Firefox 3.0.2 Released in Security

Firefox 3.0.2 Released in Security http://www.dslreports.com/forum/r21160263 en Mon, 14 Dec 2009 18:35:40 EDT Mon, 14 Dec 2009 18:35:40 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21173591 chachazz : The candidate builds are already 'ready for testing':
Firefox 3.0.3: »ftp://ftp.mozilla.org/pub/firefox/nigh···/build1/

quote:
Please hammer on this build mercilessly to make sure that your stuff works with it! If you notice things that worked in Firefox 3 or Firefox 2.0.0.17 and do not work in this release, we would like to know about it right away.

Read the Release Notes:
Firefox 3.0.3: »en-us.www.mozilla.com/en-US/fire···senotes/

Bugs specifically addressed in this build:
# bug 451155 - Password manager does not work correctly on IDN site whose name contains any character over U+0100
# bug 454708 - storage-Legacy can throw when calling ConvertToUnicode

(email)
marcia, on behalf of
Team Mozilla QA

--
Gladiator Security Forum: www.gladiator-antivirus.com/
]]> http://www.dslreports.com/forum/remark,21173591 Fri, 26 Sep 2008 14:57:38 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21165815 jdong : Indeed it's good to patch up all of these holes, but also this means that when reading stats on number of discovered vulnerabilities, one needs to keep in mind the severity of those discovered too.... Being able to fool someone into dragging their mouse is not quite the same as a drive-by download and execution vulnerability.
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,21165815 Thu, 25 Sep 2008 09:15:02 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21165801 Kayrac :

said by jdong

quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.

Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny?

a stretch maybe, but alot of stupid users, and alot of smart bad guys these days]]> http://www.dslreports.com/forum/remark,21165801 Thu, 25 Sep 2008 09:11:51 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21165719 jdong :

quote:
Mozilla developer Paul Nickerson reported a variant of a click-hijacking vulnerability discovered in Internet Explorer by Liu Die Yu. The vulnerability allowed an attacker to move the content window while the mouse was being clicked, causing an item to be dragged rather than clicked-on. This issue could potentially be used to force a user to download a file or perform other drag-and-drop actions.

Am I the only one that finds some of the vulnerability scenarios these days to be a stretch to the point that they're funny?
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,21165719 Thu, 25 Sep 2008 08:52:22 EDT Firefox 3.0.3 required and underway http://www.dslreports.com/forum/remark,21165694 SUMware : From mozilla.dev.planning

From: Mike Beltzner
Date: Wed, 24 Sep 2008 21:38:37 -0400
Local: Wed, Sep 24 2008 9:38 pm
Subject: Firefox 3.0.3 required and underway

Hey everyone,

Shortly after releasing Firefox 3.0.2 our QA and Support teams began seeing reports of problems certain users were having with the Firefox Password Manager. This was being caused by non-ASCII data (in domains, logins or passwords) saved as something other than UTF-8 failing to convert back to Unicode (see bug 454708) which was a regression from a fix to make the Password Manager work on IDN sites with characters over U+0100 (see bug 451155).

The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent dataloss, the saved data is just inaccessible. While this doesn't affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue. Once released, this will restore the functionality for all users.

The fix has been landed and tested, and builds are coming out and being delivered to QA today. We hope to be releasing updates on the beta channel by early next week and issuing a release soon thereafter.

cheers,
mike]]> http://www.dslreports.com/forum/remark,21165694 Thu, 25 Sep 2008 08:46:29 EDT Re: Firefox 3.0.2 & 2.0.0.17 Released http://www.dslreports.com/forum/remark,21162304 JTM1051 :

said by TKJunkMail

:

More English like description of the security vulnerabilities that were patched.

»news.cnet.com/8301-1009_3-100499···1_3-0-20

Just a FYI, at the Vulnerabilities Fixed, the links (e.g., "MFSA 2008-45) have more detailed descriptions -- IMHO looks like CNET basically used the same descriptions. ;)]]> http://www.dslreports.com/forum/remark,21162304 Wed, 24 Sep 2008 16:25:06 EDT Re: Firefox 3.0.2 & 2.0.0.17 Released http://www.dslreports.com/forum/remark,21162011 TKJunkMail : More English like description of the security vulnerabilities that were patched.

»news.cnet.com/8301-1009_3-100499···1_3-0-20]]> http://www.dslreports.com/forum/remark,21162011 Wed, 24 Sep 2008 15:36:32 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21161002 roc5955 : Strange, as I was reading this message, I decided to see what version I have, and ver. 3.02 is downloading itself, as I type this!
--
"Understanding is a three-edged sword."]]> http://www.dslreports.com/forum/remark,21161002 Wed, 24 Sep 2008 12:46:24 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21160568 avd706 : 3.0.2 build 6]]> http://www.dslreports.com/forum/remark,21160568 Wed, 24 Sep 2008 11:45:19 EDT Re: Firefox 3.0.2 & 2.0.0.17 Released http://www.dslreports.com/forum/remark,21160370 JTM1051 : Also Fx 2.0.0.17 released:

Vulnerabilities Fixed
MFSA 2008-45 XBM image uninitialized memory reading
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag
MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow

Fx 2.x Download Page]]> http://www.dslreports.com/forum/remark,21160370 Wed, 24 Sep 2008 11:15:50 EDT Re: Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21160346 DrModem : Hopefully this will fix those annoying crashes that wipe my cache all the time.]]> http://www.dslreports.com/forum/remark,21160346 Wed, 24 Sep 2008 11:11:54 EDT Firefox 3.0.2 Released http://www.dslreports.com/forum/remark,21160263 SUMware : Fixed in Firefox 3.0.2
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-40 Forced mouse drag]]> http://www.dslreports.com/forum/remark,21160263 Wed, 24 Sep 2008 10:58:29 EDT