first critical security leak by firefox 3 - Mozilla


Thread: first critical security leak by firefox 3

  1. Re: first critical security leak by firefox 3

    Q wrote:
    > On Fri, 20 Jun 2008 22:00:00 -0500
    > Jay Garcia wrote:
    >
    >> On 20.06.2008 20:57, Q wrote:
    >>
    >>> On Fri, 20 Jun 2008 11:55:33 +0200
    >>> squaredancer wrote:
    >>>
    >>>> no use waiting for a patch - the bug won't be resolved until the
    >>>> next release, as Moz refuses to run patches.
    >>> They've been releasing Firefox patches for years now, ever since
    >>> automatic updating was introduced.

    >> But it's still a full download IIRC. Don't ever remember seeing a 100k
    >> "patch" or the like.

    >
    > They're just globs of binary diff files along with some metadata. The
    > patchset for updating Fx 2.0.0.13 to 2.0.0.14 (en-US) is 269 KB.
    >

    I have heard of these files. But I don't know anybody who can use it to
    update firefox. But I don't like to use the update function. It makes
    only problems. The best thing is to download the new version from the
    server and put it over the old one. That's the best method.

  2. Re: first critical security leak by firefox 3

    On 21.06.2008 00:43, Q wrote:

    --- Original Message ---

    > On Fri, 20 Jun 2008 22:00:00 -0500
    > Jay Garcia wrote:
    >
    >> On 20.06.2008 20:57, Q wrote:
    >>
    >> > On Fri, 20 Jun 2008 11:55:33 +0200
    >> > squaredancer wrote:
    >> >
    >> >> no use waiting for a patch - the bug won't be resolved until the
    >> >> next release, as Moz refuses to run patches.
    >> >
    >> > They've been releasing Firefox patches for years now, ever since
    >> > automatic updating was introduced.

    >>
    >> But it's still a full download IIRC. Don't ever remember seeing a 100k
    >> "patch" or the like.

    >
    > They're just globs of binary diff files along with some metadata. The
    > patchset for updating Fx 2.0.0.13 to 2.0.0.14 (en-US) is 269 KB.
    >


    Interesting, I have NEVER received anything but a full package,
    multi-meg update either automatic OR when clicking "Check Updates".

    --
    Jay Garcia Netscape Champion
    UFAQ - http://www.UFAQ.org

  3. Re: first critical security leak by firefox 3

    On 6/21/08 7:01 AM, _squaredancer_ spoke thusly:
    > On 21.06.2008 03:57, CET - what odd quirk of fate caused Q to
    > generate the following:? :
    >> They've been releasing Firefox patches for years now, ever since
    >> automatic updating was introduced.

    >
    > a genuine patch will d/l and then auto-install OVER the bad code only,
    > on user-instruction (see windows patches)... or, in some cases even
    > auto-install on d/l.
    > The FF / TB updates are *called* updates - not patches - so that the
    > User actually believes that s/he is getting the latest version - and to
    > disprove your point... d/l and installing FF 2.0.0.14 "from scratch" (ie
    > without any Moz previously installed) will d/l and install the *FULL*
    > version... not just 269KB of revised code!


    ftp://releases.mozilla.org/pub/mozil...14.partial.mar
    [269 KB]

    Firefox updates are offered as both: full download or patch to the
    previous version. Patches are offered via the auto-update mechanism
    (Help-->Check for Updates...).

    --
    Chris Ilias
    List-owner: support-firefox, support-thunderbird, test-multimedia

  4. Re: first critical security leak by firefox 3

    On 21.06.2008 17:43, CET - what odd quirk of fate caused Chris Ilias to
    generate the following:? :
    > On 6/21/08 7:01 AM, _squaredancer_ spoke thusly:
    >
    >> On 21.06.2008 03:57, CET - what odd quirk of fate caused Q to
    >> generate the following:? :
    >>
    >>> They've been releasing Firefox patches for years now, ever since
    >>> automatic updating was introduced.
    >>>

    >> a genuine patch will d/l and then auto-install OVER the bad code only,
    >> on user-instruction (see windows patches)... or, in some cases even
    >> auto-install on d/l.
    >> The FF / TB updates are *called* updates - not patches - so that the
    >> User actually believes that s/he is getting the latest version - and to
    >> disprove your point... d/l and installing FF 2.0.0.14 "from scratch" (ie
    >> without any Moz previously installed) will d/l and install the *FULL*
    >> version... not just 269KB of revised code!
    >>

    >
    > ftp://releases.mozilla.org/pub/mozil...14.partial.mar
    > [269 KB]
    >
    >


    tell me do - what the hell is a *.mar file???

    reg
    > Firefox updates are offered as both: full download or patch to the
    > previous version. Patches are offered via the auto-update mechanism
    > (Help-->Check for Updates...).
    >
    >



  5. Re: first critical security leak by firefox 3

    Spiderman wrote:
    > Q wrote:
    >> On Fri, 20 Jun 2008 22:00:00 -0500
    >> Jay Garcia wrote:
    >>
    >>> On 20.06.2008 20:57, Q wrote:
    >>>
    >>>> On Fri, 20 Jun 2008 11:55:33 +0200
    >>>> squaredancer wrote:
    >>>>
    >>>>> no use waiting for a patch - the bug won't be resolved until the
    >>>>> next release, as Moz refuses to run patches.
    >>>> They've been releasing Firefox patches for years now, ever since
    >>>> automatic updating was introduced.
    >>> But it's still a full download IIRC. Don't ever remember seeing a 100k
    >>> "patch" or the like.

    >>
    >> They're just globs of binary diff files along with some metadata. The
    >> patchset for updating Fx 2.0.0.13 to 2.0.0.14 (en-US) is 269 KB.
    >>

    > I have heard of these files. But I don't know anybody who can use it to
    > update firefox. But I don't like to use the update function. It makes
    > only problems. The best thing is to download the new version from the
    > server and put it over the old one. That's the best method.


    It is, IF you have broadband. Dialup users may disagree.


    --
    Ron Hunter rphunter@charter.net

  6. Re: first critical security leak by firefox 3

    On 6/21/08 12:01 PM, _squaredancer_ spoke thusly:
    > On 21.06.2008 17:43, CET - what odd quirk of fate caused Chris Ilias to
    > generate the following:? :
    >
    >> ftp://releases.mozilla.org/pub/mozil...14.partial.mar
    >> [269 KB]

    >
    > tell me do - what the hell is a *.mar file???


    It's the file extension Mozilla uses for auto-update patches. That's the
    file that gets downloaded.

    --
    Chris Ilias
    List-owner: support-firefox, support-thunderbird, test-multimedia
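
For readers with the same question, an added example (not part of the thread and not Mozilla's code): a minimal reader for the MAR container that the posts above describe as binary diffs plus metadata. It assumes the original unsigned MAR layout (`MAR1` magic, a big-endian index offset, then an index of offset/length/flags/name entries); the sample archive, its entry names and the helper names are constructed for illustration.

```python
import struct

MAGIC = b"MAR1"
HEADER_LEN = 8  # magic + 4-byte big-endian offset of the index


class MarError(ValueError):
    """Raised when the archive violates the assumed layout."""


def build_sample_mar(files):
    """Build a constructed MAR-style archive from {entry name: bytes}."""
    body, index, offset = b"", b"", HEADER_LEN
    for name, data in files.items():
        index += struct.pack(">III", offset, len(data), 0o644) + name.encode() + b"\0"
        body += data
        offset += len(data)
    return MAGIC + struct.pack(">I", offset) + body + struct.pack(">I", len(index)) + index


def list_mar(blob):
    """Return [(name, offset, length, flags)], validating every field first."""
    if len(blob) < HEADER_LEN + 4 or blob[:4] != MAGIC:
        raise MarError("not a MAR archive")
    (index_off,) = struct.unpack_from(">I", blob, 4)
    if index_off < HEADER_LEN or index_off + 4 > len(blob):
        raise MarError("index offset outside file")
    (index_len,) = struct.unpack_from(">I", blob, index_off)
    pos, end = index_off + 4, index_off + 4 + index_len
    if end > len(blob):
        raise MarError("index runs past end of file")
    entries = []
    while pos < end:
        if pos + 12 > end:
            raise MarError("truncated index entry")
        off, length, flags = struct.unpack_from(">III", blob, pos)
        nul = blob.find(b"\0", pos + 12, end)
        if nul == -1:
            raise MarError("unterminated entry name")
        name = blob[pos + 12:nul].decode("latin-1")
        # Entry data must sit between the header and the index.
        if off < HEADER_LEN or off + length > index_off:
            raise MarError(f"{name!r}: data outside content region")
        # Names become paths under the install directory: refuse escapes.
        parts = name.split("/")
        if name.startswith("/") or "\\" in name or ".." in parts or "" in parts:
            raise MarError(f"{name!r}: unsafe entry name")
        entries.append((name, off, length, flags))
        pos = nul + 1
    return entries


# Constructed sample: placeholder contents, not a real Firefox update.
SAMPLE = build_sample_mar({
    "update.manifest": b"(constructed manifest text)\n",
    "firefox.exe.patch": b"(constructed binary diff bytes)",
})

if __name__ == "__main__":
    for name, off, length, flags in list_mar(SAMPLE):
        print(f"{name:20} offset={off:<4} length={length:<4} flags={flags:o}")
```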

  7. Re: first critical security leak by firefox 3

    On 21.06.2008 18:25, CET - what odd quirk of fate caused Chris Ilias to
    generate the following:? :
    > On 6/21/08 12:01 PM, _squaredancer_ spoke thusly:
    >
    >> On 21.06.2008 17:43, CET - what odd quirk of fate caused Chris Ilias to
    >> generate the following:? :
    >>
    >>
    >>> ftp://releases.mozilla.org/pub/mozil...14.partial.mar
    >>> [269 KB]
    >>>

    >> tell me do - what the hell is a *.mar file???
    >>

    >
    > It's the file extension Mozilla uses for auto-update patches. That's the
    > file that gets downloaded.
    >
    >


    with a few words of explanatory text, you would have saved on three posts!

    reg

  8. Re: first critical security leak by firefox 3

    On 06/21/2008 07:35 AM, Jay Garcia wrote:
    >
    > Interesting, I have NEVER received anything but a full package,
    > multi-meg update either automatic OR when clicking "Check Updates".
    >


    It seems to me that the auto-update system can only efficiently handle
    upgrading from one minor version to another, e.g. 2.0.0.13 --> 2.0.0.14;
    in my experience, jumps (2.0.0.9 -> 2.0.0.14) don't work (well, they do
    work, but require a full download of FX).

    Evidently, the update system can't figure out that it can upgrade by
    doing several small upgrades in sequence.


  9. Re: first critical security leak by firefox 3

    Mumia Wotse wrote:
    > On 06/21/2008 07:35 AM, Jay Garcia wrote:
    >>
    >> Interesting, I have NEVER received anything but a full package,
    >> multi-meg update either automatic OR when clicking "Check Updates".
    >>

    >
    > It seems to me that the auto-update system can only efficiently handle
    > upgrading from one minor version to another, e.g. 2.0.0.13 --> 2.0.0.14;
    > in my experience, jumps (2.0.0.9 -> 2.0.0.14) don't work (well, they do
    > work, but require a full download of FX).
    >
    > Evidently, the update system can't figure out that it can upgrade by
    > doing several small upgrades in sequence.
    >

    If done, that would probably entail downloading MORE, rather than less,
    and then taking MORE time to do the update.

  10. Re: first critical security leak by firefox 3

    Ron Hunter wrote:
    >...
    >>>
    >>> These are the Bugs that really *get me* - some of them are 5 and more
    >>> years on the list and still in the release version - but of course,
    >>> the release version has LOTS MORE bells and whistles - but do they
    >>> cancel out the bugs??
    >>>
    >>> reg

    >>
    >> I'm guessing there are bugs that can not and will not be fixed, ever,
    >> because they're a fundamental flaw in the core program and can't be
    >> fixed without a major rewrite. Firefox.exe running on after the last
    >> window is closed, as a possible example.
    >> One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    >> releases back so I believe they're fixing those things they can...
    >>
    >> *(I have Thunderbird open 24-7 on my work box. Whenever I had to close
    >> it for an add-on or something, the .exe used to run on for ~10 minutes
    >> after quitting the application. Now it stops immediately.)

    >
    > Some bugs require fixing at the OS level. Others aren't more than an
    > occasional problem, and would be very hard to nail down (like the one
    > you mention, that I strongly suspect is a Windows bug).
    >


    This particular niggle has been around a while. I've seen it on NT4, 2K,
    XP, and read reports of it on 95 and 98... all Windows OS but different
    architecture.
    I would tend to point to Windows as well except I had the Thunderbird
    process run on on my Linux (Ubuntu) box once.
    Then again, that could have been explained by the 'clicking the 'X' to
    close doesn't close the application' Mozilla party line. (which btw, is
    very apparent in Linux apps. If you don't 'quit' the program, only close
    the window 'X', and the application is written to continue to run, it
    will _always_ continue to run.)
    Doesn't explain why clicking the 'X' in Linux closes the Thunderbird
    application 99% of the time.
    ....whatever. Ctrl+q is easier than clicking the 'X' anyway. Only wish it
    were consistent and Firefox closed the same way.

  11. Re: first critical security leak by firefox 3

    clay wrote:
    > Ron Hunter wrote:
    >> ...
    >>>>
    >>>> These are the Bugs that really *get me* - some of them are 5 and
    >>>> more years on the list and still in the release version - but of
    >>>> course, the release version has LOTS MORE bells and whistles - but
    >>>> do they cancel out the bugs??
    >>>>
    >>>> reg
    >>>
    >>> I'm guessing there are bugs that can not and will not be fixed, ever,
    >>> because they're a fundamental flaw in the core program and can't be
    >>> fixed without a major rewrite. Firefox.exe running on after the last
    >>> window is closed, as a possible example.
    >>> One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    >>> releases back so I believe they're fixing those things they can...
    >>>
    >>> *(I have Thunderbird open 24-7 on my work box. Whenever I had to
    >>> close it for an add-on or something, the .exe used to run on for ~10
    >>> minutes after quitting the application. Now it stops immediately.)

    >>
    >> Some bugs require fixing at the OS level. Others aren't more than an
    >> occasional problem, and would be very hard to nail down (like the one
    >> you mention, that I strongly suspect is a Windows bug).
    >>

    >
    > This particular niggle has been around a while. I've seen it on NT4, 2K,
    > XP, and read reports of it on 95 and 98... all Windows OS but different
    > architecture.
    > I would tend to point to Windows as well except I had the Thunderbird
    > process run on on my Linux (Ubuntu) box once.
    > Then again, that could have been explained by the 'clicking the 'X' to
    > close doesn't close the application' Mozilla party line. (which btw, is
    > very apparent in Linux apps. If you don't 'quit' the program, only close
    > the window 'X', and the application is written to continue to run, it
    > will _always_ continue to run.)
    > Doesn't explain why clicking the 'X' in Linux closes the Thunderbird
    > application 99% of the time.
    > ...whatever. Ctrl+q is easier than clicking the 'X' anyway. Only wish it
    > were consistent and Firefox closed the same way.


    Perhaps because 99% of the time you don't have a concurrent task which
    is waiting for something to terminate. It is known that the Windows
    routine that is supposed to close a running streaming video doesn't
    always work. When Firefox seems to have trouble closing, I can use my
    firewall program to close those streams, often taking two tries with
    each, and firefox will terminate. Since I always monitor network
    activity, I can SEE that the streams didn't end, and know what happened.
    I never use the File/Exit method of ending Firefox, or Thunderbird.


    --
    Ron Hunter rphunter@charter.net

  12. Re: first critical security leak by firefox 3

    clay wrote:
    > Ron Hunter wrote:
    >> ...
    >>>>
    >>>> These are the Bugs that really *get me* - some of them are 5 and
    >>>> more years on the list and still in the release version - but of
    >>>> course, the release version has LOTS MORE bells and whistles - but
    >>>> do they cancel out the bugs??
    >>>>
    >>>> reg
    >>>
    >>> I'm guessing there are bugs that can not and will not be fixed, ever,
    >>> because they're a fundamental flaw in the core program and can't be
    >>> fixed without a major rewrite. Firefox.exe running on after the last
    >>> window is closed, as a possible example.
    >>> One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    >>> releases back so I believe they're fixing those things they can...
    >>>
    >>> *(I have Thunderbird open 24-7 on my work box. Whenever I had to
    >>> close it for an add-on or something, the .exe used to run on for ~10
    >>> minutes after quitting the application. Now it stops immediately.)

    >>
    >> Some bugs require fixing at the OS level. Others aren't more than an
    >> occasional problem, and would be very hard to nail down (like the one
    >> you mention, that I strongly suspect is a Windows bug).
    >>

    >
    > This particular niggle has been around a while. I've seen it on NT4, 2K,
    > XP, and read reports of it on 95 and 98... all Windows OS but different
    > architecture.
    > I would tend to point to Windows as well except I had the Thunderbird
    > process run on on my Linux (Ubuntu) box once.
    > Then again, that could have been explained by the 'clicking the 'X' to
    > close doesn't close the application' Mozilla party line. (which btw, is
    > very apparent in Linux apps. If you don't 'quit' the program, only close
    > the window 'X', and the application is written to continue to run, it
    > will _always_ continue to run.)
    > Doesn't explain why clicking the 'X' in Linux closes the Thunderbird
    > application 99% of the time.
    > ...whatever. Ctrl+q is easier than clicking the 'X' anyway. Only wish it
    > were consistent and Firefox closed the same way.

    try: ALT+F4

  13. Re: first critical security leak by firefox 3

    Ron Hunter wrote:
    > clay wrote:
    >> Ron Hunter wrote:
    >>> ...
    >>>>>
    >>>>> These are the Bugs that really *get me* - some of them are 5 and
    >>>>> more years on the list and still in the release version - but of
    >>>>> course, the release version has LOTS MORE bells and whistles - but
    >>>>> do they cancel out the bugs??
    >>>>>
    >>>>> reg
    >>>>
    >>>> I'm guessing there are bugs that can not and will not be fixed,
    >>>> ever, because they're a fundamental flaw in the core program and
    >>>> can't be fixed without a major rewrite. Firefox.exe running on after
    >>>> the last window is closed, as a possible example.
    >>>> One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    >>>> releases back so I believe they're fixing those things they can...
    >>>>
    >>>> *(I have Thunderbird open 24-7 on my work box. Whenever I had to
    >>>> close it for an add-on or something, the .exe used to run on for ~10
    >>>> minutes after quitting the application. Now it stops immediately.)
    >>>
    >>> Some bugs require fixing at the OS level. Others aren't more than an
    >>> occasional problem, and would be very hard to nail down (like the one
    >>> you mention, that I strongly suspect is a Windows bug).
    >>>

    >>
    >> This particular niggle has been around a while. I've seen it on NT4,
    >> 2K, XP, and read reports of it on 95 and 98... all Windows OS but
    >> different architecture.
    >> I would tend to point to Windows as well except I had the Thunderbird
    >> process run on on my Linux (Ubuntu) box once.
    >> Then again, that could have been explained by the 'clicking the 'X' to
    >> close doesn't close the application' Mozilla party line. (which btw,
    >> is very apparent in Linux apps. If you don't 'quit' the program, only
    >> close the window 'X', and the application is written to continue to
    >> run, it will _always_ continue to run.)
    >> Doesn't explain why clicking the 'X' in Linux closes the Thunderbird
    >> application 99% of the time.
    >> ...whatever. Ctrl+q is easier than clicking the 'X' anyway. Only wish
    >> it were consistent and Firefox closed the same way.

    >
    > Perhaps because 99% of the time you don't have a concurrent task which
    > is waiting for something to terminate. It is known that the Windows
    > routine that is supposed to close a running streaming video doesn't
    > always work. When Firefox seems to have trouble closing, I can use my
    > firewall program to close those streams, often taking two tries with
    > each, and firefox will terminate. Since I always monitor network
    > activity, I can SEE that the streams didn't end, and know what happened.
    > I never use the File/Exit method of ending Firefox, or Thunderbird.
    >
    >

    Try: ALT+F4.

  14. Re: first critical security leak by firefox 3

    Spiderman wrote:
    > clay wrote:
    >> Ron Hunter wrote:
    >>> ...
    >>>>>
    >>>>> These are the Bugs that really *get me* - some of them are 5 and
    >>>>> more years on the list and still in the release version - but of
    >>>>> course, the release version has LOTS MORE bells and whistles - but
    >>>>> do they cancel out the bugs??
    >>>>>
    >>>>> reg
    >>>>
    >>>> I'm guessing there are bugs that can not and will not be fixed,
    >>>> ever, because they're a fundamental flaw in the core program and
    >>>> can't be fixed without a major rewrite. Firefox.exe running on after
    >>>> the last window is closed, as a possible example.
    >>>> One 'bug'*, apparent to me anyway, in Thunderbird got fixed a couple
    >>>> releases back so I believe they're fixing those things they can...
    >>>>
    >>>> *(I have Thunderbird open 24-7 on my work box. Whenever I had to
    >>>> close it for an add-on or something, the .exe used to run on for ~10
    >>>> minutes after quitting the application. Now it stops immediately.)
    >>>
    >>> Some bugs require fixing at the OS level. Others aren't more than an
    >>> occasional problem, and would be very hard to nail down (like the one
    >>> you mention, that I strongly suspect is a Windows bug).
    >>>

    >>
    >> This particular niggle has been around a while. I've seen it on NT4,
    >> 2K, XP, and read reports of it on 95 and 98... all Windows OS but
    >> different architecture.
    >> I would tend to point to Windows as well except I had the Thunderbird
    >> process run on on my Linux (Ubuntu) box once.
    >> Then again, that could have been explained by the 'clicking the 'X' to
    >> close doesn't close the application' Mozilla party line. (which btw,
    >> is very apparent in Linux apps. If you don't 'quit' the program, only
    >> close the window 'X', and the application is written to continue to
    >> run, it will _always_ continue to run.)
    >> Doesn't explain why clicking the 'X' in Linux closes the Thunderbird
    >> application 99% of the time.
    >> ...whatever. Ctrl+q is easier than clicking the 'X' anyway. Only wish
    >> it were consistent and Firefox closed the same way.

    > try: ALT+F4


    More of a stretch but that works too.
