Our policy is not to publicly discuss vulnerabilities that aren't 
publicly known already until major vendors (Netscape being the primary 
one) have shipped fixed versions. Other than the XMLHttpRequest bug, the 
only Mozilla bug I'm aware of that was publicly disclosed was the cookie 
vulnerability that was published to Bugtraq yesterday. We can see about 
adding this one to the vulnerabilities page if you like. Aside from 
that, I will be removing the security flag from a bunch of bugs and 
adding them to that page *after* we ship NS7.
            -Mitch

Boris Zbarsky wrote:

> I was just looking at the known vulnerabilities page[1] to see what it 
> had on it....  And the only thing it has is the XMLHttpRequest 
> vulnerability that was such a big deal this past spring.  At the time, 
> there were promises made to actually update this page with security 
> vulnerabilities when those became known and whatnot....
>
> Now I know for a fact that there have been security vulnerabilities 
> identified and fixed since then.  Some of these have been publicly 
> reported on BugTraq and the like.  So my question is, "Why are these 
> security vulnerabilities not listed on the security vulnerabilities 
> page?"
>
> I feel that we are doing a grave disservice to our users, who may want 
> to know if there is a security vulnerability in 1.1a, say, that is 
> fixed in 1.1b.....
>
> [1] http://www.mozilla.org/projects/security/known-vulnerabilities.html
>


-- 
---------------------
Mitchell Stoltz
Netscape Client Security & Privacy
(650)937-2437
[EMAIL PROTECTED]
PGP Fingerprint:
3164 B077 479F 9C5B 17B8
4A2B 6E22 CD7C 35A2 95DD
---------------------
