Firefox 10 will be skipped! (Secunia discussion)

Post by bladerunner » 2012-02-04, 17:34

The problem is that multiple highly critical vulnerabilities have been detected in Pale Moon 9.x (and in the FF 9.x version as well, of course; Thunderbird 9.x is affected too), as reported in Secunia advisory SA47816 http://secunia.com/advisories/47816/ .

Have these vulnerabilities been fixed in Pale Moon 9.1, or is a specific update required (Pale Moon 9.2, for example)?

Re: Firefox 10 will be skipped!

Post by Moonchild (Pale Moon guru) » 2012-02-04, 23:46

Secunia is a bunch of hooey - they don't check ANYTHING themselves, they just mindlessly regurgitate what Mozilla has posted in their security notes. Also, they are WAY behind: their most recent report is about 9.0.1, and their advice is "upgrade to 9.1", which is correct.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Re: Firefox 10 will be skipped!

Post by bladerunner » 2012-02-05, 01:08

Well, I'm not interested in a discussion about Secunia... I can tell you just this: even Kaspersky's own vulnerability database is entirely based on Secunia's (which is absolutely huge...).

About the report you are talking about, I think you are right: you mean report SA47751 http://secunia.com/advisories/47751 , which is specific to Pale Moon vulnerabilities, and the suggested solution is to update to version 9.1. That means you are correct.

The problem is in the way Secunia works: I had to check the Secunia report about Pale Moon manually on the web. If I run a Secunia scan, it shows me the report about Firefox 9.x vulnerabilities (SA47816), which suggests updating to FF 10 as the solution. It looks like Secunia detects Pale Moon as if it were Firefox... Secunia has the correct Pale Moon advisory, but the software shows the Firefox one. To get correct information I have to run a manual search on the web... I'll report this on the Secunia forum.

Re: Firefox 10 will be skipped!

Post by Moonchild (Pale Moon guru) » 2012-02-05, 08:58

Look, it is well-known that vulnerabilities are discovered in pieces of software that connect to the Internet all the time, especially things as complex as the Firefox code base.
It is also well-known that critical and essential vulnerabilities (i.e. ones that are more than just theoretical, or a cleanup of code for proper allocation/deallocation, or a fix for a crash that MAY leave a piece of memory corrupted and could THEORETICALLY be abused) are always addressed with a "0-day patch" @Mozilla, and that Pale Moon closely follows those developments if they are applicable.

Quote: "Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors"
Kind of vague and arbitrary. Certainly not an abuse scenario.

Also, Secunia simply copies the Firefox report, which may not even apply to Pale Moon. See for example the designator "9.x" there, which would be valid for Firefox but not for Pale Moon to begin with, since 9.1, also a 9.x version, fixes the critical vulnerabilities with patches taken from Firefox 10 development. Secunia has lumped Pale Moon together with Firefox, which is not always correct; e.g. a vulnerability in the accessibility module is not applicable, nor is a vulnerability that would only be present when compiled with VS2005.

I don't care how big of an aggregator they are, or who bases their version checking upon it (Kaspersky got lazy if they are doing that now). Like I said, I'm well aware of critical issues that need to be addressed, and I won't let Secunia reports rush me or divert me from my release plans, no matter how many paranoid people shout about it.

I'm also splitting this sub topic off from announcements to a different board as it has less to do with skipping v10 than it has to do with general browser code security. => Development.
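The mismatch described in this thread (a scanner that identifies Pale Moon as Firefox and then applies the Firefox "9.x" advisory to Pale Moon 9.1, which is already fixed) comes down to two things a vulnerability scanner has to get right: identify the actual product, and compare versions numerically against that product's own fixed-in version. The following is an added illustration, not code from Secunia, Pale Moon, or anyone in this thread. The advisory IDs SA47816 and SA47751 are the ones named above, but their affected ranges, the "engine" field, and the installed-product records are all constructed for this example.

```python
"""Minimal advisory matcher: product identification plus numeric version comparison.

Added example; the advisory data and install records are constructed, and only the
two advisory identifiers come from the thread. Real advisories would be loaded from
a feed rather than hard-coded.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'9.0.1' -> (9, 0, 1). Compare component-wise as integers, never as strings,
    otherwise '9.10' would sort before '9.2'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str      # advisory identifier
    product: str    # the product the advisory actually covers
    major: int      # the "N.x" family the advisory talks about
    fixed_in: str   # first version in that family that is NOT affected
    solution: str   # vendor-recommended fix


# Constructed advisory entries (assumed ranges; only the IDs appear in the thread).
ADVISORIES = [
    Advisory("SA47816", "Firefox",   9, "10.0", "Update to Firefox 10"),
    Advisory("SA47751", "Pale Moon", 9, "9.1",  "Update to Pale Moon 9.1"),
]


def affected_by(adv: Advisory, version: str) -> bool:
    """True when `version` falls inside the advisory's family and below its fix."""
    v = parse_version(version)
    return v[0] == adv.major and v < parse_version(adv.fixed_in)


def identify_naive(install: dict) -> str:
    """The flawed approach: treat every Gecko-based browser as Firefox."""
    return "Firefox" if install["engine"] == "Gecko" else install["name"]


def identify_strict(install: dict) -> str:
    """Match on the product's own name so product-specific advisories apply."""
    return install["name"]


def scan(install: dict, identify) -> list:
    """Return (advisory id, solution) pairs that apply to one installed product."""
    product = identify(install)
    return [
        (a.ident, a.solution)
        for a in ADVISORIES
        if a.product == product and affected_by(a, install["version"])
    ]


# Constructed install records; the "engine" field is an assumed detection hint.
INSTALLS = [
    {"name": "Pale Moon", "engine": "Gecko", "version": "9.0.1"},
    {"name": "Pale Moon", "engine": "Gecko", "version": "9.1"},
    {"name": "Firefox",   "engine": "Gecko", "version": "9.0.1"},
]


if __name__ == "__main__":
    for install in INSTALLS:
        label = f"{install['name']} {install['version']}"
        print(f"{label:16} naive : {scan(install, identify_naive)}")
        print(f"{label:16} strict: {scan(install, identify_strict)}")
```

With the naive identifier, Pale Moon 9.1 is flagged by SA47816 with the advice "Update to Firefox 10", exactly the false positive bladerunner describes; with the strict identifier the Pale Moon-specific advisory is consulted instead, 9.1 is at or above its fixed-in version, and nothing is reported, while Pale Moon 9.0.1 correctly gets SA47751. The numeric version tuple is the other half of the point: a string comparison would treat a hypothetical 9.10 as older than 9.2.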
