* Fixed an issue where Web page content could display misleading security information; see our advisory[1].
* Fixed an issue which could allow leaking of WAP form content to other sites; see our advisory[2].
* Fixed a high severity issue; details will be disclosed at a later date.
* Fixed further high severity issues; details will be disclosed at a later date.

[1] http://www.opera.com/support/search/view/977/
[2] http://www.opera.com/support/search/view/979/

Arch teams, please test and mark stable:
=www-client/opera-11.00_pre1156
Target KEYWORDS="amd64 x86"

Before anyone asks: PPC support was dropped some time ago[1].

[1] http://my.opera.com/desktopteam/blog/2010/08/30/tea

x86 done. Thanks!
What about the final release? Is it identical to this pre-release?
The final release does have "1156" in the version number.
(In reply to comment #4)
> The final release does have "1156" in the version number.

Correct.

(In reply to comment #3)
> What about the final release? Is it identical to this pre-release?

This is the final release. Maybe I should switch to a different versioning scheme, as leaving _pre in there also has its downsides.

amd64 ok
amd64 done. Thanks Agostino
(In reply to comment #6)
> (In reply to comment #3)
> > What about the final release? Is it identical to this pre-release?
>
> This is the final release. Maybe I should switch to a different versioning
> scheme, as leaving _pre in there also has its downsides.

I think leaving _pre${NUM} is confusing. It's a stable release and there's little need in messing up upstream versioning. We could keep the SRC_URI the same, of course, but ~arch/Opera users hardly will mind re-unpacking tarballs.

Thanks, folks.

GLSA Vote: Yes, because of:
* Fixed a high severity issue; details will be disclosed at a later date.
* Fixed further high severity issues; details will be disclosed at a later date.

I don't know if this is the right place to complain:

It is really bad that 10.63 isn't in portage anymore. There is a huge bug in Opera 11 for Linux, which lets Opera crash like every 2 minutes. I already reported that bug to Opera. But for now Opera 11 is unusable for users who hit that bug :/

(In reply to comment #11)
> I don't know if this is the right place to complain:
>
> It is really bad that 10.63 isn't in portage anymore. There is a huge bug in
> Opera 11 for Linux, which lets Opera crash like every 2 minutes. I already
> reported that bug to Opera. But for now Opera 11 is unusable for users who hit
> that bug :/

We would leave the majority of users that do not hit that error with a possible source of error regarding a security vulnerability. You can restore 10.63 in a local overlay if you want.

That's a good point :)

Does anybody know where to get the 10.63 ebuild? I can't find it on the web :/

(In reply to comment #13)
> Does anybody know where to get the 10.63 ebuild? I can't find it on the web :/

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/opera/

Then click on "Show dead files"

Added to pending glsa.
CVE-2010-4586 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4586):
  The default configuration of Opera before 11.00 enables WebSockets functionality, which has unspecified impact and remote attack vectors, possibly a related issue to CVE-2010-4508.

CVE-2010-4585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4585):
  Unspecified vulnerability in the auto-update functionality in Opera before 11.00 allows remote attackers to cause a denial of service (application crash) by triggering an Opera Unite update.

CVE-2010-4584 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4584):
  Opera before 11.00, when Opera Turbo is used, does not properly present information about problematic X.509 certificates on https web sites, which might make it easier for remote attackers to spoof trusted content via a crafted web site.

CVE-2010-4583 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4583):
  Opera before 11.00, when Opera Turbo is enabled, does not display a page's security indication, which makes it easier for remote attackers to spoof trusted content via a crafted web site.

CVE-2010-4582 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4582):
  Opera before 11.00 does not properly handle security policies during updates to extensions, which might allow remote attackers to bypass intended access restrictions via unspecified vectors.

CVE-2010-4581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4581):
  Unspecified vulnerability in Opera before 11.00 has unknown impact and attack vectors, related to "a high severity issue."

CVE-2010-4580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4580):
  Opera before 11.00 does not clear WAP WML form fields after manual navigation to a new web site, which allows remote attackers to obtain sensitive information via an input field that has the same name as an input field on a previously visited web site.

CVE-2010-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4579):
  Opera before 11.00 does not properly constrain dialogs to appear on top of rendered documents, which makes it easier for remote attackers to trick users into interacting with a crafted web site that spoofs the (1) security information dialog or (2) download dialog.

This issue was resolved and addressed in GLSA 201206-03 at http://security.gentoo.org/glsa/glsa-201206-03.xml by GLSA coordinator Sean Amoss (ackle).