214816 2008-03-26 01:51 0000 mozilla-firefox <2.0.0.13, mozilla-thunderbird <2.0.0.14, seamonkey <1.1.9, xulrunner <1.8.1.13 Multiple vulnerabilites (CVE-2007-4879, CVE-2008-{1233,1234,1235,1236,1237,1238,1240,1241}) 2008-05-20 21:20:14 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13 A2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org 7v5w7go9ub0o@gmail.com arm@gentoo.org mozilla@gentoo.org rbu@gentoo.org 2008-03-26 01:51:10 0000 Firefox 2.0.0.13 is out, security fixes as usual. michael.schachtebeck@gmx.de 2008-03-26 09:36:30 0000 2.0.0.13 fixes (among others) 2 critical vulnerabilities, see http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13. armin76@gentoo.org 2008-03-26 13:54:30 0000 =www-client/mozilla-firefox[-bin]-2.0.0.13 =net-libs/xulrunner-1.8.1.13 =www-client/seamonkey[-bin]-1.1.9 in the tree rbu@gentoo.org 2008-03-26 20:49:56 0000 Arches, please test and mark stable: =www-client/mozilla-firefox-2.0.0.13 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86" =www-client/mozilla-firefox-bin-2.0.0.13 Target keywords : "amd64 release x86" =www-client/seamonkey-1.1.9 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86" =www-client/seamonkey-bin-1.1.9 Target keywords : "amd64 release x86" =net-libs/xulrunner-1.8.1.13 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86" rbu@gentoo.org 2008-03-26 20:51:53 0000 Raul, please note that as long as it's not p.masked, xulrunner-bin also needs to be upgraded. maekke@gentoo.org 2008-03-27 00:03:23 0000 amd64/x86 stable rbu@gentoo.org 2008-03-27 02:12:05 0000 (In reply to comment #4) > Raul, please note that as long as it's not p.masked, xulrunner-bin also needs > to be upgraded. *xulrunner-bin-1.8.1.13 (26 Mar 2008) 26 Mar 2008; Raúl Porcel <armin76@gentoo.org> xulrunner-bin-1.8.1.12.ebuild, +xulrunner-bin-1.8.1.13.ebuild: Version bump armin76@gentoo.org 2008-03-27 12:26:22 0000 alpha/ia64/sparc stable ranger@gentoo.org 2008-03-27 16:42:07 0000 ppc and ppc64 done rbu@gentoo.org 2008-03-27 20:46:18 0000 Description: CVE-2008-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1233): Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution." CVE-2008-1234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1234): Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers." CVE-2008-1235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1235): Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals." CVE-2008-1236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1236): Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine. CVE-2008-1237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1237): Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. CVE-2008-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1238): Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. CVE-2008-1241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1241): GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab. jer@gentoo.org 2008-03-28 05:03:21 0000 Marked stable for HPPA: =www-client/mozilla-firefox-2.0.0.13 =net-libs/xulrunner-1.8.1.13 =www-client/seamonkey-1.1.9 None of these passes the Acid3 test, btw. ;-) pva@gentoo.org 2008-03-28 08:09:28 0000 Fixed in release snapshot. rbu@gentoo.org 2008-03-29 19:48:52 0000 GLSA is filed, waiting for Thunderbird :-/ caster@gentoo.org 2008-05-01 23:07:25 0000 *** Bug 219983 has been marked as a duplicate of this bug. *** rbu@gentoo.org 2008-05-02 09:36:13 0000 As pointed out in the duplicate (see comment 13), Thunderbird 2.0.0.14 has been released. armin76@gentoo.org 2008-05-02 14:28:43 0000 mail-client/mozilla-thunderbird[-bin]-2.0.0.14 in the tree keytoaster@gentoo.org 2008-05-03 10:47:10 0000 Arches, please test and mark stable: =mozilla-thunderbird-2.0.0.14 Target keywords: "alpha amd64 ia64 ppc ppc64 release sparc x86" =mozilla-thunderbird-bin-2.0.0.14 Target keywords: "amd64 release x86" hanno@gentoo.org 2008-05-03 23:30:21 0000 CC-in archs for thunderbird stabilization. maekke@gentoo.org 2008-05-04 13:30:12 0000 amd64/x86 stable armin76@gentoo.org 2008-05-04 13:44:16 0000 alpha/ia64/sparc stable corsair@gentoo.org 2008-05-05 11:48:50 0000 ppc64 stable ranger@gentoo.org 2008-05-05 14:08:11 0000 ppc done rbu@gentoo.org 2008-05-20 21:20:14 0000 GLSA 200805-18, sorry for the delay