Summary: | www-client/opera < 9.20 Cross-Site Scripting (CVE-2007-0995) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Pierre-Yves Rofes (RETIRED) <py> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | axxo, jer |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/24312/ | ||
Whiteboard: | B4 [noglsa] p-y | ||
Package list: | Runtime testing required: | --- |
Description
Pierre-Yves Rofes (RETIRED)
2007-02-26 18:18:55 UTC
Opera "9.20 beta 1"[1], or UNIX build 617 (previously released as a weekly[2]), claims to fix this security vulnerability. I have an ebuild ready, I just don't know whether it is proper to roll out betas of Opera[3]. Please advise: do I commit 617 or is it not unsafe enough so I get to play around with 628+ for a while yet? [1] http://www.opera.com/docs/changelogs/linux/920b/#security [2] http://my.opera.com/desktopteam/blog/ [3] Meanwhile, [2] mentions yet another weekly, UNIX build Jeroen, this issue is really not very serious so I suggest you decide when to commit, we're not going to rush on this one. (In reply to comment #4) > Jeroen, this issue is really not very serious so I suggest you decide when to > commit, we're not going to rush on this one. > I agree, no need to rush and push the beta version into the stable tree. The ~arch tree will be sufficient. still in 9.20-beta, no stable release yet. Opera 9.20 is out ftp://ftp.opera.com/pub/opera/linux/920/final/en/ Upstream says[1] it is fixed. Enjoy Opera 9.20! [1] http://www.opera.com/support/search/view/855/ Thx Jeroen. Please don't close security bugs. Arches please test and mark stable. Target keywords are: opera-9.20.ebuild:KEYWORDS="amd64 ppc sparc x86 ~x86-fbsd" Sparc stable. Seems to work fine for me. emerges fine and works on amd64 Portage 2.1.2.2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-beyond2 x86_64) ================================================================= System uname: 2.6.20-beyond2 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ Gentoo Base System release 1.12.9 Timestamp of tree: Wed, 11 Apr 2007 14:20:02 +0000 ccache version 2.4 [enabled] dev-java/java-config: 1.3.7, 2.0.31-r5 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r6 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -Os -pipe -msse3 -w" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=k8 -Os -pipe -msse3 -w" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--quiet" FEATURES="buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US.UTF-8" LC_ALL="en_US.UTF-8" MAKEOPTS="-j3 -l3 -s" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acpi alsa amd64 amr audiofile bitmap-fonts bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus dri dts dvd dvdr dvdread emboss encode exif fam firefox fortran gdbm gif gstreamer gtk gtk2 hal iconv jpeg libg++ logrotate mad midi mikmod minimal mp3 mpeg ncurses nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection sdl session smp spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts unicode v4l vim vorbis x264 xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="nvidia" Unset: CTARGET, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS amd64 done ppc stable x86 stable, last arch! Thanks arches. Security, please vote. I tend to vote no. I tend to vote NO as well. closing bug, feel free to reopen if you disagree. |