NetBSD-Users archive


Re: Firefox Problems



On Thu, 10 Jul 2008 17:04:47 -0700 (PDT)
Camilo Reyes <camiloreyes82%yahoo.com@localhost> wrote:

> Hi All, just gave NetBSD a shot and I must say I like the streamlined
> simplicity and flexibility in the design so far. The problem I'm
> having while installing firefox is this error:
> 
> => Bootstrap dependency digest>=20010302: found digest-20080510
> ===> Checking for vulnerabilities in firefox-2.0.0.14
> Package firefox-2.0.0.14 has a remote-system-access vulnerability,
> see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
> Package firefox-2.0.0.14 has a memory-corruption vulnerability, see:
> http://www.mozilla.org/security/announce/2008/mfsa2008-21.html
> Package firefox-2.0.0.14 has a arbitrary-code-execution
> vulnerability, see:
> http://www.mozilla.org/security/announce/2008/mfsa2008-25.html
> Package firefox-2.0.0.14 has a arbitrary-code-execution
> vulnerability, see:
> http://www.mozilla.org/security/announce/2008/mfsa2008-33.html
> ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in
> audit-packages.conf(5) if this package is absolutely essential.
> *** Error code 1
> 
> Stop.
> make: stopped in /usr/pkgsrc/www/firefox
> 
> It seems Firefox has some built-in holes in it, which makes me think
> twice before installing it. Should I install it anyway? Or find an
> alternative, if so, which one?
> 
Three things...

First -- the latest firefox in pkgsrc is 2.0.0.15, not .14.
Second -- most problems with firefox are not specific to NetBSD; you
run the risks on any platform.
Third -- I can't tell from the commit logs for pkgsrc whether 2.0.0.15
fixes the problems or not; the original advisories on 2.0.0.14 were
deliberately vague, because vulnerability info wasn't available.



                --Steve Bellovin, http://www.cs.columbia.edu/~smb

