[security] SeaMonkey 1.1.10 and Firefox 2.0.0.15 - Slackware



Thread: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

  1. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    +Alan Hicks+ wrote:
    > The package Slackware provides is nothing more than the binary firefox
    > download repackaged into tgz form.


    i know. i didn't realise that this thread was about a patch that mozilla
    hadn't actually released themselves...

    > I doubt
    > Pat is going to feel a pressing need to provide a new Firefox package
    > until Mozilla itself feels such a need.


    and i totally agree with him. certainly since the debian openssh fiasco,
    people should know better than to blindly accept third-party patches...


    --
    Joost Kremers joostkremers@yahoo.com
    Selbst in die Unterwelt dringt durch Spalten Licht
    EN:SiS(9)

  2. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Res wrote:
    > On Sun, 6 Jul 2008, ~kurt wrote:
    >
    >> No, not an excuse, but the OP over hyped the seriousness of the problem.
    >> It is a bug that doesn't apparently have any concrete examples of a remote
    >> exploit (reading the RH security advisory).

    >
    > Was the OP not the same one who screamed and jumped up and down a few


    No idea - I, along with others, just realized the "patch" isn't even officially
    integrated into Mozilla yet. So, I wouldn't expect to see it in the Slackware
    changelog until an official version of Mozilla is released with this patch.
    And, if you look at the current release notes for Seamonkey, you can see this
    type of problem is quite common - the reason why you don't go surfing the net
    as root with a web browser (and even worse, with Javascript enabled). One of
    the latest fixes under the release notes addresses a problem so similar to
    the current one, the only reason I could quickly tell they were different was
    from the submit date. Crap like this is always happening with web browsers
    (not just IE).

    I'd suggest the OP move on to another distro if he is looking for one that
    immediately updates with every untested unofficial patch.

    - Kurt

  3. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Roger Brown wrote:
    > Looks it's no big problem. Just download Pat's build script for
    > Slackware plus the supporting files (but not the actual source archive)
    > from the source/xap section of your local ftp mirror server and put
    > them in a build folder.


    > Get the actual source from the mozilla website - put that in the build
    > folder. Change the version line of Pat's buildscript
    > seamonkey.SlackBuild to 1.1.10 and run it.


    > That compiles the source and builds you a package in /tmp ready to
    > install.


    Of course, I could try to do so. This would "just" take three or four
    hours on my 700MHz PC. I preferred to just download the official tar.gz
    package from mozilla.org and untarred it to /opt. Then I uninstalled the
    official SeaMonkey package and symlinked from /opt/seamonkey/seamonkey
    to /usr/bin.

    It is *not* my job to create my own packages! If there is a security
    hole, then the maintainer of the distribution should publish a patch in
    time. Other distributions already did so.

    CU

    Manuel


  4. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Res wrote:
    > One more thing, the day Pat opens up Slackware patching/development like
    > that, is the day I leave Slackware


    My idea *was* to create alternative patches in a small team where only
    two or three people are allowed to review and publish the final patch
    while anyone could publish SlackBuild files (just like slackbuilds.org).

    In my opinion Pat himself should finally make the team behind Slackware
    a bit bigger, so if Pat is on holidays or ill, the distribution doesn't
    get out of date, as someone else in the team is able to publish critical
    patches. The community should be allowed to help out with SlackBuild
    files and there is at least one more person required that is allowed to
    review, compile and sign packages.

    > I trust the small team that exists now
    > I will not trust it when a bunch of unknowns are granted access to do
    > it.


    I also trust this "team", but the problem IMHO is, that this team is
    more or less just one person. If this person is away, no one publishes
    patches. I personally would not use Slackware on a critical server as I
    never know if I may still trust the security of my system if the other
    distributions patch a hole while nothing happens on the Slackware-side.
    IMHO Pat at least has to post a message to the security mailing list,
    telling the users that he recognized that other distributions patched
    $HOLE but he doesn't publish a patch for $REASON but has a look at the
    hole and will publish a patch if it is really required. In the current
    situation I may either create my own patches if other distributions do,
    or I may just think "all the others are silly" and just try to imagine
    that my system is still secure even if the others all patched the hole.
    Currently I tend to do the first and create my own patches, as I don't
    know how critical the holes really are! I never know if the hole is
    non-critical or if the security "team" behind Slackware is just a "bit"
    late, again... :-(

    CU

    Manuel


  5. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    ~kurt wrote:
    > I, along with others, just realized the "patch" isn't even officially
    > integrated into Mozilla yet. So, I wouldn't expect to see it in the
    > Slackware changelog until an official version of Mozilla is released
    > with this patch.


