Firefox 10.0.2 chemspill to be released on Friday

Tony-E
Posts: 8778
Joined: November 5th, 2004, 11:28 am

Firefox 10.0.2 chemspill to be released on Friday

Post by Tony-E »

A chemspill release to address a security issue will be released tomorrow.

As well as Firefox 10.0.2, there will be updates to Firefox ESR 10.0.2, Firefox 3.6.27, beta builds & mobile builds.
makaiguy
Posts: 16878
Joined: November 18th, 2002, 6:44 pm
Location: Somewhere in SE USA

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by makaiguy »

Will this be needed for Thunderbird, too?
Doug Wilson
Win10 64bit: FF 115.0.02 64bit, TB 102.12.0 32-bit ║ Android 13/10: FF 115.2.0/115.0.1 ║ No TB for Android available, dammit!
What a fool believes he sees, no wise man has the power to reason away - Doobie Brothers
Tony-E
Posts: 8778
Joined: November 5th, 2004, 11:28 am

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by Tony-E »

makaiguy wrote: Will this be needed for Thunderbird, too?

Yes
WaltS48
Posts: 5141
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by WaltS48 »

What is the security issue that is being fixed?

I didn't see any mention of a chemspill release in the recent meeting notes.

https://wiki.mozilla.org/Firefox/Planning/2012-02-15
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by michaell522 »

Chris Wood wrote: http://techdows.com/2012/02/firefox-10-0-2-released.html


Hrm... not sure where they got that information from - the linked bugs seem to have been fixed in 10.0.0.

The only change between 10.0.1 and 10.0.2 is a security fix for an integer overflow in libpng - bug 727401 (currently restricted). The problem means that it's possible for memory to get overwritten by a malformed PNG file, which could be exploited to execute code with the privileges of the browser.

As the bug is in libpng, this also affects other software - Chrome and various Linux distros also have patches out. It's CVE-2011-3026. Mozilla will presumably publish an advisory shortly.

WLS wrote: I didn't see any mention of a chemspill release in the recent meeting notes.

Looks like the details of the vulnerability were published on Wednesday afternoon, after that meeting.
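
An added illustration of the bug class described in the post above (an integer overflow in a size calculation that lets memory be overwritten). It is not from the thread and is not libpng's code; the function names, the `limit` parameter and the sample lengths are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked sizing: both lengths are read from the (untrusted) file.
   The 32-bit sum wraps, so the result can be far smaller than the data. */
uint32_t unchecked_total(uint32_t prefix, uint32_t expanded) {
    return prefix + expanded + 1u;            /* +1 for a terminating NUL */
}

/* Checked sizing: 0 on success, -1 if the total would exceed `limit`
   (which also rules out wrap-around). The subtraction cannot underflow. */
int checked_total(uint32_t prefix, uint32_t expanded, uint32_t limit,
                  uint32_t *out) {
    if (limit == 0 || prefix >= limit) return -1;
    if (expanded > limit - 1u - prefix) return -1;
    *out = prefix + expanded + 1u;
    return 0;
}

/* Hardened assembly of prefix + decoded body; NULL means "reject the file". */
unsigned char *build_output(const unsigned char *pre, uint32_t prefix,
                            const unsigned char *body, uint32_t expanded,
                            uint32_t limit, uint32_t *total) {
    if (checked_total(prefix, expanded, limit, total) != 0) return NULL;
    unsigned char *buf = malloc(*total);
    if (buf == NULL) return NULL;
    memcpy(buf, pre, prefix);
    memcpy(buf + prefix, body, expanded);
    buf[prefix + expanded] = '\0';
    return buf;
}

int main(void) {
    /* Constructed lengths, as a malformed file might declare them. */
    uint32_t prefix = 0xFFFFFFF0u, expanded = 0x20u, total = 0;
    printf("unchecked allocation size: %u bytes\n",
           (unsigned)unchecked_total(prefix, expanded));
    printf("checked: %s\n",
           checked_total(prefix, expanded, 1u << 20, &total) ? "rejected"
                                                             : "accepted");
    return 0;
}
```

With the unchecked sum, a decoder would allocate a few bytes and then copy the much larger declared lengths into them; the checked version refuses the file before any allocation or copy happens.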
Chris Wood
Posts: 33
Joined: May 20th, 2004, 3:44 pm
Location: New Zealand

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by Chris Wood »

They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by michaell522 »

Chris Wood wrote: They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?

Well, yes, but if you look at the 10.0.0 notes https://www.mozilla.org/en-US/mobile/10.0/releasenotes/ you can see that everything is already there, except the security fixes.
WaltS48
Posts: 5141
Joined: May 7th, 2010, 9:38 am
Location: Pennsylvania, USA

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by WaltS48 »

Thanks for the info.

I get skeptical when someone reports it without a link to supporting information.
Linux Desktop - AMD Athlon(tm) II X3 455 3.3GHz | 8.0GB RAM | GeForce GT 630
Windows Notebook - AMD A8 7410 2.2GHz | 6.0GB RAM | AMD Radeon R5
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by michaell522 »

Mozilla has now posted the advisory:
http://blog.mozilla.com/security/2012/0 ... 2011-3026/

The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.

This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.


(If you'd like your software to be remotely exploited via any webpage or email, then you don't have to update... I think I will)
Kevin McFarlane
Posts: 597
Joined: November 10th, 2009, 3:47 am

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by Kevin McFarlane »

lithopsian wrote: My Linux install cannot update itself automatically even if it tried because it doesn't have sufficient permissions. root and all that ...


Ditto Win 7 as standard user.
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by LoudNoise »

Locking temp for surgery
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by LoudNoise »

I split all the off topic stuff to here: viewtopic.php?f=7&t=2430305

Opinions about frequency of updates should continue there.

Reopened
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Re: Firefox 10.0.2 chemspill to be released on Friday

Post by Frank Lion »

10.0.2 is now out on Firefox 10 ESR.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)