Bug 576862 - <www-client/firefox{,-bin}-{38.7.0,45.0} <mail-client/thunderbird{,-bin}-38.7.0 <dev-libs/nss-3.22.2 : multiple vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Reported: 2016-03-09 14:42 UTC by Agostino Sarubbo
Modified: 2016-05-31 06:04 UTC
Description Agostino Sarubbo gentoo-dev 2016-03-09 14:42:36 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-19/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-21/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-22/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-26/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-32/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/

Fixed versions:
-Firefox 45
-Firefox ESR 38.7
-NSS 3.19.2.3
-NSS 3.21.1
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-09 21:27:49 UTC
Ebuilds for firefox and firefox-bin 38.7 and 45.0 are in the tree.  I pushed firefox-bin-38.7.0 straight to stable already.

nss-3.22.2 is already in the tree, and it additionally fixes CVE-2016-1950 which it seems has not yet been made public.

Please note that we are awaiting upstream releases of thunderbird and seamonkey that will resolve their vulnerabilities, too.  I leave it up to security to CC arches now or wait until thunderbird and seamonkey are available.


Arches, please stabilize as follows:

=dev-libs/nspr-4.12 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
(as it is a dependency of dev-libs/nss-3.22.1 and above)

=dev-libs/nss-3.22.2 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=www-client/firefox-38.7.0 stable KEYWORDS="amd64 hppa ppc ppc64 x86"
Comment 2 Sven B. 2016-03-10 11:17:39 UTC
@EAPI 6
firefox-45.0.ebuild still contains Xemake within the pgo part.

-> Xemake is unsupported in EAPI > 5, please use 'virtx emake ....'
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-10 17:17:43 UTC
(In reply to Sven B. from comment #2)
> @EAPI 6
> firefox-45.0.ebuild still contains Xemake within the pgo part.
> 
> -> Xemake is unsupported in EAPI > 5, please use 'virtx emake ....'

Addressed in commit b1eb7522eed2a1a54652fbaf1d5094dd11e9d8f8 , thanks for reporting.
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-10 17:25:34 UTC
(In reply to Ian Stakenvicius from comment #3)
> (In reply to Sven B. from comment #2)
> > @EAPI 6
> > firefox-45.0.ebuild still contains Xemake within the pgo part.
> > 
> > -> Xemake is unsupported in EAPI > 5, please use 'virtx emake ....'
> 
> Addressed in commit b1eb7522eed2a1a54652fbaf1d5094dd11e9d8f8 , thanks for
> reporting.

Sorry that's commit bb040ce5446d633ce0edfe025a5e1ac13bb893ba  (--rebase=preserve changed the hash)
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-14 04:54:18 UTC
mail-client/thunderbird{,-bin}-38.7.0 has now been added to the tree.

Final list for stabilization, ATs please stabilize:

=dev-libs/nspr-4.12 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
(as it is a dependency of dev-libs/nss-3.22.1 and above)

=dev-libs/nss-3.22.2 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=www-client/firefox-38.7.0 stable KEYWORDS="amd64 hppa ppc ppc64 x86"

=mail-client/thunderbird-38.7.0 stable KEYWORDS="amd64 ppc ppc64 x86"
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-03-14 07:32:20 UTC
CVE-2016-2802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2802):
  The graphite2::TtfUtil::CmapSubtable4NextCodepoint function in Graphite 2
  before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
  before 38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2801):
  The graphite2::TtfUtil::CmapSubtable12Lookup function in TtfUtil.cpp in
  Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox
  ESR 38.x before 38.7, allows remote attackers to cause a denial of service
  (buffer over-read) or possibly have unspecified other impact via a crafted
  Graphite smart font, a different vulnerability than CVE-2016-2797.

CVE-2016-2800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2800):
  The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2792.

CVE-2016-2799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2799):
  Heap-based buffer overflow in the graphite2::Slot::setAttr function in
  Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox
  ESR 38.x before 38.7, allows remote attackers to cause a denial of service
  or possibly have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2798 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2798):
  The graphite2::GlyphCache::Loader::Loader function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2797 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2797):
  The graphite2::TtfUtil::CmapSubtable12Lookup function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2801.

