Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Bug Security

Firefox 3.5.1 Released 147

alek writes "A day after Slashdot reports about a self-inflicted vulnerability in Firefox 3.5, Mozilla releases 3.5.1. It addresses that security issue, but also fixes the annoying slow-startup on Windows. Bummer the UNIX wars have subsided, because apparently they also had to fix a problem where Firefox on a Sparc platform would crash when visiting www.hp.com!"
This discussion has been archived. No new comments can be posted.

Firefox 3.5.1 Released

Comments Filter:
  • by Anonymous Coward
    But I need build instructions and test instructions and possibly a youtube video, written/made for a student, not for a programmer that already knows a number of things about firefox. That is the way I feel about most open-source projects. I don't want to contribute in huge quantities, but only bugfixes, in any area and not limited to any particular technology. Sadly, I see such build-instructions missing or the build-instructions are too complicated in major open-source projects that could use bug-fixers
    • by koreaman ( 835838 ) <uman@umanwizard.com> on Friday July 17, 2009 @01:30AM (#28726603)

      You should try fixing some bugs in Sunbird, if Mozilla interests you but the hugeness of Firefox is intimidating. I was able to contribute code (granted, only two lines) to Sunbird that fixed a real live bug, and I was in high school at the time.

    • by EsbenMoseHansen ( 731150 ) on Friday July 17, 2009 @01:39AM (#28726645) Homepage

      Here, let me click on the top link for "firefox build instructions" in google: simple firefox build [mozilla.org]. Looks pretty standard to me. Tests, if there are any, are usually automated or findable by a similar exercise.

      • Re: (Score:3, Interesting)

        That's cute, but missing the point.

        The majority of us use Windows, and will therefore probably want to develop on that platform.

        If you read the Windows section of the page you linked to, the very first line is "Building on 64-bit Windows does not seem to be supported."

        If you read the rest, you get told about using Visual Studio Express Editions and Windows SDKs, but as anyone who's tried it will know, just finding and installing the right SDKs there can be tricky. (Microsoft's own web site had links to an o

        • Re: (Score:3, Insightful)

          by turgid ( 580780 )

          The majority of us use Windows, and will therefore probably want to develop on that platform.

          Right...

          Seriously, if you think this is a "simple" build procedure that's going to get casual volunteers contributing small fixes, you're not part of the solution, you're part of the problem.

          All that proprietary closed-source software required to build Open Source software (any software, really). Difficult to obtain, difficult to install and difficult to configure.

          It sounds like Windows is the problem. All of

          • It sounds like Windows is the problem.

            Bull. I've been developing software on Windows for years, and the build process required for any project I've set up consists of running one script.

            The recurring problem I've encountered is all these "open" projects that have a convenient build process on exactly one platform and require jumping through crazy hoops to build anything else. (For the record, those requiring Cygwin to do anything on Windows are the most tragic cases of this disease.) Volunteers aren't as likely to help such a project as one whe

            • by turgid ( 580780 )

              So you Windows guys need to get together and submit some patches to make building things easier on Windows. The primary development environments for most FOSS projects are on FOSS platforms, not Windows.

              You can't complain when you are given something for free.

              • You can't complain when you are given something for free.

                We seem to have drifted off-track a bit. I'm not complaining about something I'm given for free. I'm just explaining why many volunteers find it difficult to contribute in the manner you suggest.

                The primary development environments for most FOSS projects are on FOSS platforms, not Windows.

                And I imagine that will remain the case as long as the people who set up the projects only value having a good process on the FOSS platforms, which is regrettable given the number of keen folks running on other platforms who might be willing and able to offer help if there wasn't such a high wall to climb first.

    • litmus [mozilla.org]
      mozilla qa [mozilla.org]
      Both seams simple but time consuming but i don't think they need to be done in one sitting (unless you are on the nighties), unfortunately Linux x86_64 only has nighties.

      p.s does anybody know a good way to update firefox (mozilla builds) as launching it as root isn't great and the idea of installing a webbrowser somewhere it can update itself is retarded.

      • Er... what's so bad about installing it to /home/yourusernamehere/bin?

        • Re: (Score:3, Interesting)

          If there is a browser/extention (they run at browser level)/plugin(yes even a flash or adobe exploit) or other program vulnerability they can perminantly modify your firefox binary to execute whatever code they want. In addition to having your user account, where all your data is, completely owned, no OS has a particularly good record on preventing malicious binaries from getting root (ubuntu with sudo is particularly bad as it can just request permisions just after you grant another process root using sudo

    • Presumably you'd need to at least be capable of building software before the maintainers would trust your bugfixed code...

