Bug 243060 - www-client/opera <9.61 Multiple vulnerabilities (CVE-2008-{4696,4697,4698})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.opera.com/docs/changelogs/...
Whiteboard: B4 [glsa]
Keywords:
Duplicates: 243182
Depends on:
Blocks:
 
Reported: 2008-10-21 14:57 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-03 19:01 UTC



Attachments
opera 9.61 ebuild first stab (opera-9.61.ebuild,7.27 KB, text/plain)
2008-10-22 06:30 UTC, George Wu
updated opera 9.61 ebuild (opera-9.61.ebuild,7.38 KB, text/plain)
2008-10-22 17:57 UTC, George Wu

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-21 14:57:06 UTC
Opera 9.61 for Linux Changelog
Release Notes

Opera 9.61 is a recommended security upgrade. Please see the Security section.

Opera 9.61 incorporates the Opera Presto 2.1.1 user agent engine.
Changes since Opera 9.6
User Interface

    * Fixed an issue with Opera Link which could generate duplicate bookmarks during the synchronization process
    * The image toggle button on the status bar is now a normal button, and does not have a menu

Security

    * Fixed an issue where History Search could be used to reveal browsing history, as reported by Roberto Suggi Liverani of Security-Assessment.com; see our advisory
    * Fast Forward can no longer allow cross-site scripting, as reported by David Bloom; see our advisory
    * Prevented news feed preview from revealing the contents of unrelated news feeds, as reported by David Bloom; see our advisory
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-21 14:58:18 UTC
jer is currently .away, I wonder if someone else wants to bump.
Comment 2 George Wu 2008-10-22 06:30:35 UTC
Created attachment 169368
opera 9.61 ebuild first stab

had to remove x86-fbsd (hasn't hit mirrors yet?)
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 09:27:17 UTC
*** Bug 243182 has been marked as a duplicate of this bug. ***
Comment 4 George Wu 2008-10-22 17:57:05 UTC
Created attachment 169450
updated opera 9.61 ebuild

readded keywords, fbsd link
Comment 5 George Wu 2008-10-22 18:01:58 UTC
tested working on x86,
is there a reason why gentoo/freebsd users use the freebsd 5/opera build when there's a freebsd 7/opera build available?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 18:04:17 UTC
 CVE-2008-4696 History Search infoleak by insufficient escaping
 CVE-2008-4697 Fast Forward XSS
 CVE-2008-4698 improper script blocking for unrelated news feeds
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 19:02:07 UTC
(In reply to comment #4)
> Created an attachment (id=169450) [edit]
> updated opera 9.61 ebuild

Bumped, thank you. I will wait a day to add arches to see if anything problematic comes up.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 10:02:14 UTC
Arches, please test and mark stable:
=www-client/opera-9.61
Target keywords : "amd64 ppc x86"
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-24 17:54:34 UTC
amd64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-24 22:06:16 UTC
(In reply to comment #5)
> tested working on x86,
> is there a reason why gentoo/freebsd users use the freebsd 5/opera build when
> there's a freebsd 7/opera build available?

It's a good question, but please file a separate bug to figure that out.
Comment 11 Markus Meier gentoo-dev 2008-10-24 22:59:28 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-29 06:37:19 UTC
@ppc: ping
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-30 18:25:02 UTC
@ppc: Please focus on bug #244980 now, so that opera-9.61 can be removed from the tree as well as opera-9.60.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 19:18:49 UTC
(In reply to comment #13)
> @ppc: Please focus on bug #244980 now, so that opera-9.61 can be removed from
> the tree as well as opera-9.60.
> 

9.62 is stable for ppc, un'ccing
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-31 21:38:13 UTC
GLSA together with bug 244980.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-03 19:01:48 UTC
GLSA 200811-01, thanks everyone and sorry about the delay.