Critical Mozilla Vulnerabilities Fixed in New Versions

A security advisory has been issued regarding buffer overflow vulnerabilities in Mozilla, Firefox and Thunderbird. However, the vulnerabilities have been fixed in the recently released Mozilla 1.7.3, Firefox 1.0PR and Thunderbird 0.8.

Firefox 1.0PR now has a "software update" feature, so if any new vulnerabilities are found and fixed, it will notify you about the update.

Coincidentally, the Mozilla Foundation issued a press release yesterday announcing that the first Security Bug Bounty payments were awarded.

[via /.]

» posted by pinder on September 15, 2004 at 12:36 PM


What do you mean by "the bug has been fixed in 1.7.3"? 1.7.3 was released a few days ago; do you mean the downloadable copy has been updated without a change in the version number (ugh!)? If I download a 1.7.3 binary right now, will I get a fixed version? Thanks.

# posted by phr

He certainly doesn't. This is a vulnerability that was fixed so that it made it into the moz1.7.3 release, the ff1.0PR release, and the tb0.8 release.

One version corresponds to one build - you don't backfit patches into new releases, you make a new release instead.

# posted by liorean

Yeah, my company *did* backfit a patch into a release, once, but only because we knew only one guy had grabbed it in the hour since it Dropped. Still, I was slapping my forehead.

# posted by bish

Thanks for all ;=)

# posted by user

This discussion has been closed.