Ubuntu Security :: Firefox Security Updates For 8.04 LTS?
Apr 8, 2010
Does anyone know when we'll see Firefox 3.0.19 packaged for 8.04 LTS? I'm still stuck at 3.0.18. And what will happen after this? My understanding is that after .19 Mozilla is dropping support for FF 3.0.
Upgrade policies notwithstanding, I find it rather annoying when an "LTS" release doesn't keep up with the most security-critical package in the distro, the browser. 8.04 LTS should have moved to FF 3.5+ a *long* time ago. Now it seems it will be forced to do so or else just forget about browser updates for the last year of 8.04?
I know I can install the current Firefox with ubuntuzilla, I just keep wishing Ubuntu would do it for me.
So yesterday I receive a copy of the SANS @RISK security vulnerability newsletter, and, lo and behold, Mozilla's Firefox and Thunderbird are on it yet again. (Yeah, I know, shocking, isn't it?) So I quickly check what versions I have installed. Yup: Vulnerable. I check whether updates are available. These are pretty serious "remote code execution" vulnerabilities and the status is "vendor confirmed, updates available." So why isn't my 9.10 desktop's update manager telling me updates are available?
I'm new to server admin, so my question is based on what may be a bad assumption. With a server, my assumption is "if it ain't broke, don't fix it". In other words, I'm not really interested in upgrading the software to the latest and greatest if I already have stuff working on the server.
However, the one place where I DO want to constantly have upgrades is for security patches. How do I apply security updates to Ubuntu Server... and ONLY security updates?
With an Ubuntu 10.10 upgraded from 10.04, under Software Sources, Updates, there is a radio button marked "Install security updates without confirmation." I have this radio button marked, but still get "Important security updates" almost daily in my update manager. I don't remember this feature actually ever working.
Firefox 3.5 has a critical JavaScript vulnerability as noted in the recent news. I had to manually update to 3.5.1 using the Mozilla tarball because there's still no Firefox 3.5.1 in Fedora Updates or even Fedora Updates Testing repositories. Is this normal? I didn't want to resort to using the Mozilla one because now I can't use Flash (my system is 64 bit and Mozilla only seems to offer a 32-bit tar file of Firefox) and having two Firefoxes means dealing with the ProfileManager, separate bookmarks and so on.
I'm trying to find out if I'm just looking in the wrong place. I tried the normal mirrors for "updates" for Fedora 11 and then updates-testing and also the baseurl for "updates" to get rid of the mirror update delay. None of them seem to have 3.5.1?
So, it is my understanding that Ubuntu's automatic updates do not install ANY updates that are not "important security updates." For example, it did not upgrade me to Firefox 4 automatically; I had to do it myself (Don't all new browser versions usually contain new security features/patches? Oh well... That is a separate question entirely).
ANYWAY, is there some way to get the latest stable versions of all of my open-source software automatically (or at least all at once, on command), instead of just security updates? It seems silly to have to install new versions for every program manually.
Also, related/side question: Now that I have installed Firefox 4 myself (via apt-get by adding the mozilla-stable PPA), will I stop getting security updates for Firefox through the standard Ubuntu update manager?
Actually, a really thorough explanation of the whole automatic update system (or a link to one) would be great too.
Using Slackware 12.2, Xfce, Firefox 3.0.16, and for the past few days I have been getting a persistent System Security window that looks like MS Firewall, and you can't click on the X or Cancel because then it activates a so-called security analysis with a green progress bar. I open a terminal real quick and issue the pkill firefox command. I have been trying to get to the basicconfig site to follow the tutorial on Firefox security updates but that window keeps coming back. I emptied out my /tmp files but I am still having the same problem and don't know what to do.
After doing the weekly recommended security update a problem occurred: on the next system boot the network manager applet was missing from the panel and I had two volume controls in its place. Logging into other user accounts, network manager is there and working. How do I fix this? I have not got a clue! I use a USB Huawei modem, working fine. Just the main user account has no network manager. I'm running 9.10 and it has not been a problem before.
Twice this week I've tried to download "Important security updates". Each time the response is:
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/...u9.5_amd64.deb 404 Not Found [IP: 91.189.88.30 80]
W: Failed to fetch http://us.archive.ubuntu.com/ubuntu/...u9.5_amd64.deb 404 Not Found [IP: 91.189.88.30 80]
I recently reported a bug in a package, which was fixed upstream and in the Debian package, but the bug was not security-related. The Debian settings on all of the computers are set to receive only the security updates. The other setting, for proposed updates, is currently not enabled.
Must Proposed Updates be enabled, in order to receive the non-security updates, including the update to the package in question?
