Yesterday, mozillaZine announced the release of Firefox 1.0.1: http://www.mozillazine.org/talkback.html?article=6129

Not yet available in all the languages that 1.0 shipped in, version 1.0.1 can nevertheless be found in French at the following address:
http://www.mozilla.org/products/firefox/all.html

But let's take a closer look at this release and the fixes it brings:
http://www.squarefree.com/burningedge/releases/1.0.1.html

Security hole fixes

  • 22183 - Display hostname in title bar when address bar is hidden, to reduce the impact of the fact that web sites are allowed to spoof address bars.
  • 260560 - Security and download dialogs can be spoofed by covering them partially using popup windows.
  • 262887 - Secunia background tab security issues (SA12712).
  • 273699 - 2 Frame Injection Vulnerabilities (popup blocking race condition & onunload event mis-firing).
  • 275417 - Download dialog source spoofing (SA13599).
  • 279945 - Image drag and drop allows to create executable files.
  • 280056 - When dropping a javascript link to a tab, the script runs in the security context of the site currently displayed in the tab.
  • 280603 - "New Updates Avail" popup in bottom right-hand corner pops up endlessly / excessive hits on update service.
  • 280664 - Using Flash and the -moz-opacity filter you can get access to about:config and make the user silently change values.
  • 282270 - Display IDN URLs as punycode by default (controlled by a hidden pref).

More security holes fixed in Firefox 1.0.1 will be made public after Firefox 1.0.1 is released. The most serious holes will be listed on the known-vulnerabilities page.

Notable bug fixes

  • 229706 - Unattended install asks for installation folder.
  • 233625 - Uninstalling deleted non-Firefox folders (after installing to C:\Program Files\).
  • 98564 - Caret overlaps the last character in textfield (if positioned after the last char).
  • 271473 - Decouple services on update.mozilla.org.
  • 280603 - "New Updates Avail" popup in bottom right-hand corner pops up endlessly / excessive hits on update service.
  • 236596 - Form element cannot get focus when loaded by XML/XSLT page.
  • 262822 - FIPS can't be enabled.
  • 261934 - Regression: network.standard-url.encode.utf8 and network.enableIDN prefs are ignored.
  • 242845 - [Mac] Firefox disk image should use .dmg internal zlib-compression, not .dmg.gz.
  • 180309 - [Linux] Crash while loading page with MS .fon font.

I'm glad to see that the spoofing of the Download Dialog Box has been fixed, but I remain puzzled by the announcement about disclosing the other security bugs once the release is out ... i.e.: "More security holes fixed in Firefox 1.0.1 will be made public after Firefox 1.0.1 is released"

One would think that some vulnerabilities must not be disclosed until the 25 million users who downloaded 1.0 have moved to 1.0.1 ...

Aurelien
Member of WygTeam