MozillaZine

Firefox 10.0.2 chemspill to be released on Friday

Tony-E

Posts: 8778
Joined: November 5th, 2004, 11:28 am

Post Posted February 16th, 2012, 12:00 pm

A chemspill release to address a security issue will be released tomorrow.

As well as Firefox 10.0.2, there will be updates to Firefox ESR 10.0.2, Firefox 3.6.27, beta builds & mobile builds.

makaiguy

Posts: 16869
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA

Post Posted February 16th, 2012, 12:29 pm

Will this be needed for Thunderbird, too?
Doug Wilson, "The Makai Guy"
Win10 (64bit): FF 81.0.1 (64bit), TB 68.12.1n (32-bit) ║ Android 10/7.1.1: FF Mobile 81.1.2, No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers

Tony-E

Posts: 8778
Joined: November 5th, 2004, 11:28 am

Post Posted February 16th, 2012, 12:32 pm

makaiguy wrote: Will this be needed for Thunderbird, too?

Yes

WaltS48

Posts: 4415
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Post Posted February 16th, 2012, 4:12 pm

What is the security issue that is being fixed?

I didn't see any mention of a chemspill release in the recent meeting notes.

https://wiki.mozilla.org/Firefox/Planning/2012-02-15
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5

Chris Wood

Posts: 33
Joined: May 20th, 2004, 3:44 pm
Location: New Zealand

Post Posted February 16th, 2012, 11:40 pm


michaell522
 
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post Posted February 17th, 2012, 3:07 am

Chris Wood wrote: http://techdows.com/2012/02/firefox-10-0-2-released.html


Hrm... not sure where they got that information from - the linked bugs seem to have been fixed in 10.0.0.

The only change between 10.0.1 and 10.0.2 is a security fix for an integer overflow in libpng - bug 727401 (currently restricted). The problem means that it's possible for memory to get overwritten by a malformed PNG file, which could be exploited to execute code with the privileges of the browser.

As the bug is in libpng, this also affects other software - Chrome and various Linux distros also have patches out. It's CVE-2011-3026. Mozilla will presumably publish an advisory shortly.

WLS wrote: I didn't see any mention of a chemspill release in the recent meeting notes.

Looks like the details of the vulnerability were published on Wednesday afternoon, after that meeting.
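
An added illustration of the bug class named in the post above (an integer overflow in an image size calculation), not code from this thread, from libpng or from the Mozilla patch; bug 727401 is restricted, so this does not reproduce the actual flaw. The function names, the `bpp` parameter and the 256 MiB cap are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed policy cap on a decoded image; not a libpng constant. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked: the product is computed in 32 bits and silently wraps, so
 * header fields taken from a file can yield a size far too small. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Multiply a*b into *out; return 0 on success, -1 if it would overflow. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Checked: returns 0 and sets *out, or -1 for zero, overflowing or
 * oversized dimensions. bpp is bytes per pixel. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    size_t row, total;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (mul_size(width, bpp, &row) != 0 || mul_size(row, height, &total) != 0)
        return -1;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

/* Allocate a pixel buffer only when the checked size is valid. */
void *alloc_image(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (image_bytes_checked(width, height, bpp, &n) != 0)
        return NULL;
    return malloc(n);
}
```

With the unchecked version, a decoder would allocate the wrapped size and then write the full image into it; the checked version rejects the same dimensions before any allocation happens.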

Chris Wood

Posts: 33
Joined: May 20th, 2004, 3:44 pm
Location: New Zealand

Post Posted February 17th, 2012, 3:28 am

They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?

michaell522
 
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post Posted February 17th, 2012, 3:34 am

Chris Wood wrote: They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?

Well, yes, but if you look at the 10.0.0 notes https://www.mozilla.org/en-US/mobile/10.0/releasenotes/ you can see that everything is already there, except the security fixes.

WaltS48

Posts: 4415
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Post Posted February 17th, 2012, 7:04 am

Thanks for the info.

I get skeptical when someone reports it without a link to supporting information.
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5

michaell522
 
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post Posted February 17th, 2012, 10:15 am

Mozilla has now posted the advisory:
http://blog.mozilla.com/security/2012/0 ... 2011-3026/

The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.

This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.


(If you'd like your software to be remotely exploited via any webpage or email, then you don't have to update... I think I will)

Kevin McFarlane
 
Posts: 581
Joined: November 10th, 2009, 3:47 am

Post Posted February 17th, 2012, 10:35 am

lithopsian wrote: My Linux install cannot update itself automatically even if it tried because it doesn't have sufficient permissions. root and all that ...


Ditto Win 7 as standard user.

LoudNoise
New Member

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted February 17th, 2012, 1:08 pm

Locking temp for surgery
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

LoudNoise
New Member

Posts: 40048
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted February 17th, 2012, 1:15 pm

I split all the off topic stuff to here: viewtopic.php?f=7&t=2430305

Opinions about frequency of updates should continue there.

Reopened
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."

Frank Lion

Posts: 20814
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted February 17th, 2012, 1:23 pm

10.0.2 is now out on Firefox 10 ESR.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
