one or several of them must affect the Moz suite : 1) http://www.mozilla.org/security/announce/2006/mfsa2006-31.html 2) http://www.mozilla.org/security/announce/2006/mfsa2006-32.html 3) http://www.mozilla.org/security/announce/2006/mfsa2006-33.html 4) http://www.mozilla.org/security/announce/2006/mfsa2006-34.html 5) http://www.mozilla.org/security/announce/2006/mfsa2006-35.html 6) http://www.mozilla.org/security/announce/2006/mfsa2006-37.html 7) http://www.mozilla.org/security/announce/2006/mfsa2006-38.html -) http://www.mozilla.org/security/announce/2006/mfsa2006-39.html -) http://www.mozilla.org/security/announce/2006/mfsa2006-40.html -) http://www.mozilla.org/security/announce/2006/mfsa2006-41.html 8) http://www.mozilla.org/security/announce/2006/mfsa2006-42.html 9) http://www.mozilla.org/security/announce/2006/mfsa2006-43.html waiting for an update...
bug is invalid we will have to backport the patches if we are to fix, as bad as it is we are gonna have to make a major change to seamonkey and remove mozilla from the tree completely. Wait and see what plays out over next few days before we jump the gun on this one tho.
So what does this mean for other packages depending on mozilla? Should we all move over to just support firefox? Or would it be possible to use seamonkey as a 1:1 drop-in? (we have both firefox and mozilla use-flags in OpenOffice.org for instance). Also what does this all mean for gecko-sdk? I really think there is a pressing need for a general guideline to all devs.
" The Mozilla Suite is no longer supported and is affected by several known vulnerabilities fixed in newer Mozilla-based products." i'm afraid we should package.mask it and send a mask glsa, requesting the Mozilla Suite users to switch to one or more other mozilla-based products. It is annoying since the Mozilla Suite is widely used. Moz team, your opinion ?
We will not mask mozilla!! I am working with upstream on seamonkey issues that are preventing 1.0.2 from being added to the tree soon as we work these issues out we will move all packages that depend on www-client/mozilla to www-client/seamonkey.
ok, we will see. Thanks anarchy
Anarchy please provide an ETA for this to be fixed. According to Security policy it should most likely be masked.
BTW, some of the advisories [1] deal with remote compromise (by enticing the user to visit a malicious website, sure, but this is still serious, and this software is widely-used so i think we might be cautious with this our users' safety). [1] http://www.mozilla.org/security/announce/2006/mfsa2006-37.html and http://www.mozilla.org/security/announce/2006/mfsa2006-38.html
If it is not possible to mark seamonkey stable within a reasonable time we should consider masking Mozilla. Security what is your opinion?
I Uhm, wouldn't that effectively break every new merge of, say Gnome? I guess that's not really something we can realistically do :| It should be done, but I wouldn't want to be in the way of the sh*t rolling downhill then ...
Well that just shows how often I use Gnome. What a pita:-/
Is www-client/mozilla a hard dep of gnome ? that's so silly :/ I can see there is a useflag "firefox" in gnome-extra/yelp, which installs www-client/mozilla-firefox instead of www-client/mozilla. Yet, i have already www-client/mozilla-firefox-bin installed, and "yelp" wants to install mozilla-firefox (without -bin), because of an Rdepend!!! Well, we're not trying to solve all the problems of gnome. It's not the topic. mozilla[-bin] has been known to be vulnerable for nearly 3 weeks now, it's time to act. If it's confirmed that most of gnome users use www-client/mozilla, so this software is more often installed than i thought. This means more vulnerable gentoo boxes... But firstly, gnome-extra/yeld dependencies must be moved from "mozilla" to "mozilla-firefox" or another same replacement of mozilla. That should help a lot. (and it's only the beginning); Good luck
AFAIK it's Nautilus that depends on mozilla.
I guess we really have to make a decision here :|
Seems it's not as bad as I thought. With "firefox" USE flag Gnome (2.12 as well as 2.14) seems to be happy depending on that. So IMHO we could actually mask the suite but would need to tell people to depend on firefox. In a second step we could change dep to seamonkey, giving arches time to stabilize. The only thing I don't know is how to prominently push the info (sadly there's an open GLEP for that).
