Do the latest batch of Firefox CVEs apply towards Solaris 10 Firefox 10.0.12?
Oracle representatives are pretty adamant that they have fixed all applicable CVEs for their compiled version of Firefox 10.0.12. However, Retina spits out Audit ID 31271 based on a version check. The CVEs say anything before Firefox 25 is affected. Can I get an official statement from Mozilla that states whether or not these CVEs affect Firefox 10.0.12 in any way?
CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5598, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604
All Replies (4)
Hello,
I see you're running an older version of Firefox and some plugins are out of date. Please try the following to get your system updated:
- Update Firefox to the latest release
- Go to the Mozilla Plugin Check site.
- Once you're there, the site will check if all your plugins have the latest versions.
- If you see plugins in the list that have a yellow Update button or a red Update now button, please update these immediately.
Please let us know if this helps!
Firefox 10.0.12 is not secure.
All, thank you for your comments.
SMoziller, I think you have misunderstood the nature of my question. Plugins have nothing to do with the question.
Tylerdowner, I feel the same sentiment, but I need authoritative technical proof from Mozilla that states which CVEs apply so I can publicly inform the Oracle developers that they are doing a disservice to the Solaris community by not providing a secure browser. The statement has to have legal/technical weight.
Perhaps I need to change my question. How do I and what do I examine in the Firefox code built into Solaris to show that the vulnerabilities are still in the code? Is there a way to go through the binaries to find the bad code? What files should I look at and what tools should I use?
https://www.mozilla.org/security/known-vulnerabilities/
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
The old 10.0.12 ESR was released at the same time as the less old 17.0.2 ESR version. So 10.0.12 ESR is missing out on security patches ever since 17.0.3 ESR and newer, for example.