On Mozilla-* updates


Re: On Mozilla-* updates

Alexander Sack-7
Adeodato Simó wrote:

> * Alexander Sack [Mon, 01 Aug 2005 13:25:42 +0200]:
>
>
>>since you are a member of the mozilla security team, what are your experiences?
>>Have you ever tried to work with them to improve their security process? What
>>was the outcome? What were the problems?
>
>
>   Assuming you meant s/mozilla/ubuntu/ above:
>
>     http://lists.debian.org/debian-devel/2005/07/msg01586.html
>     http://lists.debian.org/debian-devel/2005/08/msg00012.html
>

No, I meant Matt is our mozilla security delegate:

http://www.mozilla.org/projects/security/secgrouplist.html

Cheers,
--
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 [hidden email]           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org/


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: On Mozilla-* updates

Florian Weimer
In reply to this post by Geoff Crompton
* Geoff Crompton:

>>
>> For these packages, help and/or advice is appreciated.
>>
>
> Can we try to get a DD involved in the mozilla security team? Presumably
> when they become aware of a security issue, there is some discussion
> about the problem and how to fix it. Access at this level may make it
> possible to identify in the code where the problems are.

Maybe the Mozilla Foundation doesn't *want* isolated patches to be
published because they make it easier to understand the bug and write
exploits?  Do we know for sure that they don't publish separate
patches because of lack of time or interest?

(This is not as crazy as it sounds.  Microsoft pushes out additional
code changes along with security updates to make the task for BinDiff
harder.)



Re: On Mozilla-* updates

Ben Bucksch
In reply to this post by Joey Schulze
Hi Martin,

thanks for raising this publicly. Sorry if I sound provocative here,
but this discussion has a history for me. As I have been saying for several years,
the only practical way for Debian to stay up-to-date with Mozilla
security updates is to stay current with the latest "stable" release.

For Mozilla SeaMonkey, this means you shipped Mozilla 1.7.6 or whatever
was current with Sarge and by now already distribute Mozilla 1.7.11 debs
on security.debian.org.

Moz 1.7.11 has been in cvs for a few days, so enough time to prepare ("a
few days" from patch to end-user is all you get in the security world,
and it's doable). It implies that you keep a close eye on what's
happening at mozilla.org - if you see the announcement at
www.mozilla.org, it's already too late. To facilitate cooperation, I have
invited the Debian security people to the Mozilla security team long
ago, with no result.

I personally maintain 1 or 2 browsers intended for the mass-market on
all platforms based on Mozilla 1.7, and the source code changes in the
releases were indeed very small, and close to (or at) the minimum
possible to fix the security holes. Updates were surprisingly painless.

In one case (1.7.7), they did break some functionality, but that was
inherent to the security update, because the "API" (a certain, obscure
way to use JavaScript in combination with the DOM) was insecure and I
don't think ever intended. As was visible on blogs, the mozilla security
was very much trying to find a solution that wouldn't break things. That
said, I had no problems at all with our code (although I expected lots).
What's more important, everything that *did* break most likely had a
security hole itself, so arguably *should* break and not be used anymore.

So, basically, you can't *always* keep things running as they were and
still be secure. As far as I'm concerned, the tradeoff is clear: An insecure
system is completely unacceptable, and not usable *at all*. So given the
choice of some extensions breaking and having gaping security holes,
there's IMHO only one choice. What I'm getting at is that you *cannot*
maintain your stance of "we'll never break or change anything noticeable
in a stable release for 3 years". If a user wants that, he should cut
all network connections and never update.

I'm speaking mainly about SeaMonkey, I can't speak about Firefox and
Thunderbird, esp. once they hit 1.5. What's hurting you in this case is
the ultra-long release cycle of Debian stable. The problem you are
*then* facing with backporting security fixes is the same that the
mozilla security team would face - very often, it's unjustifiably
time-consuming. As far as I know, caillon from and for Redhat (also a
Mozilla contributor) is doing that, or at least used to, with Mozilla
1.6. Maybe talk to him? But be prepared: this means real work.

