User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier:

Upon visiting http://www.mozilla.org/products/firefox/ the page suggests I download the 10.0.4 British English version rather than a 10.0.5 - Given that 10.0.4 is vulnerable to published security flaws it should not be offered for download ostensibly as the up to date version.

Reproducible: Always

Steps to Reproduce:
1. Configure Accept-Language to something other than en, e.g. en-GB
2. Visit http://www.mozilla.org/products/firefox/
3. See the 10.0.4 download prompt

Expected Results:
Only 10.0.5 versions should've been available.
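The behaviour the report describes is a locale picker that follows the browser's Accept-Language preference and ends up advertising whichever build exists for that locale, even when it is older than the patched release. The following is an added example, not mozilla.org's download script and not code from anyone in this thread: it parses Accept-Language with q-values, matches a locale against a constructed catalogue of builds (the `AVAILABLE_BUILDS` table, the `MINIMUM_SAFE_VERSION` floor and the `DEFAULT_LOCALE` fallback are all assumptions made for the example), and refuses to advertise any build below the version that carries the published fixes, returning a note the page can show instead of silently offering the vulnerable download.

```python
import re

# Constructed catalogue of builds keyed by locale (not real mozilla.org data):
# the localized en-GB and de builds lag one point release behind en-US.
AVAILABLE_BUILDS = {
    "en-US": "1.0.5",
    "en-GB": "1.0.4",
    "de": "1.0.4",
}

# Assumed policy: anything below this version lacks the published fixes and
# must never be advertised as the current release.
MINIMUM_SAFE_VERSION = "1.0.5"
DEFAULT_LOCALE = "en-US"


def parse_version(v):
    """Dotted version string -> tuple, so comparison is numeric ('1.0.10' > '1.0.9')."""
    return tuple(int(part) for part in v.split("."))


def parse_accept_language(header):
    """Return language tags from an Accept-Language header, highest q first.

    Entries without a q parameter default to q=1.0; q=0 means "not acceptable"
    and is dropped. Ties keep the header's original order.
    """
    prefs = []
    for idx, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        tag, q = parts[0], 1.0
        for param in parts[1:]:
            m = re.fullmatch(r"q\s*=\s*(0(\.\d{0,3})?|1(\.0{0,3})?)", param)
            if m:
                q = float(m.group(1))
        if q > 0:
            prefs.append((-q, idx, tag))
    prefs.sort()
    return [tag for _, _, tag in prefs]


def choose_build(accept_language):
    """Pick the build to advertise, returning (locale, version, note).

    Locale selection follows the browser's preference order, but a build older
    than MINIMUM_SAFE_VERSION is never offered as current: the caller gets the
    default-locale build plus a note explaining why, so the page can say so.
    """
    floor = parse_version(MINIMUM_SAFE_VERSION)
    for tag in parse_accept_language(accept_language):
        # Exact tag match first, then the default locale, then any other build
        # sharing the language prefix ('en' -> en-US before en-GB, 'de-AT' -> de).
        candidates = [
            loc for loc in AVAILABLE_BUILDS
            if loc.lower() == tag.lower()
            or loc.lower().split("-")[0] == tag.lower().split("-")[0]
        ]
        candidates.sort(key=lambda l: (l.lower() != tag.lower(), l != DEFAULT_LOCALE, l))
        for loc in candidates:
            version = AVAILABLE_BUILDS[loc]
            if parse_version(version) >= floor:
                return loc, version, None
            return (
                DEFAULT_LOCALE,
                AVAILABLE_BUILDS[DEFAULT_LOCALE],
                f"{loc} build {version} is below the patched release "
                f"{MINIMUM_SAFE_VERSION}; offering {DEFAULT_LOCALE} instead",
            )
    return DEFAULT_LOCALE, AVAILABLE_BUILDS[DEFAULT_LOCALE], None


if __name__ == "__main__":
    for header in ("en-US", "en-GB,en;q=0.8", "de", "fr"):
        print(header, "->", choose_build(header))
```

The point of the version floor is that it is independent of the locale logic: a new localized build becomes eligible the moment its version reaches the floor, so the picker needs no per-locale exceptions and cannot be talked into an old build by a different Accept-Language value.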
Summary: Pages suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 10.0.4
13 years ago
Assignee: nobody → mozilla.webmaster
Component: Product Site → email@example.com
Product: Firefox → mozilla.org
QA Contact: product.site → danielwang
Summary: Page suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 1.0.4
Version: unspecified → other
It's offering both en-US 1.0.5 and en-GB 1.0.4, right? That's what I intended it to do, anyway. For en-US and en-GB, there might be an argument the other way, but for somebody who doesn't speak English (i.e., for most other cases), we probably do want to offer the 1.0.4. Localized versions should be available soon, anyway.
You should not be offering versions vulnerable to published flaws available for download other than in an archive area full stop. I read about the flaws in bugtraq, I visited the download page, and unless I specifically knew the latest version was 1.0.5, I would've then continued to download the prompted version and felt I was up to date and therefore safe. The continued recommendation of vulnerable versions will leave people unsafe. As you say regionalised versions come along very soon after, so I do not feel users would be overly inconvenienced by not having a version available to them, or have the regionalised version only available after a very strong warning that it is insecure.
What really should happen, IMO, is that we shouldn't publish the security advisories until we have localized versions available for download.
True, that would indeed make sense, and be a perfectly good other approach to fixing the bug - and probably a better one, but given that they have, it would be nice not to have it as a problem.
Well, if someone else wants to make the necessary changes to the script, test them on Gecko, WinIE, Safari, MacIE, Netscape 4.x, and Konqueror, land them, and then back them out in a few days, feel free, but I have no plans to do so.
...and Opera. I knew I was forgetting one.
(In reply to comment #3)
> What really should happen, IMO, is that we shouldn't publish the security
> advisories until we have localized versions available for download.

Please tell that to the people beating down my door because I published them so *late*! Man, can't win.
Summary: Page suggests I download vulnerable 1.0.4 → Page suggests I download vulnerable 1.0.4 (localizations lag)
fixed by dbaron%dbaron.org on 2005-07-19 16:45
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org