> I guess we really have to make a decision here :| Obviously, the following dependencies : !firefox? ( >=www-client/mozilla-1.7.3 ) firefox? ( >=www-client/mozilla-firefox-1.0.2-r1 ) if use firefox; then myconf="${myconf} --with-mozilla=firefox" in yelp (or others) should all been replaced by dependecy on firefox or on seamonkey (?) There is still more to do, but it is the beginning. I cc gnome@ on bug 137198 which is used to follow the replacement of the moz suite
It seems Gnome pulls in gecko-sdk (at least when used with "firefox" USEflag). I'd guess the same vuln is in there, too?
(In reply to comment #8) > If it is not possible to mark seamonkey stable within a reasonable time we > should consider masking Mozilla. > > Security what is your opinion? This is a pretty major package. Backporting as needed would be a better option.
@solar, do you have any candidates for backporting or have someone else already done it?
Uhm.... so, what's going on here?
Any news on this one or is it fixed with the latest versions?
(In reply to comment #20) > Any news on this one or is it fixed with the latest versions? There won't be any fixes, the thing is dead, burried and unmaintained upstream. Bug 137665 needs to be fixed and this thing p.masked and punted.
oh mozilla != mozilla-firefox :-)
since this bug has been dead for a while (as well as bug #137665) i propose to mask mozilla(-bin), maybe give a last (short) deadline and a warning on -dev
(In reply to comment #23) > since this bug has been dead for a while (as well as bug #137665) > > i propose to mask mozilla(-bin), maybe give a last (short) deadline and a > warning on -dev > now that seamonkey is becoming OK (bug 147651) ( yeah! :D ), we can now consider bug 137665 only. That's a good advance.
*** Bug 135535 has been marked as a duplicate of this bug. ***
Any news on this one?
(In reply to comment #26) > Any news on this one? Can be finally masked now... ;o)
# Raúl Porcel <armin76@gentoo.org> (27 Jan 2007) # Masked for removal 26 Feb 2007, bug 135257, security issues # Replaced by www-client/seamonkey[-bin] www-client/mozilla www-client/mozilla-bin
(In reply to comment #28) > # Raúl Porcel <armin76@gentoo.org> (27 Jan 2007) > # Masked for removal 26 Feb 2007, bug 135257, security issues > # Replaced by www-client/seamonkey[-bin] > www-client/mozilla > www-client/mozilla-bin > Removal delayed due to apps depending on mozilla which newer versions aren't stable yet. So, mozilla unmasked again but shouldn't be too much until it's masked again :)
Personally I think you should of left it masked. Maintainers have known this was going to be masked many months ago and have had ample time to update pkgs. leaving it maked will also keep the fire under asses and force them to move faster then a turtle. Anyway hopefully it wont take to long (< 7 days).
(In reply to comment #30) > Personally I think you should of left it masked. Maintainers have known this > was going to be masked many months ago and have had ample time to update pkgs. > leaving it maked will also keep the fire under asses and force them to move > faster then a turtle. Anyway hopefully it wont take to long (< 7 days). +1... this is really getting extremely overdue and people should have cared better to get their stuff fixed and stabilized in time. I don't see any sense in unmasking this junk over and over again.
(In reply to comment #31) > (In reply to comment #30) > > Personally I think you should of left it masked. Maintainers have known this > > was going to be masked many months ago and have had ample time to update pkgs. > > leaving it maked will also keep the fire under asses and force them to move > > faster then a turtle. Anyway hopefully it wont take to long (< 7 days). > > +1... this is really getting extremely overdue and people should have cared > better to get their stuff fixed and stabilized in time. I don't see any sense > in unmasking this junk over and over again. > As soon as amd64 and ppc stabilize mono-tools i'll mask this again, i promise. I'll add the bug 164048 as a dep of this bug.
(In reply to comment #30) > Anyway hopefully it wont take to long (< 7 days). > Failed. (indeed, it's not p.masked)
# Raúl Porcel <armin76@gentoo.org> (20 Feb 2007) # Masked for removal 19 Mar 2007, bug 135257, security issues # Replaced by www-client/seamonkey[-bin] www-client/mozilla www-client/mozilla-bin Let's hope this is the good one. Also i've removed the mono-* bug from dependencies, as amd64 finally stabilized the not depending version of mozilla.
Thanks everybody, that was hard. We have to issue a GLSA warning our users to stop using the Mozilla Suite
GLSA 200703-05. Finally closing this looong bug! Yeah and thanks to everybody for all your work
Finally removed from the tree.
