Bug 143301 - net-news/liferea < 1.2.23 has default Javascript enabled
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2006-08-09 01:46 UTC by R Stephan
Modified: 2007-09-24 16:48 UTC
Description R Stephan 2006-08-09 01:46:22 UTC
Subject says it all. Malicious web sites have an open door, as the option to turn it off is buried in the preferences. Liferea can use the gnome browser mechanism, or several other browsers. I have not checked if the option is promoted to them, but then, if not, why have the option, at all?
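The risk behind this report is that feed items are HTML fragments rendered by an embedded browser widget, so any script a hostile feed carries runs with the reader's default settings. An added example, not code from Liferea or Gentoo: a standard-library allow-list sanitizer that strips script elements, event-handler attributes and `javascript:` URLs from item descriptions before they reach the renderer, independent of whether JavaScript is toggled on. The RSS document, the tag and attribute allow-lists and the `probe()` payload names are constructed for the demonstration.

```python
"""Defang feed item HTML before handing it to an embedded browser widget.

Added example for this bug report; not Liferea's or Gentoo's code. The RSS
document below is constructed, and the allow-lists are an assumption of
what a feed reader needs to render typical post bodies.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Allow-list: elements that survive sanitisation. Unknown elements are
# unwrapped (tag dropped, text kept); elements in DROP_CONTENT lose their
# whole subtree, which is what stops <script> and <iframe> payloads.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br",
                "img", "blockquote", "code", "pre"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
# Attributes kept per element; on* event handlers are never listed, so they
# are always removed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def _safe_url(value):
    """Accept relative URLs and the SAFE_SCHEMES; reject everything else,
    including javascript: and data: URLs padded with control characters."""
    if value is None:
        return False
    v = "".join(ch for ch in value.strip().lower() if ch > " ")
    head = v.split("/")[0].split("?")[0].split("#")[0]
    if ":" not in head:
        return True  # no scheme at all: relative URL
    return v.startswith(SAFE_SCHEMES)


class FeedHTMLSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitised output pieces
        self.skip = []      # stack of DROP_CONTENT elements we are inside
        self.dropped = []   # audit trail of what was removed (log this)

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag in DROP_CONTENT:
                self.skip.append(tag)
            return
        if tag in DROP_CONTENT:
            self.dropped.append(f"element:{tag}")
            self.skip.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"element:{tag}")
            return  # unwrap: children are still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attribute:{tag}@{name}")
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"url:{value}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip[-1]:
                self.skip.pop()
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, list_of_dropped_items) for one HTML fragment."""
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize_feed(rss_xml):
    """Parse an RSS 2.0 document and sanitise every item description."""
    root = ET.fromstring(rss_xml)
    items = []
    for item in root.iter("item"):
        clean, dropped = sanitize_html(item.findtext("description") or "")
        items.append({"title": item.findtext("title") or "",
                      "html": clean, "dropped": dropped})
    return items


# Constructed sample feed: one benign item, one carrying script in three
# of the usual places (event handler, javascript: URL, <script> element).
SAMPLE_RSS = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>Benign post</title>
<description><![CDATA[<p>Hello <b>world</b>, see <a href="https://example.org/a">this</a>.</p>]]></description></item>
<item><title>Hostile post</title>
<description><![CDATA[<p onmouseover="probe()">Click <a href="javascript:probe()">here</a></p><script>probe()</script><img src="https://example.org/x.png" onerror="probe()" alt="x">]]></description></item>
</channel></rss>"""

if __name__ == "__main__":
    for entry in sanitize_feed(SAMPLE_RSS):
        print(entry["title"], "->", entry["html"], "| dropped:", entry["dropped"])
```

The `dropped` list is the part worth wiring into monitoring: a feed that suddenly starts shedding `element:script` or `url:javascript:` entries is a signal in its own right, whatever the reader's JavaScript setting is.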
Comment 1 R Stephan 2006-08-26 07:25:12 UTC
a related security problem was reported in http://sourceforge.net/tracker/index.php?func=detail&aid=1543623&group_id=87005&atid=581684

and is now fixed in upstream cvs, so I'll close this when this is in the tarballs and unmasked.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-14 16:03:05 UTC
Reassigning to security.

Note to reporter: non security devs are not able to access the bug when you restrict it to the security group.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-26 09:31:44 UTC
Micheal please advise.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 12:42:35 UTC
Micheal please advise.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 11:54:31 UTC
Pulling in new maintainer to advise.
Comment 6 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-26 17:06:15 UTC
According to that upstream bug, the fix went into 1.1.2; 1.2.x has been in the tree for a long time, but it can't go stable until xulrunner is stable (ppc64 and sparc holding out there).  I was planning on submitting 1.2.7 for stable relatively soon, pending that xulrunner issue.

I don't know a whole lot about javascript vulnerabilities.  Are they important?  I had thought (possibly erroneously) that javascript was fairly safe to have enabled.  Is a feed reader a serious potential attack vector?  Yes, it polls, but the user has to specifically subscribe to feeds.

I guess security's opinion here should matter.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-30 20:34:48 UTC
I don't think that is serious until there is another vulnerability. BTW, is javascript in liferea really useful??
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 14:32:34 UTC
Daniel, do you have any updates about the xulrunner issue which was blocking stabilization of 1.2.x? btw I agree with falco, Javascript issues are not very serious in general, though that issue should be fixed anyway.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-08-24 18:59:24 UTC
xulrunner is now okay; the current blocker is networkmanager.  No version of it is stable.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 22:33:01 UTC
(In reply to comment #9)
> xulrunner is now okay; the current blocker is networkmanager.  No version of it
> is stable.

 networkmanager is stable on all needed arches, so I propose to call arches here on 1.2.23 prematurely.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-10 06:20:23 UTC
Daniel is 1.2.3 ready for stable marking?
Comment 12 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-09-10 13:37:25 UTC
1.2.23 is fine.  I apparently accidentally committed amd64 stable by accident, so you can leave amd64 out.

FTR, repoman and pcheck still complain about x86-fbsd and repoman.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-10 16:19:52 UTC
Thx Daniel. Arches please test and mark stable. Target keywords are:

liferea-1.2.23.ebuild:KEYWORDS="amd64 ppc ppc64 sparc x86"

Note: amd64 is already stable but cc'ing arch team so they can actually test :-)
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-10 17:08:04 UTC
x86 stable
Comment 15 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-09-10 17:13:57 UTC
(FTR, I'm a member of the amd64 team and have, in fact, tested on amd64...  I believe this should be sufficient.)
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-10 17:43:33 UTC
Then let's remove amd64. Though it was not obvious from your first comment that you had actually tested:-)
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-10 18:03:06 UTC
ppc stable
Comment 18 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-09-12 09:09:09 UTC
seems to work fine in sparc. Stable!
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 11:32:57 UTC
ppc64 stable

(uhmm.. late again. sorry.)
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-09-13 11:57:51 UTC
Voting time!
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-13 13:23:42 UTC
I vote NO.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-24 16:48:02 UTC
Voting NO and closing.