
Re: On Mozilla-* updates



On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote:

> If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmermann
> (who appears to be Debian's Mozilla security delegate) and published as part
> of a DSA this would point to the core of each vulnerability and make exploit
> creation easier than reconstructing this information from the large interdiffs
> between their stable releases. This tends towards security through obscurity,
> but seems to be Mozilla's policy for bugs with their internal "Critical"
> severity.

Getting access to the patches is not a significant obstacle; the issue is
that they often don't apply to versions which are a few months old.

-- 
 - mdz


