283537 - No Firefox 1.0.1 section in "Known vulnerabilities" page

Status: VERIFIED FIXED

(www.mozilla.org :: General, defect)

Description

[Matthew T (active 1999-2002)]

To reproduce:
1.  Go to <http://www.mozilla.org/products/firefox/releases/#new>.
    (For future reference, since that seems like a brittle anchor name,
    that's the "What's New 1.0.1" [sic] section.)
2.  Follow the "security fixes" link, which goes to
    <http://www.mozilla.org/projects/security/known-vulnerabilities.html>.

What should happen:
*   The link goes directly to a "Firefox 1.0.1" section on that page.
*   You see a list of security bugs fixed in Firefox 1.0.1.

What actually happens:
*   You see a list of security bugs fixed in everything *except* FF 1.0.1.

Comment 1

[Daniel Veditz [:dveditz]]

Fixed, at least the known vulnerabilities page. Dunno who owns the link.

Comment 2

[Matthew T (active 1999-2002)]

Verified, thanks.

Comment 3

[u115577]

I think Mozilla Foundation shouldn't have disclosed these vulnerabilities
information until most of the localized builds and Mozilla 1.7.6 are ready. It's
too late.

Comment 4

[Daniel Veditz [:dveditz]]

Yes, I would have especially liked to have gotten 1.7.6 out the door first, but
when your release is specifically deemed a "security release" people demand to
know what's fixed.

With the small number of changes on the shipping branch it's pretty easy to
figure out what many of the bugs were from the patches. Keeping quiet only hurt
people who didn't know there was a problem, but didn't keep the bad guys from
taking advantage. By announcing people have a chance to protect themselves, by
using the announced workarounds, keeping vigilant (most of the fixes were
spoofs), or using a pre-release or English version if necessary.

Every course of action we could take was wrong, we tried to pick the least bad.