Re: On Mozilla-* updates
- To: Andreas Barth <aba@not.so.argh.org>
- Cc: debian-security@lists.debian.org
- Subject: Re: On Mozilla-* updates
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Tue, 2 Aug 2005 14:29:51 +0200
- Message-id: <[🔎] 20050802122951.GA11375@informatik.uni-bremen.de>
- In-reply-to: <20050731180920.GA28521@mails.so.argh.org>
- References: <20050729164338.GB1029@finlandia.infodrom.north.de> <42eb820e$0$29974$db0fefd9@news.zen.co.uk> <20050731165828.GV19080@mathom.us> <42ed07db$0$16001$da0feed9@news.zen.co.uk> <20050731174501.GA2758@steve.org.uk> <20050731180920.GA28521@mails.so.argh.org>
In gmane.linux.debian.devel.security, you wrote:
>> Mozilla *appears* to have no interest in supply patches which
>> *only* fix security holes to distributors. Their line is more
>> "upgrade to the newest version". Whilst the new versions do
>> fix the holes, they traditionally also break things built against
>> them, such as extensions, galeon, etc.
>
> I thought some member of the Debian security team has access to the
> hidden bug reports. Can't that member extract the relevant patches then?
If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann
(who appears to be Debian's Mozilla security delegate) and published as part
of a DSA this would point to the core of each vulnerability and make exploit
creation easier than reconstructing this information from the large interdiffs
between their stable releases. This tends towards security through obscurity,
but seems to be Mozilla's policy for bugs with their internal "Critical"
severity.
Cheers,
Moritz
Reply to: