firefox-2.0.0.5 is released, containing security-relevant fixes
*** Bug 185739 has been marked as a duplicate of this bug. ***
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.5 Fixed in Firefox 2.0.0.5 MFSA 2007-25 XPCNativeWrapper pollution MFSA 2007-24 Unauthorized access to wyciwyg:// documents MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer MFSA 2007-22 File type confusion due to %00 in name MFSA 2007-21 Privilege escallation using an event handler attached to an element not in the document MFSA 2007-20 Frame spoofing while window is loading MFSA 2007-19 XSS using addEventListener and setTimeout MFSA 2007-18 Crashes with evidence of memory corruption
thanks for the report Timo. Mozilla, please advise and bump as necessary.
This affects mozilla-thunderbird and too. No idea if it affects seamonkey or xulrunner, at least the advisories doesn't say that. I guess it affects xulrunner too, unless the bugs fixed are on the program itself and not the codebase. mozilla-firefox[-bin]-2.0.0.5 in the tree, we'll have to wait until they release the other apps.
(In reply to comment #4) > This affects mozilla-thunderbird and too. No idea if it affects seamonkey or > xulrunner, at least the advisories doesn't say that. Robert Kaiser has confirmed that some of the security issues do affect seamonkey (though MFSA 2007-23 doesn't). The seamonkey folks were caught a bit off-guard when fx 2.0.0.5 was rushed out, and Kaiser says they'll release seamonkey 1.1.3 as soon as they can. http://groups.google.com/group/mozilla.support.seamonkey/browse_thread/thread/0871c8f8259be11a
seamonkey-1.1.3 compiles fine with the current gentoo patchset. So the bump should be no big problem...
By the way: # grep HOMEPAGE /usr/portage/www-client/seamonkey/*.ebuild HOMEPAGE="http://www.mozilla.org" # This should be changed either in http://www.mozilla.org/projects/seamonkey/ or http://www.seamonkey-project.org (which redirects to the former URL).
*** Bug 186005 has been marked as a duplicate of this bug. ***
*** Bug 186003 has been marked as a duplicate of this bug. ***
mail-client/mozilla-thunderbird[-bin]-2.0.0.5 and www-client/seamonkey[-bin]-1.1.3, in the tree. xulrunner will have to wait
net-libs/xulrunner-1.8.1.5 in the tree
Arches please do: mail-client/mozilla-thunderbird[-bin]-2.0.0.5 www-client/seamonkey[-bin]-1.1.3 net-libs/xulrunner-1.8.1.5 mozilla-firefox[-bin]-2.0.0.5 Thanks
sparc stable.
(In reply to comment #12) > Arches please do: > > mail-client/mozilla-thunderbird[-bin]-2.0.0.5 Not keyworded for HPPA. > www-client/seamonkey[-bin]-1.1.3 > net-libs/xulrunner-1.8.1.5 > mozilla-firefox[-bin]-2.0.0.5 All three (not www-client/seamonkey-bin) stable for HPPA, but HPPA users should take note of bug #180870 - sadly, GNOME's Epiphany (www-client/epiphany) will work built against either mozilla-firefox or xulrunner, but neither seamonkey nor mozilla-firefox will run "on their own".
stable on ppc64: mail-client/mozilla-thunderbird[-bin]-2.0.0.5 www-client/seamonkey[-bin]-1.1.3 mozilla-firefox[-bin]-2.0.0.5 no stable keyword at all for ppc64: net-libs/xulrunner-1.8.1.5
ppc stable.
www-client/mozilla-firefox-bin-2.0.0.5 USE="-restrict-javascript" www-client/mozilla-firefox-2.0.0.5 USE="ipv6 java -bindist -debug -filepicker -gnome -mozdevelop -moznopango -restrict-javascript -xforms -xinerama -xprint" mail-client/mozilla-thunderbird-2.0.0.5 USE="crypt ipv6 -bindist -debug -gnome -ldap -mozdom -moznopango -replytolist -xinerama -xprint" mail-client/mozilla-thunderbird-bin-2.0.0.5 x11-plugins/enigmail-0.95.1 www-client/seamonkey-bin-1.1.3 www-client/seamonkey-1.1.3 USE="crypt ipv6 java -debug -gnome -ldap -mozdevelop -moznocompose -moznoirc -moznomail -moznopango -moznoroaming -postgres -xforms -xinerama -xprint" 1. All packages emerge on AMD64. 2. No collisions etc. 3. Works. mail-client/mozilla-thunderbird-2.0.0.5 with crypt use-flag needs x11-plugins/enigmail-0.95.1 stabilized as well. x11-plugins/enigmail-0.95.1 is stable on all other arches that have a stable enigmail. x11-plugins/enigmail-0.95.1 have been in the tree for more than a month and none of the enigmail bugs are related to 0.95.1. Suggest we mark all 7 packages stable on AMD64. Portage 2.1.2.9 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.20-gentoo-r8 x86_64) ================================================================= System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Gentoo Base System release 1.12.9 Timestamp of tree: Fri, 27 Jul 2007 21:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r7 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.23b virtual/os-headers: 2.6.21 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" LINGUAS="da en" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acpi aiglx alsa amd64 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk gtk2 hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde libg++ lm_sensors mad midi mikmod mjpeg mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse3 ssl tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="da en" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable, thanks Jonas
Calling a vote despite the policy cause we also have bug 187205, and since we're already late with others glsas, maybe we should combine this one with the other bug. Any opinions on this?
I vote yes for a combined GLSA that points people to 2.0.0.6 - no reason at this point to work with 2.0.0.5 any more.
submitted the combined request.
Combined GLSA 200708-09 with bug 187205, thanks everybody