But that's not the problem right now. What's wrong with just shipping
Firefox and Thunderbird 1.0.6? Frankly, that's what they are meant for.
The patches *are* backported from the trunk to 1.0.x for you. And using
a different version number only confuses users (who check their
vulnerability) and extensions.

Concretely, I don't understand what you base your introduction on:

> it seems that less than two months after the release of sarge it is
> not possible to support Mozilla, Thunderbird, Firefox ... packages
> anymore. (in terms of fixing security related problems)

What hard reasons are there that prevent you from shipping Firefox 1.0.6
and Mozilla 1.7.11 right now?

In the end, though, you have to drop the idea of keeping everything
as-is, with no user-noticeable changes, for 3 years. You have to lose your
current ideas and put security first. (I'm not including freedom etc.
here :-) .)

I am more than willing to help establish cooperation between Debian and
mozilla.org, if there's interest.

--
Ben Bucksch
If replying privately, please remove ".news".



Re: On Mozilla-* updates

Matt Zimmerman
In reply to this post by Jan Luehr-10
On Mon, Aug 01, 2005 at 09:55:03AM +0200, Jan Luehr wrote:
> Have I said so? I've tried to point out that Debian is "a universal
> operating system" - as proclaimed on the homepage.
> So at least here is a common consensus for the purpose of debian.

In fact there is a controversy over that label. ;-)

> If I recommend to use another operating system for a more special purpose,
> what's wrong here?

There's nothing wrong with recommending something else, but please be
careful with how you do this.  The message should be "also consider <foo>",
not "don't use Debian because <foo> exists".

(if there is a need to continue this thread, please follow up to a more
appropriate mailing list)

--
 - mdz



Re: On Mozilla-* updates

Matt Zimmerman
In reply to this post by Alexander Sack-7
On Mon, Aug 01, 2005 at 03:11:05PM +0200, Alexander Sack wrote:

> Adeodato Simó wrote:
> >   Assuming you meant s/mozilla/ubuntu/ above:
> >
> >     http://lists.debian.org/debian-devel/2005/07/msg01586.html
> >     http://lists.debian.org/debian-devel/2005/08/msg00012.html
> >
>
> No, I meant Matt is our mozilla security delegate:
>
> http://www.mozilla.org/projects/security/secgrouplist.html

I am not an official representative, but I am subscribed to the Mozilla
Security Group mailing list.  I do not have any influence over Mozilla's
development processes.  Martin Pitt and Martin Schulze have outlined the
problems there quite well; if someone would collect those points and submit
a statement to Mozilla (if that has not been done already) perhaps we can
find a way to provide for both active Mozilla development and distribution
security support.

It would probably be a good idea to include the Red Hat security team in the
communication, since they seem to have reached the same impasse.

--
 - mdz



Re: On Mozilla-* updates

Dale Amon
In reply to this post by Stefano Salvi-2
On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote:
> I think that two kinds of people are interested in Debian:
> - Ones who want Security
> - Ones who want Stability

While not an unreasonable part of an analysis, I would
posit these are at least second level criteria for
systems users. The most important factor for anyone
in a corporate environment, (and for many in a home
environment as well), is "Does Debian allow me to get
my work done faster and more efficiently?"

Issues of security, package content, stability and
such are imperfect tradeoffs towards fulfilling that
goal.

--
------------------------------------------------------
   Dale Amon     [hidden email]    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
              "Have Laptop, Will Travel"
------------------------------------------------------


Re: On Mozilla-* updates

Thomas Bushnell, BSG-2
In reply to this post by Willi Mann
Willi Mann <[hidden email]> writes:

> IMHO, sloppy security support (by uploading new upstream versions) is
> better than no security support.

Are you prepared to make sure all the packages that depend on mozilla
will have packages ready to enter at once?