      For example, the linux kernel is a lot easier to compile than contribute to.

  • by asa ( 33102 ) <asa@mozilla.com> on Friday July 17, 2009 @01:19AM (#28726557) Homepage
    Your post says "but also fixes the annoying slow-startup on Windows." which suggests that all Windows users were experiencing slow starts. That's not the case at all. It was only a small fraction of users affected by the now fixed issue. And for the record, the security flaw was already fixed, even before it was lifted from our bug database and turned into a public exploit. It just takes a few days to get everything in order for a release to users.
    • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Friday July 17, 2009 @01:25AM (#28726587)

      slow start for _some_. Miniature Type-R stickers for others.

    • Was it OS dependent, or hardware dependent?

      I had the issue in winxp 32bit sp3.

      • Was it OS dependent, or hardware dependent?

        I had the issue in winxp 32bit sp3.

        Beats me - but I don't have it on that OS. It still takes 2 seconds to start.

      • Re: (Score:2, Informative)

        by TheSeer2 ( 949925 )

        It was user situation dependent. Firefox was reading all of a user's temp files to seed its RNG or something along those lines so if you had a lot of large temp files your startup time would be quite large.

        Regardless, it still takes 5x Chrome's startup time with the fix so... peh.

        • Regardless, it still takes 5x Chrome's startup time with the fix so... peh.

          It's true. ;-)

        • Re: (Score:3, Insightful)

          by bunratty ( 545641 )
          I have never understood why people make such a big deal over Firefox startup times. It's a few seconds. On my two-year-old laptop, Firefox 3.5.1 starts in two seconds. Granted, Chrome starts in less than one second, but in absolute difference it's about a second.
          • by klui ( 457783 )

            Several seconds is not a problem; I never ran into this because my temp directories and stuff are cleaned up often and the issue seems to occur only after a cold boot (I may be mistaken about this latter part). So my startup times are 5 secs or so since I hardly turn off my machine.

            But others were waiting for minutes, 1-4 minutes for some. Pretty annoying if I were hit with those times. I think these individuals had hundreds of MB for their IE cache and their temp folders were large as well.

      • by klui ( 457783 ) on Friday July 17, 2009 @02:49AM (#28726899)
        OS dependent. They coded for the case where Windows CE/2000 did not have a certain call and they wanted to get good entropy for their RNG in NSS. https://bugzilla.mozilla.org/show_bug.cgi?id=501605 [mozilla.org]
    • Re: (Score:3, Interesting)

      by Toonol ( 1057698 )
      From the link, it appears that files (probably having an excessive amount of files) in the IE cache was slowing down Firefox cache? Isn't the Firefox cache entirely separate? Does it look in the IE cache to try to be friendly and helpful, and if so, can that behavior be turned off?
      • by ahecht ( 567934 ) on Friday July 17, 2009 @01:53AM (#28726689) Homepage

        NSS (Network Security Services) 3.12.3 is using IE temporary internet files to generate seeds. Sounds thoroughly stupid to me, as it means that if you never use Internet Explorer, your cryptographic seeds won't change. How about using the process list or something not Hard Drive dependent to generate the seeds instead?

        • by ahecht ( 567934 ) on Friday July 17, 2009 @02:36AM (#28726835) Homepage

          On further study, it NSS DOES use process IDs and many, many other factors to generate the seeds. Searching the additional file locations ("C:\Documents and Settings\*user*\Local Settings\History", "C:\Documents and Settings\*user*\Local Settings\Temporary Internet Files", "C:\Documents and Settings\*user*\My Recent Documents", "C:\Documents and Settings\*user*\Temp\", "Recycle Bin", and "Network Neighborhood") were added because some older OSs (Win2k and WinCE) didn't have strong enough build-in pseudo-random number generators.

          This patch changed NSS to use the built-in PRNG in Windows XP and up which uses "process ID and thread ID, the system clock, the system time, the system counter, memory status, free disk clusters, andthe hashed user environment block".

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      And what should he have written instead of "It addresses that security issue"? "It contains the security fix that already existed but wasn't until now ready for a release to users"? Ugh.

