Closed Bug 300840 Opened 19 years ago Closed 19 years ago

Page suggests I download vulnerable 1.0.4 (localizations lag)

Categories: www.mozilla.org :: General (defect)
Hardware: All
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: jim
Assignee: Unassigned
References: (none)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: 

Upon visiting http://www.mozilla.org/products/firefox/ the page suggests I 
download the 1.0.4 British English version rather than 1.0.5. Given that 
1.0.4 is vulnerable to published security flaws, it should not be offered for 
download ostensibly as the up-to-date version.

Reproducible: Always

Steps to Reproduce:
1. Configure Accept-Language to something other than en, e.g. en-GB
2. Visit http://www.mozilla.org/products/firefox/
3. See the 1.0.4 download prompt

Expected Results:  
Only 1.0.5 versions should have been available.
Summary: Pages suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 10.0.4
Assignee: nobody → mozilla.webmaster
Component: Product Site → webmaster@mozilla.org
Product: Firefox → mozilla.org
QA Contact: product.site → danielwang
Summary: Page suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 1.0.4
Version: unspecified → other

It's offering both en-US 1.0.5 and en-GB 1.0.4, right?  That's what I intended
it to do, anyway.

For en-US and en-GB, there might be an argument the other way, but for somebody
who doesn't speak English (i.e., for most other cases), we probably do want to
offer the 1.0.4.  Localized versions should be available soon, anyway.

You should not be offering versions vulnerable to published flaws for 
download other than in an archive area, full stop.

I read about the flaws in bugtraq, I visited the download page, and unless I 
specifically knew the latest version was 1.0.5, I would've then continued to 
download the prompted version and felt I was up to date and therefore safe.

The continued recommendation of vulnerable versions will leave people unsafe.

As you say, regionalised versions come along very soon after, so I do not feel 
users would be overly inconvenienced by not having a version available to them, 
or by having the regionalised version only available after a very strong warning 
that it is insecure.
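The selection logic the thread is arguing about, as an added example and not the mozilla.org download script dbaron refers to (which is not on this page): a locale-aware chooser driven by Accept-Language, once with the behaviour the bug reports (first locale with any build wins) and once with a version floor so that a localized build that lags the security release is never presented as the current download. The build table, the floor (1.0.5), and all function names are assumptions made for the example.

```javascript
// Added example (not the mozilla.org download script the thread refers to):
// a locale-aware chooser for a product download page, first with the behaviour
// the bug reports, then with a version floor so a lagging localized build is
// never presented as current. Build table, floor and names are assumptions.

// Assumption: the oldest version that closes the published flaws.
const MIN_SECURE_VERSION = "1.0.5";

// Constructed sample of per-locale builds; en-GB lags as in the report.
const BUILDS = {
  "en-US": "1.0.5",
  "en-GB": "1.0.4",
  "de": "1.0.4",
};

// Compare dotted version strings numerically, so "1.0.5" > "1.0.4" and "1.10" > "1.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse an Accept-Language header into tags ordered by q-value (ties keep header order).
// Wildcards ("*") and q=0 entries are dropped.
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part, i) => {
      const [tag, ...params] = part.trim().split(";");
      let q = 1;
      for (const p of params) {
        const m = /^\s*q=([0-9.]+)/.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: tag.trim(), q, i };
    })
    .filter((e) => e.tag && e.tag !== "*" && e.q > 0)
    .sort((a, b) => b.q - a.q || a.i - b.i)
    .map((e) => e.tag);
}

// Find a build for a tag, falling back to its primary subtag ("de-AT" -> "de").
function lookupBuild(tag, builds) {
  if (builds[tag]) return { locale: tag, version: builds[tag] };
  const primary = tag.split("-")[0];
  if (builds[primary]) return { locale: primary, version: builds[primary] };
  return null;
}

// Reported behaviour: the first locale with any build wins, whatever its version.
function chooseDownloadOriginal(acceptLanguage, builds = BUILDS) {
  for (const tag of parseAcceptLanguage(acceptLanguage)) {
    const hit = lookupBuild(tag, builds);
    if (hit) return { ...hit, warning: null, outdated: null };
  }
  return { locale: "en-US", version: builds["en-US"], warning: null, outdated: null };
}

// Hardened: a localized build below the floor is never the recommendation.
// The page recommends the current en-US build and may still list the lagging
// build, but only with the warning attached (the two remedies the reporter asks for).
function chooseDownloadFixed(acceptLanguage, builds = BUILDS, minSecure = MIN_SECURE_VERSION) {
  const current = { locale: "en-US", version: builds["en-US"] };
  // If the fallback itself is below the floor the page has nothing safe to offer.
  if (compareVersions(current.version, minSecure) < 0) {
    throw new Error(`fallback ${current.locale} ${current.version} is below the floor ${minSecure}`);
  }
  for (const tag of parseAcceptLanguage(acceptLanguage)) {
    const hit = lookupBuild(tag, builds);
    if (!hit) continue;
    if (compareVersions(hit.version, minSecure) >= 0) {
      return { ...hit, warning: null, outdated: null };
    }
    return {
      ...current,
      warning: `${hit.locale} ${hit.version} predates ${minSecure} and has published ` +
        `security flaws; ${current.locale} ${current.version} is the current release`,
      outdated: hit,
    };
  }
  return { ...current, warning: null, outdated: null };
}
```

The hardened chooser stops at the visitor's first matching locale rather than hunting for some other locale that happens to be current, so a German speaker is offered en-US 1.0.5 with a warning about de 1.0.4, not, say, an unrelated locale. The floor is a single constant precisely so that it can be bumped the moment an advisory is published, independently of when each localization catches up.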

What really should happen, IMO, is that we shouldn't publish the security
advisories until we have localized versions available for download.

True, that would indeed make sense, and be a perfectly good other approach to 
fixing the bug - and probably a better one, but given that they have, it would 
be nice not to have it as a problem.

Well, if someone else wants to make the necessary changes to the script, test
them on Gecko, WinIE, Safari, MacIE, Netscape 4.x, and Konqueror, land them, and
then back them out in a few days, feel free, but I have no plans to do so.

...and Opera.  I knew I was forgetting one.

(In reply to comment #3)
> What really should happen, IMO, is that we shouldn't publish the security
> advisories until we have localized versions available for download.

Please tell that to the people beating down my door because I published them so
*late*!

Man, can't win.

Summary: Page suggests I download vulnerable 1.0.4 → Page suggests I download vulnerable 1.0.4 (localizations lag)
fixed by dbaron%dbaron.org on 2005-07-19 16:45
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org