up.

Last edited by Gen2ly (2009-07-18 08:15:43)


Setting Up a Scripting Environment | Proud donor to wikipedia - link

#2 2009-07-18 08:40:26

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: Firefox 3.5 zero-day exploit

3.5.1 doesn't seem to be in [extra] or [testing]...?

http://www.archlinux.org/packages/?sort … =&limit=50


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#3 2009-07-18 08:46:57

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: Firefox 3.5 zero-day exploit

Gen2ly wrote:

for any that want to see it.  3.5.1 is out now and any that know how might want to use abs to update to the new version.  I updated the pkgver to 3.5.1 and built/installed; I'm pretty sure that should be enough.

Just in case, if you're using ABS, make sure you rebuild xulrunner, not only firefox.

#4 2009-07-18 10:49:13

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: Firefox 3.5 zero-day exploit

3.5.1 seems not to be there yet, http://releases.mozilla.org/pub/mozilla … .1/source/ says

Firefox 3.5.1 is coming soon!

Thanks for your interest in the upcoming release of Firefox 3.5.1, but there's still a bit more left to do before we're ready. We're asking for our users and fans to be patient and wait until it appears on the official Firefox website before downloading.

#5 2009-07-18 11:06:13

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,556

Re: Firefox 3.5 zero-day exploit

Ramses de Norre wrote:

3.5.1 seems not to be there yet, http://releases.mozilla.org/pub/mozilla … .1/source/ says

Firefox 3.5.1 is coming soon!

Thanks for your interest in the upcoming release of Firefox 3.5.1, but there's still a bit more left to do before we're ready. We're asking for our users and fans to be patient and wait until it appears on the official Firefox website before downloading.

ftp://ftp.mozilla.org/pub/firefox/releases/3.5.1/

#6 2009-07-18 12:49:22

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: Firefox 3.5 zero-day exploit

...I was talking about an Arch x86_64 package, not the source :)


#7 2009-07-18 23:01:11

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,600

Re: Firefox 3.5 zero-day exploit

Looks like it's there now :)

# pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra                    377.0K  429.6K/s 00:00:01 [##############################################] 100%
 community                370.0K  271.5K/s 00:00:01 [##############################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...

Targets (15): brltty-4.0-1  xulrunner-1.9.1.1-1  firefox-3.5.1-1  lib32-glibc-2.10.1-3  
              lib32-e2fsprogs-1.41.8-1  lib32-gcc-libs-4.4.0-5  lib32-libgl-7.4.4-1  lib32-libjpeg-7-1  
              lib32-libxml2-2.7.3-2  lib32-libxt-1.0.6-1  lib32-mesa-7.4.4-1  recode-3.6-3  enca-1.9-4  
              libass-0.9.6-2  vlc-1.0.0-5  

Total Download Size:    41.50 MB
Total Installed Size:   143.15 MB

Proceed with installation? [Y/n]

#8 2009-07-18 23:08:46

Ed4
Member
Registered: 2009-07-01
Posts: 2

Re: Firefox 3.5 zero-day exploit

Bad news, there's a second vulnerability that affects firefox 3.5.1, too.  No fix yet. 

http://xforce.iss.net/xforce/xfdb/51729

I recommend NoScript as a workaround for both of these.  Don't allow JavaScript from any site you don't have to.

#9 2009-07-24 11:54:03

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529

Re: Firefox 3.5 zero-day exploit

+1 for NoScript.  Never heard of this before.  It blocks JavaScript and only allows it for sites you tell it to trust.  Very nice!  Also finally got rid of those rollover ads.

