Mozilla Privacy Bug
Saturday September 14th, 2002
Yesterday, ZDNet UK News reported that Mozilla has a privacy flaw involving HTTP referers. The flaw can be exploited using the
The bug was filed in Bugzilla as bug 145579 on Sunday 19th May, with the more serious
UPDATE! Bug 145579 has now been made public.
ANOTHER UPDATE! A fix has been checked in to the trunk. A patch for the 1.0 branch will follow shortly.
YET ANOTHER UPDATE! A patch has now been checked in to the 1.0 branch.
#16 Bad policy strikes again
Sunday September 15th, 2002 9:07 PM
Go ahead and flame me again Asa, but the security bug policy is shown AGAIN to be bad and unworkable. The policy of restricting access to security bugs keeps people from knowing about a problem, without promoting a timely fix. In the case of bug 145579, the restriction was used as a whitewash. The bug was reported, the access was restricted, and we got TWO major releases (1.0 and 1.1) without a fix.
The only thing that got us a fix in this case was Bugtraq lighting fires under asses. This is exactly the behavior that I expect from some useless software megacorps, but not from the shining flag-bearer of open development.
Finally, I want to say that it is *immoral* to know about security flaws in software without reporting them to your users. It is doubly bad to intentionally hide the problem without making an effort toward fixing it for over four months.