Numerous Security vulnerabilities have been fixed in just released Firefox 3.0.5, Firefox 2.0.0.19 and Seamonkey 1.1.14. Thunderbird has not been modified at this time: MFSA 2008-69 XSS vulnerabilities in SessionStore MFSA 2008-68 XSS and JavaScript privilege escalation MFSA 2008-67 Escaped null characters ignored by CSS parser MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-65 Cross-domain data theft via script redirect error message MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-63 User tracking via XUL persist attribute MFSA 2008-62 Additional XSS attack vectors in feed preview MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) Ref: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.5 http://www.mozilla.org/security/known-vulnerabilities/firefox20.html#firefox2.0.0.19 As an aside, this was also in the announcement: Mozilla is not planning any further security & stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible. It’s free, and your settings and bookmarks will be preserved. Reproducible: Always
Multiple MFSAs reference an issue being fixed in Thunderbird 2.0.0.19, so I would also expect to see a new version forthcoming.
CVE-2008-5500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5500): The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to (1) a reahable assertion or (2) an integer overflow. CVE-2008-5501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5501): The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service via vectors that trigger an assertion failure. CVE-2008-5502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5502): The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to cause a denial of service (crash) via vectors that trigger memory corruption, related to the GetXMLEntity and FastAppendChar functions. CVE-2008-5503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5503): The loadBindingDocument function in Mozilla Firefox 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not perform any security checks related to the same-domain policy, which allows remote attackers to read or access data from other domains via crafted XBL bindings. CVE-2008-5504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5504): Mozilla Firefox 2.x before 2.0.0.19 allows remote attackers to run arbitrary JavaScript with chrome privileges via vectors related to the feed preview, a different vulnerability than CVE-2008-3836. CVE-2008-5505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5505): Mozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass intended privacy restrictions by using the persist attribute in an XUL element to create and access data entities that are similar to cookies. CVE-2008-5506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5506): Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy by causing the browser to issue an XMLHttpRequest to an attacker-controlled resource that uses a 302 redirect to a resource in a different domain, then reading content from the response, aka "response disclosure." CVE-2008-5507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5507): Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and access portions of data from another domain via a JavaScript URL that redirects to the target resource, which generates an error if the target data does not have JavaScript syntax, which can be accessed using the window.onerror DOM API. CVE-2008-5508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5508): Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not properly parse URLs with leading whitespace or control characters, which might allow remote attackers to misrepresent URLs and simplify phishing attacks. CVE-2008-5510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5510): The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 ignores the '\0' escaped null character, which might allow remote attackers to bypass protection mechanisms such as sanitization routines. CVE-2008-5511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5511): Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote attackers to bypass the same origin policy and conduct cross-site scripting (XSS) attacks via an XBL binding to an "unloaded document." CVE-2008-5512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5512): Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary JavaScript with chrome privileges via unknown vectors in which "page content can pollute XPCNativeWrappers." CVE-2008-5513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5513): Unspecified vulnerability in the session-restore feature in Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote attackers to bypass the same origin policy, inject content into documents associated with other domains, and conduct cross-site scripting (XSS) attacks via unknown vectors related to restoration of SessionStore data.
www-client/mozilla-firefox-2.0.0.19: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86 www-client/mozilla-firefox-bin-2.0.0.19: Arches: amd64 x86 www-client/seamonkey-1.1.14: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86 www-client/seamonkey-bin-1.1.14: Arches: amd64 x86 net-libs/xulrunner-1.8.1.19: Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86 net-libs/xulrunner-bin-1.8.1.19: Arches: amd64 x86 All in the tree, thunderbird will be out on 5th january
hey raul, I have committed keywords for those ebuilds on ppc64. how do you want to handle tbird, i'm thinking I drop the ppc64 and you add us back in when you commit the tbird ebuild. fair enough?
Stable for HPPA.
amd64/x86 stable
firefox-2.0.0.20 has released a few days after 2.0.0.19
(In reply to comment #7) > firefox-2.0.0.20 has released a few days after 2.0.0.19 > From firefox 2.0.0.20 release notes: "Firefox 2.0.0.20 includes an additional security fix over Firefox 2.0.0.19 for users of the Windows platform.(...)"
ppc done
alpha/arm/ia64/sparc stable
Hi, please do: =mail-client/mozilla-thunderbird-2.0.0.19 Arches: alpha amd64 ia64 ppc ppc64 sparc x86 =x11-plugins/enigmail-0.95.7-r3 Arches: alpha amd64 ia64 ppc ppc64 sparc x86 =mail-client/mozilla-thunderbird-bin-2.0.0.19 Arches: amd64 x86 Thanks
alpha/ia64/sparc/x86 stable :P
amd64 stable
ppc stable
ppc64 done
GLSA together with .18 and .17 fixes.
(In reply to comment #13) > amd64 stable Todays upgrade demanded xulrunner-1.9.1.4. That's what I get afterwards: $ firefox Could not find compatible GRE between version 1.9.1.3 and 1.9.1.3. <-- ".3" ? [I--] [ ~] net-libs/xulrunner-1.9.1.4 (1.9) [I--] [ ~] www-client/mozilla-firefox-3.5.4 (0)
(In reply to comment #17) > (In reply to comment #13) > > > amd64 stable > > Todays upgrade demanded xulrunner-1.9.1.4. > That's what I get afterwards: > This is the wrong bug for this. See bug 280393 > $ firefox > Could not find compatible GRE between version 1.9.1.3 and 1.9.1.3. <-- ".3" ? > You need to rebuild firefox with the new version of xulrunner
(In reply to comment #18) > This is the wrong bug for this. See bug 280393 Sorry - too many tab's open while searching - picked the wrong one ;( > You need to rebuild firefox with the new version of xulrunner Thanks! Do you see a possibility to demand this being done as a Post-condition after upgrading GRE = xulrunner ?
CVE-2009-2535 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535): Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and Thunderbird allow remote attackers to cause a denial of service (memory consumption and application crash) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).