MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in Bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic's vulnerability page recommends that users "should move to a better performing, less buggy browser." Looking at the open issues for IE, it clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#93 Re: maybe Netscape should move a bit faster?

by asa <asa@mozilla.org>

Thursday May 2nd, 2002 11:42 AM

When I file a bug in Bugzilla (which would have been the more community-spirited thing to do, but I guess greed overrules decency for most people), sometimes I have to wait for a developer to look at the problem. A 5-day wait (where two of those days are a weekend) isn't out of the ordinary for Bugzilla bugs (with the exception of security-sensitive issues or other critical problems). Developers, even those working on security issues, are all overloaded with work these days. Welcome to the real world of software development. If Grey Magic had filed a bug in Bugzilla or sent mail to <security@mozilla.org> (it was a bug in core Mozilla code, not something specific to one vendor's distribution, after all) rather than attempting to get a bounty from Netscape, he would have had an immediate response and the bug would have been fixed 4 or 5 days earlier.

--Asa