To reproduce:

1. Go to <http://www.mozilla.org/products/firefox/releases/#new>. (For future reference, since that seems like a brittle anchor name, that's the "What's New 1.0.1" [sic] section.)
2. Follow the "security fixes" link, which goes to <http://www.mozilla.org/projects/security/known-vulnerabilities.html>.

What should happen:

* The link goes directly to a "Firefox 1.0.1" section on that page.
* You see a list of security bugs fixed in Firefox 1.0.1.

What actually happens:

* You see a list of security bugs fixed in everything *except* FF 1.0.1.
Fixed, at least the known vulnerabilities page. Dunno who owns the link.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
I think Mozilla Foundation shouldn't have disclosed this vulnerability information until most of the localized builds and Mozilla 1.7.6 are ready. It's too late.
Yes, I would have especially liked to have gotten 1.7.6 out the door first, but when your release is specifically deemed a "security release" people demand to know what's fixed. With the small number of changes on the shipping branch it's pretty easy to figure out what many of the bugs were from the patches. Keeping quiet only hurt people who didn't know there was a problem, but didn't keep the bad guys from taking advantage. By announcing, people have a chance to protect themselves, by using the announced workarounds, keeping vigilant (most of the fixes were spoofs), or using a pre-release or English version if necessary. Every course of action we could take was wrong; we tried to pick the least bad.
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org