Re: On Mozilla-* updates

Noah Meyerhans-3
On Mon, Aug 01, 2005 at 04:57:31PM -0700, Thomas Bushnell BSG wrote:
> > IMHO, sloppy security support (by uploading new upstream versions) is
> > better than no security support.
>
> Are you prepared to make sure all the packages that depend on mozilla
> will have packages ready to enter at once?

Are you prepared to kick all packages that depend on mozilla out of
Debian completely?  That's the choice we've got.  Moving them to
backports.org or volatile, which are not carried by the mirror network,
not included in the default apt sources.list, and not getting DSA
announcements, IMHO, counts as "kicking them out of Debian".

noah



Re: On Mozilla-* updates

Stefano Salvi-2
In reply to this post by Michael Stone-2
Michael Stone wrote:

> On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote:
>
>> I think that two kinds of people are interested in Debian:
>> - Ones who want Security
>> - Ones who want Stability
>
>
> I can't even understand this statement. What kind of person is
> interested in "stability" which will get their machine compromised?
> Remember, we're talking about a *web browser* here--the primary purpose
> of which is to connect to web sites on the internet. That seems in my
> mind to be an application which cries out for some level of security.
> And it's not like old versions will disappear forever--if you reall need
> some kind of pedantic stability just put your browser on hold.
For "stability" I mean: "you can install any part of the system without
worrying to break your machine" which is provided by the strong quality
check cycle and very good dependency system.

If you go on reading, I say I wish that "critical" components such as
browsers are kept updated AFTER the release, to keep security optimal.

Remember that security is always expressed in percent: there will never
be 100% security.
It's sure that a server must have a higher security score than a
desktop system, but it also needs different functionalities.
        Stefano



Re: On Mozilla-* updates

Nicolas Rachinsky
* Stefano Salvi <[hidden email]> [2005-08-02 09:16 +0200]:
> It's sure that a server must have a higher security score than a
> desktop system, but it also needs different functionalities.

The desktop used to administrate a server needs less security? Weakest
link?

Nicolas



Re: On Mozilla-* updates

Stefano Salvi-2
Nicolas Rachinsky wrote:
> * Stefano Salvi <[hidden email]> [2005-08-02 09:16 +0200]:
>
>>It's sure that a server must have a higher security score than a
>>desktop system, but it also needs different functionalities.
>
>
> The desktop used to administrate a server needs less security? Weakest
> link?
I prefer to have no X on the server and administer it from command line
or Web interfaces (command line is better).
I think that if you administer via GUI you have far less security.
Yes, as you say, the GUI administration chain is the weakest link of the
chain?
        Stefano



Re: On Mozilla-* updates

Nicolas Rachinsky
* Stefano Salvi <[hidden email]> [2005-08-02 09:38 +0200]:
> Nicolas Rachinsky wrote:
> >The desktop used to administrate a server needs less security? Weakest
> >link?
> I prefer to have no X on the server and administer it from command line
> or Web interfaces (command line is better).
> I think that if you administer via GUI you have far less security.
> Yes, as you say, the GUI administration chain is the weakest link of the
> chain?

If someone takes over this desktop, he also owns the server. But this
is getting too far from the current discussion.

Nicolas



Importance of browser security (was: On Mozilla-* updates)

Ben Bucksch
In reply to this post by Stefano Salvi-2
Stefano Salvi wrote:

> I prefer to have no X on the server and administer it from command
> line or Web interfaces (command line is better).

