SUMware
Premium
join:2002-05-21
| Firefox 3.0.2 Released
Fixed in Firefox 3.0.2
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag |
|
DrModem
Premium
join:2006-10-19
USA | Hopefully this will fix those annoying crashes that wipe my cache all the time. |
|
JTM1051
Premium,MVM
join:2000-07-08
Moorpark, CA
| reply to SUMware
Re: Firefox 3.0.2 & 2.0.0.17 Released
Also Fx 2.0.0.17 released:
Vulnerabilities Fixed
MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow
Fx 2.x Download Page |
|
avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ | reply to SUMware
Re: Firefox 3.0.2 Released
3.0.2 build 6 |
|
roc5955
Premium
join:2005-11-26
Rosendale, NY | reply to SUMware
Strange, as I was reading this message, I decided to see what version I have, and ver. 3.02 is downloading itself, as I type this!
--
"Understanding is a three-edged sword." |
|
GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
 ·Sprint Mobile Broa..
 ·Comcast
| reply to JTM1051
Re: Firefox 3.0.2 & 2.0.0.17 Released
More English like description of the security vulnerabilities that were patched.
»news.cnet.com/8301-1009_3-100499···1_3-0-20 |
|
JTM1051
Premium,MVM
join:2000-07-08
Moorpark, CA
| Just a FYI, at the Vulnerabilities Fixed, the links (e.g., "MFSA 2008-45) have more detailed descriptions -- IMHO looks like CNET basically used the same descriptions.  |
|
SUMware
Premium
join:2002-05-21
| reply to SUMware
Firefox 3.0.3 required and underway
From mozilla.dev.planning
From: Mike Beltzner
Date: Wed, 24 Sep 2008 21:38:37 -0400
Local: Wed, Sep 24 2008 9:38 pm
Subject: Firefox 3.0.3 required and underway
Hey everyone,
Shortly after releasing Firefox 3.0.2 our QA and Support teams began seeing reports of problems certain users were having with the Firefox Password Manager. This was being caused by non-ASCII data (in domains, logins or passwords) saved as something other than UTF-8 failing to convert back to Unicode (see bug 454708) which was a regression from a fix to make the Password Manager work on IDN sites with characters over U+0100 (see bug 451155).
The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent dataloss, the saved data is just inaccessible. While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue. Once released, this will restore the functionality for all users.
The fix has been landed and tested, and builds are coming out and being delivered to QA today. We hope to be releasing updates on the beta channel by early next week and issuing a release soon thereafter.
cheers,
mike |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:  
| reply to SUMware
Re: Firefox 3.0.2 Released
quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.
Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny?
--
Ubuntu MOTU Developer and Forums Council |
|
Kayrac
Premium
join:2001-09-29
Rochester, NH
| said by jdong  : quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.
Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny? a stretch maybe, but alot of stupid users, and alot of smart bad guys these days |
|
jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
clubs:
| Indeed it's good to patch up all of these holes, but also this means that when reading stats on number of discovered vulnerabilities, one needs to keep in mind the severity of those discovered too.... Being able to fool someone into dragging their mouse is not quite the same as a drive-by download and execution vulnerability.
--
Ubuntu MOTU Developer and Forums Council |
|
chachazz
Premium
join:2003-12-14
1 edit | reply to jdong
Re: Firefox 3.0.2 Released
The candidate builds are already 'ready for testing':
Firefox 3.0.3: »ftp://ftp.mozilla.org/pub/firefox/nigh···/build1/
quote:
Please hammer on this build mercilessly to make sure that your stuff works with it! If you notice things that worked in Firefox 3 or Firefox 2.0.0.17 and do not work in this release, we would like to know about it right away.
Read the Release Notes:
Firefox 3.0.3: »en-us.www.mozilla.com/en-US/fire···senotes/
Bugs specifically addressed in this build:
# bug 451155 - Password manager does not work correctly on IDN site whose name contains any character over U+0100
# bug 454708 - storage-Legacy can throw when calling ConvertToUnicode
(email)
marcia, on behalf of
Team Mozilla QA
--
Gladiator Security Forum: www.gladiator-antivirus.com/
|
|
