first of all, this isn't a rant... i'm just really curious as to why this is the case... BTW, i am speaking only of ubuntu 6.06 LTS as it's the only one i run at the moment...
other distros have firefox security updates out the door only a few days (at most) after mozilla publicly releases them... yet on ubuntu it sometimes takes WEEKS... what exactly is the deal here?? i mean, ubuntu is leaving us vulnerable to known exploits for a seriously considerable amount of time...
Last edited by win32sux; 12-29-2006 at 03:17 AM.
Reason: changed "super-vulnerable" to "vulnerable" cuz craigevil has a point... =)
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...
i think he was just illustrating... keep in mind that 2.0.0.1 and 1.5.0.9 address basically the same security issues... AFAIK the 2.0.0.1 package hasn't been released for ubuntu 6.10 yet either (no notice at USN or email alert at the time of this post)...
looks like the fix has been released, at least for Ubuntu 6.10's Firefox 2.x.y.z:
Code:
===========================================================
Ubuntu Security Notice USN-398-1 January 02, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506,
CVE-2006-6507
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.10:
firefox 2.0.0.1+0dfsg-0ubuntu0.6.10
firefox-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnspr-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnspr4 2.0.0.1+0dfsg-0ubuntu0.6.10
libnss-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnss3 2.0.0.1+0dfsg-0ubuntu0.6.10
After a standard system upgrade you need to restart Firefox to effect
the necessary changes.
Details follow:
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)
Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript. (CVE-2006-6503,
CVE-2006-6507)
Jared Breland discovered that the "Feed Preview" feature could leak
referrer information to remote servers. (CVE-2006-6506)
nothing yet about Ubuntu 6.06 LTS's Firefox 1.5.x.y...
okay, got the USN for 5.10 and 6.06 LTS 10 minutes ago...
Code:
===========================================================
Ubuntu Security Notice USN-398-2 January 03, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
firefox-dev 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
firefox-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnspr-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnspr4 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss3 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
After a standard system upgrade you need to restart Firefox to effect
the necessary changes.
Details follow:
USN-398-1 fixed vulnerabilities in Firefox 2.0. This update provides
the corresponding updates for Firefox 1.5.
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)
Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript. (CVE-2006-6503)
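Added example, not part of the thread and not Ubuntu's own tooling: it parses the per-release package list of a notice in the format quoted above and reports which installed packages are still older than the fixed version, using a reimplementation of dpkg's version ordering. The function names and the `INSTALLED` sample are assumptions made for illustration.

```python
import re

def _order(c):  # dpkg rank of a non-digit: '~' < end of string < letters < the rest
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp(a, b):
    while a or b:  # alternate non-digit and digit runs, as dpkg does
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca, cb = (_order(s[i]) if i < len(s) else 0 for s in (na, nb))
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(a, b):  # -1, 0 or 1 for [epoch:]upstream[-revision]
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp(ua, ub) or _cmp(ra, rb)

def fixed_versions(notice):  # {release: {package: fixed version}}
    fixed, release = {}, None
    for line in filter(str.strip, notice.splitlines()):
        header = re.fullmatch(r"\s*(Ubuntu [\d.]+(?: LTS)?):\s*", line)
        pkg = re.fullmatch(r"\s*([a-z0-9][a-z0-9+.-]+)\s+(\d\S*)\s*", line)
        if pkg and release:
            fixed.setdefault(release, {})[pkg.group(1)] = pkg.group(2)
        else:  # a release header opens a package list, any other text ends it
            release = header.group(1) if header else None
    return fixed

def stale_packages(notice, release, installed):
    return sorted(p for p, v in fixed_versions(notice).get(release, {}).items()
                  if p in installed and compare_versions(installed[p], v) < 0)

# NOTICE is an excerpt of the USN-398-2 text quoted above.
NOTICE = """Ubuntu 5.10:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss3 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
After a standard system upgrade you need to restart Firefox to effect"""
INSTALLED = {"firefox": "1.5.dfsg+1.5.0.8-0ubuntu0.6.06"}  # constructed sample
```

On a real system `dpkg --compare-versions` performs the same comparison against the installed package database.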
i have indeed seen many people complain on other sites about how long it's taking ubuntu to update firefox when security vulnerabilities are fixed... one of the reasons i've seen people throw around is that the delay is at mozilla itself, who needs to approve any patches ubuntu applies in order to protect the "Firefox" trademark...
anyone got any comments on that??
maybe ubuntu should go the way of the IceWeasel, hehe...