On 09/07/2012 08:23 PM, David E. Ross wrote:
> On 9/7/12 5:42 PM, NoOp wrote:
>> On 09/07/2012 04:46 PM, David E. Ross wrote:
>>> On 9/7/12 3:30 PM, Chris Ilias wrote:
>>>> On 12-09-07 9:34 AM, hawker wrote:
>>>>> I see Google has a new map system called MapsGL.
>>>>>
>>>>> When I try to use it in Seamonkey 2.11 it says my browser is not
>>>>> supported.  Under supported browsers it lists Firefox going back a ways
>>>>> (version 8) so Seamonkey should work as well.
>>>>>
>>>>> I understand Seamonkey now advertises itself as Firefox, so can anyone
>>>>> tell me why this is not working and what to do to make it work?
>>>>
>>>> MapsGL uses WebGL, which requires support from both the browser and your 
>>>> graphics card.
>>>> WebGL support was added in SeaMonkey 2.1.
>>>> We can get more info about your graphics card and whether or not it supports 
>>>> WebGL if you post your Troubleshooting Information. Go to 
>>>> Help-->Troubleshooting_Information, then click [Copy all to Clipboard]. 
>>>> Open a reply to this post, and go to Edit-->Paste to paste the info from 
>>>> your Troubleshooting Information page.
>>>>
>>>
>>> From US-CERT at
>>> <http://www.us-cert.gov/current/archive/2011/05/19/archive.html#web_users_warned_to_turn>:
>>>
>>>> WebGL Security Risks added May 11, 2011 at 01:50 pm | updated May 16,
>>>> 2011 at 10:20 am
>>>>
>>>> US-CERT is aware of reports indicating that WebGL contains multiple
>>>> significant security issues. The impact of these issues includes
>>>> denial of service, and cross-domain attacks. WebGL is a new web
>>>> standard that is enabled by default in Firefox 4 and Google Chrome
>>>> and is included in Safari.
>>>>
>>>> US-CERT encourages users and administrators to review the Context
>>>> report and update their systems as necessary to help mitigate the risks.
>>> [Context report is at <http://www.contextis.com/resources/blog/webgl/>]
>>>
>>> Thus, I disabled WebGL.  I have seen no notice of this vulnerability
>>> being fixed.
>>>
>> 
>> You might want to add this URL:
>> <https://www.mozilla.org/security/announce/2012/mfsa2012-62.html>
>> Title: WebGL use-after-free and memory corruption
>> Impact: Critical
>> Announced: August 28, 2012
>> Reporter: miaubiz
>> Products: Firefox, Thunderbird, SeaMonkey
>> 
>> Fixed in: Firefox 15
>>   Firefox ESR 10.0.7
>>   Thunderbird 15
>>   Thunderbird ESR 10.0.7
>>   SeaMonkey 2.12
>> 
>> Perhaps 'hawker' will consider upgrading to SeaMonkey 2.12 from 2.11 -
>> at least for the WebGL security fix?
>> 
>> 
>> 
> 
> Mozilla Foundation Security Advisory 2012-62 is not the same as the
> vulnerability cited by US-CERT.

No, it's not. I was simply pointing you to a recent announcement
regarding WebGL by Mozilla and the corresponding CVEs.

> 
> Advisory 2012-62 says:
>> The first issue is a use-after-free when WebGL shaders are called
>> after being destroyed. The second issue exposes a problem with Mesa
>> drivers on Linux, leading to a potentially exploitable crash.  
> It refers to two CVEs (CVE-2012-3967 and CVE-2012-3968) that were both
> submitted to the Common Vulnerabilities and Exposures List within the
> past two months.
> 
> The US-CERT vulnerability was reported more than a year ago and deals
> with denial of service through crashes and cross-domain attacks.  These
> appear to be CVE-2011-2366 (fixed with bug #655987) and
> CVE-2011-2367 (fixed with bug #656752).
> 
> Despite the fix of the vulnerabilities noted by US-CERT and those noted
> in Advisory 2012-62, there remain 214 open WebGL bugs, 29 of them
> Critical and 7 of them Major.  Thus, I will continue to disable WebGL.
> 

I hope that you realize that CVEs et al. are sponsored by the same
source (US Homeland Security).
<http://web.nvd.nist.gov/view/vuln/search-results?query=mozilla&search_type=all&cves=on>
<http://web.nvd.nist.gov/view/vuln/search-results?query=webgl&search_type=all&cves=on>

Further, I wasn't recommending that you keep WebGL enabled. I only have
two machines that are 'new' enough to run it & those are sandboxed for
any testing anyway.

