
[security] SeaMonkey 1.1.10 and Firefox 2.0.0.15


Manuel Reimer

Jul 6, 2008, 7:18:56 AM
Hello,

security releases of the two Mozilla based products "SeaMonkey" and
"Firefox" have been published 2008-07-02 and 2008-07-01 by the project
maintainers.

So far Slackware has *no* patch package! At least one of the holes, in
detail this one: https://bugzilla.mozilla.org/show_bug.cgi?id=419846
seems to be trivial to exploit and will *definitely* allow anyone to run
any code in user context!

Slackware could be so great, if security patches would be published *in*
*time*... :´-(

CU

Manuel

Simon Sibbez

Jul 6, 2008, 7:21:09 AM
Manuel Reimer wrote:

> Slackware could be so great, if security patches would be published
> *in* *time*... :´-(

Yes, I agree.

At the moment patch support SUCKS.

-- Simon

Manuel Reimer

Jul 6, 2008, 7:59:58 AM
Simon Sibbez wrote:
>> Slackware could be so great, if security patches would be published
>> *in* *time*... :´-(
>
> Yes, I agree.
>
> At the moment patch support SUCKS.

If this doesn't finally get better, then there will be even more users
porting over to other distributions. Including myself.

I pretty much like the concept of Slackware, but I definitely would like
to see a bit more security. I still vote for a separate project for
creating patches, but there would be needed several people to help with
that. And unfortunately a separate patch project most probably would
finally mean that a separate, new, slackware-based distribution would
have to be created. Definitely too much work...

CU

Manuel

Martin Schmitz

Jul 6, 2008, 8:24:31 AM
Manuel Reimer wrote:
>> At the moment patch support SUCKS.
>
> If this doesn't finally get better, then there will be even more users
> porting over to other distributions. Including myself.

So, which one do you have in mind? Neither Debian, nor Fedora, nor
Redhat, nor SuSE, nor Ubuntu, nor any other distribution I know of has
updated packages for Firefox and Seamonkey yet.

Martin

Steven J Masta

Jul 6, 2008, 8:36:46 AM

According to secunia.com redhat updated firefox on July 02
http://secunia.com/advisories/30903/ and seamonkey the next day
http://secunia.com/advisories/30878/

But that was the only distro they showed having updates available.

Steve

Simon Sibbez

Jul 6, 2008, 8:40:37 AM
Martin Schmitz wrote:

The slacking of others is no excuse in my book.

Also, you are wrong:

http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0079.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0016.html

-- Simon

Simon Sibbez

Jul 6, 2008, 8:41:39 AM
Steven J Masta wrote:

> According to secunia.com redhat updated firefox on July 02
> http://secunia.com/advisories/30903/ and seamonkey the next day
> http://secunia.com/advisories/30878/
>
> But that was the only distro they showed having updates available.

Nope, see my other message ...

-- Simon

Dan C

Jul 6, 2008, 11:21:42 AM
On Sun, 06 Jul 2008 13:18:56 +0200, Manuel Reimer wrote:

> security releases of the two Mozilla based products "SeaMonkey" and
> "Firefox" have been published 2008-07-02 and 2008-07-01 by the project
> maintainers.

It's a long holiday weekend here in the USA, which could explain why there
might be a slight delay.



> So far Slackware has *no* patch package! At least one of the holes, in
> detail this one: https://bugzilla.mozilla.org/show_bug.cgi?id=419846
> seems to be trivial to exploit and will *definitely* allow anyone to run
> any code in user context!

Are you *seriously* concerned that this will *actually* happen to your
little home Slackware box? Do you not have *any* firewall between it and
the Internet?

> Slackware could be so great, if security patches would be published *in*
> *time*... :´-(

You could always use another distro, if you'd like. See signature.


--
"Ubuntu" -- an African word, meaning "Slackware is too hard for me".
The Usenet Improvement Project: http://improve-usenet.org

Dan C

Jul 6, 2008, 11:23:01 AM
On Sun, 06 Jul 2008 13:21:09 +0200, Simon Sibbez wrote:

>> Slackware could be so great, if security patches would be published
>> *in* *time*... :´-(

> At the moment patch support SUCKS.

At the moment, we're enjoying a long holiday weekend here in the USA.

Patch it yourself, if you're that worried about it.

Bugger off.

Leon Whyte

Jul 6, 2008, 2:40:51 PM

I am going to show my ignorance but if the flaw is in Firefox etc, then would it
not be up to Mozilla to post the patches? Mozilla sent me a heads up to update
my Firefox because they fixed the flaw in the version I was running.
Why would I expect Slackware to "fix Firefox" ?

--
Leon
A computer without Microsoft is like a chocolate cake without mustard.
< running Linux >

Joost Kremers

Jul 6, 2008, 3:02:31 PM
Leon Whyte wrote:
> I am going to show my ignorance but if the flaw is in Firefox etc, then would it
> not be up to Mozilla to post the patches? Mozilla sent me a heads up to update
> my Firefox because they fixed the flaw in the version I was running.
> Why would I expect Slackware to "fix Firefox" ?

because slackware provides a firefox package.


--
Joost Kremers joostk...@yahoo.com
Selbst in die Unterwelt dringt durch Spalten Licht
EN:SiS(9)

~kurt

Jul 6, 2008, 3:23:21 PM

This one is for Mandriva back in June - obviously another problem?

> http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0016.html
>

This one was posted on July 2nd, and the patch was not finalized until
the 3rd? Jumping the gun?

Didn't see anything under Debian. Finding the security updates section
for RH was a bitch - looks like they also made the update on the 2nd, despite
the patch being made on the 3rd? Don't see anything for Suse.

No, not an excuse, but the OP overhyped the seriousness of the problem.
It is a bug that doesn't apparently have any concrete examples of a remote
exploit (reading the RH security advisory).

- Kurt


notbob

Jul 6, 2008, 3:34:33 PM
On 2008-07-06, Manuel Reimer <Manuel.N...@nurfuerspam.de> wrote:

> If this doesn't finally get better, then there will be even more users
> porting over to other distributions. Including myself.

don't let the 'shutdown -h 0' hit you on the ass on the way out

nb


Jerry Vrooman

Jul 7, 2008, 1:56:33 AM

Why wait for a patch? Start Firefox. Click on 'Help'. Click on 'Check
For Updates'. Then follow the prompts. Firefox will obligingly upgrade
itself. Much easier than waiting for a patch.

Jerry Vrooman

Manuel Reimer

Jul 7, 2008, 3:50:34 AM
Jerry Vrooman wrote:
> Why wait for a patch? Start Firefox. Click on 'Help'. Click on 'Check
> For Updates'. Then follow the prompts. Firefox will obligingly upgrade
> itself. Much easier than waiting for a patch.

I don't use Firefox, I use SeaMonkey.

And even Firefox is unable to update itself, as Firefox runs as regular
user and regular users are unable to write to /usr

CU

Manuel

Jerry Vrooman

Jul 7, 2008, 5:20:40 AM

Strange, it worked for me. Just lucky I guess.

Roger Brown

Jul 7, 2008, 6:27:22 AM
On Mon, 07 Jul 2008 09:50:34 +0200
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:

> I don't use Firefox, I use SeaMonkey.
>
> And even Firefox is unable to update itself, as Firefox runs as
> regular user and regular users are unable to write to /usr

Looks like it's no big problem. Just download Pat's build script for
Slackware plus the supporting files (but not the actual source archive)
from the source/xap section of your local ftp mirror server and put
them in a build folder.

Get the actual source from the mozilla website - put that in the build
folder. Change the version line of Pat's buildscript
seamonkey.SlackBuild to 1.1.10 and run it.

That compiles the source and builds you a package in /tmp ready to
install.

--
Roger Brown
rog...@rogerbrown.no-ip.org
http://rogerbrown.no-ip.org
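
The rebuild procedure Roger describes, as an added example that is not part of the original post and is not Pat's build script: a helper that changes the version line only after the downloaded source archive matches a checksum you supply. It goes one step beyond the post by adding that check; the function names, the `VERSION=` line format and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: prepare a SlackBuild for a newer upstream release.
# Assumptions (not from the thread): the build script sets its version on a
# single line starting with "VERSION=", and you obtained the archive's
# SHA-256 from a source you trust.

# prepare_rebuild SLACKBUILD NEW_VERSION TARBALL EXPECTED_SHA256
# Rewrites the VERSION line only if the archive checks out.
# Returns 0 on success, 1 on checksum mismatch, 2 on bad input,
# 3 if the script does not have exactly one VERSION= line.
prepare_rebuild() {
    script=$1 new_version=$2 tarball=$3 expected=$4

    [ -f "$script" ]  || { echo "missing build script: $script" >&2; return 2; }
    [ -f "$tarball" ] || { echo "missing source archive: $tarball" >&2; return 2; }

    # Refuse version strings that could smuggle shell or sed syntax.
    case $new_version in
        ''|*[!0-9A-Za-z.]*) echo "suspicious version: $new_version" >&2; return 2 ;;
    esac

    # Verify the download before anything is built from it.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi

    # Exactly one VERSION= line is expected; anything else needs a human.
    count=$(grep -c '^VERSION=' "$script" || true)
    [ "$count" -eq 1 ] || { echo "expected one VERSION= line, found $count" >&2; return 3; }

    # Keep the untouched script next to the edited one.
    cp -p "$script" "$script.orig"
    sed "s/^VERSION=.*/VERSION=$new_version/" "$script.orig" > "$script"
}

# Print the version a build script is currently set to.
current_version() {
    sed -n 's/^VERSION=//p' "$1"
}

# Constructed demo: a stub build script and a stand-in "archive" in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nVERSION=1.1.9\n' > "$d/seamonkey.SlackBuild"
    printf 'constructed stand-in for the source archive\n' > "$d/src.tar.bz2"
    good=$(sha256sum "$d/src.tar.bz2" | cut -d' ' -f1)

    # Wrong checksum: the script must stay at its old version.
    prepare_rebuild "$d/seamonkey.SlackBuild" 1.1.10 "$d/src.tar.bz2" 0000 \
        || echo "rejected, still at $(current_version "$d/seamonkey.SlackBuild")"
    # Matching checksum: the version line is rewritten.
    prepare_rebuild "$d/seamonkey.SlackBuild" 1.1.10 "$d/src.tar.bz2" "$good" \
        && echo "accepted, now at $(current_version "$d/seamonkey.SlackBuild")"
    rm -rf "$d"
}
demo
```

After a successful run, the edited seamonkey.SlackBuild is what you would run to get the package in /tmp that the post mentions.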

+Alan Hicks+

Jul 7, 2008, 10:32:31 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2008-07-06, Joost Kremers <joostk...@yahoo.com> wrote:
> Leon Whyte wrote:
>> I am going to show my ignorance but if the flaw is in Firefox etc, then would it
>> not be up to Mozilla to post the patches? Mozilla sent me a heads up to update
>> my Firefox because they fixed the flaw in the version I was running.
>> Why would I expect Slackware to "fix Firefox" ?
>
> because slackware provides a firefox package.

The package Slackware provides is nothing more than the binary firefox
download repackaged into tgz form. IIRC, Pat mentioned in the
ChangeLog some time back that this was done this way due to the ruckus
Mozilla was creating about their trademarks and the like.[0] I doubt
Pat is going to feel a pressing need to provide a new Firefox package
until Mozilla itself feels such a need.

In other words, upstream knows best.

[0] This is why Debian ships the re-branded Iceweasel.

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhyKP8ACgkQrZS6hX/gvjpbowCdEPLzjXLg1YqrmASZXIleVK3+
epAAoNl7mEwzDyopMNB0/p9fjPFqJ81f
=K1HC
-----END PGP SIGNATURE-----

+Alan Hicks+

Jul 7, 2008, 10:26:27 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2008-07-06, notbob <not...@nothome.com> wrote:
>> If this doesn't finally get better, then there will be even more users
>> porting over to other distributions. Including myself.
>
> don't let the 'shutdown -h 0' hit you on the ass on the way out

</modquote>

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhyJ5MACgkQrZS6hX/gvjrsrgCghmEFczSA2v/7GYwJjdU3HIf1
VVkAnikYZM2rEn8c4uABoYwZr+imTsIa
=ODrH
-----END PGP SIGNATURE-----

Joost Kremers

Jul 7, 2008, 3:04:33 PM
+Alan Hicks+ wrote:
> The package Slackware provides is nothing more than the binary firefox
> download repackaged into tgz form.

i know. i didn't realise that this thread was about a patch that mozilla
hadn't actually released themselves...

> I doubt
> Pat is going to feel a pressing need to provide a new Firefox package
> until Mozilla itself feels such a need.

and i totally agree with him. certainly since the debian openssh fiasco,
people should know better than to blindly accept third-party patches...

~kurt

Jul 7, 2008, 10:00:21 PM
Res <r...@ausics.net> wrote:

> On Sun, 6 Jul 2008, ~kurt wrote:
>
>> No, not an excuse, but the OP overhyped the seriousness of the problem.
>> It is a bug that doesn't apparently have any concrete examples of a remote
>> exploit (reading the RH security advisory).
>
> Was the OP not the same one who screamed and jumped up and down a few

No idea - I, along with others, just realized the "patch" isn't even officially
integrated into Mozilla yet. So, I wouldn't expect to see it in the Slackware
changelog until an official version of Mozilla is released with this patch.
And, if you look at the current release notes for Seamonkey, you can see this
type of problem is quite common - the reason why you don't go surfing the net
as root with a web browser (and even worse, with Javascript enabled). One of
the latest fixes under the release notes addresses a problem so similar to
the current one, the only reason I could quickly tell they were different was
from the submit date. Crap like this is always happening with web browsers
(not just IE).

I'd suggest the OP move on to another distro if he is looking for one that
immediately updates with every untested unofficial patch.

- Kurt

Manuel Reimer

Jul 8, 2008, 1:13:36 AM
Roger Brown wrote:
> Looks like it's no big problem. Just download Pat's build script for
> Slackware plus the supporting files (but not the actual source archive)
> from the source/xap section of your local ftp mirror server and put
> them in a build folder.

> Get the actual source from the mozilla website - put that in the build
> folder. Change the version line of Pat's buildscript
> seamonkey.SlackBuild to 1.1.10 and run it.

> That compiles the source and builds you a package in /tmp ready to
> install.

Of course, I could try to do so. This would "just" take three or four
hours on my 700MHz PC. I preferred to just download the official tar.gz
package from mozilla.org and untarred it to /opt. Then I uninstalled the
official SeaMonkey package and symlinked from /opt/seamonkey/seamonkey
to /usr/bin.

It is *not* my job to create my own packages! If there is a security
hole, then the maintainer of the distribution should publish a patch in
time. Other distributions already did so.

CU

Manuel

Manuel Reimer

Jul 8, 2008, 1:32:53 AM
Res wrote:
> One more thing, the day Pat opens up Slackware patching/development like
> that, is the day I leave Slackware

My idea *was* to create alternative patches in a small team where only
two or three people are allowed to review and publish the final patch
while anyone could publish SlackBuild files (just like slackbuilds.org).

In my opinion Pat himself should finally make the team behind Slackware
a bit bigger, so if Pat is on holidays or ill, the distribution doesn't
get out of date, as someone else in the team is able to publish critical
patches. The community should be allowed to help out with SlackBuild
files and there is at least one more person required that is allowed to
review, compile and sign packages.

> I trust the small team that exists now
> I will not trust it when a bunch of unknowns are granted access to do
> it.

I also trust this "team", but the problem IMHO is, that this team is
more or less just one person. If this person is away, no one publishes
patches. I personally would not use Slackware on a critical server as I
never know if I may still trust the security of my system if the other
distributions patch a hole while nothing happens on the Slackware-side.
IMHO Pat at least has to post a message to the security mailing list,
telling the users that he recognized that other distributions patched
$HOLE but he doesn't publish a patch for $REASON but has a look at the
hole and will publish a patch if it is really required. In the current
situation I may either create my own patches if other distributions do,
or I may just think "all the others are silly" and just try to imagine
that my system is still secure even if the others all patched the hole.
Currently I tend to do the first and create my own patches, as I don't
know how critical the holes really are! I never know if the hole is
non-critical or if the security "team" behind Slackware is just a "bit"
late, again... :-(

CU

Manuel

Manuel Reimer

Jul 8, 2008, 1:36:45 AM
~kurt wrote:
> I, along with others, just realized the "patch" isn't even officially
> integrated into Mozilla yet. So, I wouldn't expect to see it in the
> Slackware changelog until an official version of Mozilla is released
> with this patch.

It has been released one *week* ago! See:
http://www.mozilla.org/security/announce/2008/mfsa2008-24.html

> I'd suggest the OP move on to another distro if he is looking for one
> that immediately updates with every untested unofficial patch.

The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
usually no reason to not publish a patch package one or two days after
the official mozilla.org releases!

But if you have an idea for a nice replacement distribution, then please
tell me. I plan to set up a new server and need something stable. So far
I didn't find a good alternative.

CU

Manuel

Manuel Reimer

Jul 8, 2008, 1:38:40 AM
+Alan Hicks+ wrote:
> The package Slackware provides is nothing more than the binary firefox
> download repackaged into tgz form. IIRC, Pat mentioned in the
> ChangeLog some time back that this was done this way due to the ruckus
> Mozilla was creating about their trademarks and the like.[0] I doubt
> Pat is going to feel a pressing need to provide a new Firefox package
> until Mozilla itself feels such a need.

> In other words, upstream knows best.

They knew best. One week ago:
http://www.mozilla.org/security/announce/2008/mfsa2008-24.html

CU

Manuel

Roger Brown

Jul 8, 2008, 1:55:29 AM
On Tue, 08 Jul 2008 07:13:36 +0200
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:

> It is *not* my job to create my own packages!

So you would never install anything from SlackBuilds.org?

Manuel Reimer

Jul 8, 2008, 2:35:11 AM
Roger Brown wrote:
>> It is *not* my job to create my own packages!

> So you would never install anything from SlackBuilds.org?

Of course, I do, but I exactly know what I've installed on my own and so
I also have a look at possible holes in this software on my own. As I've
just installed about 5 packages via SlackBuilds.org, I can keep them in
view. What I tried to say is that it's not my job to also keep the few
hundred packages, which are official Slackware packages, in view. If I
would like to do so, I would use LFS.

CU

Manuel

Roger Brown

Jul 8, 2008, 4:02:54 AM
On Tue, 08 Jul 2008 08:35:11 +0200
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:

> What I tried to say is that it's not my job to also keep the few
> hundred packages, which are official Slackware packages

Well that's your call - but by installing the binary version you've
given yourself the task of keeping it updated in future, whereas if you
created a package (as I have done) any future update *should* still be
looked after by Pat.

That said, I have no idea why he hasn't updated Seamonkey - seems to me
to be something that has slipped under the radar. But to be fair, some
other distros have also been slow. Ubuntu still hasn't done so and Arch
did so only a day or so ago - I had already updated that box by
amending their port (build script).


Manuel Reimer

Jul 8, 2008, 5:28:58 AM
Res wrote:
>> The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
>> usually no reason to not publish a patch package one or two days after
>> the official mozilla.org releases!

> Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
> go there , where they have a guarantee to patch things unapproved by
> upstream, change the code to distro-flavorise and to break your system in
> other ways

So Mozilla is not "upstream" for the Firefox or SeaMonkey browser? Those
patches *are* upstream patches. At least one of them is critical.

CU

Manuel


notbob

Jul 8, 2008, 9:47:33 AM
On 2008-07-08, ~kurt <actino...@earthlink.net> wrote:

> type of problem is quite common - the reason why you don't go surfing the net
> as root with a web browser (and even worse, with Javascript enabled).

While I wholeheartedly agree with the "root" warning, I have no problem
surfing with javascript enabled. I just run noscript, which is an add-on
for mozzy-based browsers. Great application. Prevents all scripts from
running by default, but lets you enable scripts, one-by-one, should you need
to. This is handy not only from a security stand-point, but lets you know
who/what websites are doing. I've seen as many as half dozen scripts on a
single site. Also, it has the added bonus of killing loads of pop-up and
adware scripts, making page loading quicker. Just take your browser to its
add-on/plug-in website and noscript will load itself. Highly recommended.

http://en.wikipedia.org/wiki/NoScript

nb

»Q«

Jul 8, 2008, 5:04:41 PM
On Tue, 08 Jul 2008 07:36:45 +0200
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:

> But if you have an idea for a nice replacement distribution, then
> please tell me. I plan to set up a new server and need something
> stable.

Slackware 12.1 would be a good choice -- to set up a server, you
wouldn't want to install Firefox or SeaMonkey anyway.

~kurt

Jul 8, 2008, 9:26:01 PM
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:
> ~kurt wrote:
>> I, along with others, just realized the "patch" isn't even officially
>> integrated into Mozilla yet. So, I wouldn't expect to see it in the
>> Slackware changelog until an official version of Mozilla is released
>> with this patch.
>
> It has been released one *week* ago! See:
> http://www.mozilla.org/security/announce/2008/mfsa2008-24.html

The security notice is a week old. But no update to the release has
been issued. From the above link you posted:

<quote>
Workaround:

Disable JavaScript until a version containing these fixes can be installed.
</quote>

Slackware rarely ever *patches* source and redistributes the resulting
binary. In addition, others already mentioned there are license issues
associated with doing this, and still calling it Seamonkey, or Firefox.

> The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
> usually no reason to not publish a patch package one or two days after
> the official mozilla.org releases!

Just because a patch is submitted to a development tree doesn't mean it has
gone through all the testing that would result in such a change being
officially part of the next release cycle. You would be surprised what
a simple patch can break. The dialog surrounding the fix didn't exactly
fill me with confidence, either (from what I remember of it).

> But if you have an idea for a nice replacement distribution, then please
> tell me. I plan to set up a new server and need something stable. So far
> I didn't find a good alternative.

I would suggest doing what you appear to be doing - keeping track of
critical applications and services offered by your server. Slackware
has never been into the business of modifying official releases of
software.

- Kurt

~kurt

Jul 8, 2008, 9:30:37 PM

OK:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802>

"This CVE Identifier has "Candidate" status and must be reviewed and accepted
by the CVE Editorial Board before it can be updated to official "Entry" status
on the CVE List. It may be modified or even rejected in the future."

Like I said before, it isn't an official patch - yet. To throw it in there
without official approval would be very Debian of them... (sorry Deb fans,
couldn't resist).

- Kurt

~kurt

Jul 8, 2008, 9:42:58 PM
Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:
>
> IMHO Pat at least has to post a message to the security mailing list,
> telling the users that he recognized that other distributions patched
> $HOLE but he doesn't publish a patch for $REASON but has a look at the
> hole and will publish a patch if it is really required. In the current

Now this - I think you are on to something - at least when it comes to an
external team. In other words, the external-to-Slackware team you were
speaking of before that might possibly manage patches would instead
submit security advisories (patched and not patched) to a list that would
help sys admins make decisions on software they might want to rebuild and
update. It could even be a Usenet group (although a monitored one to
filter out *anything* that is even remotely OT - use a.o.l.s for discussion).
That would be a very Slackware way of doing it - Pat updates the changelog
with official releases as they are available, and the external team provides
info to the sys admin so they can make their own decisions on patches.

- Kurt

»Q«

Jul 8, 2008, 10:41:07 PM
On Tue, 08 Jul 2008 20:26:01 -0500
~kurt <actino...@earthlink.net> wrote:

> Manuel Reimer <mre...@expires-31-07-2008.news-group.org> wrote:
> > ~kurt wrote:
> >> I, along with others, just realized the "patch" isn't even
> >> officially integrated into Mozilla yet. So, I wouldn't expect to
> >> see it in the Slackware changelog until an official version of
> >> Mozilla is released with this patch.
> >
> > It has been released one *week* ago! See:
> > http://www.mozilla.org/security/announce/2008/mfsa2008-24.html
>
> The security notice is a week old. But no update to the release has
> been issued.

Fixed in Firefox 2.0.0.15, released by Mozilla the same day that MFSA
was issued.

Dan C

Jul 8, 2008, 11:30:43 PM
On Tue, 08 Jul 2008 11:28:58 +0200, Manuel Reimer wrote:

>> Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
>> go there , where they have a guarantee to patch things unapproved by
>> upstream, change the code to distro-flavorise and to break your system in
>> other ways

> So Mozilla is not "upstream" for the Firefox or SeaMonkey browser? Those
> patches *are* upstream patches. At least one of them is critical.

Will you just fuck off and leave, you ignorant little whining stooge? Go
use goddam ubuntu or fucking windoze, if you'd rather. Nobody here gives
a rat's ass what you use, just shut the fuck up.


--
"Ubuntu" -- an African word, meaning "Slackware is too hard for me".
The Usenet Improvement Project: http://improve-usenet.org

~kurt

Jul 9, 2008, 8:16:52 AM

Huh, you are right. I missed one of the updates listed here:

<http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.1.10>

I don't understand why they are still listed as "Candidate" status:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811>

So, it has been a week since an official release from Mozilla has been
made.

- Kurt

Eef Hartman

Jul 20, 2008, 4:18:05 AM
Manuel Reimer <Manuel.N...@nurfuerspam.de> wrote:
> security releases of the two Mozilla based products "SeaMonkey" and
> "Firefox" have been published 2008-07-02 and 2008-07-01 by the project
> maintainers.
>
> So far Slackware has *no* patch package! At least one of the holes, in
> detail this one: https://bugzilla.mozilla.org/show_bug.cgi?id=419846

Did anyone notice that this whiner didn't post anything when Pat had
out the 2.0.0.16 (and SeaMonkey 1.1.11) upgrades long before all other
major distributions?
--
*******************************************************************
** Eef Hartman, Delft University of Technology, dept. SSC/ICT **
** e-mail: E.J.M....@tudelft.nl, fax: +31-15-278 7295 **
** snail-mail: P.O. Box 5031, 2600 GA Delft, The Netherlands **
*******************************************************************

Roger Brown

Jul 20, 2008, 4:49:43 AM
On Sun, 20 Jul 2008 10:18:05 +0200
Eef Hartman <E.J.M....@math.tudelft.nl> wrote:

> Did anyone notice that this whiner didn't post anything when Pat had
> out the 2.0.0.16 (and SeaMonkey 1.1.11) upgrades long before all other
> major distributions?

It does pose the question though, why did the first one take so long?
Slipped under the radar perhaps?
