[Secure-testing-team] Bug#512111: iceweasel: Iceweasel disable Firefox upgrade checks
Sylvain Beucler
beuc at beuc.net
Sat Jan 17 13:19:02 UTC 2009
Package: iceweasel
Version: 3.0.5-1
Severity: grave
Tags: security
Justification: user security hole
Since Debian stable is a "frozen" distro, it's not uncommon to install
the official Firefox binaries when the next version of Firefox is
released, and isn't packaged in stable or backported yet. I've also
seen that useful to fix browser detection (hotmail) or support
binary extensions (probably to avoid stdlibc++ 5/6 discrepancies).
Anyway, when Iceweasel is started, it silently disables the security
update checks in the configuration.
"about:config" reports that 'app.update.enabled' is set to false. This
is set on startup.
This is a problem, because as I mentioned people may use, concurrently
or later, an official version of Firefox. In this case, Firefox will
disable security update checks as directed, and thus Firefox won't be
upgraded when there's a security fix. People may work several months
without being notified about a security hole in their Firefox.
The fact Iceweasel disables upstream security update checks is normal,
because Debian (not upstream) provides those. However it's a mistake
to disable that in the configuration, because this impacts other
versions of Firefox that do use those checks.
So please don't alter 'app.update.enabled' and other settings, and
disable Iceweasel upstream security updates checks using another
method (e.g. by not compiling the related code, or by not using
~/.mozilla/firefox to store the iceweasel configuration).
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing'), (300, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages iceweasel depends on:
ii debianutils 2.30 Miscellaneous utilities specific t
ii fontconfig 2.6.0-3 generic font configuration library
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgcc1 1:4.3.2-1.1 GCC support library
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libnspr4-0d 4.7.1-4 NetScape Portable Runtime Library
ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
ii procps 1:3.2.7-9 /proc file system utilities
ii psmisc 22.6-1 Utilities that use the proc filesy
ii xulrunner-1.9 1.9.0.5-1 XUL + XPCOM application runner
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
pn latex-xft-fonts <none> (no description available)
ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
pn mozplugger <none> (no description available)
pn ttf-mathematica4.1 <none> (no description available)
pn xfonts-mathml <none> (no description available)
pn xprint <none> (no description available)
ii xulrunner-1.9-gnome-s 1.9.0.5-1 Support for GNOME in xulrunner app
-- no debconf information
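As an added check (not part of the report or of the iceweasel package), a small Python script that parses a profile's prefs.js and reports whether 'app.update.enabled' has been forced to false, so a user sharing ~/.mozilla/firefox between Iceweasel and official Firefox binaries can spot the disabled update checks. The sample prefs.js content is constructed; the profile scan assumes the default ~/.mozilla/firefox/<profile>/prefs.js layout.

```python
import re
from pathlib import Path

# Constructed sample of a prefs.js written by Iceweasel (not taken from a real profile).
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# Matches one user_pref("key", value); line; value is a JS literal (true/false/number/"string").
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js text into a dict, converting bool/int/string literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a user_pref()
        key, raw = m.groups()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif raw.startswith('"') and raw.endswith('"'):
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw  # leave unknown literals as-is
        prefs[key] = val
    return prefs


def update_checks_disabled(prefs):
    """True only when app.update.enabled is explicitly set to false in the profile."""
    return prefs.get("app.update.enabled") is False


def audit_profiles(base=Path.home() / ".mozilla" / "firefox"):
    """Map each profile's prefs.js path to whether it has update checks disabled."""
    results = {}
    for prefs_file in Path(base).glob("*/prefs.js"):
        results[str(prefs_file)] = update_checks_disabled(
            parse_prefs(prefs_file.read_text(encoding="utf-8", errors="replace")))
    return results


if __name__ == "__main__":
    for path, disabled in audit_profiles().items():
        print(f"{path}: app.update.enabled forced to false" if disabled else f"{path}: ok")
```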