    • Re: (Score:3, Informative)

      by cratermoon ( 765155 )
      No less a personage than Brendan Eich says the whole issue with slow startup in the NSS module is snake oil that does nothing but "waste users' time at startup pretending to scrape entropy off the filesystem."
  • Good. (Score:5, Insightful)

    by xlotlu ( 1395639 ) on Friday July 17, 2009 @01:22AM (#28726569)
    Now I can re-enable TraceMonkey and slashdot will be fast again... sorta.
    • by Inda ( 580031 )
      It is fast if you use the old layout, block 3rd party images, and Flash. Still looks like a site created in MS Word though. Good job it's not why I come here (still waiting for the meeting-girls-thing I was promised btw).
  • they also had to fix a problem where Firefox on a Sparc platform would crash when visiting www.hp.com!"

    Anyone that sees a downside to not accessing hp.com must not use NoScript.

    • "Now correct me if I'm incorrect, but was I told it's untrue that people in Springfield have no faith? Was I not misinformed?"

    • I have an HP laptop, and I need to visit HP for drivers and such. Luckily, HP's website mostly works without JS most of the time. Some features, however, absolutely require it (like live chat.) Getting HP support through chat is marginally less frustrating than having to do it on the phone in most cases.

  • by sakis ( 84255 ) on Friday July 17, 2009 @02:14AM (#28726749)

    Kind of offtopic, but by upgrading to FF 3.5.1, Google Gears is again disabled. Why did Google allowed it to be compatible with only 3.5.0?!

    • Re: (Score:2, Insightful)

      by Threni ( 635302 )

      Perhaps their time machine isn't working and they couldn't check that future releases worked, and decided it was safer to only support version of Firefox they're sure about. You can always wait, if it's important for you, or upgrade then downgrade again if you didn't want to check first and have to have it working for you. It's better than the alternative - Google allowing what is essentially an untested upgrade.

    • You can unzip the xpi and edit the actual "version identifier" to bump it to 3.5.1 if you're impatient :)

      Nice article on how to do this here [mozillazine.org]
    • Re: (Score:3, Informative)

      by BZ ( 40346 )

      Becuase Gears uses low-level binary hooks (e.g. completely replacing the Firefox HTTP cache with its own) and presumably doesn't want to worry about your browser crashing due to a code change on the Firefox end?

  • will obviously rise the new Desktop OS, the Unix peace will mark year of BSD on desktop!!
    • Isn't that OS X?

      BSD isn't dead heck it has overtaken Linux by strides and is a serious contender to windows. Just just downplay the BSD roots of the OS.

  • Great. Iceweasel 3.5 just entered Debian Experimental... I'll likely have to continue to run with jit off for another month.

    [/ half joking ]

  • problem? (Score:3, Funny)

    by shacky003 ( 1595307 ) on Friday July 17, 2009 @03:38AM (#28727035)
    "...fix a problem where Firefox on a Sparc platform would crash when visiting www.hp.com!" Much like the memory leak to nowhere, It wasn't a problem - it was a feature!
  • Going by previous versions of firefox, shouldn't it be 3.5.0.1 rather than 3.5.1?
    • Re:version numbers (Score:5, Informative)

      by Rhapsody Scarlet ( 1139063 ) on Friday July 17, 2009 @05:05AM (#28727405) Homepage

      Going by previous versions of firefox, shouldn't it be 3.5.0.1 rather than 3.5.1?

      Mozilla decided to simplify that with Firefox 3 (note that the upcoming security release for Firefox 3 is 3.0.12, not 3.0.0.12). Exactly why they used four numbers in the first place is something I don't know, it seems it started with Firefox 1.5. I know that one advantage touted of XPCOM was the ability to easily make incremental updates, so maybe there was a plan for a Firefox 1.5.1 and 1.5.2 (with the final number for each being used for security updates). Of course that would've been complicated and silly, so it seems the plan was abandoned and the version number compacted.

  • First Firefox starts depending on the IE security settings, now this - has it started using the IE temporary internet files as well? I'm starting to wonder if Mozilla are being paid by MS to promote their line that IE and the OS's networking model are one and the same thing.
    • Re: (Score:2, Interesting)

      by thejynxed ( 831517 )

      If you think that is bad enough, just use Process Explorer and click on Firefox.exe in the process list. You'll be extremely saddened by all the IE-specific nonsense that Firefox apparently is now reliant on.

