LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Ubuntu
User Name
Password
Ubuntu This forum is for the discussion of Ubuntu Linux.

Notices


Reply
  Search this Thread
Old 12-29-2006, 02:32 AM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Question why does ubuntu take so long to update firefox?


first of all, this isn't a rant... i'm just really curious as to why this is the case... BTW, i am speaking only of ubuntu 6.06 LTS as it's the only one i run at the moment...

other distros have firefox security updates out the door only a few days (at most) after mozilla publicly releases them... yet on ubuntu it sometimes takes WEEKS... what exactly is the deal here?? i mean, ubuntu is leaving us vulnerable to known exploits for a seriously considerable amount of time...

Last edited by win32sux; 12-29-2006 at 03:17 AM. Reason: changed "super-vulnerable" to "vulnerable" cuz craigevil has a point... =)
 
Old 12-29-2006, 03:11 AM   #2
craigevil
Senior Member
 
Registered: Apr 2005
Location: Heaven
Distribution: Debian Sid/RPIOS
Posts: 4,917
Blog Entries: 29

Rep: Reputation: 541Reputation: 541Reputation: 541Reputation: 541Reputation: 541Reputation: 541
Probably not "super-vulnerable":
Fixed in Firefox 2.0.0.1
MFSA 2006-76 XSS using outer window's Function object
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

There are a lot of posts asking the same thing. Debian had 2.0.0.1 in less than a week after the official Mozilla release of Firefox 2.0.0.1.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-1)

Perhaps one of the Ubuntu mailing lists or the ubuntu forum would result in a reasonable answer to what take them so long to updated it?

Heck I don't get why it is tied into the ubuntu desktop they way it is,seems almost windows like to tie a browser into the OS/desktop.
 
Old 12-29-2006, 10:36 AM   #3
esaym
Member
 
Registered: Nov 2006
Distribution: Lots of Debian
Posts: 165

Rep: Reputation: 32
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...
 
Old 12-29-2006, 10:41 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by esaym
6.06 does not have ff2 in it. Could you elaborate on how you installed it? From what I understood, if one installs ff2 on 6.06 then you will not get automatic updates...
i think he was just illustrating... keep in mind that 2.0.0.1 and 1.5.0.9 address basically the same security issues... AFAIK the 2.0.0.1 package hasn't been released for ubuntu 6.10 yet either (no notice at USN or email alert at the time of this post)...
 
Old 01-02-2007, 09:09 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
got a USN email in my box 30 minutes ago...

looks like the fix has been released, at least for Ubuntu 6.10's Firefox 2.x.y.z:
Code:
===========================================================
Ubuntu Security Notice USN-398-1           January 02, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504, CVE-2006-6506,
CVE-2006-6507
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
 firefox                                  2.0.0.1+0dfsg-0ubuntu0.6.10
 firefox-dev                              2.0.0.1+0dfsg-0ubuntu0.6.10
 libnspr-dev                              2.0.0.1+0dfsg-0ubuntu0.6.10
 libnspr4                                 2.0.0.1+0dfsg-0ubuntu0.6.10
 libnss-dev                               2.0.0.1+0dfsg-0ubuntu0.6.10
 libnss3                                  2.0.0.1+0dfsg-0ubuntu0.6.10

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG.  (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)

Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript.  (CVE-2006-6503,
CVE-2006-6507)

Jared Breland discovered that the "Feed Preview" feature could leak
referrer information to remote servers.  (CVE-2006-6506)
nothing yet about Ubuntu 6.06 LTS's Firefox 1.5.x.y...

Last edited by win32sux; 01-03-2007 at 03:00 PM.
 
Old 01-03-2007, 02:56 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
okay, got the USN for 5.10 and 6.06 LTS 10 minutes ago...
Code:
===========================================================
Ubuntu Security Notice USN-398-2           January 03, 2007
firefox vulnerabilities
CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6501,
CVE-2006-6502, CVE-2006-6503, CVE-2006-6504
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
 firefox                                  1.5.dfsg+1.5.0.9-0ubuntu0.5.10
 firefox-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.5.10

Ubuntu 6.06 LTS:
 firefox                                  1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 firefox-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnspr-dev                              1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnspr4                                 1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnss-dev                               1.5.dfsg+1.5.0.9-0ubuntu0.6.06
 libnss3                                  1.5.dfsg+1.5.0.9-0ubuntu0.6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Details follow:

USN-398-1 fixed vulnerabilities in Firefox 2.0.  This update provides
the corresponding updates for Firefox 1.5.

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious web page containing JavaScript or SVG.  (CVE-2006-6497,
CVE-2006-6498, CVE-2006-6499, CVE-2006-6501, CVE-2006-6502,
CVE-2006-6504)

Various flaws have been reported that allow an attacker to bypass
Firefox's internal XSS protections by tricking the user into opening a
malicious web page containing JavaScript.  (CVE-2006-6503)
i have indeed seen many people complain on other sites about how long it's taking ubuntu to update firefox when security vulnerabilities are fixed... one of the reasons i've seen people throw around is that the delay is at mozilla itself, whom needs to approve any patches ubuntu applies in order to protect the "Firefox" trademark...

anyone got any comments on that??

maybe ubuntu should go the way of the IceWeasel, hehe...

Last edited by win32sux; 01-03-2007 at 03:00 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Ubuntu Dapper: Ready for the long haul LXer Syndicated Linux News 0 06-11-2006 04:33 PM
FC5: Firefox Takes Too Long to Load... sancho Fedora 6 05-02-2006 10:09 PM
Firefox 1.5 -- How Long Til It's Added to Repositories? Trip in VA Fedora 10 12-10-2005 05:07 PM
Firefox pauses when scrolling long distances Charred Slackware 5 07-15-2005 02:04 PM
Firefox - Script takes a long time to go away Irving Linux - Software 1 05-05-2004 09:42 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Ubuntu

All times are GMT -5. The time now is 07:22 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration