
Forum Thread: Firefox ESRs

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
jroysdon Firefox ESRs
Member 19th Nov, 2013 21:21
Ranking: 0
Posts: 3
User Since: 25th Sep, 2012
System Score: N/A
Location: US
Last edited on 19th Nov, 2013 21:30

We need a change such that Firefox ESRs are upgradable before the previous ESR release is EOL.

For instance, released today (built Nov 15, 2013) were:
FF 25.0.1 (no ESR)
FF24.1.1 ESR (there is no non-ESR version)
FF17.0.11 ESR (again, no non-ESR version)

The last release cycle was (built Oct 29, 2013):
FF 25.0 (no ESR)
FF 24.1.0 ESR (there is no non-ESR version)
FF17.0.10 ESR (again, no non-ESR version)

Prior to this there was (built Sept 17, 2013):
FF 24.0
FF 24.0 ESR
FF17.0.9 ESR

I understand that the FF24.0 (non-ESR) is indistinguishable from the FF 24.0 ESR release. It is difficult to detect which version is non-ESR and which is, so a determination as to if it should go to FF25.0 or FF24.1.0 ESR cannot be made.

However, as there was only an ESR release of FF 24.1.0, then when this version is detected it should be an ESR release. Therefore, the valid upgrade path should be to FF 24.x ESRs (specifically FF24.1.1 ESR), not FF 25 (non-ESR).

I propose that starting at the second FF ESR release, for which there is only an ESR version (and no non-ESR version), that these second and future FF ESR releases be detected as not EOL until that major ESR release is EOL. Further that those ESR releases be kept on an ESR upgrade path matching the same major ESR version installed, or if that ESR is EOL, to the latest major ESR version.

In other words, if all we ever deploy is FF ESR, then CSI should only ever be trying to upgrade things to FF ESR, and not the non-ESR release path.

FF24.1.0 ESR should be detected as insecure and upgradable to FF24.1.1ESR right now.
FF24.1.1ESR should be detected as secure right now.

Firefox release history source: http://en.wikipedia.org/wiki/Firefox_release_histo...
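
The upgrade-path rule proposed in the post above, sketched as an added example; it is not part of the thread and is not Secunia's detection logic. The release table is constructed from the versions listed in the post, and the names `RELEASES`, `channel_of`, `upgrade_target` and `eol_esr_majors` are hypothetical.

```python
# Constructed release table, built from the versions listed in the post above.
RELEASES = [
    ("24.0", "release"), ("24.0", "esr"), ("17.0.9", "esr"),
    ("25.0", "release"), ("24.1.0", "esr"), ("17.0.10", "esr"),
    ("25.0.1", "release"), ("24.1.1", "esr"), ("17.0.11", "esr"),
]


def vkey(version):
    """Turn '24.1.0' into (24, 1, 0) so versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def channel_of(version):
    """Return 'esr', 'release', 'ambiguous' or 'unknown' for a detected version."""
    channels = {ch for v, ch in RELEASES if vkey(v) == vkey(version)}
    if not channels:
        return "unknown"
    # A version number published on both channels (24.0) cannot be told apart.
    return channels.pop() if len(channels) == 1 else "ambiguous"


def upgrade_target(version, eol_esr_majors=frozenset()):
    """Return (channel, target_version, is_secure) following the proposal."""
    channel = channel_of(version)
    if channel in ("ambiguous", "unknown"):
        return channel, None, None  # no path can be chosen from the version alone
    candidates = [v for v, ch in RELEASES if ch == channel]
    if channel == "esr":
        major = vkey(version)[0]
        if major not in eol_esr_majors:
            # Stay on the installed ESR branch while it is still supported.
            candidates = [v for v in candidates if vkey(v)[0] == major]
        else:
            # Branch is EOL: move to the latest ESR branch that is not EOL.
            candidates = [v for v in candidates
                          if vkey(v)[0] not in eol_esr_majors]
    if not candidates:
        return channel, None, False
    target = max(candidates, key=vkey)
    return channel, target, vkey(version) == vkey(target)
```
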

Anthony Wells RE: Firefox ESRs
Expert Contributor 20th Nov, 2013 18:23
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

You are correct and it is likely that Support are behind in upgrading their detection rules as previously after some correspondence the platform split was quickly delineated which seems not to be the case atm.

I have also replied to your post here :-

http://secunia.com/community/forum/thread/show/145...

Keep pressing as they can be notably slow/long in responding to certain requests.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
r.danailov RE: Firefox ESRs
Secunia Official 22nd Nov, 2013 13:59
Score: 25
Posts: 129
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Last edited on 22nd Nov, 2013 14:01
Hi jroysdon and Anthony,

Thank you for supplying your suggestions and comments to the forum.
Please excuse our delayed reply to your post.

I had forwarded an internal 'Request For Information' to the teams responsible for handling detection rules at Secunia.
We requested them to provide us with the current status of the problem discussed in this thread and other threads within the PSI forum.

I made sure to forward your suggestions for a change too. As part of my inquiry, I've included references to the current thread asking my colleagues to take your suggestions under consideration. Kindly bear with us until we get back to you with more detailed, specific information about ESR releases.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
r.danailov RE: Firefox ESRs
Secunia Official 10th Dec, 2013 13:09
Score: 25
Posts: 129
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Last edited on 10th Dec, 2013 13:09
Hi,

Please excuse us for having taken more time to answer this thread than initially confirmed. We had to make necessary changes in our detection approach to allow more flexible handling of the Mozilla Firefox ESR versions and more accurate prioritization of patches for this product.

Going forward Mozilla products will receive only 1 package, regardless of whether or not it's the stable release or ESR release. The package will then select the appropriate installer to run, or be forced onto a certain branch by a flag (only available in the CSI 7).

The only time 2 packages will exist is during the overlap period (first two releases of a new ESR branch), where one package will contain the old ESR installer and another will contain the new ESR installer. Customers will be offered the one applying to the version they already have installed.

Please feel free to comment if you have additional questions.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
Anthony Wells RE: Firefox ESRs
Expert Contributor 12th Dec, 2013 16:44
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Rosen,

Thank you for your detailed reply. Obviously this is a CSI thread but as there are (probably) some ESR users with the PSI, as per @GrandDixence @wr on this (locked) thread :-

http://secunia.com/community/forum/thread/show/145...

perhaps you could let us know whether the PSI will also have improved handling of things Mozilla.

Take care

Anthony


--


It always seems impossible until it's done.
Nelson Mandela
r.danailov RE: Firefox ESRs
Secunia Official 17th Dec, 2013 18:55
Score: 25
Posts: 129
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi Anthony,

We've updated the PSI forum accordingly. Thank you for your feedback and assistance.
Please excuse us for any delayed replies within the CSI forum; we would recommend all existing customers to send emails to csc@secunia.com, should they require faster handling of their case.

Kind regards / Stay Secure,
Rosen Danailov / Security+
Secunia Customer Support
Anthony Wells RE: Firefox ESRs
Expert Contributor 18th Dec, 2013 16:44
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Thank you, Rosen :))

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
