There are known security vulnerabilities in <3.0.5 version of thunderbird a new release has been made avaliable. We will not be at liberty to discuss the security concerns until a new release of firefox is made in a few days. I would still prefer we get the arch teams in to handle stabilizing both thunderbird and thunderbird-bin 3.0.5,
Target keywords for tunderbird are: alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux Target keywords for thunderbird-bin/firefox-bin are: amd64 x86 Target keywords for xulrunner/mozilla-firefox are: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 Target keywords for www-client/seamonkey are: alpha amd64 hppa ia64 ppc ppc64 sparc x86 List of vulnerabilities concerning xulrunner/firefox and derivates: http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.4 List of vulnerabilities concerning thunderbird: http://www.mozilla.org/security/known-vulnerabilities/thunderbird30.html#thunderbird3.0.5 List of vulnerabilities concerning seamonkey: http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html#seamonkey2.0.5
*** Bug 314009 has been marked as a duplicate of this bug. ***
x86 stable
amd64 stable for thunderbird and firefox non-bin.
amd64 stable
Target keywords for www-client/icecat are: amd64 ~ppc ~ppc64 x86 Readded amd64 and x86. Guys, sorry for the inconvenience, the GNU people simply lagged a bit behind :) @ ppc/pp64 guys: Feel free to stabilize icecat for your arch as well. It would be great if we had at least one version of icecat stable on your arch as well.
x86 done for icecat, too...
*** Bug 314025 has been marked as a duplicate of this bug. ***
alpha/arm/ia64/sparc stable
hppa stable
ppc and ppc64 done
Readding x86 and amd64 for seamonkey-bin-2.0.5 stabilization.
x86 done
amd64 done
GLSA added.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
CVE-2010-3400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3400): The js_InitRandom function in the JavaScript implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, uses the current time for seeding of a random number generator, which makes it easier for remote attackers to guess the seed value via a brute-force attack, a different vulnerability than CVE-2008-5913. CVE-2010-3171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3171): The Math.random function in the JavaScript implementation in Mozilla Firefox 3.5.10 through 3.5.11, 3.6.4 through 3.6.8, and 4.0 Beta1 uses a random number generator that is seeded only once per document object, which makes it easier for remote attackers to track a user, or trick a user into acting upon a spoofed pop-up message, by calculating the seed value, related to a "temporary footprint" and an "in-session phishing attack." NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-5913. CVE-2010-1203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1203): The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger an assertion failure in jstracer.cpp. CVE-2010-1202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1202): Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2010-1201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1201): Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.10, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2010-1200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1200): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2010-1199 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1199): Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node. CVE-2010-1198 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1198): Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to execute arbitrary code via vectors involving multiple plugin instances. CVE-2010-1197 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1197): Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document. CVE-2010-1196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1196): Integer overflow in the nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a DOM node with a long text value that triggers a heap-based buffer overflow. CVE-2010-1125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1125): The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method. CVE-2010-0183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0183): Use-after-free vulnerability in the nsCycleCollector::MarkRoots function in Mozilla Firefox 3.5.x before 3.5.10 and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a crafted HTML document, related to an improper frame construction process for menus. CVE-2010-0179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0179): Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).