Secunia: Some vulnerabilities have been reported in Mozilla Thunderbird, which potentially can be exploited by malicious people to compromise a user's system.
1) Various errors in the browser engine can be exploited to cause a memory corruption.
2) Various errors in the Javascript engine can be exploited to cause a memory corruption.
Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
Fixed in Thunderbird 2.0.0.8
Mozilla, please advise.
Should we bump the package ourselves? The patches are available without a lot of hassle.
In general we should bump packages if maintainers don't respond in a timely manner. Though we should try to poke them on IRC at least beforehand.
(In reply to comment #3)
> In general we should bump packages if maintainers don't respond in a timely
> manner. Though we should try to poke them on IRC at least beforehand.
Seems I wasn't clear enough. I meant we (Gentoo's mozilla herd) should bump it since Mozilla upstream did not release yet.
Oh, I'm confusing roles here. I won't stand in the way of the herd bumping its package :)
Where are the patches?
(In reply to comment #6)
> Where are the patches?
Debian ships some for 1.5 which are pretty much undocumented because of the embargo. Ubuntu released a "pre" snapshot. In light of the other regressions you mentioned we should probably wait for upstream.
In CVS
To be done:
mail-client/mozilla-thunderbird-2.0.0.9
x11-plugins/enigmail-0.95.3-r1
mail-client/mozilla-thunderbird-bin-2.0.0.9
Arches, please test and mark stable
mail-client/mozilla-thunderbird-2.0.0.9. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86"
x11-plugins/enigmail-0.95.5-r1. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86"
mail-client/mozilla-thunderbird-bin-2.0.0.9: Target keywords : "amd64 x86"
compiled and seems to work fine (still testing):
genlop -t mozilla-thunderbird
 * mail-client/mozilla-thunderbird
     Thu Nov 15 21:17:42 2007 >>> mail-client/mozilla-thunderbird-2.0.0.9
       merge time: 18 minutes and 44 seconds.
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.2.2, glibc-2.7-r0, 2.6.23-kamikaze5-amd64 x86_64)
=================================================================
System uname: 2.6.23-kamikaze5-amd64 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Thu, 15 Nov 2007 19:30:01 +0000
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.2-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0_rc6
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3, 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
x86 stable
amd64 stable
alpha/ia64/sparc stable
I said enigmail-0.95.3-r1, but .5 is fine as well :)
ppc64 stable
ppc stable
GLSA 200711-24