    It has been released one *week* ago! See:
    http://www.mozilla.org/security/anno...sa2008-24.html

    > I'd suggest the OP move on to another distro if he is looking for one
    > that immediately updates with every untested unofficial patch.


    The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
    usually no reason to not publish a patch package one or two days after
    the official mozilla.org releases!

    But if you have an idea for a nice replacement distribution, then please
    tell me. I plan to set up a new server and need something stable. So far
    I didn't find a good alternative.

    CU

    Manuel


  6. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    +Alan Hicks+ wrote:
    > The package Slackware provides is nothing more than the binary firefox
    > download repackaged into tgz form. IIRC, Pat mentioned in the
    > ChangeLog some time back that this was done this way due to the ruckus
    > Mozilla was creating about their trademarks and the like.[0] I doubt
    > Pat is going to feel a pressing need to provide a new Firefox package
    > until Mozilla itself feels such a need.


    > In other words, upstream knows best.


    They knew best. One week ago:
    http://www.mozilla.org/security/anno...sa2008-24.html

    CU

    Manuel


  7. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 08 Jul 2008 07:13:36 +0200
    Manuel Reimer wrote:

    > It is *not* my job to create my own packages!


    So you would never install anything from SlackBuilds.org?

    --
    Roger Brown
    roger2@rogerbrown.no-ip.org
    http://rogerbrown.no-ip.org


  8. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Roger Brown wrote:
    >> It is *not* my job to create my own packages!


    > So you would never install anything from SlackBuilds.org?


    Of course, I do, but I exactly know what I've installed on my own and so
    I also have a look at possible holes in this software on my own. As I've
    just installed about 5 packages via SlackBuilds.org, I can keep them in
    view. What I tried to say is that it's not my job to also keep the few
    hundred packages, which are official Slackware packages, in view. If I
    would like to do so, I would use LFS.

    CU

    Manuel


  9. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 08 Jul 2008 08:35:11 +0200
    Manuel Reimer wrote:

    > What I tried to say is that it's not my job to also keep the few
    > hundred packages, which are official Slackware packages


    Well that's your call - but by installing the binary version you've
    given yourself the task of keeping it updated in future, whereas if you
    created a package (as I have done) any future update *should* still be
    looked after by Pat.

    That said, I have no idea why he hasn't updated Seamonkey - seems to me
    to be something that has slipped under the radar. But to be fair, some
    other distros have also been slow. Ubuntu still hasn't done so and Arch
    did so only a day or so ago - I had already updated that box by
    amending their port (build script).

    --
    Roger Brown
    roger2@rogerbrown.no-ip.org
    http://rogerbrown.no-ip.org


  10. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 8 Jul 2008, Manuel Reimer wrote:

    >
    > Res wrote:
    >> One more thing, the day Pat opens up Slackware patching/development like
    >> that, is the day I leave Slackware

    >
    > My idea *was* to create alternative patches in a small team where only two or
    > three people are allowed to review and publish the final patch while anyone
    > could publish SlackBuild files (just like slackbuilds.org).



    There is a small team now, and they are trusted, it's why slackware is so
    reliable and stable, and, if you were part of this team, look what we'd
    have, some UNOFFICIAL non-upstream hack inserted into software, and we all
    know what happens then don't we, so I rest my case!

    >
    > In my opinion Pat himself should finally make the team behind Slackware a bit
    > bigger, so if Pat is on holidays or ill, the distribution doesn't get out of


    It's big enough now with the few people involved, more people involved
    means more risk of becoming a patch-fest like ****dora and debian and
    ubuntu and so on.


