98855 2005-07-13 01:04 0000 mail-client/mozilla-thunderbird{-bin}: 1.0.5 fixes multiple vulnerabilities 2005-07-18 00:58:31 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird A2 [glsa] koon P2 major --- 1 koon@gentoo.org security@gentoo.org askwar@digitalprojects.com mozilla@gentoo.org koon@gentoo.org 2005-07-13 01:04:43 0000 Thunderbird 1.0.5 will fix the following vulnerability : MFSA 2005-46 XBL scripts ran even when Javascript disabled jaervosz@gentoo.org 2005-07-14 01:41:15 0000 1.0.5 released, mozilla please bump. Note there is still no entry the security page: http://www.mozilla.org/projects/security/known-vulnerabilities.html koon@gentoo.org 2005-07-14 03:52:51 0000 Fixed in TB 1.0.5 : MFSA 2005-56 Code execution through shared function objects MFSA 2005-55 XHTML node spoofing MFSA 2005-52 Same origin violation: frame calling top.focus() MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo() MFSA 2005-46 XBL scripts ran even when Javascript disabled MFSA 2005-44 Privilege escalation via non-DOM property overrides MFSA 2005-41 Privilege escalation via DOM property overrides MFSA 2005-40 Missing Install object instance checks MFSA 2005-33 Javascript "lambda" replace exposes memory contents geekypenguin@gmail.com 2005-07-14 09:21:03 0000 mail-client/thunderbird{-bin}: 1.0.5 are in the tree. koon@gentoo.org 2005-07-14 10:17:33 0000 Thx Anarchy, arches please test and mark stable : mozilla-thunderbird target KEYWORDS="alpha amd64 ia64 ppc sparc x86" mozilla-thunderbird-bin target KEYWORDS="~amd64 x86" geekypenguin@gmail.com 2005-07-14 10:40:51 0000 Hold the stable please it is still masked until Aron looks at it and makes a call on enigmail support. Sorry I should have announced it when I put it up that they were in the tree. koon@gentoo.org 2005-07-14 10:44:34 0000 Waiting for a more definitive ebuild for TB. x86 can still test TB-bin though. blubb@gentoo.org 2005-07-14 10:51:00 0000 i guess amd64 too, right? :) geekypenguin@gmail.com 2005-07-14 11:22:25 0000 Aight we have made our finall changes to thunderbird-1.0.5 we can go ahead with marking stable. koon@gentoo.org 2005-07-14 11:30:29 0000 Calling back arches... Anarchy will test for ppc. blubb: TB-bin is ~amd64 so you don't really need to mark it stable... But you need to mark TB-not-bin amd64 :) carlo@gentoo.org 2005-07-14 11:58:25 0000 *** Bug 99031 has been marked as a duplicate of this bug. *** geekypenguin@gmail.com 2005-07-14 12:26:31 0000 PPC is stable you will need to stabilize mozilla-launcher 0.34 before you can stablize thunderbird this is fine. Aron and Myself has already discussed this and do not see any problems. humpback@gentoo.org 2005-07-14 12:43:55 0000 I was actually thinking of marking the -bin stable on amd64 as it works very well. I've already tested the 1.0.5 ond amd64 but i needed that a non ~amd64 user would test and report. gustavoz@gentoo.org 2005-07-14 12:46:54 0000 I can do the amd64 -bin stable test in about 4 hours when i'm home. gustavoz@gentoo.org 2005-07-14 17:57:50 0000 sparc stable. amd64 thunderbird-bin works fine here too (not keywording though since i'm not on amd64@/authorized/whatever). humpback@gentoo.org 2005-07-14 18:38:39 0000 -bin stable on amd64 kloeri@gentoo.org 2005-07-16 16:49:29 0000 Stable on alpha and ia64. koon@gentoo.org 2005-07-17 10:36:46 0000 x86, amd64: please test and mark thunderbird and thunderbird-bin stable (thunderbird-bin is already done for amd64) koon@gentoo.org 2005-07-17 10:43:23 0000 Hmm. Apparently 1.0.5 is quite broken, 1.0.6 should appear early next week. http://www.mozillazine.org/talkback.html?article=6950 So I would say, stop the stable marking... and waiting for upstream rich0@gentoo.org 2005-07-17 11:03:34 0000 I've been running thunderbird (non-bin, 64-bit-compiled) on amd64 for about 24 hours now without issue. Oddly enough enigmail seems to be working fine - even though it seems like there are complaints that it shouldn't. Enigmail is installed as a user-profile extension (ie not system-wide). geekypenguin@gmail.com 2005-07-17 11:12:44 0000 mad64 please mark stable as soon as possible I will handle x86 if noone marks it by tonight. Enigmail is NOT suppose to work with thunderbird 1.0.5 but it does so I do not see this as an issue. kugelfang@gentoo.org 2005-07-17 11:35:31 0000 Stable on amd64. geekypenguin@gmail.com 2005-07-17 12:51:09 0000 both stable koon@gentoo.org 2005-07-18 00:58:31 0000 GLSA 200507-17