Firefox version

bitlord · March 21, 2013, 11:22am

Hello,
I'm trying to find the version of Firefox that is on my server. Normally I do this.

> firefox -version
Mozilla Firefox 10.0.7

The issue is that this version of Firefox, is Firefox ESR 10.0.7. I need to be able to see, from the command line, the version of Firefox and if it is a ESR version.

Thanks

jim_mcnamara · March 21, 2013, 10:25pm

Did you try what:

what /usr/bin/firefox

assuming /usr/bin is the location of the executable

hanson44 · March 21, 2013, 11:07pm

What? Isn't "what" in very limited use? I never heard of it before.

-------------------------

What output do you get from firefox -v command?

If you can't figure it out, maybe just uninstall and reinstall with ESR. It should not take long to install.

Or look in directories where it is installed. Could well be a readme file with the needed information.

alister · March 21, 2013, 11:42pm

From within firefox, you can just check if app.update.channel in about:config is set to "esr". I'm not aware of any way to query about:config settings from the command line, but perhaps you do.

Regards,
Alister

bitlord · March 22, 2013, 10:14am

Thank you for replying.

jim mcnamara,
what is not a command on my system

hanson44,
I have provided the the output from firefox -version. I didn't see any read me file.

alister,
The point is to do this on the command line.

Anyway, the reason I want to do this, is so I can wright a script to see what version of Firefox is running. This is because I do a lot of server hardening and to fix certain CVE hits you need to upgrade to a certain version of Firefox.

For example to fix CVE-2013-0787 you need to have Firefox updated to one of the versions below.
Firefox 19.0.2 or later
Firefox ESR 17.0.4 or later

I'm sure you can now see my issue.

alister · March 22, 2013, 10:22am

Yes, I gathered that and even mentioned it in my post. I shared the information about app.update.channel in case you knew how to query about:config from the command line but were not aware of that particular setting.

Regards,
Alister

RudiC · March 22, 2013, 10:43am

What about trying this:

$ grep -r "app.update.channel" /usr/lib/firefox
/usr/lib/firefox/defaults/pref/channel-prefs.js:pref("app.update.channel", "release");

?

alister · March 22, 2013, 10:47am

I don't see any reason why you need to specifically detect the string "ESR" in the version. There is no 17.0.4 non-ESR version. What that CVE identifier means is that the Firefox version must be a version 17 release with minor.point release version of at least 0.4. Or, the version must be 19.0.2 or greater, which includes 20.x.y, 21.x.y, etc. Note that this means that there is no version 18.x.y which satisfies this condition.

If you wanted to check this programatically, the following pseudo code would do it:

major, minor, micro = split(firefox version string)

# All releases of version 20 or newer are safe
if major > 19
    return safe

# In the 19 branch, only .0.2 and newer are safe
if major == 19
    if minor > 0
        return safe
    if minor == 0
        if micro >= 2
            return safe

# There are no patched versions in the 18 branch.

# In the 17 branch, only .0.4 and newer are safe
if major == 17
    if minor > 0
        return safe
    if minor == 0
        if micro >= 4
            return safe

# Everything else is vulnerable
return vulnerable

http://en.wikipedia.org/wiki/Firefox\_release_history

Regards,
Alister

bitlord · March 22, 2013, 11:49am

RudiC,
This the result of the commands you gave me.
SLES 11 SP2

> grep -r "app.update.channel" /usr/local/bin/firefox
>

Solaris 10

> grep "app.update.channel"/usr/lib/firefox
>

---------- Post updated at 11:49 AM ---------- Previous update was at 11:36 AM ----------

alister,
Thank you for looking at this. The links provided are helpful. It looks like later point versions of Firefox are ESR. I guess that will have to do.