Let's say

   1. You use Mozilla from sarge
   2. Somebody cracks you through known holes in that old Mozilla,
      either a mass exploit or an enemy of you specifically targeting
      you. Which is probably the easiest way to attack you, through all
      firewalls. So much for browser/email security.
   3. He controls your desktop
   4. He downloads all your local mail and photos/images, including your
      confidential company mail, private mail and nude photos of your
      girlfriend. He posts it on the Internet, your company's billboard,
      and your supermarket's billboard.
   5. He also installs a keyboard sniffer and downloads your private SSH
      keys.
   6. He logs into all servers and other computers that you have access
      to. Including those desktops of your friends, which you remote
      administrate or use the password that they use for your server.
      And the attacker goes on from there. So much for desktop/server
      security.
   7. One of your friends did things which are strictly legal, but your
      boss didn't like it at all, and fired him. Another one happened to
      be a dissident and gets in jail or maybe shot. So much for
      efficiency (this has nothing to do with efficiency).
   8. Because all this costs some time, the attacker needs to live, too.
      He drafts your bank accounts and those of your friends as a fair
      compensation. The Half Life 2 source code got indeed stolen via
      desktop compromise, too. But all that is insignificant in
      comparison to your dead friend.

That's what's at stake here.

I don't care, if a Mozilla security update breaks some badly written
extensions. And if it breaks Galeon's print function, so be it, you can
still use Mozilla in this rare case. But there's *no* recovery from a
bad breakin.



Re: Importance of browser security

Stefano Salvi-2
Ben Bucksch wrote:

> Stefano Salvi wrote:
>
>> I prefer to have no X on the server and administer it from command
>> line or Web interfaces (command line is better).
>
>
> Let's say
>
>   1. You use Mozilla from sarge
>   ... CUT ...
>   Description of an exploit
>
> That's what's at stake here.
>
> I don't care, if a Mozilla security update breaks some badly written
> extensions. And if it breaks Galeon's print function, so be it, you can
> still use Mozilla in this rare case. But there's *no* recovery from a
> bad breakin.
>
I completely agree with you.
My point was:
- server software needs strict security and less functionality; a long
release cycle is welcome; it is preferred to stick to some releases of
the software.
- desktop software needs good security, but also new features; you
prefer to get the latest release of a software.

My choice is to stick on woody (I'll rebuild with Sarge now) for
the server and use Sid on the desktop, upgrading it regularly.

I think this gives me strong security on the server and good security
AND features on the desktop.

The difference is that I didn't install an old browser on the server and
keep the browser updated constantly on the desktop.

Using this policy, from time to time my desktop has some problems (I'm
using unstable).

I would be very happy if there was a "stable branch" that keeps software
updated AND tracks security.

        Stefano



Re: On Mozilla-* updates

Jeff-27
In reply to this post by Joey Schulze
>
> it seems that less than two months after the release of sarge it is
> not possible to support Mozilla, Thunderbird, Firefox (and probably
> Galeon) packages anymore.  (in terms of fixing security related
> problems)
>
> Unfortunately the Mozilla Foundation does not provide dedicated and
> clean patches for security updates but only releases new versions that
> fix tons of security related problems and other stuff that is or may
> be irrelevant for security updates.  As a result, it is extremely
> difficult to get security patches extracted and backported.  This is
> an utter disaster for security teams and distributions that try to
> support their releases.
>

Joey,

Working from the following assumptions:
* it is possible to include Mozilla in Debian stable,
* extracting security patches from upstream is not practical,

and ignoring the interesting, but extraneous threads,

What exactly breaks if the update to v1.06 is applied, as upstream
recommends?

I realise you are seeking a general solution. I believe that we need
case specific information. This will enable us to evaluate any proposed
general solutions, with the illumination of real facts.

Regards
Jeff



Re: On Mozilla-* updates

Jeff-27
> Joey,
>
> Working from the following assumptions:
> * it is possible to include Mozilla in Debian stable,
> * extracting security patches from upstream is not practical,
>
> and ignoring the interesting, but extraneous threads,
>
> What exactly breaks if the update to v1.06 is applied, as upstream
> recommends?
>
> I realise you are seeking a general solution. I believe that we need
> case specific information. This will enable us to evaluate any proposed
> general solutions, with the illumination of real facts.
>

Actually, I see that I am echoing the unanswered question from Ben in
his email of 1-Aug:

What hard reasons are there that prevent you from shipping Firefox 1.0.6
and Mozilla 1.7.11 right now?


