SCIENTIFIC-LINUX-USERS Archives

August 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Andrew C Aitchison <[log in to unmask]>
Reply To: Andrew C Aitchison <[log in to unmask]>
Date: Sat, 19 Aug 2017 11:26:40 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (97 lines)

On Fri, 18 Aug 2017, ToddAndMargo wrote:

> On 08/17/2017 01:03 PM, David Sommerseth wrote:
>> On 17/08/17 18:33, ToddAndMargo wrote:
>>> On 08/17/2017 09:23 AM, ToddAndMargo wrote:
>>>> Mozilla Firefox 55 source tarball
>>> 
>>> The latest is 52 in sl-testing:
>>> 
>>> firefox-52.3.0-2.el7_4.i686 : Mozilla Firefox Web browser
>>> Repo        : sl-testing
>>> 
>>> 
>>> I have to be up to date, especially with me doing PCI
>>> (credit card) consulting.
>>> 
>>> SL has really become a bad match for what I am doing.
>>> I really should be on a Kaisen OS not an
>>> anti-Kaisen OS, but I cannot afford the
>>> cost of an upgrade to Fedora at the due to the
>>> never ending recession.  So I mumble a lot.
>> 
>> You do realise that firefox-52 packaged for SL7 is the Firefox ESR edition?
>> <https://www.mozilla.org/en-US/firefox/organizations/faq/>
>
> Yes I do.  All bugs and security flaws frozen in place for those
> that don't like to upgrade their software and those that get
> tired of having to respin an RPM every month or so due
> to the rapid pace of Firefox's development.  EL Linux
> is an anti-Kaisen OS and Red Hat gets CRABBY about having
> to update things and often does not.

Red Hat are fairly quick at releasing the six-weekly updates to ESR 
- IIRC 2 days after Mozilla for 52.3 (SL took almost a week after that).

>> Even though it's a while since I've looked at the PCI-DSS stuff; but I
>> do not ever recall it requiring specific versions of software. 
>
> I required that you be up to date on all your software.
> On the Windows side, I run Kaspersky's "vulnerability Scan"
> which looks at all your installed software and lets you know
> what is out of date (Acrobat Reader, Java, Firefox, Java,
> etc.).  Without Kaspersky, I'd have to go through each
> program one at a time, which is a pain in the neck.
>
>> I do
>> remember it saying something about running up-to-date OS and
>> applications though.  Firefox ESR releases are the browser equivalent to
>> "Enterprise Linux".  So ESR releases should really fit the bill for 
>> PCI-DSS.
>
> On an EL Linux install only.  On Windows, no one will put up
> with all the bugs and missing features.  This is why I have
> to stay current.
>
> The ESR would probably get you off the hook liability wise,
> but since PCI is not about security, but rather about liability
> shifting, if you get hacked, the lawyers could make a case that
> you knowingly used a version of Firefox with known security flaws.
>
> The lawyers are trying to make the case that you should have to
> pick up the financial liability for all the costs of the breach.
> It could be argued back that the ESR slipstreams security
> patches into its release, but it would be counter-argued that
> in reality, they seldom do.

https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/
lists 17 security fixes in ESR 52.3
(OK, the equivalent page for firefox 55 lists more fixes
but they may be fixing bugs in new code.)

More generally compare the advisories listed in
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
and
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

If you need to worry that much about the lawyers,
shouldn't you be paying Red Hat and keeping up to date with their
recommendations?

More significantly, perhaps you shouldn't run a browser (or a mail 
reader) on the same machine as the credit-card handling ...

> Until I get this figured out, I have been using weird old Midori.
> Maybe I will go to the dark side and install Chromium
>
> Do you know any way to uninstall the recent updates that
> caused this?

I'd try
 	yum downgrade firefox-52.2.0
or
 	yum downgrade firefox-45.8.0

- just like yum update but it works even when a newer version is
currently installed.
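As an added illustration (not part of the thread, and not SL or yum code), the checks behind the advice above in POSIX shell: given the output of `yum --showduplicates list firefox`, report the installed version-release, test it against the minimum version named in an advisory, and list the older builds that `yum downgrade firefox-<version>` could target. The sample output is constructed, and version ordering uses GNU `sort -V` as an approximation of rpm's comparison.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Works on constructed
# text shaped like `yum --showduplicates list firefox`; no yum needed.

# Constructed sample; on a real host replace with:
#   SAMPLE_YUM_LIST=$(yum --showduplicates list firefox)
SAMPLE_YUM_LIST='Installed Packages
firefox.x86_64    52.3.0-2.el7_4    @sl-testing
Available Packages
firefox.x86_64    45.8.0-2.el7_3    sl
firefox.x86_64    52.2.0-1.el7_3    sl-security
firefox.x86_64    52.3.0-2.el7_4    sl-testing'

# Print the version-release of the installed firefox package, taken from
# the lines between "Installed Packages" and "Available Packages".
installed_vr() {
    printf '%s\n' "$1" | awk '
        /^Installed Packages/ {s=1; next}
        /^Available Packages/ {s=0}
        s && $1 ~ /^firefox\./ {print $2}'
}

# Succeed when version-release $1 is at least $2 (e.g. the version fixed in
# an advisory). sort -V approximates rpm ordering for plain x.y.z-n strings.
vr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# List available builds strictly older than the installed one, newest first,
# in the "firefox-<version-release>" form yum downgrade accepts.
downgrade_candidates() {
    cur=$(installed_vr "$1")
    printf '%s\n' "$1" | awk '
        /^Available Packages/ {s=1; next}
        s && $1 ~ /^firefox\./ {print $2}' \
      | sort -rV | while read -r vr; do
        [ "$vr" = "$cur" ] && continue
        vr_at_least "$vr" "$cur" || printf 'firefox-%s\n' "$vr"
      done
}
```

Run `installed_vr "$SAMPLE_YUM_LIST"`, `vr_at_least "$(installed_vr "$SAMPLE_YUM_LIST")" 52.3.0` and `downgrade_candidates "$SAMPLE_YUM_LIST"` to see the three checks on the sample.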
