ports/opt (2.4): [notify] firefox: updated to 3.0.1.
commit d26eeec41f7ff4edb3ae4eeacc63e1ec23dd1a12 Author: Tilman Sauerbeck <tilman@crux.nu> Date: Thu Jul 17 19:37:09 2008 +0200 [notify] firefox: updated to 3.0.1. http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox... diff --git a/firefox/.md5sum b/firefox/.md5sum index b510355..1fd4574 100644 --- a/firefox/.md5sum +++ b/firefox/.md5sum @@ -1,3 +1,3 @@ -4210ae0801df2eb498408533010d97c1 firefox-3.0-source.tar.bz2 +406d67174f8f74ab154a1b17d0881b27 firefox-3.0.1-source.tar.bz2 c276fd7680746e8477ad34d26f04e024 mozconfig 62530844efda8b387e518162b7922f2f xulrunner.patch diff --git a/firefox/Pkgfile b/firefox/Pkgfile index f49ffb1..25d6045 100644 --- a/firefox/Pkgfile +++ b/firefox/Pkgfile @@ -4,7 +4,7 @@ # Depends on: xulrunner name=firefox -version=3.0 +version=3.0.1 release=1 source=(http://releases.mozilla.org/pub/mozilla.org/$name/releases/$version/source/$... mozconfig xulrunner.patch)
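Review bot: In the firefox/.md5sum hunk, the new firefox-3.0.1-source.tar.bz2 entry is an MD5 digest for a tarball that the Pkgfile's source line fetches over plain http://. The digest will catch a corrupted download but gives little assurance against a substituted tarball. Before committing the value, compare the tarball against a checksum or signature published by upstream, if one is available, and say in the commit message where the digest came from.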
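Review bot: In the firefox/Pkgfile hunk, the context line "# Depends on: xulrunner" shows that this port takes its engine from a separate port, so changing version=3.0 to version=3.0.1 here updates only the front end. A [notify] security bump should either land together with the matching xulrunner bump or state in the commit message which xulrunner version carries the fix.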
On Thu, 17 Jul 2008 19:38:03 +0200 crux@crux.nu wrote:
commit d26eeec41f7ff4edb3ae4eeacc63e1ec23dd1a12 Author: Tilman Sauerbeck <tilman@crux.nu> Date: Thu Jul 17 19:37:09 2008 +0200
[notify] firefox: updated to 3.0.1.
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox...
diff --git a/firefox/.md5sum b/firefox/.md5sum index b510355..1fd4574 100644 --- a/firefox/.md5sum +++ b/firefox/.md5sum @@ -1,3 +1,3 @@ -4210ae0801df2eb498408533010d97c1 firefox-3.0-source.tar.bz2 +406d67174f8f74ab154a1b17d0881b27 firefox-3.0.1-source.tar.bz2 c276fd7680746e8477ad34d26f04e024 mozconfig 62530844efda8b387e518162b7922f2f xulrunner.patch diff --git a/firefox/Pkgfile b/firefox/Pkgfile index f49ffb1..25d6045 100644 --- a/firefox/Pkgfile +++ b/firefox/Pkgfile @@ -4,7 +4,7 @@ # Depends on: xulrunner
name=firefox -version=3.0 +version=3.0.1 release=1 source=(http://releases.mozilla.org/pub/mozilla.org/$name/releases/$version/source/$... mozconfig xulrunner.patch) _______________________________________________ CRUX mailing list CRUX@lists.crux.nu http://lists.crux.nu/mailman/listinfo/crux
You bumped the wrong component. The point of separating firefox and xulrunner was so that engine bugs (I.E. this one) could be fixed by bumping xulrunner, not firefox.
In essence, CRUX is still vulnerable to the "fixed" vulnerability because we're still using the 3.0 engine/internals, with the 3.0.1 interface.
--
~predatorfreak
GnuPG Public key: http://pred.dcaf-security.org/dcafsec-pub-gpgkey.asc
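Added example, not part of the thread or of the CRUX ports tree: a check that flags the situation described in the message above, where the firefox port is bumped but the xulrunner port it depends on is left behind. It assumes that Firefox 3.0.N is built on xulrunner 1.9.0.N; the function names and the sample Pkgfiles are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): detect a firefox port bumped ahead of
# its engine. Assumption: Firefox 3.0.N is built on xulrunner 1.9.0.N.

# Read version= from a Pkgfile without sourcing it (a Pkgfile is shell code).
pkg_version() {
    sed -n 's/^version=\([0-9][0-9.]*\)$/\1/p' "$1" | head -n 1
}

# Patch level N of a 3.0[.N] or 1.9[.0.N] version; fails on anything else.
patch_level() {
    case "$1" in
        3.0|1.9|1.9.0) p=0 ;;
        3.0.*)         p=${1#3.0.} ;;
        1.9.0.*)       p=${1#1.9.0.} ;;
        *)             return 1 ;;
    esac
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    echo "$p"
}

# 0: engine is at least as new as the front end; 1: engine lags behind;
# 2: a version is missing or outside the assumed 3.0.x / 1.9.0.x series.
check_skew() {
    fxp=$(patch_level "$(pkg_version "$1")") || return 2
    xrp=$(patch_level "$(pkg_version "$2")") || return 2
    [ "$xrp" -ge "$fxp" ]
}

# Constructed sample tree: firefox as in the commit, xulrunner left at 1.9.
demo=$(mktemp -d)
printf 'name=firefox\nversion=3.0.1\nrelease=1\n' > "$demo/firefox.Pkgfile"
printf 'name=xulrunner\nversion=1.9\nrelease=1\n' > "$demo/xulrunner.Pkgfile"
if check_skew "$demo/firefox.Pkgfile" "$demo/xulrunner.Pkgfile"; then
    echo "ok: engine matches front end"
else
    echo "skew: firefox bumped, xulrunner still older"
fi
rm -rf "$demo"
```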
On Fri, 18 Jul 2008 18:15:02 -0400 Brett Goulder wrote:
You bumped the wrong component. The point of separating firefox and xulrunner was so that engine bugs (I.E. this one) could be fixed by bumping xulrunner, not firefox.
In essence, CRUX is still vulnerable to the "fixed" vulnerability because we're still using the 3.0 engine/internals, with the 3.0.1 interface.
As a follow-up to this, an interesting thing that I ran into today with my own Firefox/Xulrunner ports is that the Firefox application.ini sets the min/maxversions to exactly what it was built against, when in reality, you should set the max version to some insanely-high patch value of 1.9.0.100 or something. In my ports, I've set the minversion to 1.9 and the maxversion to 1.9.0.25, so as to avoid needing to rebuild Firefox in the future, so that I can just rebuild Xulrunner and have all the fixed internals without rebuilding the (unchanged) interface.
As a general suggestion, it'd be a good idea to "ghost bump" Firefox's source code URL whenever Xulrunner is bumped, without actually bumping the Firefox port, so that if people install Firefox, they don't need to download the source twice, but they won't have to needlessly rebuild the Firefox port when only xulrunner changed.
--
~predatorfreak
GnuPG Public key: http://pred.dcaf-security.org/dcafsec-pub-gpgkey.asc
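Added example, not part of the thread and not the poster's own script: the engine version range check that the message above describes, run against two constructed application.ini files, one pinned to the build-time engine and one using the 1.9 to 1.9.0.25 range from the post. The [Gecko] MinVersion/MaxVersion keys are the standard application.ini fields; the version comparison is a simplified numeric one and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): does an engine version fall inside the
# [Gecko] MinVersion..MaxVersion range of a front end's application.ini?

# Print the value of key $2 from the [Gecko] section of file $1.
gecko_key() {
    awk -F= -v key="$2" '
        /^\[/ { in_gecko = ($0 == "[Gecko]") }
        in_gecko && $1 == key { print $2; exit }' "$1"
}

# Compare dotted numeric versions, missing fields counting as 0; prints
# -1, 0 or 1. Simplified: wildcards and "pre" suffixes are not handled.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0 }'
}

# 0: engine $2 is within the range; 1: outside; 2: range not declared.
engine_accepted() {
    min=$(gecko_key "$1" MinVersion); max=$(gecko_key "$1" MaxVersion)
    [ -n "$min" ] && [ -n "$max" ] || return 2
    [ "$(ver_cmp "$2" "$min")" -ge 0 ] && [ "$(ver_cmp "$2" "$max")" -le 0 ]
}

# Constructed files: one pinned to the build-time engine, one with the
# range from the post (1.9 .. 1.9.0.25).
ini=$(mktemp -d)
printf '[App]\nName=Firefox\n[Gecko]\nMinVersion=1.9\nMaxVersion=1.9\n' > "$ini/pinned.ini"
printf '[App]\nName=Firefox\n[Gecko]\nMinVersion=1.9\nMaxVersion=1.9.0.25\n' > "$ini/relaxed.ini"
for f in pinned relaxed; do
    if engine_accepted "$ini/$f.ini" 1.9.0.1; then r=accepted; else r=rejected; fi
    echo "$f.ini with xulrunner 1.9.0.1: $r"
done
rm -rf "$ini"
```

Under this range check a front end with MinVersion=1.9 also accepts the unpatched 1.9 engine; raising MinVersion to the fixed engine release makes the check reject it.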
Brett Goulder [2008-07-18 18:15]:
On Thu, 17 Jul 2008 19:38:03 +0200 crux@crux.nu wrote:
commit d26eeec41f7ff4edb3ae4eeacc63e1ec23dd1a12 [...]
You bumped the wrong component. The point of separating firefox and xulrunner was so that engine bugs (I.E. this one) could be fixed by bumping xulrunner, not firefox.
Gnnn, how very misleading that Mozilla didn't decide to put up a new xulrunner tarball :x
It's fixed now, thanks for the heads-up.
Regards, Tilman
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
On Sat, 19 Jul 2008 16:14:17 +0200 Tilman Sauerbeck wrote:
Brett Goulder [2008-07-18 18:15]:
On Thu, 17 Jul 2008 19:38:03 +0200 crux@crux.nu wrote:
commit d26eeec41f7ff4edb3ae4eeacc63e1ec23dd1a12 [...]
You bumped the wrong component. The point of separating firefox and xulrunner was so that engine bugs (I.E. this one) could be fixed by bumping xulrunner, not firefox.
Gnnn, how very misleading that Mozilla didn't decide to put up a new xulrunner tarball :x
It's fixed now, thanks for the heads-up.
Regards, Tilman
Perhaps the most annoying thing about their current way of packaging their source-code is the lack of xulrunner-only and firefox-only tarballs, which would be very nice.
P.S. I did file a bug about this (now resolved) issue as well as the general bad-setup that comes with Firefox by default, FS#334. I suppose it can be closed, but I think the problems pertaining to Firefox's retarded application.ini should be discussed. In my experience, using a 3.0 frontend (Firefox) with xulrunner 1.9.0.1 works fine. However, some may wish to have both rebuilt every time you do a minor patch-release bump to xulrunner. I don't, so I'm hacking the application.ini in my firefox 3 repo, so as to resolve their idiocy.
--
~predatorfreak
GnuPG Public key: http://pred.dcaf-security.org/dcafsec-pub-gpgkey.asc
participants (3)
- Brett Goulder
- crux@crux.nu
- Tilman Sauerbeck