CVE-2006-1942

Alexander Sack asac at debian.org
Sun Apr 23 14:56:05 UTC 2006


On Sun, Apr 23, 2006 at 10:46:31AM -0400, Micah Anderson wrote:
> Thanks for your hard work in getting all these CVEs wrapped up
> for upload, I'll mark the debian security tracker appropriately.
> 
> I noticed one new CVE that has perhaps appeared since you put
> these together, CVE-2006-1942 which applies to 1.5.0.2. 
> 
> The short description is:
> 
> Mozilla Firefox 1.5.0.2 allows user-complicit remote attackers to 
> open local files via a web page with an IMG element containing 
> a SRC attribute with a non-image file:// URL, then tricking the user 
> into selecting View Image for the broken image.
> 
> Is this on your radar for this upload?

Not for this release ... anyway, I am tracking those CVEs and have added
this issue to the list of fixes I/we need to backport. The point:
mozilla has officially dropped support for 1.0.x as of the 1.0.8
release ... 

in consequence, we have to collaborate with other distributors that
are 'pro long release cycles'. Anyway, it is still unclear what this 
collaboration will look like ... e.g. if we can use the mozilla
infrastructure for it, if we coordinate some kind of distributor
release or if we try to release isolated fixes for each single issue 
that pops up.

As soon as I know more, I will let this list know.


 - Alexander
-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 asac at debian.org         | `. `'      Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/
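The lure quoted above (an IMG element whose SRC is a file:// URL to a non-image local file, relying on the user choosing "View Image") can be spotted in page markup before a browser ever renders it. The scanner below is an added example written for this page, not code from Mozilla, Debian or the thread participants; the sample HTML is constructed, and the image-extension list and the function names are my own assumptions.

```python
"""Flag IMG elements whose SRC is a file:// URL, the lure described for CVE-2006-1942.

Added example (not from the original thread). It does not reproduce the
"View Image" behaviour; it only identifies markup that sets the lure up.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed list of extensions a browser would normally render as an image.
IMAGE_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg", ".bmp", ".ico", ".svg"}


class ImgSrcCollector(HTMLParser):
    """Collect the SRC attribute of every IMG start tag (html.parser
    lowercases tag and attribute names for us)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value.strip())


def classify_img_src(src):
    """Return a finding dict for a file:// SRC, or None for any other scheme.

    looks_like_image is False when the referenced path has no image
    extension, i.e. the "broken image" case the CVE text describes.
    """
    parts = urlsplit(src)
    if parts.scheme.lower() != "file":
        return None
    path = unquote(parts.path)
    ext = posixpath.splitext(path)[1].lower()
    return {
        "src": src,
        "path": path,
        "looks_like_image": ext in IMAGE_EXTENSIONS,
    }


def find_local_file_images(html):
    """Parse HTML and return findings for every IMG with a file:// SRC."""
    collector = ImgSrcCollector()
    collector.feed(html)
    findings = (classify_img_src(s) for s in collector.srcs)
    return [f for f in findings if f is not None]


# Constructed sample page: one ordinary remote image, two file:// lures
# pointing at non-image files, and one file:// reference to a real image.
SAMPLE_HTML = """
<html><body>
<img src="http://example.invalid/logo.png">
<img src="file:///etc/passwd">
<IMG SRC='file:///C:/boot.ini'>
<img src="FILE:///home/user/photo.jpg">
</body></html>
"""


def suspicious_findings(html=SAMPLE_HTML):
    """Only the file:// references that do not look like images."""
    return [f for f in find_local_file_images(html) if not f["looks_like_image"]]


if __name__ == "__main__":
    for f in suspicious_findings():
        print("suspicious IMG SRC:", f["src"], "->", f["path"])
```

Run against a saved page, the scanner lists every IMG that points at a local file; the entries with looks_like_image False are the ones matching the CVE description, while a file:// reference to an actual image is reported separately so a reviewer can judge it in context.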