Mozilla Security Hole
Tuesday April 30th, 2002
Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.
On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.
UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.
Wednesday May 1st, 2002 10:05 AM
You are replying to this message
>There was a short period of time (hours not days) where those with the skills to fix the problem >had a private discussion, the fix was generated and applied to the trunk and the bug is open and >completely visible.
Because, as you'll see in the bug comments, it was already public.
Yes I'm thankful that, reading the bug report, at least a couple noted the folly of hiding the bug, the security policy page you posted elsewhere in here speaks louder though.
You're right though, there is a sad lack of well-featured, secure browsers around, perhaps you should write one? ;o) Ok, I jest, but I hope your statements about taking security seriously (know any vendor who doesn't say that?) show themselves in the robustness of the browser, as others turn their attention to finding security holes in mozilla. Thus far it'll take more than a promise, sorry.
There's always chroot thankfully.