Bug 98855 - mail-client/mozilla-thunderbird{-bin}: 1.0.5 fixes multiple vulnerabilities
Bug#: 98855 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
URL:  http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
Summary: mail-client/mozilla-thunderbird{-bin}: 1.0.5 fixes multiple vulnerabilities
Keywords:  
Status Whiteboard: A2 [glsa] koon
Opened: 2005-07-13 01:04 0000
Description:   Opened: 2005-07-13 01:04 0000 
Thunderbird 1.0.5 will fix the following vulnerability :
MFSA 2005-46  XBL scripts ran even when Javascript disabled

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-07-14 01:41:15 0000 ------- 
1.0.5 released, mozilla please bump.  
 
Note there is still no entry the security page: 
http://www.mozilla.org/projects/security/known-vulnerabilities.html

------- Comment #2 From Thierry Carrez (RETIRED) 2005-07-14 03:52:51 0000 ------- 
Fixed in TB 1.0.5 :

MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-41 Privilege escalation via DOM property overrides
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-33 Javascript "lambda" replace exposes memory contents

------- Comment #3 From Jory A. Pratt 2005-07-14 09:21:03 0000 ------- 
mail-client/thunderbird{-bin}: 1.0.5 are in the tree.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-07-14 10:17:33 0000 ------- 
Thx Anarchy, arches please test and mark stable :

mozilla-thunderbird target KEYWORDS="alpha amd64 ia64 ppc sparc x86"
mozilla-thunderbird-bin target KEYWORDS="~amd64 x86"

------- Comment #5 From Jory A. Pratt 2005-07-14 10:40:51 0000 ------- 
Hold the stable please it is still masked until Aron looks at it and makes a
call on enigmail support. Sorry I should have announced it when I put it up that
they were in the tree.

------- Comment #6 From Thierry Carrez (RETIRED) 2005-07-14 10:44:34 0000 ------- 
Waiting for a more definitive ebuild for TB.
x86 can still test TB-bin though.

------- Comment #7 From Simon Stelling (RETIRED) 2005-07-14 10:51:00 0000 ------- 
i guess amd64 too, right? :)

------- Comment #8 From Jory A. Pratt 2005-07-14 11:22:25 0000 ------- 
Aight we have made our finall changes to thunderbird-1.0.5 we can go ahead with
marking stable.

------- Comment #9 From Thierry Carrez (RETIRED) 2005-07-14 11:30:29 0000 ------- 
Calling back arches...
Anarchy will test for ppc.

blubb: TB-bin is ~amd64 so you don't really need to mark it stable... But you
need to mark TB-not-bin amd64 :)

------- Comment #10 From Carsten Lohrke 2005-07-14 11:58:25 0000 ------- 
*** Bug 99031 has been marked as a duplicate of this bug. ***

------- Comment #11 From Jory A. Pratt 2005-07-14 12:26:31 0000 ------- 
PPC is stable you will need to stabilize mozilla-launcher 0.34 before you can
stablize thunderbird this is fine. Aron and Myself has already discussed this
and do not see any problems.

------- Comment #12 From Gustavo Felisberto 2005-07-14 12:43:55 0000 ------- 
I was actually thinking of marking the -bin stable on amd64 as it works very
well. I've already tested the 1.0.5 ond amd64 but i needed that a non ~amd64
user would test and report.

------- Comment #13 From Gustavo Zacarias (RETIRED) 2005-07-14 12:46:54 0000 ------- 
I can do the amd64 -bin stable test in about 4 hours when i'm home.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2005-07-14 17:57:50 0000 ------- 
sparc stable.
amd64 thunderbird-bin works fine here too (not keywording though since i'm not
on amd64@/authorized/whatever).

------- Comment #15 From Gustavo Felisberto 2005-07-14 18:38:39 0000 ------- 
-bin stable on amd64

------- Comment #16 From Bryan Østergaard (RETIRED) 2005-07-16 16:49:29 0000 ------- 
Stable on alpha and ia64.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-07-17 10:36:46 0000 ------- 
x86, amd64: please test and mark thunderbird and thunderbird-bin stable
(thunderbird-bin is already done for amd64)

------- Comment #18 From Thierry Carrez (RETIRED) 2005-07-17 10:43:23 0000 ------- 
Hmm. Apparently 1.0.5 is quite broken, 1.0.6 should appear early next week.
http://www.mozillazine.org/talkback.html?article=6950

So I would say, stop the stable marking... and waiting for upstream

------- Comment #19 From Richard Freeman 2005-07-17 11:03:34 0000 ------- 
I've been running thunderbird (non-bin, 64-bit-compiled) on amd64 for about 24
hours now without issue.

Oddly enough enigmail seems to be working fine - even though it seems like there
are complaints that it shouldn't.  Enigmail is installed as a user-profile
extension (ie not system-wide).

------- Comment #20 From Jory A. Pratt 2005-07-17 11:12:44 0000 ------- 
mad64 please mark stable as soon as possible I will handle x86 if noone marks
it
by tonight. Enigmail is  NOT suppose to work with thunderbird 1.0.5 but it does
so I do not see this as an issue.

------- Comment #21 From Danny van Dyk (RETIRED) 2005-07-17 11:35:31 0000 ------- 
Stable on amd64.

------- Comment #22 From Jory A. Pratt 2005-07-17 12:51:09 0000 ------- 
both stable

------- Comment #23 From Thierry Carrez (RETIRED) 2005-07-18 00:58:31 0000 ------- 
GLSA 200507-17