CVE-2009-0771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0771): The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption and assertion failures.
CVE-2009-0772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0772): The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers memory corruption. CVE-2009-0773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0773): The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a splice of an array that contains "some non-set elements," which causes jsarray.cpp to pass an incorrect argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a hang. CVE-2009-0774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0774): The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to gczeal, a different vulnerability than CVE-2009-0773. CVE-2009-0775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0775): Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to execute arbitrary code via "cloned XUL DOM elements which were linked as a parent and child," which are not properly handled during garbage collection. CVE-2009-0776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0776): nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to bypass the same-origin policy and read XML data from another domain via a cross-domain redirect. CVE-2009-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0777): Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decodes invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks.
mozilla: there are still some bugs open (for older versions only, as far as I've seen), is it ok to stable yet?
(In reply to comment #2) > mozilla: there are still some bugs open (for older versions only, as far as > I've seen), is it ok to stable yet? > Yes. I don't know when seamonkey-1.1.15 is going to be out and thunderbird is scheduled for march 17-18. So feel free to go ahead
Stabling of Firefox is done in #261585. Let's see when the thunderbird and seamonkey updates are available.
=www-client/seamonkey-1.1.15 Arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 =www-client/seamonkey-bin-1.1.15 Arches: amd64 x86 =mail-client/mozilla-thunderbird-2.0.0.21 Arches: alpha amd64 ia64 ppc ppc64 sparc x86 =x11-plugins/enigmail-0.95.7-r4 Arches: alpha amd64 ia64 ppc ppc64 sparc x86 =mail-client/mozilla-thunderbird-bin-2.0.0.21 Arches: amd64 x86
Arches, please test and mark stable.
ppc and ppc64 done
amd64 stable
x86 stable
alpha/arm/ia64/sparc stable
Stable for HPPA.
Alright, already handled in glsamaker.
Nothing for mozilla team to do here, none of the affected versions are in-tree anymore.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).