SCIENTIFIC-LINUX-USERS Archives

March 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV



Subject:
From:
Yasha Karant <[log in to unmask]>
Reply To:
Yasha Karant <[log in to unmask]>
Date:
Fri, 16 Mar 2012 02:29:45 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (182 lines)
On 03/16/2012 02:02 AM, g wrote:
>
> On 03/16/2012 05:47 AM, Yasha Karant wrote:
>> On 03/15/2012 02:57 PM, g wrote:
>>> On 03/15/2012 07:39 PM, Stephan Wiesand wrote:
>>>> Dear developers,
>>>>
>>>> I hate being such a PITR, but have to ask: Is there an ETA for those
>>>> updates? What's the problem? Yes it's 3.x -> 10.x, but it has been obvious
>>>> for weeks that this would happen eventually. CentOS got those out 24h ago.
>>>> What about SL? Any chance we'll see rebuilds at least in
>>>> {5,6}rolling/testing tomorrow?
>>> -=-
>>>
>>> before you go jumping into 'latest and greatest' from mozilla,
>>> you should check out their mailing lists and/or news groups.
>>>
>>>
>>> there is nothing 'great' about all the problems i am seeing
>>> on their list.
>>>
>>>
>>
>> Does the above "nothing 'great'" mean that the content on:
>>
>> http://www.mozilla.org/security/known-vulnerabilities/firefox.html
>>
>> and similar URLs for other Mozilla applications, is not anything about
>> which to be concerned?  Have these security updates been backported by
>> TUV into what are nominally earlier releases of the various Mozilla
>> applications?
>>
>> If this is not the case, why are the security concerns not important?
>>
>> Yasha Karant
>>
>
>
> first off, you make no mention of which sl or mozilla releases you are using,
> nor where you pulled them.
>
> from your header, i see that you are using;
>
>    Mozilla/5.0 (X11; Linux i686; rv:10.0.2)
>    Gecko/20120216 Thunderbird/10.0.2
>
> which you may have manually installed in "sl 5.x", or you are using
> "sl 6.x", and it is a fnal.gov "fastbugs" rpm;
>
>    firefox-10.0.1-1.el6_2.i686.rpm       24-Feb-2012 14:53
>    firefox-10.0.1-1.el6_2.x86_64.rpm     24-Feb-2012 14:54
>    thunderbird-10.0.1-3.el6_2.i686.rpm   24-Feb-2012 14:53
>    thunderbird-10.0.1-3.el6_2.x86_64.rpm 24-Feb-2012 14:54
>
> whereas the security releases show;
>
>    firefox-3.6.26-1.el6_2.i686.rpm       01-Feb-2012 12:01
>    firefox-3.6.26-1.el6_2.x86_64.rpm     01-Feb-2012 12:01
>    thunderbird-3.1.18-2.el6_2.i686.rpm   16-Feb-2012 16:09
>    thunderbird-3.1.18-2.el6_2.x86_64.rpm 16-Feb-2012 16:09
>
> the above rpms are what are shown in paths below;
>
>    http://ftp.scientificlinux.org/linux/scientific/6x/
>
> so, where you pulled your release, i do not know, nor would i guess.
>
>
> i am running;
>
>    Scientific Linux SL release 5.5 (Boron)
>
> using;
>    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.26)
>    Gecko/20120216 Red Hat/3.6-1.el5_7 Firefox/3.6.26
>    Thunderbird 2.0.0.24 (X11/20120201)
>
>
> as for security updates, i am current by these notices;
>
> }>  Date: Wed, 1 Feb 2012 14:00:05 -0600
> }>  Message-Id:<[log in to unmask]>
> }>  To: [log in to unmask]
> }>  Subject: Security ERRATA Critical: thunderbird on SL4.x, SL5.x i386/x86_64
> }>  From: [log in to unmask]
> }>
> }>  Issue Date:  2012-02-01
> }>  CVE Numbers: CVE-2012-0442
> }>               CVE-2011-3670
>
>
> }>  Date: Wed, 1 Feb 2012 14:00:29 -0600
> }>  Message-Id:<[log in to unmask]>
> }>  To: [log in to unmask]
> }>  Subject: Security ERRATA Critical: firefox on SL4.x, SL5.x, SL6.x
> }>           i386/x86_64
> }>  From: [log in to unmask]
> }>
> }>  Issue Date:  2012-01-31
> }>  CVE Numbers: CVE-2012-0442
> }>               CVE-2011-3670
> }>               CVE-2012-0449
> }>               CVE-2012-0444
> }>               CVE-2011-3659
>
> so i have little concern about security problems.
>
>
> *now*, let's "separate the apples from the oranges".
>
> i said _problems_ and you bring up _security_. 2 entirely different matters
> of concern.
>
> the 'mailing list'/'news groups' that i made reference to have nothing to
> do with security. they relate to operating problems and i see many problems
> being posted every day.
>
> granted most of the problems are operator related. those that are not,
> stock answer is 'update to latest release'.
>
> also, most of the posts are oos related. a few are mac related. very few
> are linux related.
>
> why this is, i do not know, other than if a linux user has a problem, he/she
> has the intellect to first search for problems had by others and most likely
> find a solution.
>
> oos users do not seem to have this level of intellect and find it easier to
> ask without searching. which is why oos users are just that. users.
>
> mozilla devs are going thru a 'keeping up' phase that started after google
> chrome was released and google started throwing out new releases. there
> was a lot of 'traffic' about this and there has never been a good explanation
> from the devs as to just why they are doing such. also, they are not fixing
> a lot of the bugs in their releases until they have enough built up to put
> out a new release. this is evident if you look at v/r numbers of what is
> being released now compared to v/r that are in versions prior to 4.x
>
> such practices are not found in good linux distribs, other than with fedora,
> as fedora is actually a debugging distrib for redhat enterprise.
>
> so, i maintain my statement. if you want to upgrade to 'latest and greatest',
> go ahead. but do expect *problems*. if you want to deal with *problems*,
> upgrade every time mozilla devs make a new release.
>
> all in all, scientific linux is a very stable distrib and well maintained
> and supported. it is unfortunate that there are not any email clients and
> web browsers that meet the standards of fnal.gov.
>
I do not know if list etiquette on this list allows one to snip, or not.
If so, I would have snipped most of the above.

I am using SL 6x (current) on all machines I control, some IA-32 
distribution, some X86-64.  I am using the most current production 
version for Linux that Mozilla provides for thunderbird with lightning, 
firefox, and seamonkey.  I fully understand your issue with stability, 
issues with new features and changes in the internal Mozilla engine, 
etc.  My issue was, and is, very simple in this regard:  if the latest 
production release on the URL listed above for security concerns shows 
that Mozilla claims that the production release addresses a red security 
issue (generally, a compromise that can happen in the normal use of the 
application by an end user, not by a specific "bad" practice and not by 
ignoring warnings of such things as "attack sites"), then I immediately 
upgrade.

Thus, back to my point, that may need to be addressed by either the SL 
developers at Fermilab/CERN or, in principle, by TUV:  if one does not 
use the Mozilla production release, but instead uses the SL RPM that 
typically has a much lower Mozilla release number, are the security 
issues identified by Mozilla, and posted to the URL I listed 
http://www.mozilla.org/security/known-vulnerabilities/firefox.html
and related Mozilla security URL lists for other Mozilla applications, 
actually addressed by the SL RPMs of the Mozilla suite?

In other words, by using the SL production (e.g., 6x) RPMs for the 
Mozilla suite, is the environment of the machine still vulnerable to the 
compromises identified and purportedly addressed on the above referenced 
(and regularly updated) Mozilla URLs?  How does the FNAL SL list from 
the email of "g" correspond to the actual Mozilla list?

Yasha Karant
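The question above (does an SL RPM with a lower Mozilla version number actually carry the fixes Mozilla lists?) can be checked mechanically on a given host: collect the CVE identifiers from the advisory you care about and look for them in the installed package's changelog. The following is an added example, not code from the thread, from Scientific Linux or from Mozilla. It assumes the changelog is the text printed by `rpm -q --changelog <package>` and that the advisory is plain text naming CVEs (an SL errata mail such as the ones quoted above, or the individual MFSA pages linked from Mozilla's known-vulnerabilities index, which list CVE identifiers per fix). The changelog embedded below is constructed for illustration and is not the real changelog of any SL package; the CVE list is taken from the firefox errata notice quoted in the thread.

```python
"""Cross-check CVE identifiers named in a security advisory against the CVE
identifiers recorded in an installed RPM's changelog.

Added example (assumptions): changelog text is what `rpm -q --changelog <pkg>`
prints; the advisory is any text that names CVE identifiers.
"""
import re
import sys
from typing import Dict, Optional, Set, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# CVE identifiers from the firefox errata notice quoted in the thread.
ERRATA_CVES = {
    "CVE-2012-0442",
    "CVE-2011-3670",
    "CVE-2012-0449",
    "CVE-2012-0444",
    "CVE-2011-3659",
}

# Constructed sample of `rpm -q --changelog firefox` output. It is NOT the real
# changelog of any SL package; CVE-2011-3659 is deliberately left out so the
# "not mentioned" path below is exercised.
SAMPLE_CHANGELOG = """\
* Tue Jan 31 2012 Example Packager <packager@example.invalid> 3.6.26-1
- Update to 3.6.26
- Fixes CVE-2012-0442 CVE-2011-3670
- Fixes CVE-2012-0449, CVE-2012-0444

* Tue Dec 20 2011 Example Packager <packager@example.invalid> 3.6.25-1
- Update to 3.6.25
"""


def extract_cves(text: str) -> Set[str]:
    """All CVE identifiers mentioned anywhere in the text."""
    return set(CVE_RE.findall(text))


def parse_changelog(text: str) -> Dict[str, Set[str]]:
    """Map each changelog entry's version-release to the CVEs it mentions.

    rpm prints entries newest first. Each begins with a header line of the form
    '* <date> <packager> <version-release>', so the last whitespace-separated
    token of that line is the version-release. Dict insertion order is kept,
    so the first key is the newest entry.
    """
    entries: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("* "):
            current = line.split()[-1]
            entries.setdefault(current, set())
        elif current is not None:
            entries[current] |= extract_cves(line)
    return entries


def check_coverage(advisory_cves: Set[str], changelog_text: str) -> Tuple[Set[str], Set[str]]:
    """Split the advisory's CVEs into (mentioned in changelog, not mentioned)."""
    fixed = extract_cves(changelog_text)
    return advisory_cves & fixed, advisory_cves - fixed


def fixed_in(cve: str, changelog_text: str) -> Optional[str]:
    """Oldest version-release whose changelog entry mentions the CVE, or None."""
    releases = [vr for vr, cves in parse_changelog(changelog_text).items() if cve in cves]
    return releases[-1] if releases else None


def report(advisory_cves: Set[str], changelog_text: str) -> str:
    """One line per advisory CVE: the release that mentions it, or a warning."""
    covered, missing = check_coverage(advisory_cves, changelog_text)
    lines = [f"{cve}: mentioned in {fixed_in(cve, changelog_text)}" for cve in sorted(covered)]
    lines += [f"{cve}: NOT mentioned in changelog" for cve in sorted(missing)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_cves.py <changelog.txt> <advisory.txt>
    # With no arguments the constructed sample data above is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            changelog = f.read()
        with open(sys.argv[2]) as f:
            advisory = extract_cves(f.read())
    else:
        changelog, advisory = SAMPLE_CHANGELOG, ERRATA_CVES
    print(report(advisory, changelog))
```

A CVE that is absent from the changelog is a prompt to look further, not proof that the host is vulnerable: a packager may cite only the upstream version or a Bugzilla number, which is why the errata notice (like the two quoted above, which do name CVEs) is the authoritative mapping from package version-release to fixed CVEs, and why comparing `rpm -q firefox` against the version-release in the notice is the simpler check when such a notice exists. Mozilla's known-vulnerabilities page is indexed by MFSA number, so to run this against that list you first collect the CVE identifiers from the individual MFSA pages.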