CVE-2016-2796 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2796):
  Heap-based buffer overflow in the graphite2::vm::Machine::Code::Code
  function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0
  and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial
  of service or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2795):
  The graphite2::FileFace::get_table_fn function in Graphite 2 before 1.3.6,
  as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7,
  does not initialize memory for an unspecified data structure, which allows
  remote attackers to cause a denial of service or possibly have unknown other
  impact via a crafted Graphite smart font.

CVE-2016-2794 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2794):
  The graphite2::TtfUtil::CmapSubtable12NextCodepoint function in Graphite 2
  before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x
  before 38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font.

CVE-2016-2793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2793):
  CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before
  45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a
  denial of service (buffer over-read) or possibly have unspecified other
  impact via a crafted Graphite smart font.

CVE-2016-2792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2792):
  The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to cause a denial of service (buffer
  over-read) or possibly have unspecified other impact via a crafted Graphite
  smart font, a different vulnerability than CVE-2016-2800.

CVE-2016-2791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2791):
  The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as
  used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows
  remote attackers to cause a denial of service (buffer over-read) or possibly
  have unspecified other impact via a crafted Graphite smart font.

CVE-2016-2790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2790):
  The graphite2::TtfUtil::GetTableInfo function in Graphite 2 before 1.3.6, as
  used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, does
  not initialize memory for an unspecified data structure, which allows remote
  attackers to cause a denial of service or possibly have unknown other impact
  via a crafted Graphite smart font.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-03-14 07:33:07 UTC
CVE-2016-1979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1979):
  Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey
  function in Mozilla Network Security Services (NSS) before 3.21.1, as used
  in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via crafted key data with
  DER encoding.

CVE-2016-1978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1978):
  Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange
  function in Mozilla Network Security Services (NSS) before 3.21, as used in
  Mozilla Firefox before 44.0, allows remote attackers to cause a denial of
  service or possibly have unspecified other impact by making an SSL (1) DHE
  or (2) ECDHE handshake at a time of high memory consumption.

CVE-2016-1977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1977):
  The Machine::Code::decoder::analysis::set_ref function in Graphite 2 before
  1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before
  38.7, allows remote attackers to execute arbitrary code or cause a denial of
  service (stack memory corruption) via a crafted Graphite smart font.

CVE-2016-1976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1976):
  Use-after-free vulnerability in the DesktopDisplayDevice class in the WebRTC
  implementation in Mozilla Firefox before 45.0 on Windows might allow remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via unknown vectors.

CVE-2016-1975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1975):
  Multiple race conditions in dom/media/systemservices/CamerasChild.cpp in the
  WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow
  remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via unknown vectors.

CVE-2016-1974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1974):
  The nsScannerString::AppendUnicodeTo function in Mozilla Firefox before 45.0
  and Firefox ESR 38.x before 38.7 does not verify that memory allocation
  succeeds, which allows remote attackers to execute arbitrary code or cause a
  denial of service (out-of-bounds read) via crafted Unicode data in an HTML,
  XML, or SVG document.

CVE-2016-1973 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1973):
  Race condition in the GetStaticInstance function in the WebRTC
  implementation in Mozilla Firefox before 45.0 might allow remote attackers
  to execute arbitrary code or cause a denial of service (use-after-free) via
  unspecified vectors.

CVE-2016-1972 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1972):
  Race condition in libvpx in Mozilla Firefox before 45.0 on Windows might
  allow remote attackers to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via unknown vectors.

CVE-2016-1971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1971):
  The I420VideoFrame::CreateFrame function in the WebRTC implementation in
  Mozilla Firefox before 45.0 on Windows omits an unspecified status check,
  which might allow remote attackers to cause a denial of service (memory
  corruption) or possibly have other impact via unknown vectors.

CVE-2016-1970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1970):
  Integer underflow in the srtp_unprotect function in the WebRTC
  implementation in Mozilla Firefox before 45.0 on Windows might allow remote
  attackers to cause a denial of service (memory corruption) or possibly have
  unspecified other impact via unknown vectors.

CVE-2016-1969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1969):
  The setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox
  before 45.0 and Firefox ESR 38.x before 38.6.1, allows remote attackers to
  cause a denial of service (out-of-bounds write) or possibly have unspecified
  other impact via a crafted Graphite smart font.

