[CentOS] [OT] security bug with firefox and add-on

Richard lists-centos at listmail.innovate.net
Thu Mar 10 00:20:07 UTC 2016



> Date: Wednesday, March 09, 2016 17:30:57 -0600
> From: g <geleem at bellsouth.net>
> 
> On 03/09/16 14:28, Ned Slider wrote:
>> On 09/03/16 19:11, g wrote:
> <<<>>>
> 
>> Does it affect the latest version of Firefox just released:
>> 
>> firefox-38.7.0-1.el6_7
>> 
>> Is the bug in Firefox or the add-on.
>> 
>> If the bug is in Firefox, then I would report it to Red Hat.
>> CentOS will not fix bugs, security or otherwise, as the policy is
>> to rebuild RHEL, bugs and all.
>> 
> as it now stands with firefox 38.7.0, bug is still there.
> 
> because of what is happening, it _is_ the add-on.
> 
> checked mozilla site to see who the author is. he is a mozilla program
> developer. which does not surprise me.
> 
> after giving much thought to bug and what could result, i am sending
> notice to RHEL, mozilla and CVE.
> 
> if bug is not fixed within a very few days, i just might inform some
> of the computer news people and just for fun of it, Homeland
> Security.
> 
> why Homeland Security? simple, there are most likely a lot of .gov
> officials using firefox on their oos computers. and we all know how
> easy it is to get into oos. ((GBWG))


The CERT policy for public disclosure is 45 days after the initial
report (to the vendor).

   <http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm>

Make certain you report the issue to the right person. In the case of
a FF add-on, the author and probably Mozilla. RH doesn't distribute
FF add-ons so they aren't primary on something like this, especially
if the bug isn't OS/RHEL specific.

You might want to check to see if it's still an issue with the
current FF (45), which can be gotten from their release site:

   <http://archive.mozilla.org/pub/firefox/releases/>

The Linux packages can be unpacked and run from user space, so you
don't impact your system-installed release.
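As an added example (not part of Richard's message or anything the thread's authors wrote), the check described above written out as a POSIX shell script: fetch the Firefox 45.0 Linux tarball from archive.mozilla.org, verify it against the SHA512SUMS file that Mozilla publishes in the same release directory, unpack it under $HOME, and launch it with its own profile so neither the system firefox-38.7.0 package nor the user's normal profile is touched. The version (45.0), platform (linux-x86_64), locale (en-US), the install prefix $HOME/.local/opt and the profile path are assumptions; the release-directory layout and the tarball name firefox-<ver>.tar.bz2 are the ones the archive used for that release.

```shell
#!/bin/sh
# Added example, not code from the CentOS thread.
# Fetch, verify, unpack and run a Firefox release entirely in user space.
# Assumptions: version 45.0, linux-x86_64, en-US, install under $HOME/.local/opt,
# and that curl, awk, tar and sha512sum (or shasum) are available.
set -eu

MOZ_RELEASES="https://archive.mozilla.org/pub/firefox/releases"

# URL of the release tarball for a given version/platform/locale.
firefox_tarball_url() {
    ver="$1"; platform="${2:-linux-x86_64}"; locale="${3:-en-US}"
    echo "$MOZ_RELEASES/$ver/$platform/$locale/firefox-$ver.tar.bz2"
}

# Path under which the release's SHA512SUMS file lists that tarball.
firefox_tarball_relpath() {
    ver="$1"; platform="${2:-linux-x86_64}"; locale="${3:-en-US}"
    echo "$platform/$locale/firefox-$ver.tar.bz2"
}

# SHA-512 hex digest of a file (GNU coreutils or Perl shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        shasum -a 512 "$1" | awk '{ print $1 }'
    fi
}

# Compare a downloaded tarball with its entry in SHA512SUMS
# (lines of the form "<sha512hex>  <relative path>"). Returns 0 on match,
# 1 if the digest differs or the file is not listed at all.
verify_tarball() {
    sums="$1"; relpath="$2"; tarball="$3"
    expected=$(awk -v p="$relpath" '$2 == p { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_tarball: no checksum entry for $relpath" >&2
        return 1
    fi
    actual=$(sha512_of "$tarball")
    [ "$expected" = "$actual" ]
}

# Download, verify and unpack into $FF_PREFIX/firefox-<ver>; no root needed.
install_user_firefox() {
    ver="$1"; platform="${2:-linux-x86_64}"; locale="${3:-en-US}"
    dest="${FF_PREFIX:-$HOME/.local/opt}/firefox-$ver"
    work=$(mktemp -d)
    curl -fsSL -o "$work/SHA512SUMS" "$MOZ_RELEASES/$ver/SHA512SUMS"
    curl -fsSL -o "$work/firefox.tar.bz2" \
        "$(firefox_tarball_url "$ver" "$platform" "$locale")"
    # Refuse to unpack anything whose digest does not match the published list.
    verify_tarball "$work/SHA512SUMS" \
        "$(firefox_tarball_relpath "$ver" "$platform" "$locale")" \
        "$work/firefox.tar.bz2"
    mkdir -p "$dest"
    # The tarball has a single top-level "firefox/" directory; drop it.
    tar -xjf "$work/firefox.tar.bz2" -C "$dest" --strip-components=1
    rm -rf "$work"
    echo "$dest"
}

# Launch the user-space copy with a fresh, dedicated profile so the
# suspect add-on can be installed and exercised in isolation.
run_user_firefox() {
    ver="$1"
    bin="${FF_PREFIX:-$HOME/.local/opt}/firefox-$ver/firefox"
    exec "$bin" --no-remote --profile "$HOME/.mozilla/ff-$ver-addon-test"
}

# Only act when invoked with a subcommand; sourcing the file defines the
# functions and does nothing else.
case "${1:-}" in
    install) install_user_firefox "${2:-45.0}" ;;
    run)     run_user_firefox "${2:-45.0}" ;;
    *)       : ;;
esac
```

Usage: `sh ff-userspace.sh install 45.0` fetches and unpacks to ~/.local/opt/firefox-45.0, then `sh ff-userspace.sh run 45.0` starts it against an empty profile; install only the add-on under suspicion there and try to reproduce. Checking the tarball against SHA512SUMS from the same host only guards against a truncated or corrupted download, not a compromised mirror; Mozilla also publishes a detached signature (SHA512SUMS.asc) for the sums file if you want to go further.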