    > less just one person. If this person is away, no one publishes patches. I


    the last time you cried, it was pointed out it did not affect Slackware,
    now you want him to patch something that is not supported by upstream, please
    may I suggest you go to ****dora or ubuntu/debian, you'd appear to be well
    at home with them as that's their attitude.


    > personally would not use Slackware on a critical server as I never know if I


    We use nothing but, and it's because of that I know I don't have to worry
    about problems.


    --
    Cheers
    Res
    --- Usenet policy, and why I might ignore you ---
    1/ GoogleGroups are UDP'd on my nntp server. If you use them, don't
    waste your time or energy replying to me.

    2/ If only cleanfeed filtered out trolls as well as spam, usenet would be
    a nicer place.

  11. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 8 Jul 2008, Manuel Reimer wrote:

    >
    > ~kurt wrote:
    >> I, along with others, just realized the "patch" isn't even officially
    >> integrated into Mozilla yet. So, I wouldn't expect to see it in the
    >> Slackware changelog until an official version of Mozilla is released
    >> with this patch.

    >
    > It has been released one *week* ago! See:
    > http://www.mozilla.org/security/anno...sa2008-24.html
    >
    >> I'd suggest the OP move on to another distro if he is looking for one
    >> that immediately updates with every untested unofficial patch.

    >
    > The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is usually
    > no reason to not publish a patch package one or two days after the official
    > mozilla.org releases!


    Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
    go there, where they have a guarantee to patch things unapproved by
    upstream, change the code to distro-flavorise and to break your system in
    other ways


    --
    Cheers
    Res

  12. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Res wrote:
    >> The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
    >> usually no reason to not publish a patch package one or two days after
    >> the official mozilla.org releases!


    > Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
    > go there, where they have a guarantee to patch things unapproved by
    > upstream, change the code to distro-flavorise and to break your system in
    > other ways


    So Mozilla is not "upstream" for the Firefox or SeaMonkey browser? Those
    patches *are* upstream patches. At least one of them is critical.

    CU

    Manuel


  13. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 8 Jul 2008, Manuel Reimer wrote:

    >
    > Res wrote:
    >>> The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
    >>> usually no reason to not publish a patch package one or two days after
    >>> the official mozilla.org releases!

    >
    >> Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
    >> go there, where they have a guarantee to patch things unapproved by
    >> upstream, change the code to distro-flavorise and to break your system in
    >> other ways

    >
    > So Mozilla is not "upstream" for the Firefox or SeaMonkey browser? Those
    > patches *are* upstream patches. At least one of them is critical.
    >
    > CU
    >
    > Manuel


    what are you still doing here? go to ubuntu or ****dora, they are the
    distros that suit you, but of course you have to accept the risks that
    they patch **** that upstreams reject and will never do, so, you have been
    told by a few people that slackware apparently is not for you, so rather
    than cry your lil eyes out in here repeatedly why not change, no
    one is holding a gun to your head forcing you to stay here


    --
    Cheers
    Res

  14. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 08 Jul 2008 07:36:45 +0200
    Manuel Reimer wrote:

    > But if you have an idea for a nice replacement distribution, then
    > please tell me. I plan to set up a new server and need something
    > stable.


    Slackware 12.1 would be a good choice -- to set up a server, you
    wouldn't want to install Firefox or SeaMonkey anyway.

  15. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Manuel Reimer wrote:
    > ~kurt wrote:
    >> I, along with others, just realized the "patch" isn't even officially
    >> integrated into Mozilla yet. So, I wouldn't expect to see it in the
    >> Slackware changelog until an official version of Mozilla is released
    >> with this patch.

    >
    > It has been released one *week* ago! See:
    > http://www.mozilla.org/security/anno...sa2008-24.html


    The security notice is a week old. But no update to the release has
    been issued. From the above link you posted:


    Workaround:

    Disable JavaScript until a version containing these fixes can be installed.


    Slackware rarely ever *patches* source and redistributes the resulting
    binary. In addition, others already mentioned there are license issues
    associated with doing this, and still calling it Seamonkey, or Firefox.

    > The SeaMonkey/Firefox patch is tested by the Mozilla Team! There is
    > usually no reason to not publish a patch package one or two days after
    > the official mozilla.org releases!


