[opensuse-factory-mozilla] Fwd: Re: Security issues: How do users, maintainers and developers work together? Second Example: Thunderbird 3.0.6, Firefox 3.6.8
Hello maintainers of Mozilla programs, hello all,

there seems to be a 'known' security related bug (potential Cross-Site Scripting Attacks) on several versions of Thunderbird and Firefox. Is it also known to you (pl.)?

Regards
pistazienfresser

http://forums.opensuse.org/english/community/general-chit-chat/445980-securi...

-------- Original Message --------
Subject: Re: Security issues: How do users, maintainers and developers work together? Second Example: Thunderbird 3.0.6, Firefox 3.6.8
Date: Fri, 10 Sep 2010 08:00:54 GMT
From: pistazienfresser <pistazienfresser@no-mx.forums.opensuse.org>
Newsgroups: opensuse.org.no-support.general-chit-chat
References: <pistazienfresser.4h11o0@no-mx.forums.opensuse.org> <Chrysantine.4h14fz@no-mx.forums.opensuse.org>

[...]

@ all: Does anyone know how to act to speed up an update related to a (not by personal experience) known security issue without being able to maintain it myself? A fake bug report? Opera 10.62 of 2010-09-09 seems to fix no security issues at all.[6] But how could I speed things up in a case like my Mozilla Thunderbird 3.0.6 or my Mozilla Firefox 3.6.8?[7][8][9][10]

Regards
pistazienfresser

Footnotes
[1a] http://www.opera.com/support/kb/view/966/
[6] http://www.opera.com/docs/changelogs/unix/1062/
[7] http://www.mozilla.org/security/announce/2010/mfsa2010-49.html
"Title: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
Impact: Critical
Announced: September 7, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.9, Firefox 3.5.12, Thunderbird 3.1.3, Thunderbird 3.0.7, SeaMonkey 2.0.7"
[8] Mozilla Thunderbird Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code; SecurityTracker URL: http://securitytracker.com/id?1024403 (2010-09-08)
"Impact: A remote user can create a HTML that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the target site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A remote user can obtain potentially sensitive information. Solution: The vendor has issued a fix (3.0.7, 3.1.3)."
[9] Mozilla Firefox DLL Loading Error Lets Remote Users Execute Arbitrary Code; SecurityTracker URL: http://securitytracker.com/id?1024406 (2010-09-08)
[10] Mozilla Firefox Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code; SecurityTracker URL: http://securitytracker.com/id?1024401 (2010-09-08)

--
To unsubscribe, e-mail: opensuse-factory-mozilla+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory-mozilla+help@opensuse.org
Hi,

On 10.09.2010 16:24, pistazienfresser (see profile) wrote:
Hello maintainers of Mozilla programs, hello all,
there seems to be a 'known' security related bug (potential Cross-Site Scripting Attacks) on several versions of Thunderbird and Firefox. Is it also known to you (pl.)?
You got me during vacation which delayed my answer to that. So let me describe what usually happens with Firefox and Thunderbird updates.

The last round of security updates you refer to was published on Sep 7th. Exactly on that day I published the updates in my buildservice mozilla repository which is used by a lot of people. But those are not official packages as they have just gone through my own "QA" when published. So there is a low risk that they break things (which would get fixed fast though).

For the official openSUSE updates there is a bigger process to prepare updates. That process can only begin when Mozilla publishes their updates, as before that we cannot be sure that they don't delay them because blocker bugs are found late. Packages are prepared on the release day, submitted and built against the openSUSE base distribution. They get QA and are released when that is finished. How long this can take varies; for example we needed another patch to compile Firefox on released distributions which wasn't noticed before.

There is basically nothing you need to or can do to speed up the release process for the Mozilla apps. The only thing you can do is to include the mozilla repository in your package manager. You will get new versions basically at the same time as Mozilla releases them but you take a little more risk (which should really be only a little) of breaking something for a short period of time.

Probably Marcus has more comments on that?

Wolfgang
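The practical question behind this thread is whether an installed Firefox or Thunderbird is still below the "Fixed in" versions that MFSA 2010-49 lists in the first message. The following script is an added example, not code from the thread or from openSUSE; the installed version strings it runs on are constructed, and it assumes three-part dotted versions with an optional RPM release suffix.

```shell
# "Fixed in" versions quoted from MFSA 2010-49, one line per product branch:
# product, major.minor branch, first fixed version on that branch.
MFSA_2010_49_FIXED="firefox 3.6 3.6.9
firefox 3.5 3.5.12
thunderbird 3.1 3.1.3
thunderbird 3.0 3.0.7"

# vercmp A B: print -1, 0 or 1 for A < B, A = B, A > B, comparing each dotted
# component numerically (so 3.5.9 < 3.5.12, which a plain string compare gets wrong).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# mfsa_2010_49_status PRODUCT VERSION: print "vulnerable" if VERSION is older
# than the advisory's fix for its branch, "fixed" if it is at or above it, and
# "not-covered" if the advisory lists no fix for that branch (e.g. Firefox 3.0.x),
# in which case this check alone says nothing about the package's state.
mfsa_2010_49_status() {
    prod=$1
    ver=${2%%-*}                  # drop the RPM release: 3.6.9-1.2 -> 3.6.9
    branch=${ver%.*}              # 3.6.9 -> 3.6
    fixed=
    set -- $MFSA_2010_49_FIXED    # word-split into product/branch/fixed triples
    while [ $# -ge 3 ]; do
        if [ "$1" = "$prod" ] && [ "$2" = "$branch" ]; then
            fixed=$3
            break
        fi
        shift 3
    done
    if [ -z "$fixed" ]; then
        printf '%s\n' not-covered
    elif [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Example run over constructed installed versions (the ones named in the thread).
for entry in "thunderbird 3.0.6" "firefox 3.6.8" "firefox 3.6.9-1.2" "thunderbird 3.1.3"; do
    set -- $entry
    printf '%s %s: %s\n' "$1" "$2" "$(mfsa_2010_49_status "$1" "$2")"
done
```

On an openSUSE box the real installed version would come from `rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' MozillaFirefox` (package name as used by openSUSE) instead of the constructed strings.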
Hello Wolfgang, hello all,

thanks to Wolfgang for the detailed answer. But I have three additional questions (to all):

[...]
The last round of security updates you refer to was published on Sep 7th. Exactly on that day I published the updates in my buildservice mozilla repository which is used by a lot of people. But those are not official packages as they have just gone through my own "QA" when published. So there is a low risk that they break things (which would get fixed fast though). For the official openSUSE updates there is a bigger process to prepare updates. [...]
(1) Yesterday I had added "openSUSE BuildService - Mozilla URL: http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/" just before reading the answer. Is this the repo meant (and Wolfgang is the maintainer of that repo) or is there (another) special RR (Rosenauer Repository)? ;)

(2) If I have done nothing wrong in searching, there is in all the openSUSE (Community) repositories only Thunderbird 3.1.3 [11] (which I am using to write this mail) and no 3.0.7 [12] - is a change from 3.0.x to 3.1.x planned for the openSUSE 11.2 main repository?
How long this can take varies as for example we needed another patch to compile Firefox on released distributions which wasn't noticed before.
(3) Do you already know for which distribution versions an additional patch is needed (and for what purpose)? E. g. on my openSUSE 11.2 there is now a Mozilla Firefox 3.6.9-1.2 running (Software Manager says: "Changelog: 26 August 2010 (wr@rosenauer.org): - security update to 3.6.9 [...]") (from the repo mentioned under (1)).

Regards
Martin (= pistazienfresser)

[11] http://software.opensuse.org/search?q=Thunderbird+3.1.3&baseproject=openSUSE%3A11.2&lang=en&exclude_debug=true
[12] http://software.opensuse.org/search?q=Thunderbird+3.0.7&baseproject=openSUSE%3A11.2&lang=en&exclude_debug=true

--
- openSUSE 11.2 with GNOME 2.28.2 (or KDE 4.3.5) and Kernel Linux 2.6.31.12-0.2-pae (or default, Ubuntu 10.4 LTS 'lucid' 2.6.33-22-generic, MS Win XP)
- Samsung X20 Pentium M 740 (1730 MHz) Intel 915GM 1400x1050
- openSUSE profile: https://users.opensuse.org/show/pistazienfresser
On 13.09.2010 11:05, pistazienfresser (see profile) wrote:
(1) Yesterday I had added "openSUSE BuildService - Mozilla URL: http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/" just before reading the answer. Is this the repo meant (and Wolfgang is the maintainer of that repo) or is there (another) special RR (Rosenauer Repository)? ;)
There are other repositories from me but this is the one you probably want and what I referred to.
(2) If I have done nothing wrong in searching, there is in all the openSUSE (Community) repositories only Thunderbird 3.1.3 [11] (which I am using to write this mail) and no 3.0.7 [12] - is a change from 3.0.x to 3.1.x planned for the openSUSE 11.2 main repository?
Not currently. We'll see how long Mozilla will provide updates to 3.0.x. We only switch major versions if necessary because of security. So more explanation: The "Mozilla" repository always has the latest stable versions which means there is Thunderbird 3.1.x. In some cases I still maintain older major versions in mozilla:legacy. I haven't done this for Thunderbird 3.0.x as it's not a big switch (let alone Gecko 1.9.1 vs. 1.9.2). So currently there are indeed no 3.0.x builds in OBS outside of the official openSUSE:XXX:Update(:Test) repositories.
(3) Do you already know for which distribution versions an additional patch is needed (and for what purpose)?
The problem is that 3.6.9 as it comes doesn't compile against mozilla-nspr which is still used in released openSUSE releases.
E. g. on my openSUSE 11.2 there is now a Mozilla Firefox 3.6.9-1.2 running (Software Manager says: "Changelog: 26 August 2010 (wr@rosenauer.org): - security update to 3.6.9 [...]") (from the repo mentioned under (1)).
You didn't notice (and I didn't earlier) because mozilla-nspr in its latest version is in the mozilla repository as well already.

Wolfgang
-------- Original Message --------
Date: Mon, 13 Sep 2010 16:45:12 +0200
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
To: opensuse-factory-mozilla@opensuse.org
Subject: Re: [opensuse-factory-mozilla] Re: Fwd: Re: Security issues: How do users, maintainers and developers work together? Second Example: Thunderbird 3.0.6, Firefox 3.6.8
You didn't notice (and I didn't earlier) because mozilla-nspr in its latest version is in the mozilla repository as well already.

Hm.
mozilla-nspr 4.8.6-1.1
Changelog: 23 July 2010 ([...]): - update to 4.8.6 ...

After having a frozen system and making it worse (problems with Grub2) by rebooting via magic keys [Alt]+[Print]+[b] -> I will be more patient, wait for a stable update of Mozilla software for 11.2 and use Chromium (where the switching of language and spell checking needs about 5-10 clicks and which has no password saver with master password...) and web interface emailing.

But thanks anyhow
pistazienfresser (Martin)

- openSUSE 11.2 with GNOME 2.28.2 (or KDE 4.3.5) and Kernel Linux 2.6.31.12-0.2-pae (or -default, 2.6.31.14-6-desktop, Ubuntu 10.4 LTS 'lucid' 2.6.33-24-generic, MS Win XP)
- openSUSE profile: https://users.opensuse.org/show/pistazienfresser
On 15.09.2010 10:45, pistazienfresser wrote:
You didn't notice (and I didn't earlier) because mozilla-nspr in its latest version is in the mozilla repository as well already. Hm.
mozilla-nspr 4.8.6-1.1 Changelog: 23 July 2010 ([...]): - update to 4.8.6 ...
After having a frozen system and making it worse (problems with Grub2) by rebooting via magic keys [Alt]+[Print]+[b] ->
Sorry, I don't understand what you are trying to say? Your question was what needed to be fixed for the official update, right? The released versions don't have NSPR 4.8.6 but an older version unless you updated it from the mozilla repository.
I will be more patient, wait for a stable update of Mozilla software for 11.2 and use Chromium (where the switching of language and spell checking needs about 5-10 clicks and which has no password saver with master password...) and web interface emailing.
What is an unstable update? Using the mozilla repository is not really unstable but not tested as much as the official updates, which take longer because of that. I don't understand your other notes in the sentence above.

Wolfgang
-------- Original Message --------
Date: Wed, 15 Sep 2010 10:52:41 +0200
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
To: opensuse-factory-mozilla@opensuse.org
Subject: Re: [opensuse-factory-mozilla] Re: Fwd: Re: Security issues: How do users, maintainers and developers work together? Second Example: Thunderbird 3.0.6, Firefox 3.6.8
a Mozilla Firefox 3.6.9-1.2
Hello Wolfgang, hello world,

(A) I just wanted to correct myself. I had written yesterday that I had been running on versions from http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/ (instead of Thunderbird 3.0.6, Firefox 3.6.8 from the normal update repository). And as I had written nothing about problems I implicitly included (or I made the conclusion probable) that I had had no problems while running on those new versions. Yesterday (after that - later on that day) I had problems and today as my system was running again I reported that.

(B) I was referring to the version of mozilla-nspr in the openSUSE-mozilla-repo. It seems to me that you were explaining why I had seen no problems/could update (I guess that - I could see no other connection to my questions and example). So I also reported what version of mozilla-nspr I was using (I think the one you had been referring to before).

Sorry if that [(1) and (2) and maybe something else] was not easy to understand.

Your way of answering leads back to my initial general question (compare the subject line) and so back to another place (forums, security mailing-list, project mailing-list) or just to do nothing at all.

Kind Regards
pistazienfresser
On 15.09.2010 12:01, pistazienfresser wrote:
Yesterday (after that - later on that day) I had problems and today as my system was running again I reported that.
Ok, you have grub issues. Not my topic actually ;-) But are there any issues left with Firefox and Thunderbird for you?
Your way of answering leads back to my initial general question (compare the subject line) and so back to another place (forums, security mailing-list, project mailing-list) or just to do nothing at all.
Is something wrong with my way of answering? Anyway, is there anything left about collaboration between users, maintainers and developers in the mozilla space? Do you feel that something is missing in how we work together? The only thing I need to admit is that I don't read the openSUSE forums usually. I cannot monitor everything, so if something is discussed there I'm out, which is not very nice but as said above...

Wolfgang
-------- Original Message --------
Date: Wed, 15 Sep 2010 12:11:03 +0200
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
To: opensuse-factory-mozilla@opensuse.org
Subject: Re: [opensuse-factory-mozilla] Re: Fwd: Re: Security issues: How do users, maintainers and developers work together? Second Example: Thunderbird 3.0.6, Firefox 3.6.8
Ok, you have grub issues. Not my topic actually ;-)

I doubt that those were grub issues initially - my system froze while surfing, while running Firefox and Thunderbird under GNOME - I (with my limited knowledge on informatics) think GRUB2 was not in use at that time. But maybe it was a problem with my kernel - only I had not been having problems like that before the Mozilla updates.

But are there any issues left with Firefox and Thunderbird for you?
Your way of answering leads back to my initial general question (compare the subject line) and so back to another place (forums, security mailing-list, project mailing-list) or just to do nothing at all.
Is something wrong with my way of answering?

I got a bit the impression you felt personally injured. E.g. I never wrote "unstable" - but maybe I should have written "longer tested" instead of "stable" (and the question whether I personally would rather have a package that is not so tested than one with a (somewhere else documented) potential security lack - that is just another thing...)

And the things about the right place were just meant as they were written - not with any hidden criticism or non-literal meaning.
Anyway, is there anything left about collaboration between users, maintainers and developers in the mozilla space?
As you are asking: http://en.opensuse.org/Firefox seems to me to be crying for help with all the (dead) red links. http://en.opensuse.org/Thunderbird has not much information at all. http://en.opensuse.org/openSUSE:Submitting_bug_reports has also only a red link with "How to report a Mozilla / Firefox bug". I think there may be something in the old wiki. Maybe there could also be, in any ******* namespace of this new wiki, a (linked) mention of how a stupid-on-informatics user like me could give some information back if they are using a (relatively) stable package that is not from the main repositories and not using factory (but e. g. 11.2 as me).
Do you feel that something is missing in how we work together?

Initially I did not want to criticize anything special about Mozilla or even about the Mozilla repository. I just asked a general question with more specific examples and got only answers with redirects according to the specific examples. So I thought there would be a solid way of working together on versions not already in the main repositories and I would just not be clever enough to see it.

In addition to the points mentioned in the forums, I was wondering why a security letter is only published once the mentioned problem is solved, and how a user (or even a forums moderator as stupid as I am) should know if a security issue is already known to a/the maintainers of a/the different repositories.
The only thing I need to admit is that I don't read the openSUSE forums usually. I cannot monitor everything, so if something is discussed there I'm out, which is not very nice but as said above...

I do not think you would be able to maintain the repository/ies if you spent your time actively scanning the forums (via HTTP or NNTP) and the ca. 80-100 different mailing groups for potential bugs/difficulties with the maintained programs.

Regards
Martin (pistazienfresser)
P.S.

-------- Original Message --------
On 15.09.2010 12:01, pistazienfresser wrote:

[...]

Anyway, is there anything left about collaboration between users, maintainers and developers in the mozilla space?

As you are asking: http://en.opensuse.org/Firefox seems to me to be crying for help with all the (dead) red links. http://en.opensuse.org/Thunderbird has not much information at all. http://en.opensuse.org/openSUSE:Submitting_bug_reports has also only a red link with "How to report a Mozilla / Firefox bug".
I think there may be something in the old wiki.
http://old-en.opensuse.org/Bugs:mozilla
Last real changes from Revision as of 09:27, 9 July 2009

Still actual? Should I import the article into the 'new' wiki?

Regards
pistazienfresser
Hi,

On 15.09.2010 19:10, pistazienfresser wrote:
As you are asking: http://en.opensuse.org/Firefox seems to me to be crying for help with all the (dead) red links. http://en.opensuse.org/Thunderbird has not much information at all. http://en.opensuse.org/openSUSE:Submitting_bug_reports has also only a red link with "How to report a Mozilla / Firefox bug".
I think there may be something in the old wiki.
http://old-en.opensuse.org/Bugs:mozilla
Last real changes from Revision as of 09:27, 9 July 2009

Still actual? Should I import the article into the 'new' wiki?
Yes, please feel free. I'm not a big wiki author. I'm not the maintainer of the wiki pages, so everyone is invited to improve the stuff. Technically the bugs page is still valid. I have some additions now that I see it, but I can do that once the article is copied over.

Thanks,
Wolfgang
Hello,

-------- Original Message --------
Date: Wed, 15 Sep 2010 19:15:10 +0200
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
[...]

Hi,

On 15.09.2010 19:10, pistazienfresser wrote:

[...]
I think there may be something in the old wiki.
http://old-en.opensuse.org/Bugs:mozilla
Last real changes from Revision as of 09:27, 9 July 2009

Still actual? Should I import the article into the 'new' wiki?
Yes, please feel free.

http://en.opensuse.org/index.php?title=openSUSE:Bugreport_Mozilla&oldid=25416

;) Hope I could help the helper helping the helpers helping the helper, or help the maintainer to tell the testers how they should make bug reports in a way that speeds things up and makes it a bit easier for the maintainers and developers to help the users... /;)

Kind Regards
Martin (pistazienfresser)
https://users.opensuse.org/show/pistazienfresser
Hello Wolfgang, hello openSUSEs,

(1.1) thanks a lot to Wolfgang and the other developers and maintainers for the improvement (reactivating Mozilla's own report system) and to Wolfgang for the information about it: http://en.opensuse.org/index.php?title=openSUSE%3ABugreport_Mozilla&diff=25421&oldid=25416

(1.2) I think if the Mozilla programs just freeze without closing themselves, the debug-info way may still be of value, or not? Should there be a remark in the wiki article? And what about writing something about a (factual?) search in Mozilla's bugzilla?

(2) For your (pl.) information: the automatically made redirect on http://en.opensuse.org/Bugs:mozilla got manually deleted recently: http://en.opensuse.org/Special:Log/delete Hope the search will still easily find the article with the new title after the search index got updated if you are using the argument all: . And be aware that without using the "all:" argument for the search in all namespaces (not only (main) and Portal: ) this article will not be shown at all in the search results, compare: http://en.opensuse.org/index.php?search=Bugs%3Amozilla&ns0=1&ns102=1

Cheers
pistazienfresser