254655 - 0.9.3 release notes don't mention serious libpng security issue (bug 251381)

Status: VERIFIED WONTFIX

(www.mozilla.org :: General, defect)

Description

[Marc Bejarano]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

Firefox 0.9.3 was just released, primarily due to the extremely serious bug 0.9.3.

the current release notes at http://www.mozilla.org/products/firefox/releases/
make NO mention of this bug?!

Reproducible: Always
Steps to Reproduce:

Comment 1

[u88484]

This bug's status should be changed to 'RESOLVED' and resolution to 'WONTFIX'
since 0.9.3 was released over a month ago and the bug# 251381 is now fixed.

Comment 2

[Glenn Randers-Pehrson]

If you follow the link to "The Burning Edge..." and then "security holes"
you find a table on this page with entries talking about this and other security
fixes.

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3

I agree, resolved==wontfix is appropriate.  The info is only a couple of
clicks away for anyone who needs it.

Comment 3

[Marc Bejarano]

a couple of clicks away is NOT good enough.  we're not trying to hide anything.
 any self-respecting project i've worked with puts information about fixed
security holes in a very visible spot on the release notes.  what could be more
important for the release notes?

i still think the info NEEDS to be there.  people still read through past
release notes when deciding whether or not to upgrade for old versions to the
latest/greatest.

as a policy, all our release notes should contain info on any security bugs that
were fixed.  a prominent link to the page mentioned in comment #2 would suffice,
if we're feeling lazy.

Comment 4

[Steffen Wilberg]

0.9.3 is a bit old, but we should consider this for the future.
-> morphing summary and confirming.

Comment 5

[Asa Dotzler [:asa]]

no longer relevant. We have a security update notice in the release notes. 

Comment 6

[Marc Bejarano]

i think the relevance of the bug as originally reported is debatable.  we're
still serving up old release notes and linking to them all from
http://www.mozilla.org/products/firefox/releases/ .

i think there is value in at least putting a statement at the top of older
release notes saying something like:
===
This is an archived release note.  Note that it failed to provide important
information on the security holes that were fixed with this realease.  Please
refer to http://www.mozilla.org/projects/security/known-vulnerabilities.html for
information on security-related bugs that were fixed with this releaes.
===

small effort.. reasonable reward.

Comment 7

[Daniel Veditz [:dveditz]]

Which bugs were fixed is really only important for the most recent releases. At
this point it doesn't matter what was fixed in 0.9.3. Anyone reading those needs
to know what *wasn't* fixed which we've discovered later was a lot of security
holes.

More recent release notes do contain links to the appropriate section of the
security vulnerability page so this is either "fixed" in general or "wontfix" if
you're hung up on 0.9.3

If this gets reopened please reassign to someone else (probably Asa) as it
wouldn't be appropriate for me to edit the release notes directly.

Comment 8

[Marc Bejarano]

for correctness' sake, i'm reverting the summary from:
"mention security updates in the release notes"
to:
"0.9.3 release notes don't mention serious libpng security issue (bug 251381)"

also changing to WONTFIX

Comment 9

[Reed Loden [:reed]]

--> Websites :: www.mozilla.com so timeless can close out Firefox :: Product Site.