Closed Bug 237789 Opened 21 years ago Closed 20 years ago

Security related bugs should be handled more end user friendly

Categories

(www.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: Manuel.Spam, Assigned: chofmann)

Details

(Keywords: meta)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7a) Gecko/20040219
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7a) Gecko/20040219

<http://www.mozilla.org/start/1.5/faq/general.html#audience> says that Mozilla is for everyone. So Mozilla is finally no longer only for developers. If Mozilla is for users then the most important thing, the security related bugs, should be handled more end user friendly.

For example it isn't very easy for end users to find out which security holes are in which Mozilla version. There is a list (<http://www.mozilla.org/projects/security/known-vulnerabilities.html>) but this is hard to find. I think this list should be linked at an easier to find place on mozilla.org so that end users can also find it without searching for hours.

This list is also *not* up to date. A list of known vulnerabilities doesn't help if it isn't up to date all the time! For example I can't find the security related bug <http://bugzilla.mozilla.org/show_bug.cgi?id=227417> on this list. I think if there is such a list then it should be updated as soon as a security related bug gets visible in Bugzilla.

Now that Firefox and Thunderbird exist, two new columns for these applications are also needed on the known vulnerabilities page, so that end users can also see which security holes are in which version of these applications. The third new column is needed for the 1.4 branch since <http://www.mozilla.org/roadmap.html> says:

4. Maintain the Mozilla 1.4 branch, which has replaced the 1.0 branch as the "distributor/vendor" branch used by organizations with year-long lead times.

Of course the users of the 1.4 branch also want to know which security holes are in which version.

Since Mozilla is now for end users I take for granted that sub-versions of the current stable version get released as soon as a security related bug is visible in Bugzilla. End users don't download nightlies, so if security bugs only get fixed in nightlies this would be dangerous for the end users who still use their stables. A better solution would be to share a small zip file which contains only the changed files. So the users that already have (for example) 1.6 installed only have to unzip the changed files to get 1.6.1 and don't have to download the whole suite again.

Reproducible: Always
Steps to Reproduce:
-> webmaster
Shouldn't this be made several bugs?
Component: Miscellaneous → webmaster@mozilla.org
Shouldn't hardware/os be changed to All/All?
Yes.
OS: Windows 2000 → All
Hardware: PC → All
You should mention http://cert.uni-stuttgart.de/ticker/article.php?mid=1183 (don't know if there is an English version).
pi
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
> You should mention http://cert.uni-stuttgart.de/ticker/article.php?mid=1183
Yes, you're right.
> (don't know if there is an English version).
I don't think so, but this is better than nothing: <http://babelfish.altavista.com/babelfish/urltrurl?url=http://cert.uni-stuttgart.de/ticker/article.php?mid=1183&lp=de_en>
Assignee: mitchell → endico
Depends on: 248510
Depends on: 248511
Depends on: 248512
reassign to Chris. Let him decide the severity of this bug
Assignee: endico → chofmann
Severity: major → normal
Keywords: meta
Depends on: 246103
> Since Mozilla is now for end users I take for granted that sub-versions of the
> current stable version get released as soon as a security related bug is visible
> in Bugzilla.
See npm.security newsgroup, I posted about that there a month or so ago.
this is worksforme :-)
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org