Aaron Leventhal wrote: > http://www.us-cert.gov/cas/techalerts/TA04-261A.html > > Is Mozilla 1.8a3 patched?
1.8a3 is (mostly) not patched: it was released (built?) on August 13 and the earliest fix listed on the known-vulnerabilities page is August 16 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 #87 (bug 256316) was fixed earlier on the trunk by blocking the one known route to the buggy code at a higher level (bug 250900). Possibly there are other ways to get at the bug prior to the fix in bug 256316, but as far as we know 1.8a3 should be safe. The worst half of #86 (bug 226669) was fixed way back in April or May on the trunk, it just missed the 1.7 branch by a few days. We didn't realize until more recently that the bug was exploitable and needed to land on the branch. The rest, including the serious VCard and BMP overflows, which could be used in a mail-based attack, were not fixed in 1.8a3 -Dan Veditz _______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security