Slackware 13 and the recent Firefox vulnerability
As you might have heard, a recent critical vulnerability was discovered in Firefox 3.6.
Any word on a Slackware patch coming soon? I'd prefer to use a Slackware package rather than the actual Mozilla release, but I also don't like browsing the web with a remote code execution bug in my browser. Or is Slackware unaffected by this? Please correct me if I'm wrong. Thanks, Matt |
Hi,
There is a security fix for Slackware 12.2 but that was for FF 3.05. Quote:
I'm not aware of a FF security fix for 13 or -current. :hattip: EDIT: I don't see a 'remote code execution bug' at http://www.mozilla.org/security/know...firefox36.html EDIT2: WOFF heap corruption due to integer overflow is the bug the OP is speaking of. |
It's this one Gary:
http://www.mozilla.org/security/anno...sa2010-08.html And yes, it's quite nasty and has been out there for about a month. The bug is in the parser for downloadable fonts, so I believe that going into about:config and changing gfx.downloadable_fonts.enable to false will help mitigate the risk until the team have had time to put a new package together. I downloaded the sources and built my own 3.6.2 package yesterday as I didn't want to wait. |
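The about:config workaround described in the post above can be checked and pinned across every profile on a machine. This is an added example, not part of the original thread. It assumes the profile root `~/.mozilla/firefox` and the preference name `gfx.downloadable_fonts.enabled` as about:config lists it (change `PREF` if your build shows a different name), and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: audit Firefox profiles for the downloadable-fonts mitigation.
PREF='gfx.downloadable_fonts.enabled'   # assumption: name as listed in about:config

# Print the value a profile will start with: "true", "false", or "default"
# when neither file sets the pref and Firefox's built-in default applies.
# user.js is applied at startup after prefs.js, so it wins when both set it.
font_pref_state() {
    local dir="$1" f val state=default
    for f in "$dir/prefs.js" "$dir/user.js"; do
        [ -r "$f" ] || continue
        # Within one file, the last user_pref() line for the pref takes effect.
        val=$(sed -n -E 's/^[[:space:]]*user_pref\("'"$PREF"'",[[:space:]]*(true|false)\).*/\1/p' "$f" | tail -n 1)
        [ -n "$val" ] && state=$val
    done
    echo "$state"
}

# Pin the mitigation in user.js unless the profile already starts with it off.
disable_fonts() {
    local dir="$1"
    [ "$(font_pref_state "$dir")" = false ] && return 0
    printf 'user_pref("%s", false);\n' "$PREF" >> "$dir/user.js"
}

# List "<state><TAB><profile>" for each profile under a profile root.
audit_profiles() {
    local root="${1:-$HOME/.mozilla/firefox}" p
    for p in "$root"/*/; do
        [ -f "${p}prefs.js" ] || [ -f "${p}user.js" ] || continue
        printf '%s\t%s\n' "$(font_pref_state "${p%/}")" "${p%/}"
    done
}

# Demo on a constructed throwaway profile: ./script --demo
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d); mkdir "$d/abc.default"
    echo "user_pref(\"$PREF\", true);" > "$d/abc.default/prefs.js"
    audit_profiles "$d"; disable_fonts "$d/abc.default"; audit_profiles "$d"
    rm -rf "$d"
fi
```

Firefox reads user.js only at startup, so restart the browser after `disable_fonts` and remove the line again once the patched package is installed.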
Hi,
Thanks! I wasn't aware of it. I just looked at the changelogs but did not notice a problem. Again thanks for the link, heads up and temporary fix. :hattip: |
Thanks a lot for the suggestions! Hopefully they can get a patch out soon.
|
Where would I find a Slackbuild for FireFox?
|
Thanks!
|
Quote:
Depending on your Slackware version, here's a starting point (your mileage may vary; I'm running -current and it runs great, but it's up to you to make sure it will work with the version you're running). You should have at least a minimal understanding of the way a Slackbuild works. SBo is a different project (no support for this particular unofficial customization) but their How-To may help getting started using slackbuilds. Good luck! |
Found it.
Thanks! |
Sorry to hijack thread, but:
Code:
ARCH=${ARCH:-i686}
Once again sorry for the hijack, but I am trying to get FF 3.6.2 and this seems like a very relevant thread. Cheers, Tom |
It should work. What processor have you got? Post the results of uname -a.
|
Super fast reply. Cheers, I'll post output when I get home from work tonight!
Thanks again, Tom |
Hi all,
While it is possible (and frankly easy) to roll my own updated Firefox using a new source file and the SlackBuild script in the sources, it would be nice to have an official update. Has anyone had any word? Regards, |
I haven't, no, but I haven't checked Slackpkg update yet for today (I assume you have checked something like this, or your last post would be different :p). Maybe something could be gleaned from lurking in the IRC channel? I'm not big on IRC so I for one will wait patiently.
Sasha |
Quote:
Regards, |
Quote:
And, the Slackbuild will do everything *except* install the finished package. It will terminate with something like:
Code:
Package /some/output/path/blah-version-arch-123.tgz created.
Code:
installpkg /some/output/path/blah-version-arch-123.tgz |
Quote:
Eric |
Not yet...patience :)
|
The number of hits on the changelog's server is probably preventing update at this point!
|
The sync out to the mirrors is not yet complete, it will take a while to become visible I guess.
Eric |
OK now. ChangeLogs changed. Your patience has been rewarded. :)
|
Spoke too soon. Not on mirrors yet. :redface:
|
Update on my mirror is complete!
|
And mine (tds).
|
Hello,
Am I the only one, but when I check Changelog for -current 32-bits on slackware site, there is no mention of any change since 16th March? ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt |
Says 31st March here. Try force refreshing the page. (shift-refresh or ctrl-F5 in firefox)
|
Strange, I emptied my cache in Firefox and also force refresh and still no update from "official" slackware changelog.
However I can see the updated changelogs on some random mirrors: ftp://ftp.slackware.org.uk/slackware.../ChangeLog.txt ftp://ftp.slackware.pl/pub/slackware.../ChangeLog.txt ftp://sunsite.icm.edu.pl/pub/Linux/s.../ChangeLog.txt I also came upon mirrors in the process of being updated (at time of writing this post) or for which mirroring was aborted (extra/ is updated on 31st March but other files/directories are not). ftp://mirrors.blueyonder.co.uk/sites/ftp.slackware.com ftp://mirror.switch.ch/mirror/slackw...kware-current/ Maybe it's just that mirroring takes some time. But I'm still wondering why I can't see the "official" updated Changelog file. |
Most ISPs implement a transparent web-proxy/cache these days and they can sometimes deliver out of date information. The osuosl one has definitely been updated, so if it's still delivering the old one to you even after you've cleared your browser cache, then it's probably your ISP's fault. Alternatively, osuosl could be using some sort of round-robin cluster and not all nodes have been updated yet.
|
Thanks GazL for the explanation.
I will check tonight when I'm back home if my usual mirror is updated and if not I'll switch to one where I can see the update. |
I'm all up-to-date again! :D
|
<deleted for use in new thread as it seems more appropriate.>
|
I wondered if, once Firefox was updated, Seamonkey would need an update too. Well, tonight I got a notice that Seamonkey has an update available:
http://www.mozilla.org/security/know...amonkey20.html Version 2.04 is now available. |
The source for 3.6.3 was released today...
|
Well, darn. So now we start waiting for Firefox 3.6.3 . . .
For those that celebrate it, I hope everyone had a very nice Easter holiday. I certainly did not expect a lot of development/packaging to happen this weekend. :) |
Updated to FF 3.6.3 (and the rest) from tds mirror now.
|
This one, in the US:
http://slackware.mirrors.tds.net/pub/slackware/ I used to use a UK mirror, but they were always 2 days behind with updates. |
I use mirrorservice.org which is uk based. They sync daily.
|
That was the one I used to use. Strange, they always seemed to be 2 to 3 days behind some of the other mirrors. Maybe things have improved.
|
Time zone can be a factor. If Pat posts updates early morning US time then they might be too late for the daily sync and not turn up till the following day. I've never had to wait more than 1 day though.
My ISP Virgin Media have their own mirror, but I've found that one highly unreliable. |
I might give mirrorservice another try for the next updates.
|
I'm used to getting blame for everything, so that's OK. :)
|