From Heise online: "The Mozilla developers have announced the release of version 2.0.0.23 of their popular Thunderbird email client, addressing a vulnerability in the processing of SSL certificates. Previously, inserting a null character in a certificate could trick some applications into treating, for example, the certificate displayed on www.paypal.com\0.thoughtcrime.org as if it belonged to www.paypal.com." Would be nice to get this in the tree. Reproducible: Always
Oops.. Cut-and-paste error in the summary corrected.
MFSA 2009-42 (CVE-2009-2408): http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

MFSA 2009-43 (CVE-2009-2404): Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.
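To make the MFSA 2009-42 failure mode concrete from the checking side, here is an added example (not code from this bug, Mozilla or NSS) that contrasts a NUL-truncating comparison with a hostname check that reads the full ASN.1 length and rejects embedded NULs. The DER helpers are a minimal, assumed short-form decoder, and the sample CN values are constructed to mirror the name quoted above.

```python
from typing import Tuple

# ASN.1 universal tags for the string types a subject CN is usually encoded with.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}


def build_der_string(value: bytes, tag: int = 0x0C) -> bytes:
    """Encode a short (< 128 byte) string as a DER TLV; used only to build samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def decode_der_string(der: bytes) -> bytes:
    """Return the full, length-prefixed value of one short-form DER string TLV."""
    tag, length = der[0], der[1]
    if tag not in STRING_TAGS:
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("only short-form, exactly-sized TLVs are handled here")
    return der[2:]


def cstring_view(value: bytes) -> str:
    """What a C-string consumer sees: the bytes up to the first NUL, NUL excluded."""
    return value.split(b"\x00", 1)[0].decode("ascii", "replace")


def hostname_matches(value: bytes, host: str) -> bool:
    """Safe check: the whole ASN.1 value must be NUL-free and match the host
    under single-label wildcard rules (the syntax Firefox 3.5 moved to)."""
    if b"\x00" in value:
        return False  # the DER length says the name is longer than a C string shows
    cn, host = value.decode("ascii", "replace").lower(), host.lower()
    if cn.startswith("*."):
        # a wildcard covers exactly one leftmost label, nothing more
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


# Constructed sample CNs; the second mirrors the advisory's example name.
HONEST_CN = build_der_string(b"www.paypal.com")
NUL_PREFIX_CN = build_der_string(b"www.paypal.com\x00.thoughtcrime.org")


def compare_views(der: bytes, host: str) -> Tuple[bool, bool]:
    """(what a NUL-truncating comparison concludes, what the safe check concludes)."""
    value = decode_der_string(der)
    return cstring_view(value) == host.lower(), hostname_matches(value, host)


if __name__ == "__main__":
    for label, der in (("honest", HONEST_CN), ("nul-prefix", NUL_PREFIX_CN)):
        print(label, compare_views(der, "www.paypal.com"))
```

Running it shows the NUL-prefixed name passing the truncating comparison and failing the length-aware one.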
Mozilla: Can we go stable with .23?
yes
Arches, please test and mark stable: =mail-client/mozilla-thunderbird-2.0.0.23 Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
x86 stable
alpha/ia64/sparc stable
amd64 stable
ppc64 done
Now stable on ppc. Security team, I let you close the bug.
mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86
(In reply to comment #11)
> mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86

Buy new glasses. :)

$ grep KEYWORDS *.ebuild
mozilla-thunderbird-1.5.0.14.ebuild:KEYWORDS="~mips"
mozilla-thunderbird-2.0.0.22.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
mozilla-thunderbird-2.0.0.23.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
(In reply to comment #12)
> (In reply to comment #11)
> > mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86
>
> Buy new glasses. :)
>
> $ grep KEYWORDS *.ebuild
> mozilla-thunderbird-1.5.0.14.ebuild:KEYWORDS="~mips"
> mozilla-thunderbird-2.0.0.22.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
> mozilla-thunderbird-2.0.0.23.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"

Nah, you should:

mozilla-thunderbird-bin-2.0.0.22.ebuild:KEYWORDS="-* amd64 x86"
mozilla-thunderbird-bin-2.0.0.23.ebuild:KEYWORDS="-* ~amd64 ~x86"
mozilla-thunderbird-bin-3.0_beta4.ebuild:KEYWORDS="-* ~amd64 ~x86"

Mega-OWNED!
x86 stable, my revenge will be on you...one day.
amd64 stable, all arches done.
Re-rating A3. No voting here, as the vulnerability is actually in <dev-libs/nss-3.12.3 (#280226) which is used by Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger. IMHO voting should take place in 280226; if we decide on yes there, all the packages will have a GLSA together.
uranus ~ # ls /usr/portage/mail-client/mozilla-thunderbird
ChangeLog  Manifest  mozilla-thunderbird-2.0.0.23.ebuild  mozilla-thunderbird-3.0.3-r1.ebuild
files  metadata.xml  mozilla-thunderbird-3.0.3.ebuild
uranus ~ #

No ebuild matches <mail-client/mozilla-thunderbird-2.0.0.23 any more. This bug does not make sense any more. Please close.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
security team, please close this bug.
We will, when its GLSA handling is finished. For further information, please consult http://www.gentoo.org/security/en/vulnerability-policy.xml
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).