2004-06-15 Trunk builds

  • Fixed: 246448 - A security hole in Firefox, Internet Explorer, and Opera. (The fix made it into Firefox 0.9 as well.)
  • Fixed: 105892 - "Resolving host xyz.foo.bar..." should be "Looking up xyz.foo.bar...".
  • Since June 6: 246419 - Bookmarks file converts ' to ' in bookmark title.
  • Since May 10: 243387 - about:plugins broken.

Windows builds: Official Windows, Official Windows installer (discussion)

All official Linux builds are now gtk2+xft, so I'm going to omit the phrase "gtk2+xft" from build descriptions from now on.

Linux builds: Official Linux, Official Linux installer

Mac builds: MMx2000's

13 Responses to “2004-06-15 Trunk builds”

  1. Cell Says:

    about:plugins WFM, except that it’s not styled nicely.

  2. Jean-Marc Gillet Says:

    Shouldn’t 246448 a reason for releasing a 0.9.1 version ?

  3. tom Says:

    You are not authorized to access bug #246448.

    why is a regular user like me not allowed to see bugs like this one ?!
    is mozilla starting to act like MS ?!
    or what the hell did i do wrong ?
    (i logged in as always and i can access all other bugs).
    what is this bug about ? phishing ?
    when exactly has it been fixed ? (i’m using branch-builds). do i have to update ?
    (i would know all this if i was able to access the bug :D).

  4. Jean-Marc Gillet Says:

    I hadn’t thought of that, i.e. *when* was it fixed. Jesse, do you know if the fix to 246448 made it before 0.9 ?

  5. curious Says:

    my guess is it is a URI obscurification bug… based on current discovery trends… btw mozilla’s security bug handling policy is nothing like MS’s


    Mozilla’s makes sense ;)

  6. Logan Says:

    Tom: This has been Mozilla’s policy on security related bugs for as long as I can remember. Read curious’s link. The first version of that page is from November 2001.

  7. Jesse Ruderman Says:

    0.9 rc1 was vulnerable to bug 246448, but 0.9 is not. If you have a branch build from before 0.9, it is probably vulnerable.

  8. tom Says:

    thank you for the infos curious, Logan and Jesse. i’ve got 0.9 final now.

    i don’t really understand/like the policy. when i click on this bug, i get

    You are not authorized to access bug #246448.

    this is of no help at all. i understand that not every user should get ALL the information about this bug, but it would be better to redirect to a page containing some informations about the bug and containing a warning: update to version xy !

  9. Jerome Says:

    The part of the security policy that obfuscates information about the bug by not making it available to everybody, while the code is open source, and the bug was fixed in CVS, is strange to me.

    You can go to tinderbox and find out when the bug was fixed, with a pointer to the CVS commits, which will tell you almost everything you need to know to exploit the problem.

    I think that as soon as the bug is fixed, the bugzilla bug database should be opened.

    They should at least introduce levels of visibility for the comments, and let logged in users at least see the summary page, while not seeing some or all the comments.

  10. Jesse Ruderman Says:

    Jerome: I agree that it’s strange. If you figure out an exploit based on the public information you mentioned, I’ll open the bug immediately ;) This offer is valid for bug 246448 and for most other security holes I found, but not for bug 162020.

  11. curious Says:

    Not sure if it’s this bug or not:


  12. Scott Johnson Says:

    It doesn’t really matter what you call it. Security through obscurity is never really secure.

  13. Jesse Ruderman Says:

    The only thing protecting users *before* I found the hole was security through obscurity, too!