CVE-2016-1968 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1968):
  Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (buffer overflow) via crafted data with brotli compression.

CVE-2016-1967 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1967):
  Mozilla Firefox before 45.0 does not properly restrict the availability of
  IFRAME Resource Timing API times, which allows remote attackers to bypass
  the Same Origin Policy and obtain sensitive information via crafted
  JavaScript code that leverages history.back and performance.getEntries calls
  after restoring a browser session. NOTE: this vulnerability exists because
  of an incomplete fix for CVE-2015-7207.

CVE-2016-1966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1966):
  The nsNPObjWrapper::GetNewOrUsed function in
  dom/plugins/base/nsJSNPRuntime.cpp in Mozilla Firefox before 45.0 and
  Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary
  code or cause a denial of service (invalid pointer dereference and memory
  corruption) via a crafted NPAPI plugin.

CVE-2016-1965 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1965):
  Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a
  navigation sequence that returns to the original page, which allows remote
  attackers to spoof the address bar via vectors involving the history.back
  method and the location.protocol property.

CVE-2016-1964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1964):
  Use-after-free vulnerability in the AtomicBaseIncDec function in Mozilla
  Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers
  to execute arbitrary code or cause a denial of service (heap memory
  corruption) by leveraging mishandling of XML transformations.

CVE-2016-1963 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1963):
  The FileReader class in Mozilla Firefox before 45.0 allows local users to
  gain privileges or cause a denial of service (memory corruption) by changing
  a file during a FileReader API read operation.

CVE-2016-1962 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1962):
  Use-after-free vulnerability in the mozilla::DataChannelConnection::Close
  function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7
  allows remote attackers to execute arbitrary code by leveraging mishandling
  of WebRTC data-channel connections.

CVE-2016-1961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1961):
  Use-after-free vulnerability in the nsHTMLDocument::SetBody function in
  dom/html/nsHTMLDocument.cpp in Mozilla Firefox before 45.0 and Firefox ESR
  38.x before 38.7 allows remote attackers to execute arbitrary code by
  leveraging mishandling of a root element, aka ZDI-CAN-3574.

CVE-2016-1960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1960):
  Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser
  in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows
  remote attackers to execute arbitrary code or cause a denial of service
  (use-after-free) by leveraging mishandling of end tags, as demonstrated by
  incorrect SVG processing, aka ZDI-CAN-3545.

CVE-2016-1959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1959):
  The ServiceWorkerManager class in Mozilla Firefox before 45.0 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (out-of-bounds read and memory corruption) via unspecified use of the
  Clients API.

CVE-2016-1958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1958):
  browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox
  ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a
  javascript: URL.

CVE-2016-1957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1957):
  Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR
  38.x before 38.7 allows remote attackers to cause a denial of service
  (memory consumption) via an MPEG-4 file that triggers a delete operation on
  an array.

CVE-2016-1956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1956):
  Mozilla Firefox before 45.0 on Linux, when an Intel video driver is used,
  allows remote attackers to cause a denial of service (memory consumption or
  stack memory corruption) by triggering use of a WebGL shader.

CVE-2016-1955 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1955):
  Mozilla Firefox before 45.0 allows remote attackers to bypass the Same
  Origin Policy and obtain sensitive information by reading a Content Security
  Policy (CSP) violation report that contains path information associated with
  an IFRAME element.

CVE-2016-1954 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1954):
  The nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp in
  Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not
  prevent use of a non-HTTP report-uri for a Content Security Policy (CSP)
  violation report, which allows remote attackers to cause a denial of service
  (data overwrite) or possibly gain privileges by specifying a URL of a local
  file.

CVE-2016-1953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1953):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 45.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via vectors related to js/src/jit/arm/Assembler-arm.cpp, and unknown other
  vectors.

