

chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

6 recommendations

Firefox 23.0 release - 13 security fixes

Fixed in Firefox 23

•MFSA 2013-75 Local Java applets may read contents of local file system
•MFSA 2013-74 Firefox full and stub installer DLL hijacking
•MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
•MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
•MFSA 2013-71 Further Privilege escalation through Mozilla Updater
•MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
•MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
•MFSA 2013-68 Document URI misrepresentation and masquerading
•MFSA 2013-67 Crash during WAV audio file decoding
•MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
•MFSA 2013-65 Buffer underflow when generating CRMF requests
•MFSA 2013-64 Use after free mutating DOM during SetBody
•MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

Full release notes: »www.mozilla.org/en-US/firefox/23···senotes/
Downloads: »www.mozilla.org/en-US/firefox/all/
Mobile: »www.mozilla.org/en-US/firefox/fx/#mobile
--
Gladiator Security Forum


therube

join:2004-11-11
Randallstown, MD

3 recommendations

Also here, dslreports mozilla: Firefox 23.0 Final

redwolfe_98
Premium
join:2001-06-11
kudos:1

1 recommendation

reply to chachazz
thanks chachazz

I have been looking for an update for FF..


Pentangle
With our thoughts we make the world.
Premium
join:2006-06-01
Vancouver BC
kudos:2

1 recommendation

reply to chachazz


Thanks chazzy.


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 recommendation

reply to chachazz
Thanks for the update chachazz.

Marsman

join:2004-11-10

1 recommendation

reply to chachazz
Cheers c!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 edit

1 recommendation

reply to chachazz
Fx 17.0.8 ESR is available via Internal Update. It is not yet on the main download page for ESR various language users. This is the final point update for Fx 17ESR. Thunderbird 17.0.8 ESR is also available via internal update.

Edit: Mozilla said in ESR listserv that there was a hiccup on the main download page and that's why 17.0.8 was being offered via internal update before showing up via the main download page for ESR version.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to chachazz
Thank you, chachazz. Downloaded portable package...
--
Keep it simple, it'll become complex by itself...

Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to Mele20
said by Mele20:

Fx 17.0.8 ESR is available via Internal Update. It is not yet on the main download page for ESR various language users. This is the final point update for Fx 17ESR. Thunderbird 17.0.8 ESR is also available via internal update.

This ESR version you speak of... it's version 17 without all the BS social crap?

I just deleted the contents of the program folder and extracted the files from 17 ESR and it fired up with all my settings and extensions exactly where they were using FF23.
Seems faster....did the internal update and all's well so far, I didn't touch the local or the roaming folder to do it.
All my form data and passwords intact.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

The ESR versions (10 was the first ESR version and then 17) are supported for approximately one year with bug/stability and security updates only during that time. In September, version 24 ESR will be released on the same day that the regular Fx 24 will be released. However, ESR users can continue to safely use ver 17 UNTIL ver 24 is pushed as an internal update. That will be around the end of Nov/beginning of Dec.

Version 24 ESR has social crap BUT we will avoid for about a YEAR the major GUI changes scheduled for Fx 25. I am very happy about that.

There is a Fx ESR Listserv you can join if you want to talk to others using it including some of the devs.

»www.mozilla.org/en-US/firefox/or···ons/faq/
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


firefox3

@rr.com
reply to chachazz
I just updated and this release also removes the blink tag. No more blinking text.

andyross
Premium,MVM
join:2003-05-04
Schaumburg, IL

1 recommendation

It also removes the option to disable JavaScript from the menus. It also forces the tab bar on unless you use an add-on.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable
said by andyross:

It also removes the option disable Javascript from the menus. It also forces the tab bar on unless you use an add-on.

I don't like some of these changes. I hope they don't come to SeaMonkey!

Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to chachazz
»Feds Are Suspects in New Malware That Attacks Tor Anonymity

Looks like you can't win, either way you get spied on.
Does Firefox 17.0.8 ESR fix those bugs?


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to chachazz
FF 17 ESR vulnerable to this malware:

»Feds Are Suspects in New Malware That Attacks Tor Anonymity

FF 23.0 is not.

FF 17.0.8 ESR is not mentioned.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Cartel
It was fixed in Fx 17.0.7. The vulnerability was in Fx 17.0. You don't think IT personnel in businesses would be using Fx ESR on their companies' machines if Mozilla never bothered to fix vulnerabilities for the ESR version, do you? In fact, it was fixed before public knowledge of it was publicly splashed all over the internet in various articles.

»www.mozilla.org/security/known-v···ESR.html
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
reply to chachazz
^^
That's good to hear, thanks


Anon users

@anonymouse.org
It's time to ditch 17ESR and move on to 23:

23 now supports TLS 1.1 & 24 will support TLS 1.2
23 now supports CSP 1.0

about:config

set security.tls.version.max to 2 (in 23) and to 3 (in 24)
set security.tls.version.min to 1 (to disable SSL3 permanently)

you can check your TLS 1.1 (in 23) status by visiting »cc.dcsec.uni-hannover.de/

ENJOY
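
The two prefs named in the post above can be audited in a profile's prefs.js or user.js. This is an added example, not part of the original post; the parser, the sample profiles and the defaults assumed when a pref is unset (min 0, max 1) are constructions of this example.

```python
import re

# Values of security.tls.version.min / .max as used in the post above:
# min 1 disables SSL3, max 2 is TLS 1.1, max 3 is TLS 1.2.
PROTOCOLS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Assumed built-in defaults when a pref is absent from the profile
# (an assumption of this example, not stated in the thread).
ASSUMED_DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 1}

# Matches active user_pref lines only; commented-out lines do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(security\.tls\.version\.(?:min|max))"\s*,\s*(-?\d+)\s*\)\s*;'
)

def read_tls_prefs(prefs_text):
    """Return the TLS version prefs set in prefs.js/user.js text; last one wins."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def audit_tls(prefs_text, defaults=ASSUMED_DEFAULTS):
    """Summarise the effective protocol range and flag weak settings."""
    prefs = {**defaults, **read_tls_prefs(prefs_text)}
    lo, hi = prefs["security.tls.version.min"], prefs["security.tls.version.max"]
    findings = []
    if lo not in PROTOCOLS or hi not in PROTOCOLS:
        findings.append("unknown version value")
    elif lo > hi:
        findings.append("min is above max")
    if lo == 0:
        findings.append("SSL 3.0 still allowed")
    if hi in (0, 1):
        findings.append("TLS 1.1 not enabled")
    return {"min": PROTOCOLS.get(lo, "?"), "max": PROTOCOLS.get(hi, "?"),
            "findings": findings}

# Constructed sample profiles (not taken from any real machine).
UNTOUCHED = 'user_pref("browser.startup.page", 3);\n'
HARDENED_FX23 = ('user_pref("security.tls.version.min", 1);\n'
                 'user_pref("security.tls.version.max", 2);\n')

if __name__ == "__main__":
    for name, text in (("untouched", UNTOUCHED), ("hardened", HARDENED_FX23)):
        print(name, audit_tls(text))
```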

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
What do you think Fx 24 ESR will do? It will be released on Sept 16 along with regular Fx 24. I won't get it until Fx 17.0.8 ESR pushes it internally which will not be until around Dec 1.

Some of us CHOOSE to use the ESR version. If you are a fast update junkie, fine, but don't criticize those of us who do not like the silly rapid release schedule Mozilla moved to in order to please ignorant of computers users.

Who the heck uses TLS 1.2....it is still irrelevant at this point.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to La Luna
said by La Luna:

FF 17 ESR vulnerable to this malware:

»Feds Are Suspects in New Malware That Attacks Tor Anonymity

FF 23.0 is not.

FF 17.0.8 ESR is not mentioned.


@Daniel Veditz - Security Lead at Mozilla

quote:
The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7.

The vulnerability used is MFSA 2013-53

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users.
--
Gladiator Security Forum


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to Mele20


Actually Mele, following the new ESR/rapid release system there should be:

Firefox 24 - Firefox 24 ESR - Firefox 17.0.9 ESR
Firefox 25 - Firefox 24.1 ESR - Firefox 17.0.10 ESR [end of life]

With v24 release, version updates numbering scheme will change to 24.1, 24.2 etc.;

"chemspill" releases will add a digit - 24.1.1, etc.

--
Gladiator Security Forum


Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth

1 recommendation

reply to chachazz
Thanks chaz