On Fri, 18 Aug 2017, ToddAndMargo wrote:

> On 08/17/2017 01:03 PM, David Sommerseth wrote:
>> On 17/08/17 18:33, ToddAndMargo wrote:
>>> On 08/17/2017 09:23 AM, ToddAndMargo wrote:
>>>> Mozilla Firefox 55 source tarball

>>> The latest is 52 in sl-testing:
>>>
>>> firefox-52.3.0-2.el7_4.i686 : Mozilla Firefox Web browser
>>> Repo        : sl-testing


>>> I have to be up to date, especially with me doing PCI
>>> (credit card) consulting.
>>>
>>> SL has really become a bad match for what I am doing.
>>> I really should be on a Kaizen OS, not an
>>> anti-Kaizen OS, but I can not afford the
>>> cost of an upgrade to Fedora due to the
>>> never ending recession.  So I mumble a lot.

>> You do realise that firefox-52 packaged for SL7 is the Firefox ESR edition?
>> <https://www.mozilla.org/en-US/firefox/organizations/faq/>

> Yes I do.  All bugs and security flaws frozen in place for those
> that don't like to upgrade their software and those that get
> tired of having to respin an RPM every month or so due
> to the rapid pace of Firefox's development.  EL Linux
> is an anti-Kaizen OS and Red Hat gets CRABBY about having
> to update things and often does not.

Red Hat are fairly quick at releasing the six-weekly updates to ESR - IIRC 2 days after Mozilla for 52.3 (SL took almost a week after that).

>> Even though it's a while since I've looked at the PCI-DSS stuff, I
>> do not ever recall it requiring specific versions of software.

> I required that you be up to date on all your software.
> On the Windows side, I run Kaspersky's "vulnerability Scan"
> which looks at all your installed software and lets you know
> what is out of date (Acrobat Reader, Java, Firefox,
> etc.).  Without Kaspersky, I'd have to go through each
> program one at a time, which is a pain in the neck.

>> I do remember it saying something about running up-to-date OS and
>> applications though.  Firefox ESR releases are the browser equivalent to
>> "Enterprise Linux". So ESR releases should really fit the bill for PCI-DSS.

> On an EL Linux install only.  On Windows, no one will put up
> with all the bugs and missing features.  This is why I have
> to stay current.

> The ESR would probably get you off the hook liability wise,
> but since PCI is not about security, but rather about liability
> shifting, if you get hacked, the lawyers could make a case that
> you knowingly used a version of Firefox with known security flaws.
>
> The lawyers are trying to make the case that you should have to
> pick up the financial liability for all the costs of the breach.
> It could be argued back that the ESR slipstreams security
> patches into its release, but it would be counter-argued that
> in reality, they seldom do.

https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/
lists 17 security fixes in ESR 52.3
(OK, the equivalent page for firefox 55 lists more fixes
but they may be fixing bugs in new code.)

More generally compare the advisories listed in
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
and
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

If you need to worry that much about the lawyers,
shouldn't you be paying Red Hat and keeping up to date with their
recommendations?

More significantly, perhaps you shouldn't run a browser (or a mail reader) on the same machine as the credit-card handling ...

> Until I get this figured out, I have been using weird old Midori.
> Maybe I will go to the dark side and install Chromium.
>
> Do you know any way to uninstall the recent updates that
> caused this?

I'd try
        yum downgrade firefox-52.2.0
or
        yum downgrade firefox-45.8.0

- just like yum update but it works even when a newer version is
currently installed.
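The thread turns on knowing whether what is installed is behind a required minimum (the "vulnerability scan" idea, applied to package strings like the `firefox-52.3.0-2.el7_4.i686` line quoted above). The script below is an added example, not part of the list thread or of any SL tooling: it parses RPM `NAME-VERSION-RELEASE.ARCH` strings with POSIX shell parameter expansion and flags any package whose version is below a minimum table. The firefox minimum of 52.3.0 follows the thread (ESR 52.3 carries the mfsa2017-19 fixes); the other minimum, the package names in the "installed" list and their release fields are constructed sample data, not taken from any real host.

```shell
#!/bin/sh
# Added example: report installed RPMs whose VERSION is below a required minimum.
# Input format is the NAME-VERSION-RELEASE.ARCH string printed by "yum list" / "rpm -qa".

# Split "firefox-52.3.0-2.el7_4.i686" into "firefox 52.3.0 2.el7_4 i686".
# Package names may themselves contain dashes (java-1.8.0-openjdk), so split
# from the right: the last dash field is RELEASE.ARCH, the one before it VERSION.
parse_nevra() {
    pkg=$1
    relarch=${pkg##*-}            # "2.el7_4.i686"
    rest=${pkg%-*}                # "firefox-52.3.0"
    version=${rest##*-}           # "52.3.0"
    name=${rest%-*}               # "firefox"
    arch=${relarch##*.}           # "i686"
    release=${relarch%.*}         # "2.el7_4"
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# True (exit 0) if version $1 is older than $2, using natural version order,
# so 52.10.0 sorts after 52.3.0 instead of before it as a plain string compare would.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read installed NEVRA strings (one per line) on stdin; $1 is a file of
# "name minversion" lines. Print "name installed minimum" for each package
# below its minimum and return the number of findings (0 = all current).
# Packages with no entry in the table are skipped.
check_outdated() {
    minimums=$1
    findings=0
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        set -- $(parse_nevra "$pkg")
        name=$1; version=$2
        min=$(awk -v n="$name" '$1 == n { print $2 }' "$minimums")
        [ -n "$min" ] || continue
        if version_lt "$version" "$min"; then
            printf '%s %s %s\n' "$name" "$version" "$min"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed minimum table. firefox 52.3.0 is the ESR carrying the
# mfsa2017-19 fixes discussed in the thread; the java entry is a made-up sample.
MIN_TABLE=$(mktemp)
trap 'rm -f "$MIN_TABLE"' EXIT
cat > "$MIN_TABLE" <<'EOF'
firefox 52.3.0
java-1.8.0-openjdk 1.8.0.141
EOF

# Constructed sample of what "rpm -qa" might print on such a host
# (release fields are invented). Replace with: rpm -qa | check_outdated "$MIN_TABLE"
INSTALLED='firefox-52.2.0-1.el7.i686
java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64
midori-0.5.11-1.el7.x86_64'

printf '%s\n' "$INSTALLED" | check_outdated "$MIN_TABLE" \
    || echo "$? package(s) behind the minimum version"
```

Only the version field is compared; the release field (`2.el7_4`) is where a distribution backports fixes without bumping the upstream version, so on a real host the table would need release-aware minimums (or `rpm`'s own comparison) for packages other than a browser that tracks upstream version numbers directly.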
