[Firefox] security update release 2.0.0.8 available from upstream

Bug #154393 reported by disabled.user on 2007-10-19
Affects | Status | Importance | Assigned to | Milestone
firefox (Ubuntu) | | High | Alexander Sack |
Dapper | | High | Kees Cook |
Edgy | | High | Kees Cook |
Feisty | | High | Kees Cook |
Gutsy | | High | Kees Cook |
Hardy | | High | Alexander Sack |

Bug Description

Binary package hint: firefox

References:
http://www.mozilla-europe.org/de/products/firefox/2.0.0.8/releasenotes/
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8

An updated version of Firefox, which fixes a number of security vulnerabilities, is available from upstream.

Please provide updated packages for the stable Ubuntu releases as soon as possible.

Alexander Sack (asac) wrote :

already uploaded to security team.

Changed in firefox:
importance: Undecided → Critical
status: New → Fix Committed
status: Fix Committed → In Progress
importance: Undecided → Critical
status: New → Fix Committed
importance: Undecided → Critical
status: New → Fix Committed
importance: Undecided → Critical
status: New → Fix Committed
importance: Undecided → Critical
status: New → Fix Committed

Well, that's great news for sure. Thank you very much!

Strangely, although the bug is marked as fixed (also) for Gutsy, up-to-date installations still have 2.0.0.6:

$ apt-cache show firefox
Package: firefox
Priority: optional
Section: web
Installed-Size: 26008
Maintainer: Alexander Sack <email address hidden>
Architecture: i386
Version: 2.0.0.6+2nobinonly-0ubuntu1

Also checked the apt archive and there is no 2.0.0.8 version present in main or universe repositories.
Could you please clarify?

fzap (pflaumenmus92) wrote :

Dear maintainers,

Before upstreaming for security reasons, please consider the Gecko rendering engine bug that comes with the 2.0.0.8 version:

Firefox 2.0.0.8 - Float Containing/Clearing Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=400469

example: http://www.highresolution.info/webdesign/testcases/ff_floatingbug.htm

I've tested the package (amd64) from
deb http://ppa.launchpad.net/asac/ubuntu dapper main universe
which contains backports from the current Firefox to Dapper's 1.5 branch. It works fine so far and also doesn't show any broken rendering - the above-mentioned example looks just like it does in Konqueror.

Thank you, 2.0.0.8 is available via the regular update channel in Gutsy Final.

Check critical webpages (like portal logins, submission pages) for the CSS bug.

Suggested CSS workaround
http://www.456bereastreet.com/archive/200603/new_clearing_method_needed_for_ie7/

Fixed in Firefox 2.0.0.7 & 2.0.0.8
https://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8

Bugzilla: Bug 391412 – Regression in float layout causing "clear:" to be ignored
https://bugzilla.mozilla.org/show_bug.cgi?id=391412

Bugzilla: Bug 400406 – Layout badly broken in 2.0.0.8, CSS issue with floats or negative margins or display property...
https://bugzilla.mozilla.org/show_bug.cgi?id=400406

By the way, a 2.0.0.9 version will be released next week to fix some of those regressions:

See http://developer.mozilla.org/devnews/index.php/2007/10/22/firefox-2008-update-to-be-updated/

Seen update to 2.0.0.8 in today's updates. Thank you.

Kees Cook (kees) on 2007-10-23
Changed in firefox:
assignee: nobody → keescook
importance: Critical → High
status: Fix Committed → Fix Released
assignee: nobody → keescook
importance: Critical → High
status: Fix Committed → Fix Released
assignee: nobody → keescook
importance: Critical → High
status: Fix Committed → Fix Released
assignee: nobody → keescook
importance: Critical → High
status: Fix Committed → Fix Released
assignee: nobody → asac
importance: Critical → High

firefox appears done in hardy. marking as fix released.

sarah@LongPointyStick:~$ policy firefox
firefox:
  Installed: 2.0.0.8+2nobinonly-0ubuntu3
  Candidate: 2.0.0.8+2nobinonly-0ubuntu3
  Version table:
 *** 2.0.0.8+2nobinonly-0ubuntu3 0
        500 http://mirror.pacific.net.au hardy/main Packages
        500 http://archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

Changed in firefox:
status: In Progress → Fix Released
This report contains Public Security information
Everyone can see this security related information.