Security Bug With Firefox And Add-on
greets.
Though this is off-topic for this list, it is still a bug that CentOS users, along with all users of Firefox, should be aware of.
Due to the nature of the bug and what is involved, I believe it is safer not to go into great detail on an open list. You never know which ‘hats’ are subscribed to the support list. :-D
So my question is just: who should I inform of the problem?
mozilla.org? author of add-on? cve.mitre.org? all 3?
tia.
5 thoughts on - Security Bug With Firefox And Add-on
What version of CentOS and Firefox?
Author of the add-on would be my first stop.
If it turns out to be a larger bug affecting more than just that add-on, hopefully the add-on author will run it up the chain to Mozilla.
Does it affect the latest version of Firefox just released:
firefox-38.7.0-1.el6_7
Is the bug in Firefox or the add-on?
If the bug is in Firefox, then I would report it to Red Hat. CentOS will not fix bugs, security or otherwise, as the policy is to rebuild RHEL, bugs and all.
The CERT policy for public disclosure is 45 days after the initial report (to the vendor).
<http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm>
Make certain you report the issue to the right person. In the case of a FF add-on, the author and probably Mozilla. RH doesn’t distribute FF add-ons so they aren’t primary on something like this, especially if the bug isn’t OS/RHEL specific.
You might want to check to see if it’s still an issue with the current FF (45), which can be gotten from their release site:
<http://archive.mozilla.org/pub/firefox/releases/>
The Linux packages can be unpacked and run from user space, so you don’t impact your system-installed release.