Re: [OpenIndiana-discuss] Firefox security

2012-11-19 Thread Jonathan Adams
On 19 November 2012 00:37, bscuk2 bsc...@gmail.com wrote:
> Has anyone considered lightspark as a substitute for flash on Oi?


If we're looking at incomplete solutions, have you taken a look at:
https://github.com/mozilla/shumway

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] Firefox security

2012-11-19 Thread bscuk2
The latest Firefox releases do play HTML 5 format videos without the
need for flash, perhaps an argument to keep updated on Firefox.


On 19/11/2012 12:48, Jonathan Adams wrote:

> If we're looking at incomplete solutions, have you taken a look at:
> https://github.com/mozilla/shumway




Re: [OpenIndiana-discuss] Firefox security

2012-11-19 Thread cpforum

> Message of 19/11/12 14:25
> From: bscuk2
> To: Discussion list for OpenIndiana
> Cc:
> Subject: Re: [OpenIndiana-discuss] Firefox security
>
> The latest Firefox releases do play HTML 5 format videos without the
> need for flash, perhaps an argument to keep updated on Firefox.


Yes, the latest Firefox releases (not the 3.6.X OpenIndiana one) can play HTML 5 video.
In 2014 or 2016 we will probably no longer need FlashPlayer. However, today
a browser without Flash has a broken leg.

Oracle recently retired Flash from Solaris 10/11 but the Solaris 11.1 Firefox
release is 10.0.6esr.

C.P.



> On 19/11/2012 12:48, Jonathan Adams wrote:
> > If we're looking at incomplete solutions, have you taken a look at:
> > https://github.com/mozilla/shumway
 


Re: [OpenIndiana-discuss] Firefox security

2012-11-19 Thread Gary
On Mon, Nov 19, 2012 at 11:57 AM, cpforum cpfo...@orange.fr wrote:

> However today a browser without Flash has a broken leg.


I and a few hundred thousand Bloons players whole-heartedly agree. ;)


Re: [OpenIndiana-discuss] Firefox security

2012-11-19 Thread cpforum
Latest stable extended support release is now 10.0.11esr:

ftp://ftp.mozilla.org/pub/firefox/releases/10.0.11esr/contrib/solaris_pkgadd/

For localisation, download the Linux xpi extension here:

ftp://ftp.mozilla.org/pub/firefox/releases/10.0.11esr/linux-i686/xpi/

You have to activate the language extension xx.xpi by using the about:config
configuration url.

For French, download the Linux fr.xpi, accept the install and restart firefox.
Then go to the about:config menu, change the general.useragent.locale
variable from en to fr and restart firefox.

If you want the latest HTML5 features, choose 16.0.2:

ftp://ftp.mozilla.org/pub/firefox/releases/16.0.2/contrib/solaris_pkgadd/

For localisation go to Linux:

ftp://ftp.mozilla.org/pub/firefox/releases/16.0.2/linux-i686/xpi/

If initial Mozilla planning is maintained, next 17.0.3 release should become
the next esr.




> Message of 19/11/12 21:06
> From: Gary
> To: Discussion list for OpenIndiana
> Cc:
> Subject: Re: [OpenIndiana-discuss] Firefox security
>
> On Mon, Nov 19, 2012 at 11:57 AM, cpforum wrote:
>
> > However today a browser without Flash has a broken leg.
>
> I and a few hundred thousand Bloons players whole-heartedly agree. ;)


Re: [OpenIndiana-discuss] Firefox security

2012-11-18 Thread cpforum

> Message of 17/11/12 19:39
> From: Bob Friesenhahn
> To: Discussion list for OpenIndiana
> Cc:
> Subject: Re: [OpenIndiana-discuss] Firefox security
>
> On Sat, 17 Nov 2012, Gary Driggs wrote:
>
> > I see this question asked regularly... Generally speaking, the vast
> > majority of browser exploits in the wild target windows browsers or
> > their plugins like Java, Adobe Reader & Flash, or ActiveX. So even if
> > you're using one of those plugins with a Unix browser (of those
> > available), you're already protected since the exploits won't run on
> > your OS if they're even triggered in the first place. In my
>
> This might be true for x86 binary code but does not seem to apply to
> JavaScript or any other interpreter/VM embedded in the browser. Even
> with x86 binary code, it is possible that the code may be able to
> resolve and invoke a standard C library call (e.g. system()) in a way
> which works on both Solaris and Linux.
>
> The Flash plugin is not maintained for Solaris

True: Last Flash is 11.2.202 r223

> or Linux any more so security exploits will continue to build up.

Wrong: Linux Flash is frozen to 11.2 (Windows and Mac are 11.5 now) but
security updates for Linux Flash 11.2 are provided and current Linux release is
11.2.202 r 252.
Flash Solaris is frozen to r 223.

The problem with OpenIndiana Desktop is the time. OI Desktop is more and more
insecure (no update). Firefox, Java and Thunderbird are very old releases.
Gnome Desktop is not maintained and applications like OpenOffice, Flash, Adobe
Reader, etc. are 2 or 3 years old with a lot of known security holes. If you
want a fresh Firefox (16.0.2), Thunderbird, Java, etc., go to this link (French
locale):

http://ossi.pagesperso-orange.fr/OS/openindiana_links.html

C.P.



Re: [OpenIndiana-discuss] Firefox security

2012-11-18 Thread Jim Klimov

On 2012-11-18 18:00, cpforum wrote:

> Firefox, Java and Thunderbird are very old releases. Gnome Desktop is not
> maintained and applications like OpenOffice, Flash, Adobe Reader, etc. are 2 or
> 3 years old with a lot of known security holes.


