From $URL:
MFSA 2010-84, CVE-2010-3770: XSS hazard in multiple character encodings
MFSA 2010-83, CVE-2010-3774: Location bar SSL spoofing using network error page
MFSA 2010-82, CVE-2010-3773: Incomplete fix for CVE-2010-0179
MFSA 2010-81, CVE-2010-3767: Integer overflow vulnerability in NewIdArray
MFSA 2010-80, CVE-2010-3766: Use-after-free error with nsDOMAttribute MutationObserver
MFSA 2010-79, CVE-2010-3775: Java security bypass from LiveConnect loaded via data: URL meta refresh
MFSA 2010-78, CVE-2010-3768: Add support for OTS font sanitizer
MFSA 2010-77, CVE-2010-3772: Crash and remote code execution using HTML tags inside a XUL tree
MFSA 2010-76, CVE-2010-3771: Chrome privilege escalation with window.open and <isindex> element
MFSA 2010-75, CVE-2010-3769: Buffer overflow while line breaking after document.write with long string
MFSA 2010-74, CVE-2010-3776, CVE-2010-3777, CVE-2010-3778: Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)
Feel free to bring in the archs. xulrunner-1.9.2.13, firefox{-bin}-3.6.13, thunderbird{-bin}-3.0.7 and seamonkey{-bin}-2.0.11 are all in tree; icecat-3.6.13 will be added once available.
Thanks, anarchy and polynomial-c. Arches, please test and mark stable:
=net-libs/xulrunner-1.9.2.13 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/firefox-3.6.13 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/firefox-bin-3.6.13 Target keywords : "amd64 x86"
=mail-client/thunderbird-3.1.7 Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
=mail-client/thunderbird-bin-3.1.7 Target keywords : "amd64 x86"
=www-client/seamonkey-2.0.11 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/seamonkey-bin-2.0.11 Target keywords : "amd64 x86"
amd64: ok
Stable for PPC.
On my x86 I've tested:
=net-libs/xulrunner-1.9.2.13
=www-client/firefox-3.6.13
=mail-client/thunderbird-3.1.7
All OK, but for thunderbird I've found:
QA Notice: Pre-stripped files found:
 * /usr/lib/thunderbird/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libcalbasecomps.so
If it isn't a problem, ignore this.
amd64 done. Thanks Agostino
Tested on SPARC, appears to load OK and run just fine, browsing a few sites seems to be fine. Although I noticed an odd thing in that when run for the first time it seems to have 'gentoo' in the URL for the 'what's new' page on Mozilla, wonder what's causing that as it fails to find the page due to the extra 'gentoo'!
x86 stable, thanks Agostino
arm stable
Stable for HPPA.
ppc64 done
+*icecat-3.6.13 (14 Dec 2010) + + 14 Dec 2010; Lars Wendler <polynomial-c@gentoo.org> + -files/xulrunner-1.9.2-noalsa-fixup.patch, + -files/137-bz460917_reload_new_plugins-gentoo-update-3.6.4.patch, + -icecat-3.6.9.ebuild, -icecat-3.6.9-r1.ebuild, + -files/801-enable-x86_64-tracemonkey.patch, -icecat-3.6.11.ebuild, + +icecat-3.6.13.ebuild, -files/fix_blocklist_support.patch: + Security bump(bug #348316). Removed old. No language packs availabe for + 3.6.13 yet so we gonna use those from 3.6.12 meanwhile. Target keywords for =www-client/icecat-3.6.13: amd64 ppc ppc64 x86 Readded all four arches. As usual, sorry for the inconveniences.
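Review bot: the last sentence of the ChangeLog entry says icecat-3.6.13 ships with the 3.6.12 language packs "meanwhile", but nothing in the entry records how or when that gets revisited; a TODO in icecat-3.6.13.ebuild or a follow-up bug reference would keep the pack bump from being forgotten once upstream publishes them. In the same line "availabe" should read "available".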
x86 stable
amd64 done
ppc and ppc64 done
Nothing for mozilla team to handle, tree has all appropriate updates.
Sorry for the noise, just forgot to remove mozilla team from the bug reports.
alpha/ia64 stable for everything, sparc all done except xulrunner and firefox since it sigbuses again...
The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was: <www-client/firefox{,-bin}-3.6.13, <mail-client/thunderbird{,-bin}-3.1.7, <www-client/seamonkey{,-bin}-2.0.11, <www-client/icecat-3.6.13, <net-libs/xulrunner-1.9.2.13: Multiple Vulnerabilities (CVE-2010-{3766,3767,3768,3769,3770,3771,3772,3773,3775,3774,3776,3777,3778})
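As an added example (not part of the bug report or of any Gentoo tool), the affected ranges in that summary can be turned into a check over a package inventory. The helper names and the sample inventory are assumptions, and version comparison is simplified to dotted numeric versions with an optional -rN revision rather than the full Gentoo ordering rules.

```python
import re

# Affected ranges, copied from the original bug summary quoted above.
SUMMARY = ("<www-client/firefox{,-bin}-3.6.13, <mail-client/thunderbird{,-bin}-3.1.7, "
           "<www-client/seamonkey{,-bin}-2.0.11, <www-client/icecat-3.6.13, "
           "<net-libs/xulrunner-1.9.2.13")

# category/name-version[-rN]; simplified: dotted numeric versions only.
CPV = re.compile(r"^([\w+.-]+/[\w+-]+?)-(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def expand(atom):
    """Expand shell-style {a,b} alternatives, e.g. firefox{,-bin}."""
    m = re.search(r"\{([^{}]*)\}", atom)
    if not m:
        return [atom]
    return [out for alt in m.group(1).split(",")
            for out in expand(atom[:m.start()] + alt + atom[m.end():])]

def parse(cpv):
    """Split 'cat/pkg-1.2.3-r1' into ('cat/pkg', ((1, 2, 3), 1))."""
    m = CPV.match(cpv)
    if not m:
        # Fail loudly: silently skipping could hide an affected package.
        raise ValueError(f"unsupported package string: {cpv!r}")
    version = tuple(int(part) for part in m.group(2).split("."))
    return m.group(1), (version, int(m.group(3) or 0))

def fixed_versions(summary=SUMMARY):
    """Map each affected package to its first fixed (version, revision)."""
    fixed = {}
    for rng in re.split(r",\s+", summary):
        if not rng.startswith("<"):
            raise ValueError(f"only '<' ranges are handled: {rng!r}")
        for cpv in expand(rng[1:]):
            name, version = parse(cpv)
            fixed[name] = version
    return fixed

def vulnerable(installed, summary=SUMMARY):
    """Return installed packages older than the fixed version."""
    fixed = fixed_versions(summary)
    parsed = [(cpv, *parse(cpv)) for cpv in installed]
    return [cpv for cpv, name, ver in parsed if name in fixed and ver < fixed[name]]

# Constructed sample inventory (not taken from a real host).
INSTALLED = ["www-client/firefox-3.6.13", "www-client/icecat-3.6.9-r1",
             "mail-client/thunderbird-bin-3.0.7", "www-client/seamonkey-bin-2.0.11",
             "net-libs/xulrunner-1.9.2.12", "app-editors/vim-7.3.50"]
print(vulnerable(INSTALLED))
```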
CVE-2010-3778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3778): Unspecified vulnerability in Mozilla Firefox 3.5.x before 3.5.16, Thunderbird before 3.0.11, and SeaMonkey before 2.0.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2010-3777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3777): Unspecified vulnerability in Mozilla Firefox 3.6.x before 3.6.13 and Thunderbird 3.1.x before 3.1.7 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2010-3776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3776): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2010-3775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3775): Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle certain redirections involving data: URLs and Java LiveConnect scripts, which allows remote attackers to start processes, read arbitrary local files, and establish network connections via vectors involving a refresh value in the http-equiv attribute of a META element, which causes the wrong security principal to be used.
CVE-2010-3774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3774): The NS_SecurityCompareURIs function in netwerk/base/public/nsNetUtil.h in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle (1) about:neterror and (2) about:certerror pages, which allows remote attackers to spoof the location bar via a crafted web site.
CVE-2010-3773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3773): Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-0179.
CVE-2010-3772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3772): Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly calculate index values for certain child content in a XUL tree, which allows remote attackers to execute arbitrary code via vectors involving a DIV element within a treechildren element.
CVE-2010-3771 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3771): Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, does not properly handle injection of an ISINDEX element into an about:blank page, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to redirection to a chrome: URI.
CVE-2010-3770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3770): Multiple cross-site scripting (XSS) vulnerabilities in the rendering engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allow remote attackers to inject arbitrary web script or HTML via (1) x-mac-arabic, (2) x-mac-farsi, or (3) x-mac-hebrew characters that may be converted to angle brackets during rendering.
CVE-2010-3769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3769): The line-breaking implementation in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 on Windows does not properly handle long strings, which allows remote attackers to execute arbitrary code via a crafted document.write call that triggers a buffer over-read.
CVE-2010-3768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3768): Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, Thunderbird before 3.0.11 and 3.1.x before 3.1.7, and SeaMonkey before 2.0.11 do not properly validate downloadable fonts before use within an operating system's font implementation, which allows remote attackers to execute arbitrary code via vectors related to @font-face Cascading Style Sheets (CSS) rules.
CVE-2010-3767 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3767): Integer overflow in the NewIdArray function in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via a JavaScript array with many elements.
CVE-2010-3766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3766): Use-after-free vulnerability in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allows remote attackers to execute arbitrary code via vectors involving a change to an nsDOMAttribute node.
sparc keywords have been dropped in subsequent versions, proceeding with advisory
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).