Firefox 2.0.0.3, and 1.5.0.11 Now Available for Download


Postby Ramona » Tue 20 Mar, 2007 4:32 am

Download Version 2.0.0.3 at the FTP site

Download Version 1.5.0.11 at the FTP site


At this early hour, these Versions aren't yet available on the Firefox site; however, I'm certain they will be available shortly, along with the Release Notes.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Last edited by Ramona on Thu 10 May, 2007 4:13 pm, edited 1 time in total.

Postby Mandrake » Tue 20 Mar, 2007 9:28 am

Thanks Ramona. Downloading now. :)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Core i7 920 | ASUS P6T Deluxe v2 | 3TB+ HDD | 12GB Corsair DDR3 | Radeon 4890 Xfire | X-Fi Titanium Fatal1ty | Logitech Z-5500 Speakers | Dell 3008WFP | Seven RC1

Postby Fulvio » Tue 20 Mar, 2007 12:00 pm

I have not taken a deep look, but this does not seem to be the final version, as the Firefox site declares. Also, why is 2.0.0.3 about 7.2 MB larger than 2.0.0.2?
I was doing a custom installation of 2.0.0.2, while 2.0.0.3 was installed on top of what was left of 1.5.0.10, after installation. Well, the plugins folder of 2.0.0.3 is over 6.5 MB, while 2.0.0.2 is about 3.8. Not enough to account for the difference.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, SM2.9.1, FF12, TB12.0.1, IE8.0, Google Chrome18, Ghostwall , Avast 7.x, JRE1.7_04. Testing FF13b3

Postby James » Tue 20 Mar, 2007 2:20 pm

Why the rush to download? Is 2.0.0.2 somehow at risk already? I'm sincerely confused by this constant rush to grab off the latest updates before they even appear on the Firefox site. Can someone explain this to me?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
James

Postby Don_HH2K » Tue 20 Mar, 2007 2:47 pm

James wrote: Why the rush to download? Is 2.0.0.2 somehow at risk already? I'm sincerely confused by this constant rush to grab off the latest updates before they even appear on the Firefox site. Can someone explain this to me?


There's no list of fixes on the 2.0.0.3 Release Notes page yet. There are three of six unpatched vulnerabilities on Secunia, though, so I'd like to assume one or more of those have been fixed in the latest release. As far as regular bugfixes go, I couldn't tell you yet.

Also I assume Antony will be by with a speech on how some people need the latest of everything, as well as "Shame on Firefox" and so on.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.3) Gecko/20070318 BonEcho/2.0.0.3 (ayakawa SSE2-PGU)
Laptop: HP Compaq nx6325 - Turion 64 X2 @ 2GHz, 2GB DDR2, 100GB HD, ATI Radeon X300, 15" LCD, Seven Pro
Handheld: Palm Treo 650 - Intel PXA270 @ 312MHz, 10MB RAM, 32MB flash, 2.7" LCD, Palm OS 5.4

Postby Antony » Tue 20 Mar, 2007 2:55 pm

James wrote: Why the rush to download? Is 2.0.0.2 somehow at risk already? I'm sincerely confused by this constant rush to grab off the latest updates before they even appear on the Firefox site. Can someone explain this to me?

Certainly not me, as most of you know that I don't rush for the latest, and I don't get scared by those vulnerabilities reported.

Firefox 2.0.0.2 is not at risk yet, not even the 2.0.0.0 in my honest opinion. Secunia has been noted for over-exaggerating the situation.

This could be the early release for Firefox Community testers, as mentioned in Firefox Community Beta Program (15th March 2007).
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Postby Fulvio » Tue 20 Mar, 2007 4:57 pm

As far as I know, 2.0.0.3 was to fix some regression encountered with 2.0.0.2. 2.0.0.4 is supposed to fix vulnerabilities. Anyway, I got both versions installed.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Postby Don_HH2K » Tue 20 Mar, 2007 6:24 pm

Antony wrote: Firefox 2.0.0.2 is not at risk yet, not even the 2.0.0.0 in my honest opinion. Secunia has been noted of over-exaggerating the situation.


Should I go over the fact that 2.0 Gold has sixteen open holes, seven of which are marked by The Mozilla Foundation themselves as Critical?

Better yet, should I go over the story of Slammer again?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.3) Gecko/20070318 BonEcho/2.0.0.3 (ayakawa SSE2-PGU)

Postby Ramona » Tue 20 Mar, 2007 6:52 pm

These are official releases, and available on the Firefox site:

http://www.mozilla.com/en-US/firefox/

http://www.mozilla.com/en-US/firefox/2. ... easenotes/

There is never a rush for installing a new release; however, if the new release is a security release, which is the case for 2.0.0.3 and 1.5.0.11, I see no need to continue to use an insecure browser...


Firefox 1.5.0.11: This version of Firefox will be supported until April 24, 2007 with security and stability updates. We strongly encourage all users to upgrade to Firefox 2.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Last edited by Ramona on Tue 20 Mar, 2007 6:58 pm, edited 1 time in total.

Postby Don_HH2K » Tue 20 Mar, 2007 6:56 pm

Thanks Ramona, the list of fixes and so on wasn't available earlier today.

2.0.0.3 fixes a "Low"-rated hole related to FTP handling. While not particularly important (along with three others in the 2.x series, accounting for four "Low" holes), this does bring the vulnerability count in 2.0 Gold up to 17.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.3) Gecko/20070318 BonEcho/2.0.0.3 (ayakawa SSE2-PGU)

Postby Ramona » Tue 20 Mar, 2007 7:02 pm

This is from the Mozilla Foundation Security Advisories:

Fixed in Firefox 2.0.0.3

MFSA 2007-11 FTP PASV port-scanning
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Postby Antony » Wed 21 Mar, 2007 1:10 am

Less than a month ago, I was being forced to upgrade to Firefox 2.0.0.2, and I have not seen that offensive dialogue as of now.
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

Postby Antony » Wed 21 Mar, 2007 1:46 am

MozInfo701 now has a report on Firefox 2.0.0.3 and 1.5.0.11.

From Mozilla Foundation Security Advisory 2007-11, which is the only minor security fix, it says (with highlight):
The FTP protocol includes the PASV (passive) command which is used by Firefox to request an alternate data port. The specification of the FTP protocol allows the server response to include an alternate server address as well, although this is rarely used in practice.

mark@bindshell.net reported that a malicious web page hosted on a specially-coded FTP server could use this feature to perform a rudimentary port-scan of machines inside the firewall of the victim. By itself this causes no harm, but information about an internal network may be useful to an attacker should there be other vulnerabilities present on the network.

Mozilla clients will now ignore the alternate server address.
Just don't use Firefox to browse (or download from) an untrusted FTP server. In fact, there is good FTP software around, just don't use Firefox for FTP tasks, and you don't need to rush to download.
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
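The fix quoted in the post above from MFSA 2007-11 (ignore the alternate server address in a PASV reply), sketched as an added example that is not from the thread or from Mozilla's code. The function names, the control-connection address and the sample replies are constructed for illustration.

```python
import re

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (advertised_host, port) from a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply[3:])
    if m is None:
        raise ValueError("no address tuple in reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def data_endpoint(reply, control_peer):
    """Decide where the client opens its data connection.

    Only the port is taken from the reply. The host is always the address
    the control connection is already talking to, so a server cannot steer
    the client toward another machine. The advertised host is kept only so
    a mismatch can be logged.
    """
    advertised, port = parse_pasv(reply)
    return {
        "connect_to": (control_peer, port),
        "advertised_host": advertised,
        "host_mismatch": advertised != control_peer,
    }


# Constructed sample replies; 192.0.2.10 stands in for the FTP server the
# client actually connected to.
HONEST = "227 Entering Passive Mode (192,0,2,10,19,137)"
REDIRECT = "227 Entering Passive Mode (10,0,0,5,0,22)"

if __name__ == "__main__":
    for reply in (HONEST, REDIRECT):
        print(data_endpoint(reply, "192.0.2.10"))
```

A mismatch between the advertised host and the control peer is worth logging on the client or proxy side, since ordinary servers rarely send one.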

Postby Mandrake » Wed 21 Mar, 2007 3:28 am

Or just download the fix and be happy that you know you're protected from this security flaw. :roll:
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Postby James » Wed 21 Mar, 2007 10:09 am

Well, I've downloaded the update only because it appeared at the official site and because the Update Firefox registered an approved update through the Help section of Firefox. I'm hesitant about applying updates before this time just because they've been rushed out to some ftp server. But it appears we're all safe and secure so.... :)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
James