CVE-2016-1952 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1952):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 45.0 and Firefox ESR 38.x before 38.7 allow remote attackers
  to cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2016-1950 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1950):
  Heap-based buffer overflow in Mozilla Network Security Services (NSS) before
  3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox
  before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to
  execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 08:24:58 UTC
Added to existing GLSA.  Stabilization and cleanup on all CC'ed arches is critical.  This will ensure multiple bugs with vulnerabilities are addressed due to missing stabilization on older packages.  Thanks all.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 09:26:58 UTC
(In reply to Ian Stakenvicius from comment #1)
> Ebuilds for firefox and firefox-bin 38.7 and 45.0 are in the tree.  I pushed
> firefox-bin-38.7.0 straight to stable already.
> 
> nss-3.22.2 is already in the tree, and it additionally fixes CVE-2016-1950
> which it seems has not yet been made public.
> 
> Please note that we are awaiting upstream releases of thunderbird and
> seamonkey that will resolve their vulnerabilities, too.  I leave it up to
> security to CC arches now or wait until thunderbird and seamonkey are
> available.
> 
> 
> Arches, please stabilize as follows:
> 
> =dev-libs/nspr-4.12 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k
> ppc ppc64 s390 sh sparc x86"
> (as it is a dependency of dev-libs/nss-3.22.1 and above)
> 
> =dev-libs/nss-3.22.2 stable KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k
> ppc ppc64 s390 sh sparc x86"
> 
> =www-client/firefox-38.7.0 stable KEYWORDS="amd64 hppa ppc ppc64 x86"

We will wait until Seamonkey is released as well to close out the bug.
Comment 10 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-14 13:41:24 UTC
(In reply to Aaron Bauman from comment #9)
> 
> We will wait until Seamonkey is released as well to close out the bug.

Please don't wait -- a seamonkey release could be weeks to months away, and at this point their next release will still be against mozilla43 rather than mozilla45, so that's two security-bug cohorts behind.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 13:52:47 UTC
(In reply to Ian Stakenvicius from comment #10)
> (In reply to Aaron Bauman from comment #9)
> > 
> > We will wait until Seamonkey is released as well to close out the bug.
> 
> Please don't wait -- a seamonkey release could be weeks to months away, and
> at this point their next release will still be against mozilla43 rather than
> mozilla45, so that's two security-bug cohorts behind.

Thank you for the information, Ian.  I will adjust the GLSA accordingly and we can proceed.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-14 14:29:34 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-14 14:30:23 UTC
x86 stable
Comment 14 boxcars 2016-03-14 17:29:02 UTC
(In reply to Ian Stakenvicius from comment #10)

> a seamonkey release could be weeks to months away, 
> and at this point their next release will still be 
> against mozilla43 rather than mozilla45, so that's
> two security-bug cohorts behind.

I understand the upstream SM team is plugging away as fast as they can to catch up, but in the meantime shouldn't all the seamonkeys in gentoo's tree be masked?
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 08:43:31 UTC
(In reply to boxcars from comment #14)
> (In reply to Ian Stakenvicius from comment #10)
> 
> > a seamonkey release could be weeks to months away, 
> > and at this point their next release will still be 
> > against mozilla43 rather than mozilla45, so that's
> > two security-bug cohorts behind.
> 
> I understand the upstream SM team is plugging away as fast as they can to
> catch up, but in the meantime shouldn't all the seamonkeys in gentoo's tree
> be masked?

@Ian, is it typical for the release cycle on SeaMonkey to be several months?  

This may be something for the security team to decide on considering the revolving door that is Firefox vulnerabilities.
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-15 09:12:52 UTC
(In reply to Aaron Bauman from comment #15)
> (In reply to boxcars from comment #14)
> > (In reply to Ian Stakenvicius from comment #10)
> > 
> > > a seamonkey release could be weeks to months away, 
> > > and at this point their next release will still be 
> > > against mozilla43 rather than mozilla45, so that's
> > > two security-bug cohorts behind.
> > 
> > I understand the upstream SM team is plugging away as fast as they can to
> > catch up, but in the meantime shouldn't all the seamonkeys in gentoo's tree
> > be masked?
> 
> @Ian, is it typical for the release cycle on SeaMonkey to be several months?
> 
> 
> This may be something for the security team to decide on considering the
> revolving door that is Firefox vulnerabilities.