    Just because a patch is submitted to a development tree doesn't mean it has
    gone through all the testing that would result in such a change being
    officially part of the next release cycle. You would be surprised what
    a simple patch can break. The dialog surrounding the fix didn't exactly
    fill me with confidence, either (from what I remember of it).

    > But if you have an idea for a nice replacement distribution, then please
    > tell me. I plan to set up a new server and need something stable. So far
    > I didn't find a good alternative.


    I would suggest doing what you appear to be doing - keeping track of
    critical applications and services offered by your server. Slackware
    has never been into the business of modifying official releases of
    software.

    - Kurt

  16. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Manuel Reimer wrote:
    >
    > They knew best. One week ago:
    > http://www.mozilla.org/security/anno...sa2008-24.html


    OK:



    "This CVE Identifier has "Candidate" status and must be reviewed and accepted
    by the CVE Editorial Board before it can be updated to official "Entry" status
    on the CVE List. It may be modified or even rejected in the future."

    Like I said before, it isn't an official patch - yet. To throw it in there
    without official approval would be very Debian of them... (sorry Deb fans,
    couldn't resist).

    - Kurt

  17. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Manuel Reimer wrote:
    >
    > IMHO Pat at least has to post a message to the security mailing list,
    > telling the users that he recognized that other distributions patched
    > $HOLE but he doesn't publish a patch for $REASON but has a look at the
    > hole and will publish a patch if it is really required. In the current


    Now this - I think you are on to something - at least when it comes to an
    external team. In other words, the external-to-Slackware team you were
    speaking of before that might possibly manage patches would instead
    submit security advisories (patched and not patched) to a list that would
    help sys admins make decisions on software they might want to rebuild and
    update. It could even be a Usenet group (although a monitored one to
    filter out *anything* that is even remotely OT - use a.o.l.s for discussion).
    That would be a very Slackware way of doing it - Pat updates the changelog
    with official releases as they are available, and the external team provides
    info to the sys admin so they can make their own decisions on patches.

    - Kurt

  18. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 08 Jul 2008 20:26:01 -0500
    ~kurt wrote:

    > Manuel Reimer wrote:
    > > ~kurt wrote:
    > >> I, along with others, just realized the "patch" isn't even
    > >> officially integrated into Mozilla yet. So, I wouldn't expect to
    > >> see it in the Slackware changelog until an official version of
    > >> Mozilla is released with this patch.

    > >
    > > It has been released one *week* ago! See:
    > > http://www.mozilla.org/security/anno...sa2008-24.html

    >
    > The security notice is a week old. But no update to the release has
    > been issued.


    Fixed in Firefox 2.0.0.15, released by Mozilla the same day that MFSA
    was issued.

  19. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    On Tue, 08 Jul 2008 11:28:58 +0200, Manuel Reimer wrote:

    >> Then off you go to ubuntu or fedora, you do nothing but whinge in here, so
    >> go there, where they have a guarantee to patch things unapproved by
    >> upstream, change the code to distro-flavorise and to break your system in
    >> other ways


    > So Mozilla is not "upstream" for the Firefox or SeaMonkey browser? Those
    > patches *are* upstream patches. At least one of them is critical.


    Will you just **** off and leave, you ignorant little whining stooge? Go
    use goddam ubuntu or ****ing windoze, if you'd rather. Nobody here gives
    a rat's ass what you use, just shut the **** up.


    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me".
    The Usenet Improvement Project: http://improve-usenet.org


  20. Re: [security] SeaMonkey 1.1.10 and Firefox 2.0.0.15

    Q wrote:
    > On Tue, 08 Jul 2008 20:26:01 -0500
    > ~kurt wrote:
    >>
    >> The security notice is a week old. But no update to the release has
    >> been issued.

    >
    > Fixed in Firefox 2.0.0.15, released by Mozilla the same day that MFSA
    > was issued.


    Huh, you are right. I missed one of the updates listed here:



    I don't understand why they are still listed as "Candidate" status:




    So, it has been a week since an official release from Mozilla has been
    made.

    - Kurt
