Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 305789 - www-client/seamonkey has security issues
Summary: www-client/seamonkey has security issues
Status: RESOLVED DUPLICATE of bug 31264
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard:
Keywords:
Depends on: 300408 314009 324735
Blocks:
  Show dependency tree
 
Reported: 2010-02-18 18:05 UTC by Andrew A. Gill
Modified: 2011-01-02 02:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew A. Gill 2010-02-18 18:05:23 UTC 
Mozilla has released security advisories 2010-01 to 2010-05.  Most of these are fixed in ebuilds that Gentoo already has, but Thunderbird is affected by two critical ones, namely <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-01.html">2010-01</a> and <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-03.html">2010-03</a>, which require Thunderbird 3.0.2, which is not yet in Portage.

Seamonkey is affected by 2010-01, 2010-03, as well as <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-02.html">2010-02</a>, <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-04.html">2010-04</a>, and <a href="http://www.mozilla.org/security/announce/2010/mfsa2010-05.html">2010-05</a>.

I notice that Seamonkey doesn't seem to get much support on Gentoo, so I'm not expecting much on that side, but I'd like to see an ebuild of Thunderbird 3.0.2.

Reproducible: Always

Steps to Reproduce:
Comment 1 Jory A. Pratt gentoo-dev 2010-02-20 20:47:30 UTC 
When there is a bump avaliable for tb-3.0.2 it will be made avaliable not a minute sooner. The release is expected to be made the 28 of this month. We are well aware of the security issues.
Comment 2 Nikos Chantziaras 2010-03-04 15:47:41 UTC 
(In reply to comment #1)
> When there is a bump avaliable for tb-3.0.2 it will be made avaliable not a
> minute sooner.

But many minutes later, I guess :P

Upstream is now at Thunderbird 3.0.3.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-04 15:52:13 UTC 
(In reply to comment #2)
> But many minutes later, I guess :P
> 
> Upstream is now at Thunderbird 3.0.3.

The package has been bumped and is in stabilization. As Jory replied on bug 307045, we'll use that one for thunderbird and this one for seamonkey only.
Comment 4 Martin Mokrejš 2010-03-15 01:02:03 UTC 
> bug #300408#c1
> Further explanation: I'm planing to remove seamonkey-1* as soon as seamonkey-2
> has a stable version in tree.

I was one of the testers of seamonkey-2 and reported some issues on profile migration from 1.x to 2.x format. It included crashes, "lost" emails, incompatible "stale" entries in Preferences ("about:config") fooling the migration wizard ... There were many reports like this in the past (see mozilla's bugzilla). Please expect that some users will not be keen on moving quickly to seamonkey-2.0. Myself had no time to re-test. In summary, place einfo() to advice the transcition but please keep seamonkey-1.x in the tree. It keeps data in different locations to version 2 so they can both coexist.
Comment 5 Tomás Touceda (RETIRED) gentoo-dev 2010-04-08 13:36:04 UTC 
It seems that seamonkey has been mentioned in the advisory 2010-06:

http://www.mozilla.org/security/announce/2010/mfsa2010-06.html
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-04-08 13:41:49 UTC 
Just for reference, there's now also bug 312649.
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:42:17 UTC 
Nothing for mozilla team to do here, none of the affected versions/packages are
in-tree anymore.

Cumulative fixed in:

Firefox 3.6
Seamonkey 2.0.3
Thunderbird 3.0.2
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 02:51:02 UTC 

*** This bug has been marked as a duplicate of bug 31264 ***