On Fri, Jul 24, 2009 at 11:43:50AM +0200, Mike Hommey wrote:
> On Sat, Jan 17, 2009 at 04:06:30PM +0100, Mike Hommey wrote:
> > On Sat, Jan 17, 2009 at 02:19:02PM +0100, Sylvain Beucler wrote:
> > > Package: iceweasel
> > > Version: 3.0.5-1
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > 
> > > Since Debian stable is a "frozen" distro, it's not uncommon to install
> > > the official Firefox binaries when the next version of Firefox is
> > > released, and isn't packaged in stable or backported yet. I've
> > > also seen that useful to fix browser detection (hotmail) or support
> > > binary extensions (probably to avoid stdlibc++ 5/6 discrepancies).
> > > 
> > > Anyway, when Iceweasel is started, it silently disables the security
> > > update checks in the configuration.
> > > "about:config" reports that 'app.update.enabled' is set to false. This
> > > is set on startup.
> > > 
> > > This is a problem, because as I mentioned people may use, concurrently
> > > or later, an official version of Firefox. In this case, Firefox will
> > > disable security update checks as directed, and thus Firefox won't be
> > > upgraded when there's a security fix. People may work several months
> > > without being notified about a security hole in their Firefox.
> > > 
> > > The fact Iceweasel disables upstream security update checks is normal,
> > > because Debian (not upstream) provides those. However it's a mistake
> > > to disable that in the configuration, because this impacts other
> > > versions of Firefox that do use those checks.
> > > 
> > > So please don't alter 'app.update.enabled' and other settings, and
> > > disable Iceweasel upstream security updates checks using another
> > > method (e.g. by not compiling the related code, or by not using
> > > ~/.mozilla/firefox to store the iceweasel configuration).
> > 
> > Are you sure that when running firefox again, the config value doesn't
> > go back to true? Because these are global configurations that are not
> > stored in user profile unless you modify them... So while running
> > iceweasel would disable app.update.enabled, running firefox should
> > re-enable it. Try resetting the config item (right-click -> reset, iirc)
> > and try switching between iceweasel and firefox.
> 
> Okay, it appears to be a "feature" of the locked preferences. With
> verbatim upstream firefox, the same can happen when using locked prefs.
> 
> I'll dive into the pref code to understand what's going on.

It looks related to https://bugzilla.mozilla.org/show_bug.cgi?id=330590.

Mike
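
A check for the condition reported in this thread, added here as an example and not code from the thread or from the Iceweasel/Firefox packaging: it lists the profiles whose stored preferences pin 'app.update.enabled' to false. It assumes the stored value appears as a `user_pref(...)` line in a `prefs.js` file inside each profile directory under ~/.mozilla/firefox; the profile names and contents below are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumed line format: user_pref("app.update.enabled", false);
USER_PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def persisted_prefs(text):
    """Return {name: raw_value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = USER_PREF.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def profiles_with_updates_disabled(root):
    """Names of profile directories under root that store app.update.enabled=false."""
    hits = []
    for prefs_js in sorted(Path(root).glob("*/prefs.js")):
        prefs = persisted_prefs(prefs_js.read_text(errors="replace"))
        if prefs.get("app.update.enabled") == "false":
            hits.append(prefs_js.parent.name)
    return hits


def build_sample(root):
    """Constructed sample: two made-up profiles, one with the pref stored."""
    samples = {
        "aaaa.default": 'user_pref("app.update.enabled", false);\n'
                        'user_pref("browser.startup.page", 3);\n',
        "bbbb.other": '// comment line, ignored by the parser\n'
                      'user_pref("browser.startup.page", 1);\n',
    }
    for name, body in samples.items():
        profile = Path(root) / name
        profile.mkdir(parents=True)
        (profile / "prefs.js").write_text(body)


if __name__ == "__main__":
    # Runs against the constructed sample; point it at ~/.mozilla/firefox
    # (the directory named in the report) to check a real account.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(profiles_with_updates_disabled(tmp))
```

A profile that shows up here while an upstream Firefox build shares it matches the situation described in the report: that build will skip its own update checks until the preference is reset.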


