I was just reading the nice article at
http://www.theregister.co.uk/content/55/27934.html and was struck by the
"External Links" section... I have to wonder: Why exactly are we not
updating the known vulnerabilities page?
Let's look at this carefully:
1) The vulnerabilities in question are listed in the 1.0.1 release
notes.
2) The vulnerabilities in question have been posted on BugTraq.
3) The vulnerabilities in question have been written about in articles
such as this one.
At this point anyone who's actively looking for a hole already knows
about it. As far as I can tell, the only people being affected by the
lack of updates to the known vulnerabilities page are:
A) Distributors considering shipping Mozilla (they have no way to tell
at a glance what bugs were fixed on what branches and for what CVS
tags).
B) Mozilla testers/users
C) Mozilla.org. Our credibility suffers greatly in the current
situation. The Register article is one of the mildest forms of the
ridicule that Mozilla's security has been exposed to lately due to
the perceived (and actual?) attempt to take the ostrich approach and
hide even widely known vulnerabilities.
I've mailed about this before (privately, and once through a post to
this newsgroup) and the responses I've gotten have ranged from complete
silence to "I'll update it once Netscape 7.0 ships". Well, 7.0 has
shipped. Two months ago, was it? I understand that people have time
constraints, but if the people responsible for updating this critical
information page don't have the time to do it, new people should be
found, who will take their responsibilities a bit more seriously.
Well, now I get to see whether this mail gets ignored like all the others...