Mozilla vulnerabilities, an update

From: Thor Larholm (thorat_private)
Date: Wed Sep 18 2002 - 09:08:52 PDT


    On September 9th I wrote the following to securityat_private
    
    -- START --
    I noticed that you have published a list (
    http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html ) of
    security issues that have been fixed in Mozilla 1.0.1
    
    I would recommend posting this list to the Bugtraq mailing list,
    bugtraqat_private, so that the secinfo industry and the public in
    general become aware of these. This would help raise the awareness of your
    security efforts, as well as urge users of older versions to upgrade and
    provide hints to other software products that embed Gecko, or other parts of
    Mozilla, that they should consider getting fresh sources for their projects.
    
    In case you feel that this is not a necessary action, I would like to
    personally make the list aware of these security fixes in a matter of 5
    working days.
    --   END   --
    
    At first I received a reply from Asa Dotzler, which among other things mentioned
    that the list was far from comprehensive and
    
    "It would be much better if someone (mitch) updated the real page at
    http://www.mozilla.org/projects/security/known-vulnerabilities.html"
    
    So I forwarded and wrote to Mitch:
    
    "May I recommend updating the official list of known vulnerabilities in
    Mozilla to include the vulnerabilities that have been fixed, such as XMLHTTP
    and the many on Asa's list?"
    
    And received a short reply last Thursday:
    
    "Yes, that page will be updated soon. Thanks for letting me know."
    
    Since nothing has happened, I thought I would pass this on to the list. This
    is a short list of issues fixed between the 1.0 and 1.0.1 version of
    Mozilla. As Asa mentioned, this list was just put together from some queries
    on Bugzilla. Undoubtedly, there will be many more vulnerabilities that have
    been fixed, and it would be a welcome change to let the public know about
    these.
    
    
    BUG ID  Product   Component              Summary
    88183   Browser   Plug-ins               navigator.plugins leaks path names
    104472  Browser   Security               execution of scripts in the file: protocol from XUL using cgi
    125583  Browser   Security               Disable automatic XLinks in Mail
    135267  Browser   Security               Reading files cross-host using styles
    144228  MailNews  Security               Malicious email breaks POP server connection
    146094  Browser   Networking             Stealing third-party cookies through a proxy
    147754  Browser   Security               XMLSerializer needs same-origin check
    148256  Browser   XML                    flawfinder warnings in XML Extras
    148269  NSS       Libraries              flawfinder warnings in mozilla/security
    148520  Browser   Password Manager       window.prompt is returning a saved password instead of prompting.
    149777  Browser   Security               Node cloned from external, untrusted document and appended to chrome document.
    149943  Browser   Security               Princeton-like exploit may be possible
    150339  Browser   Internationalization   huge font crashes X Windows
    151933  Browser   XML                    xml:base should not allow setting chrome URLs
    152697  Browser   Networking             no limit on the size of a HTTP header
    152725  Browser   Cookies                Possible cookie stealing using javascript: URLs
    154030  Browser   Security               HTML directory indexer doesn't html-escape url
    154240  PSM       Client Libraries       No warning when redirecting https-http-https at http protocol level
    154930  Browser   Security               document.domain abused to access hosts behind firewall
    155222  Browser   Security               Heap corruption in PNG library
    157202  Browser   Security               Exploitable (?) heap overrun in PNG
    157652  Browser   JavaScript Engine      Crash, possible heap corruption in JS Array.prototype.sort
    157845  Browser   DOM Events             Crash involving document.open()
    157989  Browser   ImageLib               Possible heap corruption with 0-width GIF
    161721  Browser   Installer              install in onkeypress for space key bypasses warning dialog
    
    
    To put it shortly, I do appreciate the efforts put forth by the Mozilla.org
    team, I just wish they could be more communicative instead of hiding the
    fact that Mozilla, like most any other software product, has had and will
    have a long number of security vulnerabilities. Undoubtedly, this gives a
    different view on the security of Mozilla than one would get by reading the
    official list of vulnerabilities (listing just 1 vulnerability). Again, the
    above was just an incomplete list of security issues that were fixed between
    the minor version change 1.0 to 1.0.1; I have no idea about the amount of
    issues that remain or that have been fixed so far.
    
    
    Regards
    Thor Larholm, Security Researcher
    PivX Solutions, LLC
    
    Are You Secure?
    http://www.PivX.com
    