130888 2006-04-22 14:02 0000 mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code execution (CVE-2006-0748) 2006-10-15 04:29:18 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird A2 [tempglsa stable+ alpha] Falco P2 major --- 1 falco@gentoo.org security@gentoo.org mozilla@gentoo.org tcort@gentoo.org falco@gentoo.org 2006-04-22 14:02:41 0000 splitting #129924 in one bug per package for helping handling http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird Fixed in Thunderbird 1.0.8 MFSA 2006-27 Table Rebuilding Code Execution Vulnerability MFSA 2006-26 Mail Multiple Information Disclosure MFSA 2006-25 Privilege escalation through Print Preview MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability MFSA 2006-21 JavaScript execution in mail when forwarding in-line MFSA 2006-19 Cross-site scripting using .valueOf.call() MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability MFSA 2006-17 cross-site scripting through window.controllers MFSA 2006-16 Accessing XBL compilation scope via valueOf.call() MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent MFSA 2006-14 Privilege escalation via XBL.method.eval MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8) MFSA 2006-10 JavaScript garbage-collection hazard audit MFSA 2006-09 Cross-site JavaScript injection using event handlers MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist() MFSA 2006-01 JavaScript garbage-collection hazards falco@gentoo.org 2006-04-22 14:05:46 0000 same as the moz-1.0.8 thing (#129924), moz team, please provide a new ebuild mail-client/mozilla-thunderbird-1.0.8 geekypenguin@gmail.com 2006-04-22 20:54:19 0000 Please keyword 1.5.0.2 were possible, ONLY keyword 1.0.8 for those who can NOT mark 1.5.0.2. AMD64 and X86 DO NOT forget -bin. dercorny@gentoo.org 2006-04-22 20:59:49 0000 (bugzie forced a comment for some minor changes, so here is one to make it happy) geekypenguin@gmail.com 2006-04-22 21:01:27 0000 If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not getting it in original post. dertobi123@gentoo.org 2006-04-23 00:22:44 0000 (In reply to comment #4) > If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not > getting it in original post. There's no enigmail-0.94.0-r2, I guess we can keyword enigmail-0.94.0-r1? dertobi123@gentoo.org 2006-04-23 08:26:51 0000 <@Anarchy> dertobi123, enigmail-0.94.0-r2 is in the tree I forgot to make the commit with all other commits and bumps I am working on so, ppc stable :) gustavoz@gentoo.org 2006-04-24 12:53:24 0000 sparc stable. antarus@gentoo.org 2006-04-26 07:02:48 0000 moz-1.0.8 and moz-bin-1.0.8 stable on x86 geekypenguin@gmail.com 2006-04-29 04:36:07 0000 amd64 stable 1.5.0.2 !! falco@gentoo.org 2006-05-05 10:41:03 0000 alpha team, aware ? something wrong ? ferdy@gentoo.org 2006-05-05 10:45:47 0000 See the bug this one depends on :) - ferdy falco@gentoo.org 2006-05-05 11:04:57 0000 oh ok, sorry :) it's worrying. Is #131359 progressing ? ETA ? koon@gentoo.org 2006-05-06 09:18:44 0000 We'll probably have to publish the GLSA and say alpha is still affected, and update it when it gets fixed... koon@gentoo.org 2006-05-08 10:40:31 0000 A temporary GLSA was sent : GLSA 200605-09 We'll update it once TB reaches stable on alpha tcort@gentoo.org 2006-06-02 06:00:57 0000 (In reply to comment #12) > it's worrying. Is #131359 progressing ? ETA ? No progress or ETA, so I've masked =mail-client/mozilla-thunderbird-1.0.7* in profiles/default-linux/alpha/package.mask and dropped the ~alpha keyword from thunderbird-1.0.8 as it is badly broken on alpha (Bug #131359) and 1.5 doesn't compile (also Bug #131359). BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything. falco@gentoo.org 2006-06-02 06:18:05 0000 > BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to > still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything. > contrary to the "supported" arches [1], ia64 is not obliged to stabilize the ebuilds concerning the security issues before we send a GLSA. [1] http://www.gentoo.org/security/en/vulnerability-policy.xml , part 1, "Scope" falco@gentoo.org 2006-06-11 12:03:53 0000 Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is affected by several vulnerabilities. I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256. tcort@gentoo.org 2006-06-13 11:40:38 0000 (In reply to comment #17) > Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to > keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is > affected by several vulnerabilities. > I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256. mozilla-thunderbird-1.5.0.4 is also broken on alpha. It uses ~100% of the CPU and the main window never comes up. This is similar to the problem we are having with firefox-1.5 on alpha, see Bug #128777. This bug can probably be closed since it isn't looking like we will be able to mark thunderbird-1.5 stable on alpha and alpha has all affected versions of thunderbird masked in profiles/default-linux/alpha/package.mask. Output of `top`: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3593 tcort 20 0 33120 32m 23m R 93.2 10.4 9:52.85 thunderbird-bin falco@gentoo.org 2006-06-13 12:58:16 0000 > mozilla-thunderbird-1.5.0.4 is also broken on alpha. OK, so you will have to let thunderbird masked :( you're right, i can close this bug. Same for bug 120485.