> We run Nessus security scans on our zLINUX images - SLES11 SP1 and SP2.
> Our security team found that we have Firefox old version
> (MozillaFirefox-10.0.2-0.4.1) installed with critical security
> vulnerabilities. I didn't install Firefox but even on the minimum
> install, it gets installed in /usr/lib64/firefox/ as I understand.

Have someone qualified run and analyse the scans. The questions you are asking indicate to me that you are probably not deploying the correct expertise.

> The question is:
>
> 1) Is Firefox an integral part of the OS library (i.e. do they use the SSL
> trust cert repository etc. for the OS etc. - my guess)?
>
> 2) Can we delete it safely?
>
> 3) Any other way to keep it MORE updated without breaking anything?

The question is none of those. The question is 'What CVE numbers are the flaws being logged under, and does your vendor release have those fixed according to the changelog and their security statements?'

Don't do security by version numbers, it's broken, and anybody who simply says "oh you've got release X, it must be busted" isn't properly trained to use the tools IMHO and shouldn't be doing the job. Security is important, doing it right is important. Learning to do the basics right is not that hard.

Enterprise vendors add fixes to old versions to minimise the risk of other destabilizing changes. That is much of their entire business model.

Alan

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
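Alan's point, that a backported fix shows up in the vendor package's changelog rather than in the upstream version number, can be checked directly on the box. The script below is an added example, not code from this thread or from SUSE. It assumes the package name MozillaFirefox from the thread; when run with `--live` it reads the installed package's changelog with `rpm -q --changelog`, and otherwise it runs against a constructed changelog sample whose CVE ids (CVE-0000-xxxx) are placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example (not from the LINUX-390 thread or from SUSE): decide whether a
# vendor package carries a fix for a given CVE by reading the RPM changelog,
# instead of judging by the upstream version string Nessus reports.

# Print every CVE id mentioned in a changelog text, one per line, de-duplicated.
changelog_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if changelog text $1 mentions CVE id $2 as a whole token, else 1.
# The surrounding [^0-9] guards stop CVE-0000-1111 matching CVE-0000-11111.
cve_fixed_in_changelog() {
    printf '%s\n' "$1" | grep -qE "(^|[^0-9])$2([^0-9]|$)"
}

# Changelog of an installed package via rpm; fails if rpm or the package is absent.
installed_changelog() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --changelog "$1" 2>/dev/null
}

# For each CVE id given after the changelog text, print fixed:/missing: lines.
report() {
    changelog=$1
    shift
    for cve in "$@"; do
        if cve_fixed_in_changelog "$changelog" "$cve"; then
            echo "fixed:   $cve"
        else
            echo "missing: $cve"
        fi
    done
}

# Constructed sample in rpm --changelog layout; the CVE ids are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 02 2012 packager@example.com
- security update to 10.0.2
  * CVE-0000-1111 use-after-free in layout engine (placeholder id)
  * CVE-0000-2222 heap overflow in image decoder (placeholder id)
* Thu Dec 01 2011 packager@example.com
- initial package'

if [ "${1:-}" = "--live" ]; then
    # Real run: ./check.sh --live CVE-... CVE-...   (ids come from the scan report)
    shift
    log=$(installed_changelog MozillaFirefox) \
        || { echo "rpm or MozillaFirefox not available on this host"; exit 1; }
    report "$log" "$@"
else
    # Offline demonstration on the constructed sample: one fixed, one missing.
    report "$SAMPLE_CHANGELOG" CVE-0000-1111 CVE-0000-3333
fi
```

A CVE listed in the scan report but absent from the changelog is the finding worth raising with the vendor; one that is present is a false positive of version-based matching. For the "can we delete it safely" part of the question, `rpm -e --test MozillaFirefox` reports which installed packages depend on it without removing anything.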
