Re: [SECURITY] [DSA 810-1] New Mozilla packages fix several vulnerabilities

On Tue, Sep 13, 2005 at 02:55:40PM +0200, Martin Schulze wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 810-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 13th, 2005                    http://www.debian.org/security/faq
> --------------------------------------------------------------------------
> Package        : mozilla
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE IDs        : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261
>                  CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2268
>                  CAN-2005-2269 CAN-2005-2270 
> BugTraq ID     : 14242
> Several problems have been discovered in Mozilla, the web browser of
> the Mozilla suite.  Since the usual praxis of backporting apparently
> does not work for this package, this update is basically version
> 1.7.10 with the version number rolled back, and hence still named
> 1.7.8.

OK.  Can someone please explain to me how this even passes the sanity
check?  Why not just upload it with the correct version number?

I am concerned that a version of Mozilla claiming to be an earlier will
eventually break user-installed extensions.  I know that this is
typically not a concern for point releases.  However, what happens when
version 1.8 (or whatever the next version is) is uploaded and
masquerades as 1.7.8?  It will likely break some extensions.  Some users
will invariably complain to the Mozilla devs, and Debian looks kind of
stupid because of it.

There really has to be a better way.


Roberto C. Sanchez
