On 09/03/16 19:11, g wrote:
>
>
> On 03/09/16 12:46, Mike - st257 wrote:
>>> On Wed, Mar 9, 2016 at 1:38 PM, g <geleem at bellsouth.net> wrote:
> <<>>
>
>> What version of CentOS and Firefox?
>>
> --
>
> centos 6.7, firefox 38.6.1.

Does it affect the latest version of Firefox just released:

firefox-38.7.0-1.el6_7

Is the bug in Firefox or the add-on? If the bug is in Firefox, then I would report it to Red Hat. CentOS will not fix bugs, security or otherwise, as the policy is to rebuild RHEL, bugs and all.

>
> <<>>
>
>>> so my question is just who should i inform of problem?
>>>
>>> mozilla.org? author of add-on? cve.mitre.org? all 3?
>>
>> Author of the add-on would be my first stop.
>>
>> If it turns out to be a larger bug affecting more than just that add-on,
>> hopefully the add-on author will run it up the chain to Mozilla.
>>
> --
>
> reason in bringing this up is if a hacker hacks someone's system and has
> knowledge of bug, he most likely will have disassembled add-on and knows
> what he needs to know to cause serious problems.
>
> at first, i thought author. after posting and more thought time, authors
> tend to be too lax in testing and slow in fixing.
>
> as for mozilla.org, their attitude has become 'not fixable, upgrade to
> later version', which in many cases is not doable.
>
> with cve.mitre.org, they just might issue a 'CESA' to remove add-on and
> reinstall firefox, do not use add-on until bug is fixed.