Hi all, Mozilla has released V6.0. It would be really cool if Gentoo had it in the portage tree. Regards Steps to reproduce: 1. open http://mozilla.com/ Happens: always
https://www.mozilla.org/security/announce/2011/mfsa2011-33.html
https://www.mozilla.org/security/announce/2011/mfsa2011-31.html
https://www.mozilla.org/security/announce/2011/mfsa2011-30.html
https://www.mozilla.org/security/announce/2011/mfsa2011-29.html
https://www.mozilla.org/security/announce/2011/mfsa2011-32.html
Looks like we have fixed ebuilds for firefox 3.6.20, xulrunner 1.9.2.20 and seamonkey 2.3. Please create ebuilds for: firefox-bin seamonkey seamonkey-bin thunderbird thunderbird-bin Thank you.
*** Bug 379613 has been marked as a duplicate of this bug. ***
*** Bug 379605 has been marked as a duplicate of this bug. ***
+*firefox-bin-3.6.20 (17 Aug 2011) + + 17 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> + +firefox-bin-3.6.20.ebuild: + Security bump. + +*icecat-3.6.16-r3 (17 Aug 2011) + + 17 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> +icecat-3.6.16-r3.ebuild: + Security bump. + Please note that =icecat-3.6.16-r3 has the same fixes as firefox-3.6.20 (In reply to comment #2) > Looks like we have fixed ebuilds for firefox 3.6.20, xulrunner 1.9.2.20 and > seamonkey 2.3. > > Please create ebuilds for: > > firefox-bin > seamonkey > seamonkey-bin > thunderbird > thunderbird-bin > > Thank you. Tim, dunno why you listed seamonkey in that list of needed ebuilds as there's already seamonkey-2.3-r1 (which should be preferred over -r0 as it contains enigmail-1.3). There won't be any more seamonkey-2.0.x version so we don't have any other choice than stabilizing seamonkey-2.3-r1.
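Review bot: the icecat-3.6.16-r3 entry says only "Security bump.", so the ChangeLog does not show that this revision carries the same fixes as firefox-3.6.20 while keeping the 3.6.16 version number. Stating that in the entry, and naming the bug or the MFSA advisories in both entries, would let someone reading the ChangeLog alone tell which issues each ebuild addresses.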
(In reply to comment #5) > +*firefox-bin-3.6.20 (17 Aug 2011) > +*icecat-3.6.16-r3 (17 Aug 2011) > > Please note that =icecat-3.6.16-r3 has the same fixes as firefox-3.6.20 > Great, thank you. > > Tim, dunno why you listed seamonkey in that list of needed ebuilds as there's > already seamonkey-2.3-r1 (which should be preferred over -r0 as it contains > enigmail-1.3). There won't be any more seamonkey-2.0.x version so we don't have > any other choice than stabilizing seamonkey-2.3-r1. My mistake, sorry about that. Will there be a new seamonkey-bin?
(In reply to comment #6)
> My mistake, sorry about that. Will there be a new seamonkey-bin?
I won't do such a big bump (2.0.x -> 2.3). I was never really interested in maintaining seamonkey-bin and only did minor 2.0.x -> 2.0.x+1 version bumps when no other mozilla herd member was doing it on time. IIRC Anarchy found some volunteer for seamonkey-bin but I never heard from him after his introduction.
*** Bug 379619 has been marked as a duplicate of this bug. ***
*** Bug 380157 has been marked as a duplicate of this bug. ***
seamonkey upstream has released version 2.3.1. This will be the stable candidate for this bug. Arches should keep in mind that in order to get seamonkey-2.3.1 stable you also have to stabilize dev-libs/nss-3.12.10 and dev-libs/nspr-4.8.8
(In reply to comment #10)
> seamonkey upstream has released version 2.3.1. This will be the stable
> candidate for this bug. Arches should keep in mind that in order to get
> seamonkey-2.3.1 stable you also have to stabilize dev-libs/nss-3.12.10 and
> dev-libs/nspr-4.8.8
Ok, thanks, Lars. @mozilla, thanks for the updated firefox-bin ebuild. I think we're only waiting on thunderbird{,-bin}-3.1.12. Will there be a 3.1.12 ebuild?
+*thunderbird-3.1.12 (28 Aug 2011) + + 28 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> + +thunderbird-3.1.12.ebuild: + Security bump. + +*thunderbird-bin-3.1.12 (28 Aug 2011) + + 28 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> + +thunderbird-bin-3.1.12.ebuild: + Security bump. + Sorry for the long delay. I don't really feel responsible for thunderbird as I don't use it on any of my machines...
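Review bot: neither the thunderbird-3.1.12 nor the thunderbird-bin-3.1.12 entry gives a bug reference after "Security bump.", so the ChangeLog cannot be tied back to the stabilization request it belongs to. Appending the bug number to each entry would fix that.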
Thanks, Lars. Arches, please test and mark stable:
=www-client/firefox-3.6.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/firefox-bin-3.6.20
Target keywords : "amd64 x86"
=www-client/icecat-3.6.16-r3
Target keywords : "amd64 ppc ppc64 x86"
=mail-client/thunderbird-3.1.12
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
=mail-client/thunderbird-bin-3.1.12
Target keywords : "amd64 x86"
=www-client/seamonkey-2.3.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=dev-libs/nss-3.12.10
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=dev-libs/nspr-4.8.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=net-libs/xulrunner-1.9.2.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
nss and nspr have already been requested in bug 380913.
amd64. all works with default USE. nss and nspr confirmed in bug 380913
amd64 done. Thanks Agostino
firefox/xulrunner are stable for HPPA, but bug #381191 prevents compiling seamonkey, probably for other non-x86/-amd64 arches as well.
*** Bug 381423 has been marked as a duplicate of this bug. ***
ppc done, ppc64 done except seamonkey
(In reply to comment #18)
> ppc done, ppc64 done except seamonkey
seamonkey will need to be patched for ipc support.
x86 stable
arm stable, except seamonkey
alpha/ia64 stable for xulrunner+firefox, alpha/ia64/sparc stable for thunderbird, and seamonkey skipped
Arches, we continue nss stabilization in bug 388045. Thanks
HPPA keywording dropped.
re-add if needed.
dropped keywords on seamonkey for ppc64
CVE-2011-2991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2991): The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products does not properly implement JavaScript, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
CVE-2011-2990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2990): The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects.
CVE-2011-2989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2989): The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products does not properly implement WebGL, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
CVE-2011-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2988): Buffer overflow in an unspecified string class in the WebGL shader implementation in Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long source-code block for a shader.
CVE-2011-2987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2987): Heap-based buffer overflow in Almost Native Graphics Layer Engine (ANGLE), as used in the WebGL implementation in Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products might allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2011-2986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2986): Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas.
CVE-2011-2985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2985): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2984): Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly handle the dropping of a tab element, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by establishing a content area and registering for drop events.
CVE-2011-2983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2983): Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, SeaMonkey 1.x and 2.x, and possibly other products does not properly handle the RegExp.input property, which allows remote attackers to bypass the Same Origin Policy and read data from a different domain via a crafted web site, possibly related to a use-after-free.
CVE-2011-2982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2982): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, SeaMonkey 1.x and 2.x, and possibly other products allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2981): The event-management implementation in Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site.
CVE-2011-2980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2980): Untrusted search path vulnerability in the ThinkPadSensor::Startup function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, allows local users to gain privileges by leveraging write access in an unspecified directory to place a Trojan horse DLL that is loaded into the running Firefox process.
CVE-2011-2378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2378): The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, SeaMonkey 2.x, and possibly other products does not properly handle DOM objects, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to dereferencing of a "dangling pointer."
CVE-2011-2373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2373): Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when JavaScript is disabled, allows remote attackers to execute arbitrary code via a crafted XUL document.
CVE-2011-2370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2370): Mozilla Firefox before 5.0 does not properly enforce the whitelist for the xpinstall functionality, which allows remote attackers to trigger an installation dialog for a (1) add-on or (2) theme via unspecified vectors.
CVE-2011-2369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2369): Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 4.0.1 allows remote attackers to inject arbitrary web script or HTML via an SVG element containing an HTML-encoded entity.
CVE-2011-1712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1712): The txXPathNodeUtils::getXSLTId function in txMozillaXPathTreeWalker.cpp and txStandaloneXPathTreeWalker.cpp in Mozilla Firefox before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1, and SeaMonkey before 2.0.14, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
CVE-2011-0084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0084): The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."
CVE-2011-0082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0082): The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server.
CVE-2010-5074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5074): The layout engine in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 executes different code for visited and unvisited links during the processing of Cascading Style Sheets (CSS) token sequences, which makes it easier for remote attackers to obtain sensitive information about visited web pages via a timing attack.
CVE-2010-4508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4508): The WebSockets implementation in Mozilla Firefox 4 through 4.0 Beta 7 does not properly perform proxy upgrade negotiation, which has unspecified impact and remote attack vectors, related to an "inherent problem" with the WebSocket specification.
CVE-2002-2437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2437): The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method.
CVE-2002-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2436): The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264.
CVE-2011-2993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2993): The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801.
CVE-2011-2992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2992): The Ogg reader in the browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
Apart from arm, we have firefox-10.0.11 stable on all arches which have stable keywords, so do the arch teams here have anything to do? If not, please unCC them.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).