1 recommendation |
SUMware2
Premium Member
2008-Sep-24 10:58 am
Firefox 3.0.2 ReleasedFixed in Firefox 3.0.2MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag |
|
|
DrModemTrust Your Doctor Premium Member join:2006-10-19 USA |
DrModem
Premium Member
2008-Sep-24 11:11 am
Hopefully this will fix those annoying crashes that wipe my cache all the time. |
|
JTM1051 MVM join:2000-07-08 Terrell, TX |
to SUMware2
Re: Firefox 3.0.2 & 2.0.0.17 ReleasedAlso Fx 2.0.0.17 released: Vulnerabilities FixedMFSA 2008-45 XBM image uninitialized memory reading MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation MFSA 2008-37 UTF-8 URL stack buffer overflow Fx 2.x Download Page |
|
AVDRespice, Adspice, Prospice Premium Member join:2003-02-06 Onion, NJ |
to SUMware2
Re: Firefox 3.0.2 Released3.0.2 build 6 |
|
roc5955 Premium Member join:2005-11-26 Rosendale, NY |
to SUMware2
Strange, as I was reading this message, I decided to see what version I have, and ver. 3.02 is downloading itself, as I type this! |
|
FFH5 Premium Member join:2002-03-03 Tavistock NJ
1 recommendation |
to JTM1051
Re: Firefox 3.0.2 & 2.0.0.17 ReleasedMore English like description of the security vulnerabilities that were patched. » news.cnet.com/8301-1009_ ··· 1_3-0-20 |
|
JTM1051 MVM join:2000-07-08 Terrell, TX |
Just a FYI, at the Vulnerabilities Fixed, the links (e.g., " MFSA 2008-45) have more detailed descriptions -- IMHO looks like CNET basically used the same descriptions. |
|
your moderator at work
hidden : hidden :
|
2 recommendations |
SUMware2
Premium Member
2008-Sep-25 8:46 am
Firefox 3.0.3 required and underwayFrom mozilla.dev.planningFrom: Mike Beltzner Date: Wed, 24 Sep 2008 21:38:37 -0400 Local: Wed, Sep 24 2008 9:38 pm Subject: Firefox 3.0.3 required and underway Hey everyone, Shortly after releasing Firefox 3.0.2 our QA and Support teams began seeing reports of problems certain users were having with the Firefox Password Manager. This was being caused by non-ASCII data (in domains, logins or passwords) saved as something other than UTF-8 failing to convert back to Unicode (see bug 454708) which was a regression from a fix to make the Password Manager work on IDN sites with characters over U+0100 (see bug 451155). The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent dataloss, the saved data is just inaccessible. While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue. Once released, this will restore the functionality for all users. The fix has been landed and tested, and builds are coming out and being delivered to QA today. We hope to be releasing updates on the beta channel by early next week and issuing a release soon thereafter. cheers, mike |
|
jdongEat A Beaver, Save A Tree. Premium Member join:2002-07-09 Rochester, MI |
to SUMware2
Re: Firefox 3.0.2 Releasedquote: Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.
Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny? |
|
BKayrac Premium Member join:2001-09-29 |
BKayrac
Premium Member
2008-Sep-25 9:11 am
said by jdong:quote: Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.
Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny? a stretch maybe, but alot of stupid users, and alot of smart bad guys these days |
|
jdongEat A Beaver, Save A Tree. Premium Member join:2002-07-09 Rochester, MI |
jdong
Premium Member
2008-Sep-25 9:15 am
Indeed it's good to patch up all of these holes, but also this means that when reading stats on number of discovered vulnerabilities, one needs to keep in mind the severity of those discovered too.... Being able to fool someone into dragging their mouse is not quite the same as a drive-by download and execution vulnerability. |
|
your moderator at work
hidden : hidden : hidden : hidden :
|
1 edit
1 recommendation |
to jdong
Re: Firefox 3.0.2 ReleasedThe candidate builds are already 'ready for testing': Firefox 3.0.3: » ftp:// ftp.mozilla.org/pub/fire ··· /build1/quote: Please hammer on this build mercilessly to make sure that your stuff works with it! If you notice things that worked in Firefox 3 or Firefox 2.0.0.17 and do not work in this release, we would like to know about it right away.
Read the Release Notes: Firefox 3.0.3: »en-us.www.mozilla.com/en ··· senotes/
Bugs specifically addressed in this build: # bug 451155 - Password manager does not work correctly on IDN site whose name contains any character over U+0100 # bug 454708 - storage-Legacy can throw when calling ConvertToUnicode
(email) marcia, on behalf of Team Mozilla QA
|
|