bugzilla.mozilla.org has resumed normal operation. Attachments prior to 2014 will be unavailable for a few days. This is tracked in Bug 1475801.
Please report any other irregularities here.

Update known security vulnerabilities page

VERIFIED FIXED

Status

www.mozilla.org
General
VERIFIED FIXED
16 years ago
6 years ago

People

(Reporter: Frank Hecker, Assigned: Frank Hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Assignee)

Description

16 years ago
The Mozilla security vulnerabilities page needs to be updated to include the
recent XMLHttpRequest bug as well as any other bugs for which an entry is
warranted. I myself will take responsibility for writing the entries and
updating the page, until such time as someone else can take over this task.

I am going to keep this bug public, so please do not include comments in this
bug  discussing vulnerabilities that are not yet public. (In other words, don't
include discussions of bugs still marked as security-sensitive.) I'll use the
security-group mailing list to discuss exactly which vulnerabilities should have
an entry on the known vulnerabilities page, and what exactly should be included
in those entries.

However there *is* something I'd like to discuss in this bug: As proposed by
Mitch, the vulnerability entries should contain some indication of the severity
of the problem. I myself am having a hard time deciding exactly how we should
indicate severity; in particular, I think that just using "minor" vs. "major"
isn't fine-grained enough. Can anyone offer suggestions on what sort of
"severity scale" we should use? Can anyone provide useful examples of "severity
scales" from other projects or from security advisory services like CERT or Bugtraq?

Comment 1

16 years ago
this should be in the webmaster@ component...
Component: Miscellaneous → webmaster@mozilla.org
QA Contact: mitchell → imajes

Comment 2

16 years ago
Frank, I'd include what is at risk: local file read? write? cross-domain reads?
Then how likely it is or in which circumstances the bugs appears (without making
it easily findable). The severity is then more a summary of that.
(Assignee)

Comment 3

16 years ago
I just checked in a change to known-vulnerabilities.html to add an entry for the
XMLHttpRequest vulnerability; it should show up on the live site in a while. I'm
leaving the bug open for further work as needed. (Also, I accepted the bug,
which I forgot to do previously.)
Status: NEW → ASSIGNED

Comment 4

16 years ago
are we still using this bug to try and keep on top of this? 
http://www.mozilla.org/projects/security/known-vulnerabilities.html is still
missing stuff :( 
http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html lists
bugs that aren't on the above page.  and bug 169982 isn't mentioned on either
list.  apparently it isn't public, yet, but its existence was already made
public at https://rhn.redhat.com/errata/RHSA-2002-192.html

anyway, OS and Hardware probably need to become "All".

fwiw,
marc

Comment 5

16 years ago
*** Bug 174511 has been marked as a duplicate of this bug. ***

Comment 6

15 years ago
there have been 4 updates this year -> fixed
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated

14 years ago
Status: RESOLVED → VERIFIED

Comment 7

14 years ago
OS and Hardware should still be changed to "all"

also, i still see the following bugs listed at
http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html that
aren't listed at
http://www.mozilla.org/projects/security/known-vulnerabilities.html :
bug 88183
bug 104472
bug 125583
bug 135267
bug 148256
bug 148269
bug 148520
bug 149943
bug 150339
bug 151933
bug 152697
bug 152725
bug 154030
bug 154240
bug 154930
bug 157202
bug 157652
bug 157845

bug 74320 mights also be a candidate for the page....

frank: can you reopen the bug and change OS and Hardware to?

tia,
marc

Comment 8

14 years ago
while we're at it, bug 223062 is a candidate

Comment 9

13 years ago
further updates to the page are being tracked in bug 295841.
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in before you can comment on or make changes to this bug.