Critical Mozilla Vulnerabilities Fixed in New Versions
A security advisory has been issued regarding buffer overflow vulnerabilities in Mozilla, Firefox and Thunderbird. However, the issue has been fixed in the recently released Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8.
Firefox 1.0PR now has a "software update" feature, so if any new vulneribilities are found and fixed, it will notify you about the update.
Coincidently, the Mozilla Foundation had a press release yesterday announcing that the first Security Bug Bounty payments were awarded.
What do you mean by "the bug has been fixed in 1.7.3"? 1.7.3 was released a few days ago; do you mean the downloadable copy has been updated without a change in the version number (ugh!)? If I download a 1.7.3 binary right now, will I get a fixed version? Thanks.
He certainly doesn't. This is a vulnerability that was fixed so that it made it into the moz1.7.3 release, the ff1.0PR release, and the tb0.8 release.
One version corresponds to one build - you don't backfit patches into new releases, you make a new release instead.
Yeah, my company *did* backfit a patch into a release, once, but only because we knew only one guy had grabbed it in the hour since it Dropped. Still, I was slapping my forehead.
Thanks for all ;=)