Re: Cite for print-to-postscript exploit in Mozilla?

[Florian Weimer <fw@deneb.enyo.de>]

* Kevin B. McCarty:

> On 07/10/2004 12:18 PM, Florian Weimer wrote:
>
>> 1.7 incorporates some other security fixes, apparently in the area of
>> cross-domain scripting vulnerabilities.  So you probably should
>> upgrade anyway.
>
> Does anyone know if there is some reason these fixes haven't been
> backported to woody?

There is simply no way to backport them all, you would have to push
the 1.7 branch to woody (even 1.4 is not sufficient because it's
already unsupport upstream AFAIK).

This is quite complicated because Mozilla's upgrades are known to
break profiles, and Debian's mozilla has a few dependencies which you
have to backport, too (Galeon etc.).

All in all, fixing Mozilla for woody isn't particularly rewarding.
Even SuSE doesn't dare to fix Mozilla security bugs, so it's not a
Debian-specific problem at all.