I run FC4 on four (sometimes five), and have just had to re-install it on one I had managed to foul up (another story); so I *think* this is right :
FC4 not only installs Ffx by default, but makes it the default browser; but to update Ffx you have to go through nine yards of tarballs, and things too fierce to mention to MS users, most of whom haven't heard of tarballs and would either fall asleep or climb the walls in panic if you tried to tell them.
Yet apparently Firefox appeals to MS users.
"yum update firefox" certainly doesn't work, at least not with the default configurations on a new install. Nor on any install of mine.
Need these things be?
Is there a way I've missed to make "yum update firefox" work? Is there hope it will in FC5 -- or even FC6?
Or is the trouble something in Firefox itself?
As for me, I use Ffx as little as I conveniently can, just because I can keep Opera -- which has as many bills & whistles, some of them better -- up to snuff so much more readily. It tells me when a new release is available, asks if I want it, and if I tell it yes the worst that can happen is that I have to run an rpm command. And Opera is also cross-platform ....
Beartooth wrote:
I run FC4 on four (sometimes five), and have just had to re-install it on one I had managed to foul up (another story); so I *think* this is right :
FC4 not only installs Ffx by default, but makes it the default browser; but to update Ffx you have to go through nine yards of tarballs, and things too fierce to mention to MS users, most of whom haven't heard of tarballs and would either fall asleep or climb the walls in panic if you tried to tell them.
Yet apparently Firefox appeals to MS users.
"yum update firefox" certainly doesn't work, at least not with the default configurations on a new install. Nor on any install of mine.
Need these things be?
Is there a way I've missed to make "yum update firefox" work? Is there hope it will in FC5 -- or even FC6?
"yum update firefox" works fine for me on FC4.
Is the problem that you are seeing that firefox is not being updated to version 1.5? The reason for that is that no official Fedora package for Firefox 1.5 on FC4 has been released (at least not yet). That's why yum doesn't pick it up.
The MS client uses a completely different upgrade path (it goes directly to the "home" of firefox rather than via the operating system "vendor"), which is why it behaves differently there.
As for why there isn't a Firefox 1.5 upgrade for FC4, I don't know the answer.
Paul.
On Thu, 19 Jan 2006 18:37:44 +0000, Paul Howarth wrote:
Beartooth wrote:
[....]
Need these things be?
Is there a way I've missed to make "yum update firefox" work? Is there hope it will in FC5 -- or even FC6?
"yum update firefox" works fine for me on FC4.
Is the problem that you are seeing that firefox is not being updated to version 1.5? The reason for that is that no official Fedora package for Firefox 1.5 on FC4 has been released (at least not yet). That's why yum doesn't pick it up.
Oho! and also aha! So there *is* hope; I kinda thunkit ... Many thanks! [....]
As for why there isn't a Firefox 1.5 upgrade for FC4, I don't know the answer.
Gee, and I'd've sworn I saw some ballyhoo weeks and weeks ago to the effect that 1.5 was a big security fix. Worse, I *thought* what I read said it wasn't for once just another MS problem, but something *in* Firefox. Maybe I better go on avoiding it a while yet. What I have is 1.0.7. Thanks!
Btw, in case the security hole does depend on MS -- is it worth installing a passel of extensions, and counting on 1.5 when it eventually appears to adopt and update them? If not, and if 1.5 is anywhere near the offing, I'll just wait, and do it after I get that. (I've been running that browser since about phoenix 0.4, and like it -- with lots of extensions; but I've had to go get them over again from scratch at least once, and life is too short to do it again without need.)
Beartooth wrote:
On Thu, 19 Jan 2006 18:37:44 +0000, Paul Howarth wrote:
Beartooth wrote:
[....]
Need these things be?
Is there a way I've missed to make "yum update firefox" work? Is there hope it will in FC5 -- or even FC6?
"yum update firefox" works fine for me on FC4.
Is the problem that you are seeing that firefox is not being updated to version 1.5? The reason for that is that no official Fedora package for Firefox 1.5 on FC4 has been released (at least not yet). That's why yum doesn't pick it up.
Oho! and also aha! So there *is* hope; I kinda thunkit ... Many thanks! [....]
As for why there isn't a Firefox 1.5 upgrade for FC4, I don't know the answer.
Gee, and I'd've sworn I saw some ballyhoo weeks and weeks ago to the effect that 1.5 was a big security fix. Worse, I *thought* what I read said it wasn't for once just another MS problem, but something *in* Firefox. Maybe I better go on avoiding it a while yet. What I have is 1.0.7. Thanks!
Btw, in case the security hole does depend on MS -- is it worth installing a passel of extensions, and counting on 1.5 when it eventually appears to adopt and update them? If not, and if 1.5 is anywhere near the offing, I'll just wait, and do it after I get that. (I've been running that browser since about phoenix 0.4, and like it -- with lots of extensions; but I've had to go get them over again from scratch at least once, and life is too short to do it again without need.)
If there is a real security issue with firefox 1.0.x (I don't know if there is or not), I'd expect an FC4 update that either:
(a) updated to a later version that fixed the problem, or (b) included a backported fix in the existing version
The choice between the two largely depends on what the impact of a significant version upgrade would be on users/other applications that depend on the package. If there are significant plugin incompatibilities between firefox 1.0.x and 1.5.x then I'd expect the second option to be chosen if possible.
Paul.
On Fri, 20 Jan 2006 11:19:59 +0000, Paul Howarth wrote:
Beartooth wrote:
On Thu, 19 Jan 2006 18:37:44 +0000, Paul Howarth wrote:
Beartooth wrote:
Gee, and I'd've sworn I saw some ballyhoo weeks and weeks ago to the effect that 1.5 was a big security fix. Worse, I *thought* what I read said it wasn't for once just another MS problem, but something *in* Firefox. Maybe I better go on avoiding it a while yet. What I have is 1.0.7. Thanks!
[....]
If there is a real security issue with firefox 1.0.x (I don't know if there is or not), I'd expect an FC4 update that either:
(a) updated to a later version that fixed the problem, or (b) included a backported fix in the existing version
The choice between the two largely depends on what the impact of a significant version upgrade would be on users/other applications that depend on the package. If there are significant plugin incompatibilities between firefox 1.0.x and 1.5.x then I'd expect the second option to be chosen if possible.
I've since gotten a CERT alert, available at
http://www.us-cert.gov/cas/techalerts/TA04-261A.html
and it still reads, to me, as if the problem is in (mozilla and) firefox, *not* in M$. Am I missing something, or is this infelicitous wording in the alert, or what? yum update firefox still doesn't get 1.5 -- i.e., 1.5 seems not to be on the repos ....
beartooth wrote:
On Fri, 20 Jan 2006 11:19:59 +0000, Paul Howarth wrote:
Beartooth wrote:
On Thu, 19 Jan 2006 18:37:44 +0000, Paul Howarth wrote:
Beartooth wrote:
Gee, and I'd've sworn I saw some ballyhoo weeks and weeks ago to the effect that 1.5 was a big security fix. Worse, I *thought* what I read said it wasn't for once just another MS problem, but something *in* Firefox. Maybe I better go on avoiding it a while yet. What I have is 1.0.7. Thanks!
[....]
If there is a real security issue with firefox 1.0.x (I don't know if there is or not), I'd expect an FC4 update that either:
(a) updated to a later version that fixed the problem, or (b) included a backported fix in the existing version
The choice between the two largely depends on what the impact of a significant version upgrade would be on users/other applications that depend on the package. If there are significant plugin incompatibilities between firefox 1.0.x and 1.5.x then I'd expect the second option to be chosen if possible.
I've since gotten a CERT alert, available at
Are you sure you have the correct link? That link is for vulnerabilities that existed in the Pre-1.0 Firefox. They are definitely fixed in 1.0.7.
On Thu, 09 Feb 2006 22:06:09 -0500, William Hooper wrote:
beartooth wrote:
[....]
I've since gotten a CERT alert, available at
Are you sure you have the correct link? That link is for vulnerabilities that existed in the Pre-1.0 Firefox. They are definitely fixed in 1.0.7.
Very strange. Sure enough, the latest date I can find there, at the very bottom, is June 2005; but the alert I took it from only came -- to my direct subscription to CERT alerts -- only came on 2/7/2006; what's more, it gives that as its original release date.
So I looked it back up; fortunately, I had kept it. Indeed, that's the wrong URL! My bad. Sorry about that; dunno where I got it.
Anyway the new alert includes the following :
The most recent version of this document can be found at:
http://www.us-cert.gov/cas/techalerts/TA06-038A.html
[....]
III. Solution
Upgrade
Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0. For Mozilla-based products that have no updates available, users are strongly encouraged to disable JavaScript.
It also includes a link to mozilla.org/security/announce, which in turn links to a page which includes the following :
Fixed in Firefox 1.5.0.1
MFSA 2006-08 "AnyName" entrainment and access control hazard
MFSA 2006-07 Read beyond buffer while parsing XML
MFSA 2006-06 Integer overflows in E4X, SVG and Canvas
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-04 Memory corruption via QueryInterface on Location, Navigator objects
MFSA 2006-03 Long document title causes startup denial of Service
MFSA 2006-02 Changing postion:relative to static corrupts memory
MFSA 2006-01 JavaScript garbage-collection hazards

Fixed in Firefox 1.0.7
MFSA 2005-59 Command-line handling on Linux allows shell execution
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
MFSA 2005-57 IDN heap overrun using soft-hyphens

Fixed in Firefox 1.0.5/1.0.6
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities
Note that MFSA 2006-07, which seems to be the subject of the 2/2006 CERT alert (though it's not marked critical at mozilla.org), is listed under Fixed in Firefox 1.5.0.1 *only*
My poor command of technicalia deserts me here: is this a new vulnerability, or a newly discovered badness of an old one, or ...?
And most important, I still don't see a distinction between M$ mozilla/firefox and linux mozilla/firefox. So are we at risk? Should we be shutting firefox and mozilla down, and keeping them down till 1.5 shows up in a repo??
beartooth wrote:
The most recent version of this document can be found at:
[snip]
That link describes two issues:
CVE-2006-0296
CVE-2006-0295
CVE-2006-0296 is fixed in firefox-1.0.7-1.2.fc4.
[whooper@token i386]$ rpm -qp --changelog firefox-1.0.7-1.2.fc4.i386.rpm | head -4
warning: firefox-1.0.7-1.2.fc4.i386.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
* Sun Jan 29 2006 Christopher Aillon caillon@redhat.com 0:1.0.7-1.2.fc4
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296
According to Mozilla, version 1.0.x isn't vulnerable to CVE-2006-0295. http://www.mozilla.org/security/announce/mfsa2006-04.html
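The changelog check shown in the message above can be turned into a repeatable lookup. The following is an added example, not part of the original thread or of any Fedora tooling: the function name cve_fixed_in and the NOT-LISTED marker are hypothetical, and the sample changelog entry is the one quoted in the message.

```shell
#!/bin/sh
# Added example. For each CVE id given as an argument, report the oldest
# changelog entry (version-release) that mentions it. Reads the text of
# `rpm -q --changelog <package>` on stdin; rpm lists entries newest first.
cve_fixed_in() {
    awk -v want="$*" '
        BEGIN { n = split(want, ids, " ") }
        # Entry header, e.g. "* Sun Jan 29 2006 Name email 0:1.0.7-1.2.fc4":
        # the last field is [epoch:]version-release.
        /^\* / { ver = $NF; next }
        ver != "" {
            for (i = 1; i <= n; i++)
                # Require a non-digit (or end of line) after the id so that
                # one id is never matched as a prefix of a longer one.
                if ($0 ~ (ids[i] "([^0-9]|$)")) hit[ids[i]] = ver
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s\n", ids[i], ((ids[i] in hit) ? hit[ids[i]] : "NOT-LISTED")
        }'
}

# Sample input: the changelog entry quoted in the thread, embedded so the
# example runs without the package being installed.
sample_changelog() {
cat <<'EOF'
* Sun Jan 29 2006 Christopher Aillon caillon@redhat.com 0:1.0.7-1.2.fc4
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

EOF
}

sample_changelog | cve_fixed_in CVE-2006-0296 CVE-2006-0295
# On an installed system the input would instead come from:
#   rpm -q --changelog firefox | cve_fixed_in CVE-2006-0296 CVE-2006-0295
```

NOT-LISTED only means the packager's changelog does not name the id; as the message above notes for CVE-2006-0295, that can be because the packaged version was never affected, so the upstream advisory still has to be read.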
--- beartooth beartooth@adelphia.net wrote:
I've since gotten a CERT alert, available at
http://www.us-cert.gov/cas/techalerts/TA04-261A.html
and it still reads, to me, as if the problem is in (mozilla and) firefox, *not* in M$. Am I missing something, or is this infelicitous wording in the alert, or what? yum update firefox still doesn't get 1.5 -- i.e., 1.5 seems not to be on the repos ....
I downloaded firefox 1.5.1 tar.gz several weeks ago, and just stuck it in a directory and created a link /usr/bin/firefox pointing to my directory in /usr/share where I unpacked it and installed it to... works great. I was impatient waiting for an rpm update... so I handled it. <g> Make sure to rpm -e your old firefox packages, which didn't seem to erase my personal files. The newer firefox also seems to run faster. I like it, plus I can use the newer extensions to adblock and do other nifty stuff. Ric
================================================ My father, Victor Moore (Vic) used to say: "There are two Great Sins in the world... ...the Sin of Ignorance, and ...the Sin of Stupidity. Only the former may be overcome." R.I.P. Dad.
Linux user# 44256 Sign up at: http://counter.li.org/ ================================================