Closed
Bug 300840
Opened 20 years ago
Closed 19 years ago
Page suggests I download vulnerable 1.0.4 (localizations lag)
Categories
(www.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jim, Unassigned)
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier:
Upon visiting http://www.mozilla.org/products/firefox/ the page suggests I
download the 10.0.4 British English version rather than a 10.0.5 - Given that
10.0.4 is vulnerable to published security flaws it should not be offered for
download ostensibly as the up to date version.
Reproducible: Always
Steps to Reproduce:
1. Configure Accept-Language to something other than en, e.g. en-GB
2. Visit http://www.mozilla.org/products/firefox/
3. See the 10.0.4 download prompt
Expected Results:
Only 10.0.5 versions should've been available.
Summary: Pages suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 10.0.4
Updated•20 years ago
Assignee: nobody → mozilla.webmaster
Component: Product Site → webmaster@mozilla.org
Product: Firefox → mozilla.org
QA Contact: product.site → danielwang
Summary: Page suggests I download vulnerable 10.0.4 → Page suggests I download vulnerable 1.0.4
Version: unspecified → other
Comment 1
It's offering both en-US 1.0.5 and en-GB 1.0.4, right? That's what I intended
it to do, anyway.
For en-US and en-GB, there might be an argument the other way, but for somebody
who doesn't speak English (i.e., for most other cases), we probably do want to
offer the 1.0.4. Localized versions should be available soon, anyway.
Comment 2
You should not be offering versions vulnerable to published flaws available for
download other than in an archive area full stop.
I read about the flaws in bugtraq, I visited the download page, and unless I
specifically knew the latest version was 1.0.5, I would've then continued to
download the prompted version and felt I was up to date and therefore safe.
The continued recommendation of vulnerable versions will leave people unsafe.
As you say regionalised versions come along very soon after, so I do not feel
users would be overly inconvenienced by not having a version available to them,
or have the regionalised version only available after a very strong warning
that it is insecure.
Comment 3
What really should happen, IMO, is that we shouldn't publish the security
advisories until we have localized versions available for download.
Comment 4
True, that would indeed make sense, and be a perfectly good other approach to
fixing the bug - and probably a better one, but given that they have, it would
be nice not to have it as a problem.
Comment 5
Well, if someone else wants to make the necessary changes to the script, test
them on Gecko, WinIE, Safari, MacIE, Netscape 4.x, and Konqueror, land them, and
then back them out in a few days, feel free, but I have no plans to do so.
Comment 6
...and Opera. I knew I was forgetting one.
Comment 7•20 years ago
(In reply to comment #3)
> What really should happen, IMO, is that we shouldn't publish the security
> advisories until we have localized versions available for download.
Please tell that to the people beating down my door because I published them so
*late*!
Man, can't win.
Updated•19 years ago
Summary: Page suggests I download vulnerable 1.0.4 → Page suggests I download vulnerable 1.0.4 (localizations lag)
Comment 8•19 years ago
fixed by dbaron%dbaron.org on 2005-07-19 16:45
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•17 years ago
Product: mozilla.org → Websites
Updated•12 years ago
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
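
The policy argued for in this thread, as an added JavaScript example that is not from the bug or from mozilla.org's download script (the actual fix is not shown on this page): a selector that honours Accept-Language but never promotes a localized build older than the current release. The function names, the `de` entry and the result shape are assumptions; the en-US 1.0.5 and en-GB 1.0.4 versions come from the comments above.

```javascript
// Added illustration; names and data below are constructed, not mozilla.org's script.
// Constructed sample: newest build published per locale at the time of the report.
const BUILDS = { 'en-US': '1.0.5', 'en-GB': '1.0.4', 'de': '1.0.4' };
const CURRENT_RELEASE = '1.0.5'; // newest security release, per the report

// Parse "en-GB,en;q=0.8,de;q=0.5" into tags ordered by descending q-value.
function parseAcceptLanguage(header) {
  return String(header || '')
    .split(',')
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(';');
      const q = params.map(p => p.trim()).find(p => p.startsWith('q='));
      const weight = q === undefined ? 1 : parseFloat(q.slice(2));
      return { tag: tag.trim(), weight: Number.isNaN(weight) ? 0 : weight, index };
    })
    .filter(e => e.tag && e.tag !== '*' && e.weight > 0)
    .sort((a, b) => b.weight - a.weight || a.index - b.index)
    .map(e => e.tag);
}

// Numeric, component-wise comparison so that 1.0.10 sorts after 1.0.5.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Pick the build to promote. A localized build older than the current release
// is never promoted as up to date: it is returned only as an explicitly
// flagged alternative beside the current en-US build.
function chooseDownload(header, builds = BUILDS, current = CURRENT_RELEASE) {
  const keys = Object.keys(builds);
  const find = tag => keys.find(k => k.toLowerCase() === tag.toLowerCase());
  let stale = null;
  for (const tag of parseAcceptLanguage(header)) {
    const locale = find(tag) || find(tag.split('-')[0]);
    if (!locale) continue;
    if (compareVersions(builds[locale], current) >= 0) {
      return { locale, version: builds[locale], outdatedAlternative: stale };
    }
    stale = stale || { locale, version: builds[locale] };
  }
  return { locale: 'en-US', version: builds['en-US'], outdatedAlternative: stale };
}
```

A page using this would render `outdatedAlternative`, when present, with a visible note that the localized build predates the current release, instead of presenting it as the recommended download.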