>>> On 8/1/2012 at 01:07 PM, "Srivastava, Sagar" <[email protected]> wrote:
> Good afternoon all,
>
> We run Nessus security scans on our zLINUX images - SLES11 SP1 and SP2.
> Our security team found that we have an old Firefox version
> (MozillaFirefox-10.0.2-0.4.1) installed with critical security
> vulnerabilities. I didn't install Firefox but even on the minimum
> install, it gets installed in /usr/lib64/firefox/ as I understand.

That is not correct. If you select one or both of the graphical desktops (along with X11) to be installed, Firefox is part of the default selections for those. (And why would that be done anyway? Waste of CPU, memory, and network bandwidth.) You can still de-select it if that is desired. It is most definitely not part of a minimal install. The minimal install has barely enough packages selected to allow you to keep the system updated, or to install more packages.

> SLES11 SP1 has MozillaFirefox-10.0.2-0.4.1 (I can erase the package but
> don't know of the consequences yet)
>
> I do notice that it gets upgraded to just MozillaFirefox-10.0.6-0.4.1
> in SLES11 SP2 update and latest patches but that's it. It is far from
> the recent version of Firefox v 14.0.1 and vulnerabilities will always
> be there on this, even though we are aggressive on patch updates
> through our constantly syncing SMT servers.

This is part of the concept of having an Enterprise Linux distribution, and shows the weaknesses of just about every so-called security scanner in existence. As much as possible, package versions are not changed across the life of the platform version. Security fixes and bug fixes are provided to the version included in the distribution. These can be either backported from newer versions of the software, or created by developers within the distribution provider itself. Examination of the package's changelog (rpm -q --changelog) should indicate whether or not a fix has been included. Simply looking at version numbers isn't sufficient, which is all that Nessus and other scanners do. In other words, they're broken as designed. Opening a bug report with the vendor would be in order, except it's most likely a waste of time. (I find it aggravating that this problem has existed since SLES7 and RHEL 3 first came out, and none of the ISVs seem inclined to address it.)

> The question is:
>
> 1) Is Firefox an integral part of the OS library (i.e. do they use the SSL
> trust cert repository etc. for the OS etc. - my guess)?

No.

> 2) can we delete it safely ?

Yes, and KDE and GNOME along with it.

> 3) any other way to keep it MORE updated without breaking anything?

Nope, you're in good shape.


Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
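The changelog check Mark Post describes above (read `rpm -q --changelog` for the package instead of comparing upstream version numbers the way the scanner does), worked through as an added example. This is not code from the original mail, from SUSE or from Nessus. The function names `changelog_has_id`, `changelog_list_ids`, `pkg_fixes_id` and `sample_changelog` are chosen here; the sample changelog, its dates, the packager address and the `CVE-0000-000N` strings are constructed placeholders, not real advisories. The only assumption about rpm is the changelog layout it prints: a `* <date> <packager>` header per entry, newest first, followed by `- ` detail lines.

```shell
#!/bin/sh
# Added example, not from the original mail or from SUSE: check whether a
# package's rpm changelog records a fix for a given identifier, which is the
# question a scanner's version comparison cannot answer.
# Assumes the `rpm -q --changelog` layout: one "* <date> <packager>" header
# per entry (newest first) followed by "- " detail lines.

# changelog_has_id ID: read a changelog on stdin, print the header of the
# newest entry that mentions ID and return 0; print nothing, return 1 if none.
changelog_has_id() {
    awk -v id="$1" '
        /^\* /                  { header = $0; next }
        !found && index($0, id) { print header; found = 1 }
        END                     { exit found ? 0 : 1 }
    '
}

# changelog_list_ids: print every CVE-style identifier in the changelog,
# deduplicated, so you can see what the packager claims to have fixed.
changelog_list_ids() {
    awk '{
        line = $0
        while (match(line, /CVE-[0-9]+-[0-9]+/)) {
            print substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
        }
    }' | sort -u
}

# pkg_fixes_id PACKAGE ID: the live check against the installed package.
# Not run in this file because it needs rpm; on the SLES image you would
# call it as, for example, `pkg_fixes_id MozillaFirefox CVE-...`.
pkg_fixes_id() {
    rpm -q --changelog "$1" | changelog_has_id "$2"
}

# Constructed sample changelog. Dates, packager address and the
# CVE-0000-000N strings are placeholders, not real advisories.
sample_changelog() {
    cat <<'EOF'
* Wed Jul 18 2012 packager@example.com
- update to 10.0.6 ESR
- fixes CVE-0000-0002 (placeholder identifier)
* Mon Apr 30 2012 packager@example.com
- backport upstream fix for CVE-0000-0001 (placeholder identifier)
- spec file cleanup
EOF
}

# Stand-alone demonstration on the constructed sample.
if hdr=$(sample_changelog | changelog_has_id CVE-0000-0001); then
    echo "CVE-0000-0001: fixed, see entry: $hdr"
fi
if ! sample_changelog | changelog_has_id CVE-0000-0003 >/dev/null; then
    echo "CVE-0000-0003: not mentioned in changelog (check the vendor advisory)"
fi
echo "identifiers mentioned: $(sample_changelog | changelog_list_ids | tr '\n' ' ')"
```

On a real image, `pkg_fixes_id MozillaFirefox <id>` gives the answer for the installed package and `rpm -q --changelog MozillaFirefox | changelog_list_ids` shows everything the packager recorded. One caveat: the changelog only proves what the packager wrote down. An identifier that is absent may still be fixed under a vendor bug number or a bulk "security update" entry, so a miss here is a prompt to read the vendor's advisory for that package, not a finding on its own.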
