LinuxQuestions.org


cfdisk 05-10-2011 05:55 AM

Keeping up with Firefox
 
Hello, everyone.

I start playing with Slackware and I am amazed about its endless possibilities. :Pengy:

There is a security advisory for Firefox and 4.0.1 must be installed.
Do I need to compile my own FF 4.0.1 build?

Or, instead of inventing the wheel, could Slackware's Firefox 4.0.1 package be pulled from somewhere?

Sorry, if my question sounds naive, just trying to get to the point and catch up with security issues.

Thanks in advance.


M.

Hannes Worst 05-10-2011 06:03 AM

Just comment out the appropriate mirror in /etc/slackpkg/mirrors. Then as root do "slackpkg update" and "slackpkg upgrade-all". This will provide you with all the security updates

cfdisk 05-10-2011 06:45 AM

Wow, I was getting a nuke to blow the open door.
 
Thanks!
I previously got some obsolete info about Slackware
Quote:

so all installation, upgrade and removal tasks continue to be performed with pkgtools, a set of very simple scripts that haven't changed much in years.
and naturally, no repositories.

Everything is fine now.

Thanks again!

hitest 05-10-2011 06:55 AM

It is quite rare, but, on occasion new packages are introduced to the stable branch of Slackware. I generally run these commands when updating my Slackware boxes.

# slackpkg update

# slackpkg install-new

# slackpkg upgrade-all

This is a good guide on how to use slackpkg: slackpkg

cfdisk 05-10-2011 07:01 AM

Thanks, hitest!
:hattip:

zordrak 05-10-2011 07:03 AM

As much as you should definitely be updating security patches with the details hitest gives, I personally allow Firefox and Thunderbird to update themselves. This not only keeps me up to date with patches faster than Pat can package them, but it also allows me to stay with my own language build (en_gb) rather than the default shipped en_us.

The only change you need to make is to give your user account write privileges to the firefox install directory e.g. /usr/lib{,64}/firefox-4.{0,1} and then Firefox's own "Help -> Check for Updates" functionality will work fine.

If you do this then you ought to blacklist firefox (and thunderbird) from slackpkg updates so you don't overwrite it with Pat's patches.

cfdisk 05-10-2011 07:10 AM

You guys are just great!

Thanks again.

clifford227 05-10-2011 11:44 AM

Quote:

Originally Posted by zordrak (Post 4351942)
I personally allow Firefox and Thunderbird to update themselves.

This is what I had just come to the forum to ask. Firefox has been bugging me for a week to update, but I thought I would have to download the new FF 4.0.1 binary, but I went into the 'About Firefox' tab 'check for updates', and it updated to 4.0.1, and everything seems ok.

enine 05-10-2011 12:33 PM

I was going to say the same, since FF and TB are not modified in any way by slackware their built in auto update works fine.

MQMan 05-10-2011 12:59 PM

Quote:

Originally Posted by enine (Post 4352193)
I was going to say the same, since FF and TB are not modified in any way by slackware their built in auto update works fine.

Except Mozilla doesn't produce 64-bit versions.

Cheers.

Telengard 05-10-2011 02:14 PM

Quote:

Originally Posted by zordrak (Post 4351942)
The only change you need to make is to give your user account write privileges to the firefox install directory e.g. /usr/lib{,64}/firefox-4.{0,1} and then Firefox's own "Help -> Check for Updates" functionality will work fine.

Which means that Firefox itself has write access to its own binaries. Which means scripts on web pages have write access to the Firefox binaries. I honestly wonder, how are you not pwned?

Ilgar 05-10-2011 02:37 PM

I'm not sure that there are so many exploits out there targeting to modify the Firefox binary itself. Still, that's a valid point. One can try running Firefox as root and doing the update that way (of course, you should use the root account only for that purpose, not for daily browsing use).

zordrak 05-10-2011 02:42 PM

Take it up with Mozilla. Any user on any system allowed to use the update functionality must by implication have write access to the firefox install directory.

Telengard 05-10-2011 03:18 PM

Quote:

Originally Posted by zordrak (Post 4352314)
Take it up with Mozilla. Any user on any system allowed to use the update functionality must by implication have write access to the firefox install directory.

The whole concept of applications updating themselves. I don't recall ever seeing that before Windows (and I've been computing since about 1982).

The Unix model is that regular users (and hence applications they invoke) do not have write access to files which affect the system globally.

The Linux model of software updating is for root to compile from source, or else for root to invoke the package manager which updates binaries on her behalf.

Do we really want to adopt the Windows way of maintaining our systems?

I don't want to criticize any Linux administrator's methods. Rather I want to understand what other administrators do, and thus learn better methods for my own purposes. As a Kubuntu 8.04 Hardy Heron administrator, I too am faced with the Firefox update problem.

Also, I don't want to drag the thread off topic, especially since it is marked solved. It just seems to me that OP stated his desire for updating was based on security interest. Thus I do believe these questions are relevant to the topic.

rmjohnso 05-10-2011 03:26 PM

Quote:

Originally Posted by MQMan (Post 4352220)
Except Mozilla doesn't produce 64-bit versions.

Cheers.

They started releasing pre-compiled 64-bit versions with the 4.x series.

ftp://ftp.mozilla.org/pub/firefox/re...-x86_64/en-US/

Pat V. used to re-package the 32-bit pre-compiled version as a Slackware package and build from source the 64-bit version. However, in 13.37, he's started building both from source.

cfdisk 05-10-2011 10:07 PM

Turning off SOLVED
 
I truly appreciate Telengard's point of view.

Some of us ( myself included ) run away from Windoze into the Linux world just because it's more secure.
It doesn't make any sense to me if I set a firewall, close idle services "LISTEN" ports, you name it, and in the end just giving out my root to the web? :cry:

I am turning this thread off "SOLVED" and hopefully more profound thoughts about proper Linux's security techniques would come out.


Thanks for great input.

Telengard 05-10-2011 11:54 PM

Quote:

Originally Posted by cfdisk (Post 4352662)
I am turning this thread off "SOLVED" and hopefully more profound thoughts about proper Linux's security techniques would come out.

Please understand that I was only addressing the suggestion to allow write access to the Firefox directory.

The solutions offered by Hannes Worst and hitest look promising. I simply don't know enough about Slackware to say much more.

You'll have to judge for yourself which solution best suits your needs. Knowing what I do about Linux, there are undoubtedly many more possible solutions.

zordrak 05-11-2011 02:48 AM

Quote:

Originally Posted by cfdisk (Post 4352662)
giving out my root to the web?

You misunderstand the implications I think.

Worst case, something compromises Firefox and can create/execute binaries as the user Firefox is running as. i.e. your user account. This is how Linux does security. It's up to you to ensure your user account doesn't have sufficient rights to break or root your system.

As an example, you should never run an IRC client as root. This is in case someone exploits your client in a way that might provide access to your system. So long as the client is running as a non-privileged user the damage that can be done is very limited.

What we're talking about here is not equivalent to running Firefox as root. That *would* be dangerous. We're simply talking about giving Firefox privileges in its own install directory. Not privileges to any other part of the system. If Firefox were to be compromised without this write access the implications are exactly the same as with this access, except the attack could also break/compromise Firefox. Should this happen, re-installing Firefox is the least of your worries and the only extra required step.

cfdisk 05-11-2011 06:14 AM

Quote:

except the attack could also break/compromise Firefox
It's really interesting about Linux that the damage could be limited and done only to a client/app ( as in your example ) to Firefox.

So, thinking about consequences in this particular case, I can continue running even compromised Firefox as long as I don't do, say, online banking and logging/saving other passwords which I consider important, right? :twocents:

zordrak 05-11-2011 06:38 AM

Difficult to say. Generally: Compromised == Bad. I see what you're saying and you're pretty much right - but technically the scope would extend to anything you do in your account and anything your account has access to. e.g. it could set up a mail spam bot sending out mail from your account, and would be able to access all data your user account can - that type of thing.

allend 05-11-2011 06:49 AM

@cfdisk - Do you run Firefox with the NoScript extension installed? If not, then I strongly suggest you do so. By only allowing Javascript from sites you trust, you add a significant barrier to the intrusion of malware.
My personal habit when accessing online banking is to shut down all browsers, then start a browser session to do only the online banking, then shut down the browser again. This protects against any caching memory information leakage.

cfdisk 05-11-2011 07:13 AM

Thanks for taking care, allend.

Sure, I install NoScript right after opening a Firefox for the first time. ;)
I also disable preinstalled Java plugin upon firing up FF for the first time as well.

enine 05-11-2011 12:55 PM

I used to use private browsing for all my banking, that way nothing is left behind, but after installing alienbob's latest kde that option went away.
I like to keep the internet facing apps up to date as much as possible, therefore I do let ff and thunderbird check for updates rather than me checking for the official slackware updates for them as I don't check often enough myself.

Mozilla needs something like Microsoft's WSUS where I can have one server check for updates, and point all my workstations at my server.

cfdisk 06-22-2011 11:05 PM

Just in case, one fresh event passed almost unnoticed. ( at least for me :rolleyes: )

Mozilla quietly killed FF 4.0.x branch. Yesterday's crucial security updates didn't get applied to FF 4, but FF 3.6.18 and FF 5 got patched.

In other words, FF 4 support is dead.
It's not a big deal, I assume that Slackware team will update FF very soon.

Meantime, I dropped FF 5 binary into my /home/user and run FF 5 as ~/firefox/firefox :twocents:

Cheesesteak 06-23-2011 02:00 AM

Mozilla has become caught up with the "higher version number is better" scheme. With the minor changes under the hood, Firefox 5 should have been released as 4.0.2. They're too concerned about what Google is doing with Chrome...

zordrak 06-23-2011 03:33 AM

Quote:

Originally Posted by cfdisk (Post 4393380)
Just in case, one fresh event passed almost unnoticed. ( at least for me :rolleyes: )

Mozilla quietly killed FF 4.0.x branch. Yesterday's crucial security updates didn't get applied to FF 4, but FF 3.6.18 and FF 5 got patched.

In other words, FF 4 support is dead.
It's not a big deal, I assume that Slackware team will update FF very soon.

Meantime, I dropped FF 5 binary into my /home/user and run FF 5 as ~/firefox/firefox :twocents:

And as normal I just hit the "Update Firefox" button :)

cfdisk 06-23-2011 06:17 AM

Quote:

And as normal I just hit the "Update Firefox" button
Lucky you! :cool:

It didn't work for me on June 21 and it doesn't work as we speak.
It still reads "Firefox 4.0.1 is up to date".

jsmith6 06-23-2011 11:10 AM

If you are only interested in security updates, then you can find them in:

Code:

ftp://<ftp-mirror>/slackware/slackware-<version>/patches/packages/
I've written a convenient script that uses lftp to sync any updates. You need to tell it what version of Slack you are running, whether it's 32 or 64-bit, and what's the mirror.

Code:

#!/bin/bash

# The Slackware version that you download the files for.
# You need to review this.
ver=13.37

# If you use Slackware64, then uncomment this variable.
# Otherwise you will end up with the 32-bit packages.
#arch=slackware64


# This is the FTP mirror you download files from.
# Typically, a Slackware mirror hosts the latest,
# -current and a few older versions in separate
# directories. You need to give me the path up to the
# point where I can see all available versions in
# the mirror. Check:
#
#  ftp://ftp.slackware.com/pub/slackware
#
# to see what I mean. Also, omit the trailing
# slash from the path.
#
# The ftp.slackware.com mirror is included but be kind
# enough to use another.
#
#mirror=ftp://ftp.slackware.com/pub/slackware
mirror=ftp://slackware.oregonstate.edu/pub/slackware

# ---

if [ -n "$arch" ]
then
        path=$arch-$ver
        dest=$arch-$ver
else
        path=slackware-$ver
        dest=$ver
fi

hostname=$(echo "$mirror" | sed 's!//!/!g' | awk -F/ '{print $2}')

# create the version directory if it doesn't exist
# (-d tests for a directory; -z only tests for an empty string)
if [ ! -d "./$dest" ]
then
        mkdir "./$dest"
fi

# execute the lftp command
lftp -c "open $hostname; mirror -c -e $mirror/$path/patches/packages ./$dest; quit"

exit 0;

This will simply download the patches, it will not install them. Out of personal preference, I use another (scrawl) script to do this:

Code:

#!/bin/sh

./slackmirror.sh
cd 13.37 || exit 1   # never run upgradepkg from the wrong directory
upgradepkg *.txz | tee ../update.log
cd ..
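
The scripts in the post above fetch packages over plain FTP and hand them straight to upgradepkg. As an added example (not part of the original post), this gate installs only when every package's detached `.asc` signature verifies. It assumes the mirror's `.asc` files were downloaded alongside the packages and that the Slackware signing key is already in root's GnuPG keyring; `verified_packages`, `install_verified`, `VERIFY` and `UPGRADE` are names made up here.

```shell
#!/bin/sh
# Added example: install downloaded patches only if every package has a
# detached signature (.asc) that verifies. All names below are hypothetical.

# Command that checks a detached signature, called as: $VERIFY sig file
# Assumption: the Slackware signing key is already in root's GnuPG keyring.
VERIFY=${VERIFY:-"gpg --verify"}
# Command that installs the packages (override with "echo" for a dry run).
UPGRADE=${UPGRADE:-upgradepkg}

# Print the packages in directory $1 whose signature verifies, one per line.
# Return 1 if any package is unsigned or fails verification.
verified_packages() {
    dir=$1
    bad=0
    for pkg in "$dir"/*.t?z; do
        [ -e "$pkg" ] || continue          # glob matched nothing
        if [ ! -f "$pkg.asc" ]; then
            echo "UNSIGNED: $pkg" >&2
            bad=1
        elif $VERIFY "$pkg.asc" "$pkg" >/dev/null 2>&1; then
            echo "$pkg"
        else
            echo "BAD SIGNATURE: $pkg" >&2
            bad=1
        fi
    done
    return "$bad"
}

# All-or-nothing policy: one unsigned or tampered package aborts the upgrade,
# so a partially verified set is never installed.
install_verified() {
    pkgs=$(verified_packages "$1") || {
        echo "refusing to upgrade from $1" >&2
        return 1
    }
    [ -n "$pkgs" ] || return 0             # nothing to install
    # Package file names contain no whitespace, so word splitting is safe.
    $UPGRADE $pkgs
}

# Stand-alone use: pass the download directory as the only argument.
if [ $# -gt 0 ]; then install_verified "$1"; fi
```

Called with the download directory as its only argument, it takes the place of the `cd` and `upgradepkg` lines in the second script.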


enine 06-27-2011 06:36 PM

What Mozilla needs is a central update service. Dare I say it but similar to Microsoft Windows Software Update Services. You install the update service on one server and it goes to the internet and downloads all the updates and then you can approve or decline them and then you point all your client servers or PCs to your server and they scan for and prompt for updates just like if they went out to the internet.

zordrak 06-28-2011 04:03 AM

That has disaster written all over it.

Totoro-kun 06-28-2011 01:28 PM

Quote:

Originally Posted by Telengard (Post 4352349)
The whole concept of applications updating themselves. I don't recall ever seeing that before Windows (and I've been computing since about 1982).

The Unix model is that regular users (and hence applications they invoke) do not have write access to files which affect the system globally.

The Linux model of software updating is for root to compile from source, or else for root to invoke the package manager which updates binaries on her behalf.

Do we really want to adopt the Windows way of maintaining our systems?

I don't want to criticize any Linux administrator's methods. Rather I want to understand what other administrators do, and thus learn better methods for my own purposes. As a Kubuntu 8.04 Hardy Heron administrator, I too am faced with the Firefox update problem.

Also, I don't want to drag the thread off topic, especially since it is marked solved. It just seems to me that OP stated his desire for updating was based on security interest. Thus I do believe these questions are relevant to the topic.

Very well said.
I do agree with you. Applications that update by themselves are indeed an evil thing. Imagine elderly people for instance, my friend's grandmother almost got a heart attack when her Firefox 3.6.18 became Firefox 4! Poor woman, just sits there doing regular uploading of photos, and then bam! A pop-up comes up, she just presses ok, and then suddenly ff becomes a mess, she can't use it at all, everything is different. She came downstairs screaming. And that is just one person, one story.

I am a computer technician, and I have a regular base of clients, for whom I have customized operating systems, and in practice I get tons of phone calls from desperate people who had their software updated either automatically or by accidentally pressing ok. So when I am reinstalling windows, I now disable all the auto updating "features" I can find. And only update software on next reinstall, because then, I am there in person to show people what is new and how to get along with new features and so on.

I tell you, programs updating themselves is a real nightmare. That is the main reason I like Slackware a lot. Everything here happens only when I need/want it to happen. And it is really sad to see how some programs still want to update themselves even on Linux systems. This has to stop. Really, I have not even started on how much system resources those updates-per-every-application waste!

cfdisk 07-29-2011 09:15 PM

What did I miss with FF 5.0.1?
 
Hello,

On July 11 Mozilla released FF 5.0.1 to bring increased compatibility with Mac OS X Lion. They said:
Quote:

Please note: Users on Windows and Linux do not need and will not see the update offer.
Just today I noticed that FF 5.0.1 for Linux and Windows are available.

Yet I can't find any credible information on the Internet what's all about. "Security Advisories for Firefox" and "Mozilla Foundation Security Advisories" pages offering no clue.

Does anyone know for sure what's a new Mozilla milestone we are just passing by? :doh:

Thanks in advance.

gazj 07-30-2011 04:25 AM

Quote:

Originally Posted by Totoro-kun (Post 4398222)
Very well said.
I do agree with you. Applications that update by themselves are indeed an evil thing. Imagine elderly people for instance, my friend's grandmother almost got a heart attack when her Firefox 3.6.18 became Firefox 4! Poor woman, just sits there doing regular uploading of photos, and then bam! A pop-up comes up, she just presses ok, and then suddenly ff becomes a mess, she can't use it at all, everything is different. She came downstairs screaming. And that is just one person, one story.

I am a computer technician, and I have a regular base of clients, for whom I have customized operating systems, and in practice I get tons of phone calls from desperate people who had their software updated either automatically or by accidentally pressing ok. So when I am reinstalling windows, I now disable all the auto updating "features" I can find. And only update software on next reinstall, because then, I am there in person to show people what is new and how to get along with new features and so on.

I tell you, programs updating themselves is a real nightmare. That is the main reason I like Slackware a lot. Everything here happens only when I need/want it to happen. And it is really sad to see how some programs still want to update themselves even on Linux systems. This has to stop. Really, I have not even started on how much system resources those updates-per-every-application waste!

It drives me crazy when I use a windows machine, dozens of apps saying there is a newer version available, I will look for updates when I am ready thank you, not when I am trying to get my work done. Grrr. Linux should never ever go this way.

Arcane 07-30-2011 04:59 AM

Quote:

Originally Posted by zordrak (Post 4352314)
Take it up with Mozilla. Any user on any system allowed to use the update functionality must by implication have write access to the firefox install directory.

Not true. Firefox creates user-specific profile directories and there store settings & update is made not in install directory itself. Try it out yourself - update from one Windows account then switch to other and other one won't be updated at first launch.

qweasd 07-30-2011 08:09 AM

Quote:

Just today I noticed that FF 5.0.1 for Linux and Windows are available.
Yet I can't find any credible information on the Internet what's all about. "Security Advisories for Firefox" and "Mozilla Foundation Security Advisories" pages offering no clue.
Does anyone know for sure what's a new Mozilla milestone we are just passing by?
To find this page, I had to guess its URL. :scratch:

Quote:

Worked around an issue in Mac OS X 10.7 that could cause Firefox to crash
Worked around an issue caused by Apple's "Java for Mac OS X 10.6 Update 5" where the Java plugin would not be loaded

cfdisk 07-30-2011 01:50 PM

@qweasd

I was wondering that Mozilla didn't say why Linux and Windows users need FF 5.0.1

You just proved that I am right, didn't you?

qweasd 07-30-2011 04:46 PM

I am not sure what you are asking, cfdisk. But it seems that this update was intended for Mac OS users only. My local Linux firefox would not self-update to 5.0.1, for example, and the release notes are mysteriously buried. I also use icecat, and I noticed that Giuseppe is ignoring 5.0.1 as well. :D Anyhow, it seems that Slackware (along with other non-OS-X) users can safely skip this update.

cfdisk 07-30-2011 06:15 PM

Thanks, qweasd.
I was thinking just like you think

Quote:

it seems that Slackware (along with other non-OS-X) users can safely skip this update.
until yesterday when I got Slackware Security Advisories emails about libpng, dhcpcd, and samba.

http://www.slackware.com/security/li...ecurity&y=2011

Guess what? While running upgrade I noticed that firefox 5.0.1 appeared on the list. Naturally, not having any previous news about FF 5.0.1 for Linux and even Windows I got curious about that particular FF release but I am still unable to pull any info.

Keep in mind neither http://www.slackware.com/security/li...ecurity&y=2011 nor http://www.us-cert.gov/current/index.atom got any words about FF 5.0.1 for Linux, not to mention Mozilla pages which you already found.

Do you follow me, don't you?

bnguyen 07-30-2011 06:50 PM

Quote:

Originally Posted by cfdisk (Post 4429569)
Guess what? While running upgrade I noticed that firefox 5.0.1 appeared on the list. Naturally, not having any previous news about FF 5.0.1 for Linux and even Windows I got curious about that particular FF release but I am still unable to pull any info.

From ChangeLog:
"I guess this is only a fix for Mac OS X, but it's still 0.0.1 better. ;-)"

So this update has no effect on Linux, except version bump.

Eternal_Newbie 07-31-2011 04:18 AM

Quote:

Originally Posted by Arcane (Post 4429182)
Not true. Firefox creates user-specific profile directories and there store settings & update is made not in install directory itself. Try it out yourself - update from one Windows account then switch to other and other one won't be updated at first launch.

You are wrong. Fortunately, Firefox doesn't keep the program binary in the profile directory, only addons and themes. Those are what are being updated when you switch accounts - under any OS.

Since you are talking of Windows, you might be thinking of Chrome as that is how it misbehaves and why I won't install it under Windows. But that is a different subject.


All times are GMT -5.