12-29-2006, 02:32 AM
|
#1
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
why does ubuntu take so long to update firefox?
first of all, this isn't a rant... i'm just really curious as to why this is the case... BTW, i am speaking only of ubuntu 6.06 LTS as it's the only one i run at the moment...
other distros have firefox security updates out the door only a few days (at most) after mozilla publicly releases them... yet on ubuntu it sometimes takes WEEKS... what exactly is the deal here?? i mean, ubuntu is leaving us vulnerable to known exploits for a seriously considerable amount of time... 
Last edited by win32sux; 12-29-2006 at 03:17 AM.
Reason: changed "super-vulnerable" to "vulnerable" cuz craigevil has a point... =)
|
|
|
12-29-2006, 03:11 AM
|
#2
|
Senior Member
Registered: Apr 2005
Location: Heaven
Distribution: Debian Sid/RPIOS
Posts: 4,917
|
Probably not "super-vulnerable":
Fixed in Firefox 2.0.0.1
MFSA 2006-76 XSS using outer window's Function object
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escalation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
There are a lot of posts asking the same thing. Debian had 2.0.0.1 in less than a week after the official Mozilla release of Firefox 2.0.0.1.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-1)
Perhaps one of the Ubuntu mailing lists or the ubuntu forum would result in a reasonable answer to what takes them so long to update it?
Heck I don't get why it is tied into the ubuntu desktop the way it is, seems almost windows like to tie a browser into the OS/desktop.
|
|
|
12-29-2006, 10:36 AM
|
#3
|
Member
Registered: Nov 2006
Distribution: Lots of Debian
Posts: 165
|
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...
|
|
|
12-29-2006, 10:41 AM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Original Poster
|
Quote:
Originally Posted by esaym
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...
|
i think he was just illustrating... keep in mind that 2.0.0.1 and 1.5.0.9 address basically the same security issues... AFAIK the 2.0.0.1 package hasn't been released for ubuntu 6.10 yet either (no notice at USN or email alert at the time of this post)...
|
|
|
01-02-2007, 09:09 PM
|
#5
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Original Poster
|
got a USN email in my box 30 minutes ago...
looks like the fix has been released, at least for Ubuntu 6.10's Firefox 2.x.y.z:
Code:
===========================================================
Ubuntu Security Notice USN-398-1 January 02, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506,
CVE-2006-6507
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.10:
firefox 2.0.0.1+0dfsg-0ubuntu0.6.10
firefox-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnspr-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnspr4 2.0.0.1+0dfsg-0ubuntu0.6.10
libnss-dev 2.0.0.1+0dfsg-0ubuntu0.6.10
libnss3 2.0.0.1+0dfsg-0ubuntu0.6.10
After a standard system upgrade you need to restart Firefox to effect
the necessary changes.
Details follow:
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)
Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript. (CVE-2006-6503,
CVE-2006-6507)
Jared Breland discovered that the "Feed Preview" feature could leak
referrer information to remote servers. (CVE-2006-6506)
nothing yet about Ubuntu 6.06 LTS's Firefox 1.5.x.y... 
Last edited by win32sux; 01-03-2007 at 03:00 PM.
|
|
|
01-03-2007, 02:56 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Original Poster
|
okay, got the USN for 5.10 and 6.06 LTS 10 minutes ago...
Code:
===========================================================
Ubuntu Security Notice USN-398-2 January 03, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
firefox-dev 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
firefox-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnspr-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnspr4 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss-dev 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss3 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
After a standard system upgrade you need to restart Firefox to effect
the necessary changes.
Details follow:
USN-398-1 fixed vulnerabilities in Firefox 2.0. This update provides
the corresponding updates for Firefox 1.5.
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG. (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)
Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript. (CVE-2006-6503)
i have indeed seen many people complain on other sites about how long it's taking ubuntu to update firefox when security vulnerabilities are fixed... one of the reasons i've seen people throw around is that the delay is at mozilla itself, who needs to approve any patches ubuntu applies in order to protect the "Firefox" trademark...
anyone got any comments on that??
maybe ubuntu should go the way of the IceWeasel, hehe... 
Last edited by win32sux; 01-03-2007 at 03:00 PM.
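Added example (not part of any post in this thread, and not Ubuntu's own tooling): a Python check that reads the package table of USN-398-2 quoted above and reports which installed packages are still below the fixed version, using Debian's version ordering rules. The `INSTALLED` mapping is a constructed sample, and the function names are chosen for this illustration.

```python
import re

# Package table from USN-398-2 as quoted in the thread (abridged).
USN_398_2 = """\
Ubuntu 5.10:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.5.10
Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
libnss3 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
Details follow:
"""

# Constructed sample of installed versions (e.g. as reported by dpkg-query).
INSTALLED = {"firefox": "1.5.dfsg+1.5.0.8-0ubuntu0.6.06",
             "libnss3": "1.5.dfsg+1.5.0.9-0ubuntu0.6.06"}

def parse_fixed_versions(text):
    """Return {release: {package: fixed_version}} from a USN package table."""
    fixed, release = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"Ubuntu (.+):", line)
        entry = re.fullmatch(r"(\S+) (\d\S*)", line)  # versions start with a digit
        if header:
            release = header.group(1)
            fixed[release] = {}
        elif entry and release:
            fixed[release][entry.group(1)] = entry.group(2)
    return fixed

def _order(c):
    # dpkg ordering: '~' sorts before end-of-string, letters before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _part_key(part):
    # Alternating non-digit runs (ranked by _order, 0 marks the end) and numbers.
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def deb_key(version):
    """Sort key following Debian's epoch:upstream-revision comparison rules."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return (int(epoch), _part_key(upstream), _part_key(revision))

def missing_fixes(usn_text, release, installed):
    """Installed packages that are older than the fixed version the USN lists."""
    fixed = parse_fixed_versions(usn_text).get(release, {})
    return sorted(p for p, v in installed.items()
                  if p in fixed and deb_key(v) < deb_key(fixed[p]))
```

Calling `missing_fixes(USN_398_2, "6.06 LTS", INSTALLED)` lists only `firefox`, since the sample `libnss3` is already at the fixed version.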
|
|
|
All times are GMT -5. The time now is 07:22 AM.