Firefox 1.03?

nocturn ulist at gs1.ubuntuforums.org
Fri Apr 29 08:01:18 UTC 2005


Shawn Christopher wrote:
> Daniel Robitaille wrote:
>
> Daniel,
> Thanks for the clarification...however I think the big issue now is
> the fact of informing the community that this is happening. Is there a
> way to post on the front page of the Ubuntu site or put a news heading
> that this is happening. Just a basic "A few users have noticed that
> Firefox is at 1.0.3 because of security updates, however Ubuntu has
> Firefox 1.0.2. The reason this is the case is because instead of
> changing our versioning number we have backported the security update
> from 1.0.3 into Ubuntu Firefox 1.0.2.
>
> I hope this will help alleviate the concerns that are being
> expressed by the community. Thank You.


The point is that they haven't backported all the fixes from 1.0.3; the
JavaScript vuln (which is very serious) is still there (there is a
bug report on this).

The scope of the vuln is that an arbitrary site can write files in your
home directory without your knowledge.

If such a file is .bashrc or .profile, they can execute code at the next
login.

This is a very serious hole.


-- 
nocturn