Speaking of which: some of these projects are opensource, others
are proprietary - even if distributed by authors for free.

Is there any lineup of such products as Java, Adobe Reader and
Flash, OpenOffice or its more current descendants, Mozilla stuff,
VirtualBox (GPL half, at least) - what may be redistributed how?

For example, whenever a new JDK/JRE comes out, can we publish its
files into the OI IPS repo as a new version of the appropriate
package, or the license states that the end-user must download
the software from original vendor's site (like in VBox PUEL)?

I don't think it is a fundamental problem to fire up a repository
of third-party software which would suck in and republish as IPS
the tarballs and packages made by other projects (like Mozilla,
Java, VirtualBox, etc.etc.etc.) - if we know we're not to be sued
for making such a repo. Possibly this can be done as part of the
existing SFE or SFE-encumbered repos (skipping the manual build
part by the repo maintainer)?

For projects with well standardized releases, sucking-in of the new
versions can be quite automated (similar to spec files or recipes
in the userland gate), and end-users would have a simple automated
means of receiving the new software in a timely manner...

My 2c,
//Jim




Re: [OpenIndiana-discuss] Firefox security

2012-11-18 Thread bscuk2

Has anyone considered lightspark as a substitute for flash on Oi?

On 18/11/2012 18:19, Jim Klimov wrote:

> On 2012-11-18 18:00, cpforum wrote:
> > Firefox, Java and Thunderbird are very old releases. Gnome Desktop is
> > not maintained and applications like OpenOffice, Flash, Adobe Reader,
> > etc. are 2 or 3 years old with a lot of known security holes.
>
> Speaking of which: some of these projects are opensource, others
> are proprietary - even if distributed by authors for free.
>
> Is there any lineup of such products as Java, Adobe Reader and
> Flash, OpenOffice or its more current descendants, Mozilla stuff,
> VirtualBox (GPL half, at least) - what may be redistributed how?
>
> For example, whenever a new JDK/JRE comes out, can we publish its
> files into the OI IPS repo as a new version of the appropriate
> package, or the license states that the end-user must download
> the software from original vendor's site (like in VBox PUEL)?
>
> I don't think it is a fundamental problem to fire up a repository
> of third-party software which would suck in and republish as IPS
> the tarballs and packages made by other projects (like Mozilla,
> Java, VirtualBox, etc.etc.etc.) - if we know we're not to be sued
> for making such a repo. Possibly this can be done as part of the
> existing SFE or SFE-encumbered repos (skipping the manual build
> part by the repo maintainer)?
>
> For projects with well standardized releases, sucking-in of the new
> versions can be quite automated (similar to spec files or recipes
> in the userland gate), and end-users would have a simple automated
> means of receiving the new software in a timely manner...
>
> My 2c,
> //Jim




Re: [OpenIndiana-discuss] Firefox security

2012-11-17 Thread Gary Driggs
I see this question asked regularly... Generally speaking, the vast
majority of browser exploits in the wild target Windows browsers or
their plugins like Java, Adobe Reader & Flash, or ActiveX. So even if
you're using one of those plugins with a Unix browser (of those
available), you're already protected since the exploits won't run on
your OS if they're even triggered in the first place. In my
experience, I've seen some malware for Android and OS X but there have
been maybe a handful of barely mentionable Linux malware over the
years. So your choice of OS alone has drastically limited your risk
footprint. In my mind, the most compelling reason for maintaining
current versions of Firefox on Solaris & Illumos/OI derivatives is for
feature parity.

-Gary



Re: [OpenIndiana-discuss] Firefox security

2012-11-17 Thread Bob Friesenhahn

On Sat, 17 Nov 2012, Gary Driggs wrote:


> I see this question asked regularly... Generally speaking, the vast
> majority of browser exploits in the wild target Windows browsers or
> their plugins like Java, Adobe Reader & Flash, or ActiveX. So even if
> you're using one of those plugins with a Unix browser (of those
> available), you're already protected since the exploits won't run on
> your OS if they're even triggered in the first place. In my


This might be true for x86 binary code but does not seem to apply to 
JavaScript or any other interpreter/VM embedded in the browser.  Even 
with x86 binary code, it is possible that the code may be able to 
resolve and invoke a standard C library call (e.g. system()) in a way 
which works on both Solaris and Linux.


The Flash plugin is not maintained for Solaris or Linux any more so 
security exploits will continue to build up.


There is little doubt that the chance of being exploited is much less 
with Solaris since the desktop user base is so small, it is not cost 
effective to target it.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/



Re: [OpenIndiana-discuss] Firefox security

2012-11-17 Thread Gary Driggs
On Nov 17, 2012, at 10:39 AM, Bob Friesenhahn
bfrie...@simple.dallas.tx.us wrote:

> Even with x86 binary code, it is possible that the code may be able to
> resolve and invoke a standard C library call (e.g. system()) in a way which
> works on both Solaris and Linux.

I've not seen any code that bothers. Most JavaScript lately tends to
be for delivering a payload to v



Re: [OpenIndiana-discuss] Firefox security

2012-11-17 Thread Gary Driggs
On Nov 17, 2012, at 10:39 AM, Bob Friesenhahn
bfrie...@simple.dallas.tx.us wrote:

> Even with x86 binary code, it is possible that the code may be able to
> resolve and invoke a standard C library call (e.g. system()) in a way which
> works on both Solaris and Linux.

The JavaScript I've seen most of lately is designed to iteratively
check for vulnerable plugins & deliver a payload based on what's
available. OS X & Android are the biggest unix targets to date as
their user populations are much bigger and less savvy.

-Gary
