MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends on their vulnerability page that users "should move to a better performing, less buggy browser." Looking at the open issues for IE, it clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#55 Re: I beg to differ....

by asa <asa@mozilla.org>

Wednesday May 1st, 2002 9:36 AM

>Perhaps time to stop using mozilla until someone other than netscape controls what is and isn't pulled from the bug tree?

Not sure what you're talking about. There was a short period of time (hours not days) where those with the skills to fix the problem had a private discussion, the fix was generated and applied to the trunk and the bug is open and completely visible. If you're concerned about this bug then get today's build where it's no longer a problem. I don't see that kind of turnaround from any other browser on the planet. Mozilla takes browser vulnerabilities very seriously and if this fellow had reported the bug to Mozilla rather than trying to make money off of it then the bug would have been fixed considerably sooner. 9 out of 10 folks that care about Mozilla and browser users in general try to work with the developers on a project to get these things fixed. They do that by contacting _Mozilla_ developers and working with them in Bugzilla to get a fix. This guy decided to go to one particular vendor who distributes a Mozilla-based product and try to make money off of his find. I'm glad that his type is in the minority and most people know that working with Mozilla is the best way to effect change in the codebase.

--Asa