At least it underlines that tracking bugs should be used with separate bug reports for each of the mozilla products. But seamonkey is turning out to be a pain to track, can it be masked by no keywords? (unless it is an intermittent situation, and so far it doesn't seem like it.. using p.mask lingering for a long time is bad practice, but if no keyword or removal is out of the option I'm for that as well in this case)
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 09:38:48 UTC
> At least it underlines that tracking bugs should be used with separate bug
> reports for each of the mozilla products. But seamonkey is turning out to be
> a pain to track, can it be masked by no keywords? (unless it is an
> intermittent situation, and so far it doesn't seem like it.. using p.mask
> lingering for a long time is bad practice, but if no keyword or removal is
> out of the option I'm for that as well in this case)

I don't think tracking bugs are really needed here.  SM is unique in that it depends on the upstream FF developers to release.  Due to that, I would vote that the package is masked by no keywords.  I am not a full member of the security team though so let's see how they weigh in...
Comment 18 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-15 12:43:39 UTC
Also, seamonkey is Poly-C's beast, so it would likely be best to follow his advice on what to do with the package.

That said, given the separation of release cycles it does make sense to treat seamonkey under its own security bugs rather than under the same bugs as firefox and thunderbird.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-03-15 12:56:35 UTC
All individual packages should be tracked in their own bugs in my opinion.  It more often than not slows things down anyway.  For the time being though we will get a consensus.
Comment 20 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:34:42 UTC
I stabilized these on alpha:

dev-libs/nspr-4.12
dev-libs/nss-3.22.2

I also accidentally put firefox on stable for alpha, I have reverted that just now.
Comment 21 Agostino Sarubbo gentoo-dev 2016-03-16 14:11:38 UTC
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2016-03-17 11:35:21 UTC
ppc64 stable
Comment 23 Markus Meier gentoo-dev 2016-03-18 06:12:08 UTC
arm stable
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-19 10:02:01 UTC
commit 1dea92b6891261ca4c0c1b0453683737d44dd393
Author: Ian Stakenvicius <axs@gentoo.org>
Date:   Thu Mar 17 22:22:44 2016 -0400

    www-client/firefox: version bumps for security bug 576864, remove old

    Version bumps firefox-38.7.1 and firefox-45.0.1 address the graphite2 vulnerabilities
    by disabling the bundled graphite2 library.

    Also addressed in firefox-45.0.1 is bug 577298.

    Old/vulnerable versions 38.5, 38.6.1 and 44.0.2 have been dropped.

    Package-Manager: portage-2.2.26

So you dropped the stable ebuilds before newer once went stable?
Comment 25 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-19 10:03:03 UTC
Ones*
Comment 26 Agostino Sarubbo gentoo-dev 2016-03-19 12:30:22 UTC
sparc stable
Comment 27 Agostino Sarubbo gentoo-dev 2016-03-20 12:26:28 UTC
ia64 stable
Comment 28 Ian Stakenvicius (RETIRED) gentoo-dev 2016-03-21 14:06:51 UTC
(In reply to Jeroen Roovers from comment #24)
> commit 1dea92b6891261ca4c0c1b0453683737d44dd393
> Author: Ian Stakenvicius <axs@gentoo.org>
> Date:   Thu Mar 17 22:22:44 2016 -0400
> 
>     www-client/firefox: version bumps for security bug 576864, remove old
> 
>     Version bumps firefox-38.7.1 and firefox-45.0.1 address the graphite2
> vulnerabilities
>     by disabling the bundled graphite2 library.
> 
>     Also addressed in firefox-45.0.1 is bug 577298.
> 
>     Old/vulnerable versions 38.5, 38.6.1 and 44.0.2 have been dropped.
> 
>     Package-Manager: portage-2.2.26
> 
> So you dropped the stable ebuilds before newer once went stable?

Uhh....maybe?  It was my intention to only drop the ones that already had a newer version stabilized.  Seems I was too aggressive in dropping 38.6.1, apologies for that.

At this point it looks like hppa is the only one left, is it likely that 38.7.0 or 38.7.1 could be stabilized soon enough to address this error, or should I restore 38.6.1 in the meantime?
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-25 13:01:13 UTC
Stable for HPPA.
Comment 30 Aaron Bauman (RETIRED) gentoo-dev 2016-03-25 13:11:46 UTC
Stable arches complete.

Pending cleanup for mail-client/thunderbird{-bin} & dev-libs/nss

Thanks!
Comment 31 Yury German Gentoo Infrastructure gentoo-dev 2016-05-31 06:04:51 UTC
This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).