MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-47 Information stealing via local shortcut files (appears to be Windows-only)
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
Problems Fixed in: Firefox 3.0.4, Firefox 2.0.0.18, Thunderbird 2.0.0.18, SeaMonkey 1.1.13
Reproducible: Always
www-client/mozilla-firefox-2.0.0.18: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/mozilla-firefox-bin-2.0.0.18: Arches: amd64 x86
www-client/seamonkey-1.1.13: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/seamonkey-bin-1.1.13: Arches: amd64 x86
net-libs/xulrunner-1.8.1.18: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
net-libs/xulrunner-bin-1.8.1.18: Arches: amd64 x86
All in the tree; Thunderbird will go out on 19th November.
*** Bug 246751 has been marked as a duplicate of this bug. ***
ppc64 stable
amd64/x86 stable
alpha/arm/ia64/sparc stable
ppc stable
CVE-2008-5052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5052): The AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.
Stable for HPPA.
Please stabilize:
mail-client/mozilla-thunderbird-2.0.0.18 Arches: alpha amd64 ia64 ppc ppc64 sparc x86
mail-client/mozilla-thunderbird-bin-2.0.0.18 Arches: amd64 x86
Thanks
alpha/ia64/sparc stable
ppc64 done
GLSA request filed, any reason why nobody did this before me?
CVE-2008-6961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6961): mailnews in Mozilla Thunderbird before 2.0.0.18 and SeaMonkey before 1.1.13, when JavaScript is enabled in mail, allows remote attackers to obtain sensitive information about the recipient, or comments in forwarded mail, via script that reads the (1) .documentURI or (2) .textContent DOM properties.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).