LinuxQuestions.org

Ubuntu forum: why does ubuntu take so long to update firefox? (https://www.linuxquestions.org/questions/ubuntu-63/why-does-ubuntu-take-so-long-to-update-firefox-514535/)

win32sux 12-29-2006 02:32 AM

why does ubuntu take so long to update firefox?
 
first of all, this isn't a rant... i'm just really curious as to why this is the case... BTW, i am speaking only of ubuntu 6.06 LTS as it's the only one i run at the moment...

other distros have firefox security updates out the door only a few days (at most) after mozilla publicly releases them... yet on ubuntu it sometimes takes WEEKS... what exactly is the deal here?? i mean, ubuntu is leaving us vulnerable to known exploits for a seriously considerable amount of time... :confused:

craigevil 12-29-2006 03:11 AM

Probably not "super-vulnerable":
Fixed in Firefox 2.0.0.1
MFSA 2006-76 XSS using outer window's Function object
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

There are a lot of posts asking the same thing. Debian had 2.0.0.1 in less than a week after the official Mozilla release of Firefox 2.0.0.1.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-1)

Perhaps one of the Ubuntu mailing lists or the ubuntu forum would result in a reasonable answer as to what takes them so long to update it?

Heck, I don't get why it is tied into the ubuntu desktop the way it is; seems almost Windows-like to tie a browser into the OS/desktop.

esaym 12-29-2006 10:36 AM

6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...

win32sux 12-29-2006 10:41 AM

Quote:

Originally Posted by esaym
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...

i think he was just illustrating... keep in mind that 2.0.0.1 and 1.5.0.9 address basically the same security issues... AFAIK the 2.0.0.1 package hasn't been released for ubuntu 6.10 yet either (no notice at USN or email alert at the time of this post)...

win32sux 01-02-2007 09:09 PM

got a USN email in my box 30 minutes ago...

looks like the fix has been released, at least for Ubuntu 6.10's Firefox 2.x.y.z:
Code:

===========================================================
Ubuntu Security Notice USN-398-1          January 02, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506,
CVE-2006-6507
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
 firefox                                  2.0.0.1+0dfsg-0ubuntu0.6.10
 firefox-dev                              2.0.0.1+0dfsg-0ubuntu0.6.10
 libnspr-dev                              2.0.0.1+0dfsg-0ubuntu0.6.10
 libnspr4                                 2.0.0.1+0dfsg-0ubuntu0.6.10
 libnss-dev                               2.0.0.1+0dfsg-0ubuntu0.6.10
 libnss3                                  2.0.0.1+0dfsg-0ubuntu0.6.10

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG.  (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)

Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript.  (CVE-2006-6503,
CVE-2006-6507)

Jared Breland discovered that the "Feed Preview" feature could leak
referrer information to remote servers.  (CVE-2006-6506)

nothing yet about Ubuntu 6.06 LTS's Firefox 1.5.x.y... :(

win32sux 01-03-2007 02:56 PM

okay, got the USN for 5.10 and 6.06 LTS 10 minutes ago...
Code:

===========================================================
Ubuntu Security Notice USN-398-2          January 03, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
 firefox                                  1.5.dfsg+1.5.0.9-0ubuntu0.5.10
 firefox-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.5.10

Ubuntu 6.06 LTS:
 firefox                                  1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 firefox-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnspr-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnspr4                                 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnss-dev                               1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnss3                                  1.5.dfsg+1.5.0.9-0ubuntu0.6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

USN-398-1 fixed vulnerabilities in Firefox 2.0.  This update provides
the corresponding updates for Firefox 1.5.

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG.  (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)

Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript.  (CVE-2006-6503)

i have indeed seen many people complain on other sites about how long it's taking ubuntu to update firefox when security vulnerabilities are fixed... one of the reasons i've seen people throw around is that the delay is at mozilla itself, who needs to approve any patches ubuntu applies in order to protect the "Firefox" trademark...

anyone got any comments on that??

maybe ubuntu should go the way of the IceWeasel, hehe... :)
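The two USNs quoted above list, per release, the package versions that carry the fix, so the practical question for an admin is whether the installed packages have reached those versions, which means comparing Debian-style version strings the way dpkg does rather than as plain text. As an added example (not code from the thread, Ubuntu or Mozilla), this Python parses the package table quoted from USN-398-2 and re-implements dpkg's version ordering (epoch, tilde, alternating letter and digit runs); the installed-version dictionary in the test is constructed for illustration.

```python
import re
from itertools import zip_longest

# Package table from USN-398-2 as quoted in the thread above (Ubuntu 6.06 LTS section).
USN_398_2 = """\
Ubuntu 6.06 LTS:
 firefox                                  1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 firefox-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.6.06
"""

def parse_usn_packages(text):
    """Map each 'Ubuntu X.YY[ LTS]:' header to {package: fixed_version}."""
    fixed, release = {}, None
    for line in text.splitlines():
        m = re.match(r'^(Ubuntu [\d.]+(?: LTS)?):\s*$', line)
        if m:
            release, fixed[m.group(1)] = m.group(1), {}
        elif release and line.startswith(' '):   # indented "package  version" row
            pkg, ver = line.split()
            fixed[release][pkg] = ver
    return fixed

def _order(c):  # dpkg character ordering: '~' < end-of-string < letters < other symbols
    return -1 if c == '~' else ord(c) if c.isalpha() else ord(c) + 256 if c else 0

def _cmp_part(a, b):
    """dpkg-style compare of one version part: alternate non-digit runs and digit runs."""
    while a or b:
        sa, sb = re.match(r'\D*', a).group(), re.match(r'\D*', b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=''):
            ox, oy = _order(x), _order(y)
            if ox != oy: return (ox > oy) - (ox < oy)
        na, nb = re.match(r'\d*', a).group(), re.match(r'\d*', b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib: return (ia > ib) - (ia < ib)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`; format [epoch:]upstream[-revision]."""
    pat = r'(?:(\d+):)?(.*?)(?:-([^-]*))?$'
    (e1, u1, r1), (e2, u2, r2) = (re.match(pat, v).groups() for v in (v1, v2))
    e1, e2 = int(e1 or 0), int(e2 or 0)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1 or '', r2 or '')

def unpatched(advisory, release, installed):
    """Names from `installed` ({package: version}) still older than the advisory's fix."""
    fixed = parse_usn_packages(advisory).get(release, {})
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
```

On a real system the `installed` mapping would come from `dpkg-query -W -f '${Package} ${Version}\n'`; packages the advisory does not name are ignored.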