Once we know what breaks when this is attempted, we can look at working
out a general solution.

Regards
Jeff



Re: On Mozilla-* updates

Moritz Mühlenhoff-2
In reply to this post by Andreas Barth
In gmane.linux.debian.devel.security, you wrote:
>>   Mozilla *appears* to have no interest in supplying patches which
>>  *only* fix security holes to distributors.  Their line is more
>>  "upgrade to the newest version".  Whilst the new versions do
>>  fix the holes, they traditionally also break things built against
>>  them, such as extensions, galeon, etc.
>
> I thought some member of the Debian security team has access to the
> hidden bug reports. Can't that member extract the relevant patches then?

If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmerman
(who appears to be Debian's Mozilla security delegate) and published as part
of a DSA this would point to the core of each vulnerability and make exploit
creation easier than reconstructing this information from the large interdiffs
between their stable releases. This tends towards security through obscurity,
but seems to be Mozilla's policy for bugs with their internal "Critical"
severity.

Cheers,
        Moritz



Re: On Mozilla-* updates

Moritz Mühlenhoff-2
In reply to this post by Joey Schulze
In gmane.linux.debian.devel.security, you wrote:
> Looking at how 1.0.5 was binary-incompatible with 1.0.4 I can only
> assert that the community has failed already.

Although I'm not sure how an "accidental API change" can slip through
any kind of Mozilla QA, it has at least been corrected in 1.0.6 and
was not intentional.

>> Whatever solution we choose, I believe it is very important for us to do
>> it within Debian and not rely on backports or some other unofficial
>> channels.  As Debian developers, it is our duty to solve this problem,
>> and simply kicking the packages out of Debian or ignoring them from the
>> point of view of updates and security is really no solution at all.
>
> Be prepared for reality, in half a year or in one year, there won't be
> 1.0.x Mozilla Firefox packages anymore that build on Debian stable.
> At least that's what I anticipate.

Judging from their road map the stable series will move to 1.1, which
will incorporate major new features like SVG support. And there seem
to be changes in the freetype API that will pose further problems if
they bump their API requirements for 1.1 (see #314243).

Cheers,
        Moritz



Re: On Mozilla-* updates

Willi Mann
In reply to this post by Thomas Bushnell, BSG-2
[Thomas, I'm not sure if you are on the debian-security list, so I'm CCing you]

> Are you prepared to make sure all the packages that depend on mozilla
> will have packages ready to enter at once?

This would only be necessary in case of an API/ABI change, right? The
mozilla people have shown that they care about the API. See the warnings about the
1.0.5 release; the issues were soon after corrected by 1.0.6.

And in the case of a new major upstream version, which should only be an
issue 1 or 2 times during the Debian release cycle, I think it's doable.

To make that easier, I propose to set up security testing scripts, where we
upload the new upstream versions (and related packages if necessary) as
soon as they are available (so we can fix build issues, etc.), but wait with
the release to the official security repository until they are necessary.
That way, we minimize the needed time and work until security updates can be
released, and the new major upstream versions can be tested by a wide
audience.

Willi



Re: On Mozilla-* updates

Matt Zimmerman
In reply to this post by Moritz Mühlenhoff-2
On Tue, Aug 02, 2005 at 02:29:51PM +0200, Moritz Muehlenhoff wrote:

> If the isolated patches were pulled from Mozilla Bugzilla by Matt Zimmerman
> (who appears to be Debian's Mozilla security delegate) and published as part
> of a DSA this would point to the core of each vulnerability and make exploit
> creation easier than reconstructing this information from the large interdiffs
> between their stable releases. This tends towards security through obscurity,
> but seems to be Mozilla's policy for bugs with their internal "Critical"
> severity.

Getting access to the patches is not a significant obstacle; the issue is
that they often don't apply to versions which are a few months old.

--
 - mdz

