Firefox 0.9.3 coming...
-
- Posts: 67
- Joined: August 9th, 2003, 8:40 am
- Location: Malaysia
- Contact:
The branch is created.. probably another security fix release...
Go go firefox!
- logan
- Posts: 3453
- Joined: May 22nd, 2003, 3:51 pm
- Location: NGC 2403
- Contact:
Not probably, it is for security bits and likely only security bits.
In the works: Mozilla 1.4.3, 1.7.2, and Firefox 0.9.3 (?).
So far, the following have been fixed:
http://bugzilla.mozilla.org/show_bug.cgi?id=249004
http://bugzilla.mozilla.org/show_bug.cgi?id=253121
http://bugzilla.mozilla.org/show_bug.cgi?id=250906
A recent issue was brought up with mastercard and a few other sites, but that's marked as WONTFIX:
http://bugzilla.mozilla.org/show_bug.cgi?id=252185
And the more recent (not really) xul "phishing" bit, which has no resolution:
http://bugzilla.mozilla.org/show_bug.cgi?id=22183
I don't know how long they want to wait for the releases of the aforementioned versions...
--edit--
Looks like there's more than just the security updates, check keywords for:
fixed1.7.3 (23 bugs so far): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.7.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED
fixed1.4.3 (17): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.4.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED
I've not seen any Firefox 0.9.3 keywords attached to these bugs.
Last edited by logan on August 2nd, 2004, 8:07 am, edited 4 times in total.
-
- Posts: 230
- Joined: August 25th, 2003, 7:13 pm
Knightley wrote:I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.
No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.
<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:
A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?
The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.
Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.
Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>
Last edited by Catfish_Man on August 1st, 2004, 10:54 pm, edited 1 time in total.
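The letter-by-letter check described in the post above, next to the "check all the letters" fix, as an added example that is not part of the original thread. The `steps` counter is an assumption of this example: it stands in for elapsed time so the difference is visible without a clock, and the password `hunter2` is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Comparisons performed by the last call: a deterministic stand-in for
   elapsed time (assumption of this example, not a real clock). */
static size_t steps;

/* Early-exit check as the post describes: stop at the first wrong letter. */
int leaky_equal(const char *guess, const char *secret)
{
    size_t i;
    steps = 0;
    for (i = 0; secret[i] != '\0'; i++) {
        steps++;
        if (guess[i] != secret[i])
            return 0;            /* work done so far = matching prefix + 1 */
    }
    return guess[i] == '\0';     /* reject guesses longer than the secret */
}

/* The fix from the post: look at every letter, fold differences together. */
int ct_equal(const char *guess, const char *secret)
{
    size_t glen = strlen(guess), slen = strlen(secret), i;
    unsigned char diff = (unsigned char)(glen != slen);
    steps = 0;
    for (i = 0; i < slen; i++) {
        /* wrap the index so a short guess is never read out of bounds */
        unsigned char g = glen ? (unsigned char)guess[i % glen] : 0;
        diff |= (unsigned char)(g ^ (unsigned char)secret[i]);
        steps++;
    }
    return diff == 0;
}

size_t leaky_steps(const char *g, const char *s) { leaky_equal(g, s); return steps; }
size_t ct_steps(const char *g, const char *s)    { ct_equal(g, s);    return steps; }

int main(void)
{
    const char *secret = "hunter2";                 /* constructed sample */
    const char *guesses[] = { "xxxxxxx", "huxxxxx", "hunterx", "hunter2" };
    for (size_t k = 0; k < 4; k++)
        printf("%-8s leaky=%zu constant=%zu\n", guesses[k],
               leaky_steps(guesses[k], secret), ct_steps(guesses[k], secret));
    return 0;
}
```

The early-exit version does more work the more leading letters are right, while the fixed version does the same work for every guess. Production code should use a vetted constant-time comparison from its crypto library rather than a hand-written loop, since compilers can reintroduce early exits.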
- logan
- Posts: 3453
- Joined: May 22nd, 2003, 3:51 pm
- Location: NGC 2403
- Contact:
-
- Posts: 230
- Joined: August 25th, 2003, 7:13 pm
Knightley wrote:At least they don't release a new version every month!
I've seen several new IE "versions" (aka security patches) in one week before. Perhaps a patching system could cut the download size for updates down... (of course, some of the IE patches are bigger than Firefox, but that's not necessarily something wrong with the patching system)
- steeler_fan
- Posts: 1189
- Joined: June 15th, 2003, 11:00 am
- Location: Pixburgh
- Contact:
What's the branch name?
Ah, found it. FIREFOX_0_9_3_BRANCH.
Checkins
Better link, Checkins to 1.7.2 branch. This one shows the bug numbers, rather than just "merging changes".
Neil
- rfrangioni77
- Posts: 1510
- Joined: January 5th, 2004, 1:48 am
- Location: Bumdumbourge, near Totalslava
- Contact:
- gengish
- Posts: 145
- Joined: July 14th, 2004, 2:27 pm
Catfish_Man wrote:Is this an urban myth?
I guess so. I've never heard of a "time based" password cracking method. I mean, it would be a brute-force attack anyway, which means that you have to try each combination of letters, numbers and symbols until you pick the right one; the longer the password, the longer it takes to discover it.
-
- Posts: 198
- Joined: January 11th, 2004, 10:21 pm
Catfish_Man wrote:Knightley wrote:I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.
No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.
<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:
A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?
The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.
Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.
Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>
I have never heard of a password authentication method that worked as you described. First off, given the network latencies there would be absolutely no way of someone being able to differentiate the time it took to compare 5 characters or 6 (this is such a speedy operation, you would have trouble timing this on the local machine). Second, just about any semi-intelligent site will use some form of encryption for their passwords. Just about every encryption algorithm that I know of uses the entire string to create the hashed value so that the encrypted version of "password" looks nothing like "passwor" (and therefore cannot do a single character comparison as described above).