Is there a mailing list or an alert I can subscribe to, so I know if there are critical or moderate patches I have to apply to my CentOS 5 servers?
I installed Ubuntu a few days ago. Today I got like 250MB of security updates so I let them run, then restarted. Now it keeps running in low graphics mode, everything looks rubbish and I have no desktop effects, and the sound has also stopped working. Everything was great prior to this; I was beginning to love the switch from MS to Ubuntu. The sound/video are both via HDMI so I am imagining it's something to do with the graphics. I would wipe the system and start fresh but it took me so long to get my sound and wireless working.
I've recently installed the unattended-upgrades package on a few Ubuntu 9.04 servers, and it's working great to automatically install security upgrades. However, is there a way to have non-security upgrades automatically installed as well? The README for unattended-upgrades says it'll do security ones only.
My main goal is to have all package upgrades be installed unattended except for kernel and libc upgrades (I want to do those manually on my own time). I guess I could write a script that does 'apt-show-versions -u' to get a list of upgradable packages and then do 'apt-get install' on the packages if their names don't match linux-server, linux-image-server, or libc*, but I was hoping there's an easier way to accomplish this.
I've looked at 'aptitude safe-upgrade -y', but I think that'll install kernel and libc upgrades.
What's with today's updates? WebKit libraries and Firefox updates. Was there a security issue that's just recently been fixed? Just wondering, I'm obviously going to install them.
Is it normal to have several security updates week after week in a 10.04 Ubuntu LTS server distro? Some of them even need a system restart, which I consider truly bad for a web server...
I'm using Ubuntu Lucid Lynx and every time I search for updates it asks for authentication. I'd like to search and apply updates without confirmation. Is it possible in some manner?
...a malicious individual could damage or take control of your system" See: https://dl-web.dropbox.com/get/Publi...png?w=ae903921 and: https://dl-web.dropbox.com/get/Publi...png?w=2c144a02 So should I really go ahead and install the updates or what may have gone wrong at the Ubuntu repository?
How safe is it to run Ubuntu updates when I'm connecting via a public network (wireless or wired) from a hotel (or other public settings)? I'm not familiar with the internals but is there an additional validation mechanism for the package servers other than the URL?
In the past I used openSUSE for a few months. In openSUSE all updates related to security are labeled as "Security Update", like updates related to Firefox. Unlike openSUSE, in Debian I can't find a way to detect security updates.
I've been looking for an aptitude command to search for security updates. This information is being shown when running the screen. So far I reached this command: aptitude search '~S ~VCANDIDATE ~Asecurity ~U' It looks like it is producing the correct results, but I still don't quite understand how the filter (~S) command works.
My system went for three days w/o a software update... Is this normal (anyone experiencing this?)...?
It seems to me.. Fedora 13 has a longer update interval than Fedora 12.. I remember back in Fedora 12 I get security updates like every other 12 hrs.. (I know as with security patches the less the "better" (in some way))..
But I am still concerned.. security updates have been slow for me.
I've a server, and I want to drop all the traffic going out with a source port other than 80 (Apache) and 22 (ssh). The reason is I want to prevent my machine sending packets I don't know about (i.e. my server scanning networks or making DDoS attacks without my knowledge). The problem is the updates. If I do what I've said, the updates will not work. I want to allow updates, so I need to let DNS traffic (port 53) and the traffic of the updates go out.
The problem is the source port. This traffic uses a dynamic port (I think like HTTP). Is there any way to specify a source port to do this? If I have a static port to do this, I would drop all the traffic going out with a port other than 22, 53, 80 and this port.
I looked at the security advisories page on slackware.org, and noticed only 1 listing for 2010. I'm currently using Alien Bob's slackware-current script to make a DVD ISO (x86_64.) So is this patch already applied or what? How do I go about maintaining a secure system from here? I've tried to search for clues about this but I'm a little confused (very new to Slackware,) so I apologize if this question has been answered many times. Also, when a security advisory arrives, do I need to download the updated package? Or can I simply find a patch from a single source and download / apply them? What would you do concerning this issue? I guess easily applying security updates is where Debian shines. I'm really starting to like Slackware though, I must admit.
I have been forbidden to enable automatic updates on our Ubuntu servers, for both security and regular packages. When I log into any of my four Ubuntu servers, the welcome message contains this:
39 packages can be updated. 26 updates are security updates.
However, when I run the Nagios plugin that monitors APT, I get:
% /usr/lib/nagios/plugins/check_apt
APT WARNING: 33 packages available for upgrade (0 critical updates).
I need to know how to properly detect that there are pending security updates, and regular updates. Once I can do that, I plan to write a Nagios script that will return WARNING for pending regular updates, and CRITICAL for pending security updates.