      Firefox even decides to load driver files (.dll files and others) for Windows services I specifically have disabled.

      Firefox, do you honestly need to start winspool.drv, dnsapi.dll, rasadhlp.dll, rasapi32.dll, ieframe.dll, ieframe.dll.mui, etc? Really? Even with the associated services disabled? When the

      • Thanks for mentioning all the Windows .dll's that firefox-3.5+ is now loading. Means I wont be installing it at all and will simply have to suffer from IE8 on Win7-RC.

        As a Gentoo user, I'm even finding that the only time I use Firefox is to access Google and a couple of other sites that have flash games I play, otherwise it's Konqueror all the way for me since it's faster.

  • by Anonymous Coward on Friday July 17, 2009 @06:05AM (#28727661)

    so can anyone tell me why Firefox felt like it had to scan my hard drive in the first place? i had it set to delete history on exit. why then did it feel like it had to go looking in *other* programs' folders for history files?

    • by tepples ( 727027 )

      why then did it feel like it had to go looking in *other* programs' folders for history files?

      So that other programs can't guess the pseudorandom numbers that Firefox uses to set up SSL connections.

  • What Unix war? There is the normal bantering from people saying their version of Unix is better then the rest (Which for the most part is normally the version of Unix they know the best) but a Unix war. I haven't heard anything about it. Other then OS X all the other Unixes are in heavy competition against Linux and Windows for its survival.

    • What Unix war? There is the normal bantering from people saying their version of Unix is better then the rest (Which for the most part is normally the version of Unix they know the best) but a Unix war. I haven't heard anything about it. Other then OS X all the other Unixes are in heavy competition against Linux and Windows for its survival.

      The first rule of the Unix war is nobody talks about the Unix war. The MIB are on their way, please stay calm.

    • Other then OS X all the other Unixes are in heavy competition against Linux and Windows for its survival.

      Linux is UNIX too.

  • by Anonymous Coward on Friday July 17, 2009 @06:42AM (#28727815)
    gpg --verify "Firefox Setup 3.5.1.exe.asc"
    gpg: Signature made 07/15/09 19:56:19 using DSA key ID 17785FE8
    gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
    gpg: Note: This key has expired!
    Primary key fingerprint: 8D6F 1BA4 A340 4DDB 3F2F  D080 7447 4499 8123 47DD
         Subkey fingerprint: 3338 E6BA FF10 3B3D A6A9  E424 B57B 5484 1778 5FE8
  • On the macintosh version at least, the 'check for updates' menu item is in the Help menu. Because that's clearly where it belongs. I only found it because I was just about to search the help for advice on where to find it.

  • I've been using the OS X version of Firefox 3.5 on a Mac Pro and I've experienced a problem where the browser freezes (spinning beach-ball icon) every time I log onto my EasyNews account and do a search or request a list of content in a newsgroup that has a large number of results.

    Typically, it will quickly display the first page full of results, then freeze a second or two after that. If I wait long enough (several minutes or more) and come back to the browser, then sometimes I find it's no longer frozen

    • by Zan Lynx ( 87672 )

      I see that too on my Macbook Pro. I think it is an odd interaction between SQLite and those continuous backup programs that want to be like Time Machine. I'm using one (Memeo Lifeagent) that came with my Seagate external HD. If I put the backup software into "pause" mode Firefox gets a lot more responsive.

    • Sounds like bug 477564 [mozilla.org]. Try the workaround in the first comment.
  • on the Acid3 [acidtests.org] test, lagging both Opera and Safari which have reached 100% on this fun benchmark. About 50% faster on avg when I "thumb in the air" tested it (ran 10X and wrote down the times, then averaged them than Firefox was as little as six months ago, so this release is definitely one to pick up in terms of browser security and performance, though.

  • by Snaller ( 147050 ) on Friday July 17, 2009 @10:26AM (#28730427) Journal

    I mean, I've given up on scaling fonts lager on the fly (as opposed to zoom), but how about 'paste and go' for urls - like opera has had for years (and now chrome)

    • by Kev Vance ( 833 )
      Middle clicking in the document area will paste and go. That probably only works in X, but the same principle should apply on other interfaces.
    • What's wrong with the way it scale text? (You do know that the zoom menu have a "zoom text only" which sound exactly like what you want.

  • So why does the main Mozilla.com page still list 3.5 and not 3.5.1?

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...