Comment 10 for bug 16974

David D Miller (justdave) wrote :

(In reply to comment #9)
> I rather find Mozilla's attitude of denying access to older clients
> PLAIN STUPID, once for such an enforcement itself and twice because
> the site can recognize the ubuntu specific build, and could just
> make an exception for that browser or other browsers with backported
> patches.

This deserves some explanation, since I'm the person who set that up. We have
never blocked old versions from the addons site before. We have no choice this
time. The severity of the security vulnerability in question demands it. If
you can get content from a site in Firefox's extension install whitelist loaded
in an IFRAME, you can execute arbitrary code on the user's computer. That's
serious. It would be irresponsible of us NOT to block vulnerable clients from
getting content from that site, since it's included in the default whitelist
that ships with Firefox.

I'm perfectly willing to make an exception for Ubuntu, however, the UserAgent
string in the Ubuntu Firefox doesn't appear to have changed when the security
patches were applied, so we have no way to tell whether the Ubuntu package
you're running has the fix or not. Yes, the UserAgent is a stupid way to check
versions, but it's the only option we have without actually delivering content
to the browser to run a script, which would allow the exploit to work still.
Typically, people who mess with their useragent are better at keeping up with
security updates, or that's the hope anyway.
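The server-side gate described in this comment, as an added illustration written for this page (it is not Mozilla's addons-site code, nor anything from the Ubuntu package): the only signal available without shipping a script to the client is the `Firefox/x.y.z` token in the UserAgent header, so the site parses that token and refuses content to any client whose claimed version predates the fix. The minimum fixed version and the sample UserAgent strings below are constructed placeholders, not values taken from the bug. The final check also shows the limitation the comment points out: a distribution build that backports the fix without bumping its version token is indistinguishable from the vulnerable build and is blocked like one.

```python
"""UserAgent-based version gate for a site on a browser's extension-install
whitelist. Example for this page; not Mozilla's or Ubuntu's code."""
import re
from typing import Optional, Tuple

# Placeholder assumption: the first Firefox version carrying the fix.
# The bug comment does not state the real value; substitute the actual one.
MIN_FIXED_VERSION: Tuple[int, ...] = (1, 5, 0, 1)

# Matches the product token Firefox sends, e.g. "Firefox/1.5.0.1".
_FIREFOX_TOKEN = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")


def parse_firefox_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from a Firefox UA string, or None
    if the string carries no Firefox product token."""
    m = _FIREFOX_TOKEN.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so (1, 5) compares as (1, 5, 0, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def gate(user_agent: str) -> Tuple[bool, str]:
    """Decide whether to serve whitelisted content to this client.

    Returns (serve, reason). Only Firefox clients are affected by the
    install whitelist, so a non-Firefox UA is served; a Firefox client is
    served only if its claimed version is at or above MIN_FIXED_VERSION.
    A claimed version that is older is refused, even though the string is
    self-reported: that is the whole weakness the comment acknowledges.
    """
    version = parse_firefox_version(user_agent)
    if version is None:
        return True, "not-firefox"
    if _pad(version) >= _pad(MIN_FIXED_VERSION):
        return True, "firefox-fixed"
    return False, "firefox-vulnerable"


# Constructed sample UserAgent strings (not captured from real clients).
UA_FIXED = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) "
            "Gecko/20060124 Firefox/1.5.0.1")
UA_OLD = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) "
          "Gecko/20051111 Firefox/1.5")
# A distro build that backported the patch but kept the old token: the
# server cannot tell it apart from UA_OLD, so it gets the same answer.
UA_BACKPORTED_SAME_TOKEN = UA_OLD
UA_OTHER = "curl/7.0 (constructed non-browser client)"


if __name__ == "__main__":
    for ua in (UA_FIXED, UA_OLD, UA_BACKPORTED_SAME_TOKEN, UA_OTHER):
        serve, reason = gate(ua)
        print(f"{'serve' if serve else 'block':5}  {reason:18}  {ua}")
```

The padding in `_pad` matters: a client reporting `Firefox/1.5` must compare below `1.5.0.1`, which a naive string comparison or an unpadded tuple comparison gets wrong in one direction or the other. The `UA_BACKPORTED_SAME_TOKEN` case is deliberately identical to `UA_OLD`; a backported build becomes recognisable only if the package bumps something in the UA string that the gate can read.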