public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Firefox 2.0.0.5
@ 2007-07-25  0:21 Stratos Psomadakis
  2007-07-25  2:10 ` fire-eyes
  0 siblings, 1 reply; 6+ messages in thread
From: Stratos Psomadakis @ 2007-07-25  0:21 UTC
  To: gentoo-user

I just did an update, and Firefox 2.0.0.5 has been added to the tree
(~masked)...
but I just read a post at slashdot.org that talks about a password
vulnerability of 2.0.0.5...
Here's the link: http://it.slashdot.org/article.pl?sid=07/07/23/1450224

I just want to ask if it's OK to update to the new Firefox, or if it's a
serious sec problem?... :/

thx...
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] Firefox 2.0.0.5
  2007-07-25  0:21 [gentoo-user] Firefox 2.0.0.5 Stratos Psomadakis
@ 2007-07-25  2:10 ` fire-eyes
  2007-07-25  8:09   ` b.n.
  2007-07-25 11:56   ` [gentoo-user] " Florian Philipp
  0 siblings, 2 replies; 6+ messages in thread
From: fire-eyes @ 2007-07-25  2:10 UTC
  To: gentoo-user

Stratos Psomadakis wrote:
> I just did an update, and Firefox 2.0.0.5 has been added to the tree
> (~masked)...
> but I just read a post at slashdot.org that talks about a password
> vulnerability of 2.0.0.5...
> Here's the link: http://it.slashdot.org/article.pl?sid=07/07/23/1450224
>
> I just want to ask if it's OK to update to the new Firefox, or if it's a
> serious sec problem?... :/
> 
> thx...

It's okay to update; as far as I know it's 2.0.0.5 and before (aka
everything...).

Your best bet is to not use the password saving features, install
noscript (important: WIPE OUT its whitelist, then selectively add sites
you trust).

* Re: [gentoo-user] Firefox 2.0.0.5
  2007-07-25  2:10 ` fire-eyes
@ 2007-07-25  8:09   ` b.n.
  2007-07-25 23:22     ` [gentoo-user] " »Q«
  2007-07-25 11:56   ` [gentoo-user] " Florian Philipp
  1 sibling, 1 reply; 6+ messages in thread
From: b.n. @ 2007-07-25  8:09 UTC
  To: gentoo-user

fire-eyes wrote:
>> I just want to ask if it's OK to update to the new Firefox, or if it's
>> a serious sec problem?... :/
>>
>> thx...
>
> It's okay to update; as far as I know it's 2.0.0.5 and before (aka
> everything...).
>
> Your best bet is to not use the password saving features, install
> noscript (important: WIPE OUT its whitelist, then selectively add sites
> you trust).

Has the bug been fixed upstream?

m.

* Re: [gentoo-user] Firefox 2.0.0.5
  2007-07-25  2:10 ` fire-eyes
  2007-07-25  8:09   ` b.n.
@ 2007-07-25 11:56   ` Florian Philipp
  1 sibling, 0 replies; 6+ messages in thread
From: Florian Philipp @ 2007-07-25 11:56 UTC
  To: gentoo-user


On Wednesday 25 July 2007 04:10, fire-eyes wrote:
> Stratos Psomadakis wrote:
> > I just did an update, and Firefox 2.0.0.5 has been added to the tree
> > (~masked)...
> > but I just read a post at slashdot.org that talks about a password
> > vulnerability of 2.0.0.5...
> > Here's the link: http://it.slashdot.org/article.pl?sid=07/07/23/1450224
> >
> > I just want to ask if it's OK to update to the new Firefox, or if it's a
> > serious sec problem?... :/
> >
> > thx...
>
> It's okay to update; as far as I know it's 2.0.0.5 and before (aka
> everything...).
>
> Your best bet is to not use the password saving features, install
> noscript (important: WIPE OUT its whitelist, then selectively add sites
> you trust).

There is an addon called "Secure Login". I think it solved the original
problem by preventing Firefox from sending passwords without the user's
agreement, but I'm not sure if it really helps at all.


* [gentoo-user]  Re: Firefox 2.0.0.5
  2007-07-25  8:09   ` b.n.
@ 2007-07-25 23:22     ` »Q«
  2007-07-26  0:04       ` Stratos Psomadakis
  0 siblings, 1 reply; 6+ messages in thread
From: »Q« @ 2007-07-25 23:22 UTC
  To: gentoo-user

In <news:46A70555.3020502@gmail.com>,
"b.n." <brullonulla@gmail.com> wrote:

>fire-eyes wrote:
>>> I just want to ask if it's OK to update to the new Firefox, or if
>>> it's a serious sec problem?... :/
>>>
>>> thx...
>>
>> It's okay to update; as far as I know it's 2.0.0.5 and before (aka
>> everything...).
>>
>> Your best bet is to not use the password saving features, install
>> noscript (important: WIPE OUT its whitelist, then selectively add
>> sites you trust).

At least not use the password manager for sites that essentially let
users host pages on them, e.g. social networking sites.

>Has the bug been fixed upstream?

I don't know -- they restrict access to security-sensitive bug entries
until after an official release with a patch has been put out.  It's
possible they won't fix this one at all;  see the third and fourth
paragraphs at <http://www.heise-security.co.uk/news/93018>, and chase
links if you're really interested.

-- 
»Q«


* Re: [gentoo-user]  Re: Firefox 2.0.0.5
  2007-07-25 23:22     ` [gentoo-user] " »Q«
@ 2007-07-26  0:04       ` Stratos Psomadakis
  0 siblings, 0 replies; 6+ messages in thread
From: Stratos Psomadakis @ 2007-07-26  0:04 UTC
  To: gentoo-user

Very interesting article...
Hope that a solution will be found soon...
»Q« wrote:
> In <news:46A70555.3020502@gmail.com>,
> "b.n." <brullonulla@gmail.com> wrote:
>
>> fire-eyes wrote:
>>
>>>> I just want to ask if it's OK to update to the new Firefox, or if
>>>> it's a serious sec problem?... :/
>>>>
>>>> thx...
>>>>
>>> It's okay to update; as far as I know it's 2.0.0.5 and before (aka
>>> everything...).
>>>
>>> Your best bet is to not use the password saving features, install
>>> noscript (important: WIPE OUT its whitelist, then selectively add
>>> sites you trust).
>>>
>
> At least not use the password manager for sites that essentially let
> users host pages on them, e.g. social networking sites.
>
>> Has the bug been fixed upstream?
>>
>
> I don't know -- they restrict access to security-sensitive bug entries
> until after an official release with a patch has been put out.  It's
> possible they won't fix this one at all;  see the third and fourth
> paragraphs at <http://www.heise-security.co.uk/news/93018>, and chase
> links if you're really interested.
>
