bug hiding systems

OtherJoey's latest rant piqued my curiosity. Why would security support for old versions of mozilla be so hard? Surely they have a BTS that receives patches that could be backported, like other free software projects?

Picking a recent mozilla firefox security hole at random from my list of 14, I saw I'd found a nice bug, CAN-2005-2270 arbitrary code execution by remote attackers. Note that this hole has had a mozilla security announcement since mid-July, as well as 6+ separate advisories from third parties.

There were several links to the mozilla bug tracking system, I chose the first:

Access Denied
You are not authorized to access bug #294795. To see this bug, you must first login to an account with the appropriate permissions.

Please press Back and try again.

Amazingly, they want you to get a user account and log in just to see a bug report. This is normally the point where I decide I have something more pressing to attend to, and so will most people. But I really wanted to see this one, and I remembered bugmenot (which, incidentally, mozilla has a plugin for).

Login details for bugzilla.mozilla.org

Account #1
anonymous@mailinator.com
digital

Awesome, so I can log in, and...

Access Denied
You are not authorized to access bug #294795.

Please press Back and try again.

That's right, this bug, which is for a security hole that was fixed two weeks ago, is not being disclosed until, apparently, August 1st. The same is true for several others of the holes fixed in recent versions. That's two weeks for distributions that have to backport these fixes to race against black hats to see who can track down the hole in all the other changes in the new mozilla release, and respectively fix and exploit it.

And so Ubuntu has decided to backport the new mozilla versions into their releases instead of backporting fixes, while Debian stable has decided to bow out of the race. Both understandable decisions in their own contexts.

This, IMHO, is a very good reason to find another web browser, both for myself and for those users for whom I maintain stable systems.