1.0.5

Discussion about official Mozilla Firefox builds
tongle
Posts: 672
Joined: March 13th, 2004, 3:15 pm

Post by tongle »

Since it seems pretty obvious that 1.0.5 will be out (due to http://secunia.com/advisories/15601/), will this have any impact on the timeframe in which Deer Park final is deployed?
Sign this petition if you want to help spread Firefox: http://www.petitiononline.com/f1254114/petition.html
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

I don't think so; 1.0.5 will probably be out within a week. I don't think Deer Park will be affected more than a week or two at most, if at all.
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

The nightlies (trunk at least) already had a patch for this checked in. I don't remember if it's a partial or total fix as of this moment. I still maintain my stance that unless there are other things worth patching, releasing 1.0.5 for this trivial issue is a waste of effort.
dirtyepic
Posts: 168
Joined: June 17th, 2004, 8:16 pm
Location: Canada

Post by dirtyepic »

I agree. The chances of anyone actually exploiting this are just a bit ridiculous. I had to work at it for a while to even get the step-by-step test page to work.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051223 Firefox/1.6a1 ID:2005122304
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Post by a;skdjfajf;ak »

I might add again, from another thread, if you have any tab-control extensions where you open stuff all in tabs...you're safe from this anyhow it appears.

So, how many Fx'rs are there that don't have some extra tab controls :)
Rishi M.
Folder@Home
Posts: 1294
Joined: April 29th, 2005, 7:36 pm
Location: Toronto, Canada

Post by Rishi M. »

Cusser wrote:The nightlies (trunk at least) already had a patch for this checked in. I don't remember if it's a partial or total fix as of this moment. I still maintain my stance that unless there are other things worth patching, releasing 1.0.5 for this trivial issue is a waste of effort.

I agree. If there are a few other security/stability fixes on deck already, then yes, ship 1.0.5. However, another release on the almost-dead aviary-1.0 branch just for this vulnerability will do nothing but take dev time away from 1.1.
Quidquid latine dictum sit, altum sonatur.
Folding for Team MozillaZine (No. 39340) with 32.4GHz of power. Your machine can make a difference! Join now.
Ordinaryaverageguy04
Posts: 98
Joined: September 14th, 2004, 7:37 am

Post by Ordinaryaverageguy04 »

On the other hand, this vulnerability has been reported everywhere. It would be good to show that Mozilla is dedicated to fixing security issues immediately. Personally, I think it would be a big mistake not to release a 1.0.5 with the patch. Those who don't know much about it still just see it as a security risk. They don't know or care about the severity, just that they aren't vulnerable. Just my opinion =).
Firefox + Thunderbird = The Ultimate Desktop Team
Hybrid
Posts: 210
Joined: December 3rd, 2003, 12:29 am
Location: /usr/src/linux

Post by Hybrid »

So, what, you just need to actually use the tab feature in FF/Mozilla and you aren't vulnerable? This is listed as mildly critical why?

Littlemutt, you don't even need tab control extensions...this "threat" is weak.
Gadeiros
Posts: 56
Joined: April 13th, 2003, 1:18 pm
Location: Germany

Post by Gadeiros »

There is some "Windows" bug, according to this German heise online article http://www.heise.de/newsticker/meldung/60433, which causes a blue screen when height and width of images are set to big values in the HTML code (independent of the browser).

Yet, there seems to be a fix in Deer Park Alpha 1, which prevents this.
This fix would be good to have in 1.0.5 as well, if it isn't already in.
ColdFusion650
Posts: 2186
Joined: December 5th, 2004, 1:12 pm
Location: Below the Mason-Dixon

Post by ColdFusion650 »

My suggestion: for people who are really worried about the security fix, tell them to download Deer Park. I've been using Firefox nightlies since 0.6 and I've never had it crash, so Deer Park wouldn't be a bad thing, at least for those people who really want that security fix.
Gadeiros
Posts: 56
Joined: April 13th, 2003, 1:18 pm
Location: Germany

Post by Gadeiros »

A known problem which can lead to a blue screen and thus data loss should be fixed as soon as possible.
This "bug" seems to be quite easily "exploitable". FF 1.1 is still some 2 months away...
Fender178
Posts: 237
Joined: August 1st, 2004, 1:24 pm

Post by Fender178 »

I would release 1.05 just to be on the safe side until 1.1 officially comes out.

According to Yahoo news if you have the mixed tab extension installed then you should be protected.

http://news.yahoo.com/news?tmpl=story&u ... /164301545
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post by michaell522 »

Cusser wrote:I still maintain my stance that unless there are other things worth patching, releasing 1.0.5 for this trivial issue is a waste of effort.


Looking at the most recent burning edge post (http://www.squarefree.com/burningedge/2005/06/07/2005-06-07-trunk-builds/), it looks like a couple of other security fixes have gone onto the trunk. Assuming those aren't trunk-only regressions (which isn't very likely), they also exist in 1.0.4 and will need a 1.0.5 to fix them.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

You're right, I hadn't spotted those. One of them is bold (I assume that means major) so there must be more at work here than I know about, that's for sure.
old Neil Parks
Moderator
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old Neil Parks »

ColdFusion650 wrote:my suggestion: for people who are really worried about the security fix, tell them to download deer park.
Deer Park is not an end user product. That's why it isn't called Firefox.

We who are technically minded and can work around the bugs in DP (and find new ones) will benefit from using it. Others should stick to 1.0.4.