Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release
Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."
Re:1.5 months for a response and release?! (Score:3, Informative)
A fix already exists; it's just not in the official release.
Re:Planning? It's not enough! (Score:0, Informative)
RTFA. The fix is already there in the beta version of Firefox 3.6.2. They're QA-ing it.
Re:Someone enlighten me (Score:3, Informative)
QA. New releases need to go through QA anyway to make sure they haven't botched anything up.
Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.
Re:Planning? It's not enough! (Score:5, Informative)
Are you being intentionally ridiculous?
The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.
Re:Planning? It's not enough! (Score:4, Informative)
As someone else already quoted:
Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability
You can already go and download that 3.6.2 beta [mozilla.org] if you want, I did.
The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.
Re:1.5 months for a response and release?! (Score:2, Informative)
RTFS
March 30th.
Re:1.5 months for a response and release?! (Score:2, Informative)
1) about:config
2) app.update.channel = beta
And join the beta testers :)
Re:1.5 months for a response and release?! (Score:2, Informative)
If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.
Re:So this just shows, that you can't relax. (Score:3, Informative)
(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)
Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.
Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.
Re:fixed... (Score:3, Informative)
The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5.x version. The vulnerability is only in 3.6 series releases.