Date: Wednesday, March 09, 2016 17:30:57 -0600 From: g geleem@bellsouth.net
On 03/09/16 14:28, Ned Slider wrote:
On 09/03/16 19:11, g wrote:
<<<>>>
Does it affect the latest version of Firefox just released:
firefox-38.7.0-1.el6_7
Is the bug in Firefox or the add-on?
If the bug is in Firefox, then I would report it to Red Hat. CentOS will not fix bugs, security or otherwise, as the policy is to rebuild RHEL, bugs and all.
as it now stands with firefox 38.7.0, the bug is still there.
because of what is happening, it _is_ the add-on.
checked mozilla site to see who author is. he is a mozilla program developer. which does not surprise me.
after giving much thought to the bug and what could result, i am sending notice to RHEL, mozilla and CVE.
if the bug is not fixed within a very few days, i just might inform some of the computer news people and, just for the fun of it, Homeland Security.
why Homeland Security? simple, there are most likely a lot of .gov officials using firefox on their oos computers. and we all know how easy it is to get into oos. ((GBWG))
The CERT policy for public disclosure is 45 days after the initial report (to the vendor).
http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
Make certain you report the issue to the right person. In the case of a FF add-on, the author and probably Mozilla. RH doesn't distribute FF add-ons so they aren't primary on something like this, especially if the bug isn't OS/RHEL specific.
You might want to check to see if it's still an issue with the current FF (45), which can be gotten from their release site:
http://archive.mozilla.org/pub/firefox/releases/
The Linux packages can be unpacked and run from user space, so you don't impact your system-installed release.
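The user-space install suggested above, written out as an added example (this script is not from the thread or from Mozilla). It assumes the Mozilla release directory layout under `http://archive.mozilla.org/pub/firefox/releases/<version>/`, where each release ships a `SHA256SUMS` file whose entries are paths relative to that release directory (e.g. `linux-x86_64/en-US/firefox-45.0.tar.bz2`), and it checks the downloaded tarball against that file before unpacking into a user-owned prefix, so nothing under `/usr` or the distro package is touched. `RELEASE_BASE`, `verify_sha256`, `unpack_userspace` and `fetch_release` are names chosen for this example.

```shell
#!/bin/sh
# Added example: install a current Firefox tarball into a user-owned prefix,
# verifying it against Mozilla's per-release SHA256SUMS first.
# Assumption: release layout $RELEASE_BASE/<ver>/SHA256SUMS and
#             $RELEASE_BASE/<ver>/linux-x86_64/en-US/firefox-<ver>.tar.bz2
set -u

RELEASE_BASE=${RELEASE_BASE:-http://archive.mozilla.org/pub/firefox/releases}

# verify_sha256 TARBALL SUMSFILE RELPATH
# SUMSFILE lines look like "<sha256>  <path relative to release dir>".
# The same file name appears once per locale, so match the full RELPATH,
# not just the basename. Returns 0 on match, 1 on mismatch or no entry.
verify_sha256() {
  tarball=$1 sums=$2 relpath=$3
  expected=$(awk -v p="$relpath" '$2 == p { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $relpath" >&2
    return 1
  fi
  actual=$(sha256sum "$tarball" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball" >&2
    return 1
  fi
  return 0
}

# unpack_userspace TARBALL PREFIX
# Extracts the tarball (tar auto-detects bz2/xz) into PREFIX/firefox,
# prints the path of the resulting binary. No root needed.
unpack_userspace() {
  tarball=$1 prefix=$2
  mkdir -p "$prefix" || return 1
  tar -xf "$tarball" -C "$prefix" || return 1
  if [ ! -x "$prefix/firefox/firefox" ]; then
    echo "no firefox binary found in $tarball" >&2
    return 1
  fi
  echo "$prefix/firefox/firefox"
}

# fetch_release VER PREFIX
# Network step: download SHA256SUMS and the en-US x86_64 tarball for VER,
# verify, then unpack. Not exercised offline.
fetch_release() {
  ver=$1 prefix=$2
  rel="linux-x86_64/en-US/firefox-$ver.tar.bz2"
  work=$(mktemp -d) || return 1
  curl -fsSL -o "$work/SHA256SUMS" "$RELEASE_BASE/$ver/SHA256SUMS" || return 1
  curl -fsSL -o "$work/firefox-$ver.tar.bz2" "$RELEASE_BASE/$ver/$rel" || return 1
  verify_sha256 "$work/firefox-$ver.tar.bz2" "$work/SHA256SUMS" "$rel" || return 1
  unpack_userspace "$work/firefox-$ver.tar.bz2" "$prefix"
}

# Typical use (uncomment to run):
#   bin=$(fetch_release 45.0 "$HOME/opt") && "$bin" -P addon-test
```

Start the unpacked copy with its own profile (`-P <name>` or `--profile <dir>`) so reproducing the add-on bug does not alter the profile used by the system Firefox; the checksum step only protects against a corrupted or altered download, and the `SHA256SUMS.asc` signature Mozilla publishes alongside can be checked with gpg for a stronger guarantee.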