Bug 381245 - www-client/firefox{,-bin}, www-client/seamonkey{,-bin}, www-client/icecat, mail-client/thunderbird{,-bin}: Fraudulent DigiNotar certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/anno...
Whiteboard: B4 [glsa]
Keywords:
Duplicates: 382543 382567 384679 384955 385085 385629 388083 389335 389899
Depends on: 360427 380411
Blocks: 390771
Reported: 2011-08-31 02:00 UTC by Tim Sammut (RETIRED)
Modified: 2013-01-08 01:04 UTC
CC List: 22 users

See Also:
Package list:
Runtime testing required: ---


Attachments
mozilla-release602.diff.tar.bz2 (24.12 KB, application/octet-stream)
2011-09-06 11:16 UTC, Carsten Lohrke (RETIRED)

Description Tim Sammut (RETIRED) gentoo-dev 2011-08-31 02:00:36 UTC
From Mozilla's (harsh) advisory at $URL:

Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were issued and in active use but the full extent of the compromise is not known.

For the protection of our users Mozilla has removed the DigiNotar root certificate. Sites using certificates issued by DigiNotar will need to seek another certificate vendor.

Mozilla thanks Google, Inc. for reporting this issue to us. We also thank Marien Zwart (Mozilla Localization), Ot van Daalen (Bits of Freedom), and Erik de Jong (GovCERT) for their help.
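The advisory quoted above describes the mitigation for a mis-issued certificate from a compromised CA: remove that CA's root from the client trust store, after which every certificate chaining to it stops validating, whatever its signature says. The following shell script is an added example (not from this bug, from Gentoo, or from Mozilla) that reproduces that effect with throwaway test data: it generates two constructed roots, issues a leaf certificate for the constructed hostname www.example.test from one of them, and then verifies the leaf against a trust store that contains the issuing root and against the same store with that root removed. It assumes only the openssl command-line tool (1.1.0 or later, for the -no-CAfile/-no-CApath options that keep the system trust store out of the decision).

```shell
#!/bin/sh
# Added example, not part of bug 381245 or of Mozilla's advisory.
# Shows why pulling a compromised root from the trust store is an effective
# mitigation: certificates the removed CA issued no longer validate, even
# though their signatures are still cryptographically valid.
# Assumes the openssl CLI (1.1.0+). All keys and certificates are constructed
# throwaway test data created in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME SUBJECT: create a self-signed CA certificate and private key.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# issue_leaf ROOT HOSTNAME: issue an end-entity certificate for HOSTNAME,
# signed by the CA named ROOT.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_leaf STOREFILE: validate the leaf against exactly the roots in
# STOREFILE. -no-CAfile/-no-CApath exclude the system trust store so the
# result depends only on that file. Prints "trusted" or "rejected".
verify_leaf() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
            "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# root_fingerprint CERTFILE: the SHA-256 fingerprint by which a root is
# identified when it is added to or removed from a trust store.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed roots: "compromised" stands in for the CA whose root gets
# pulled, "other" for an unrelated root that stays trusted.
make_root compromised "Constructed Compromised Root CA"
make_root other       "Constructed Unrelated Root CA"
issue_leaf compromised "www.example.test"

# Trust store before and after removing the compromised root.
cat "$WORK/compromised.crt" "$WORK/other.crt" > "$WORK/store-before.pem"
cp  "$WORK/other.crt"                         "$WORK/store-after.pem"

echo "removed root fingerprint: $(root_fingerprint "$WORK/compromised.crt")"
echo "before removal: $(verify_leaf "$WORK/store-before.pem")"   # trusted
echo "after removal:  $(verify_leaf "$WORK/store-after.pem")"    # rejected
```

The leaf certificate is byte-for-byte identical in both runs; only the set of trust anchors changes. That is the whole mechanism behind the advisory's "sites using certificates issued by DigiNotar will need to seek another certificate vendor": once the root is gone from the store, a client cannot build a path to any anchor, so nothing that CA ever issued, legitimate or fraudulent, is accepted.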
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-08-31 02:05:53 UTC
Apologies for the spam. The list of fixed software from the advisory:

Fixed in: Firefox 6.0.1
  Firefox 3.6.21
  Thunderbird 6.0.1
  Thunderbird 3.1.13
  SeaMonkey 2.3.2
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-31 09:38:26 UTC
+*xulrunner-1.9.2.21 (31 Aug 2011)
+
+  31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org>
+  -xulrunner-1.9.2.18.ebuild, +xulrunner-1.9.2.21.ebuild:
+  Security bump. Removed old.
+

+*firefox-3.6.21 (31 Aug 2011)
+
+  31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> -firefox-3.6.18.ebuild,
+  +firefox-3.6.21.ebuild:
+  Security bump. Removed old.
+

+*icecat-3.6.16-r4 (31 Aug 2011)
+
+  31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> -icecat-3.6.16-r2.ebuild,
+  +icecat-3.6.16-r4.ebuild:
+  Security bump. Removed old.
+
Please note that icecat-3.6.16-r4 has the same fixes as firefox-3.6.21.

I will do the thunderbird bumps later today; seamonkey-2.3.2 still isn't released yet.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2011-08-31 19:45:40 UTC
+*firefox-bin-3.6.21 (31 Aug 2011)
+
+  31 Aug 2011; Nirbheek Chauhan <nirbheek@gentoo.org>
+  firefox-bin-3.6.17.ebuild, firefox-bin-3.6.18.ebuild,
+  firefox-bin-3.6.20.ebuild, +firefox-bin-3.6.21.ebuild:
+  Bump to 3.6.21, certificate blacklisting security release. Fix SRC_URI, bug
+  375197.
+
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-31 21:14:39 UTC
+*seamonkey-2.3.2 (31 Aug 2011)
+
+  31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> seamonkey-2.3.1.ebuild,
+  +seamonkey-2.3.2.ebuild, metadata.xml:
+  Security bump. Added ipc USE flag as requested in bug #381191.
+

+*thunderbird-3.1.13 (31 Aug 2011)
+
+  31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org>
+  -thunderbird-3.1.11.ebuild, +thunderbird-3.1.13.ebuild:
+  Security bump. Removed old.
+
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 14:47:24 UTC
@mozilla, thanks for the new ebuilds. Once there is a new thunderbird-bin we can move forward with stabilization (without seamonkey-bin).
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2011-09-06 11:16:55 UTC
Created attachment 285697 [details]
mozilla-release602.diff.tar.bz2

The about-to-be-released 6.02 and the corresponding other releases contain even more code to deal with this wonderful world of supposed third-party trust.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-09-06 22:17:12 UTC
This is getting silly...

https://www.mozilla.org/security/announce/2011/mfsa2011-35.html

@mozilla, unless you object, we can use this bug to track the new versions listed in the advisory.

Fixed in: Firefox 6.0.2
  Firefox Mobile 6.0.2
  Firefox 3.6.22
  Thunderbird 6.0.2
  Thunderbird 3.1.14
  SeaMonkey 2.3.3

Thanks (and sorry...)
Comment 8 Agostino Sarubbo gentoo-dev 2011-09-10 19:34:24 UTC
*** Bug 382543 has been marked as a duplicate of this bug. ***
Comment 9 Agostino Sarubbo gentoo-dev 2011-09-11 12:51:25 UTC
*** Bug 382567 has been marked as a duplicate of this bug. ***
Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-09-26 16:12:07 UTC
seamonkey-2.3.3-r1, firefox-6.0.2 and thunderbird-{3.1.14,6.0.2} are now in the tree. firefox-3.6.22/xulrunner-1.2.9.22 were already added on September 9th.

seamonkey-2.3.3-r1 might be problematic to stabilize on some arches, but there's no choice other than stabilizing this version. The old 2.0/2.1/2.2 series are all outdated and discontinued.

I will take care of icecat-3.6.16-r5 (next stable candidate with all patches from firefox-3.6.22) as soon as I find some time to mangle the patch so that it applies cleanly (*sigh*).

It's really sad that there seems to be very little activity from other mozilla-herd members :-/
Comment 11 Agostino Sarubbo gentoo-dev 2011-09-27 22:43:42 UTC
@Lars

missing {firefox,thunderbird,seamonkey}-bin
Comment 12 Agostino Sarubbo gentoo-dev 2011-09-28 11:26:29 UTC
@mozilla

New target:

Firefox-7.0
Firefox-3.6.23
Thunderbird-7.0
Thunderbird-3.1.15
Xulrunner-1.9.2.23
Comment 13 Agostino Sarubbo gentoo-dev 2011-09-28 11:28:47 UTC
*** Bug 384679 has been marked as a duplicate of this bug. ***
Comment 14 Jory A. Pratt gentoo-dev 2011-09-28 14:26:29 UTC
(In reply to comment #12)
> @mozilla
> 
> New target:
> 
> Firefox-7.0
> Firefox-3.6.23
> Thunderbird-7.0
> Thunderbird-3.1.15
> Xulrunner-1.9.2.23

We are gonna take 7.0 stable for all archs that we can. If an arch cannot go stable, they will be requested to drop their keywords. I will make the bump for thunderbird and firefox TONIGHT.
Comment 15 Agostino Sarubbo gentoo-dev 2011-09-28 16:27:30 UTC
*** Bug 384799 has been marked as a duplicate of this bug. ***
Comment 16 Agostino Sarubbo gentoo-dev 2011-09-29 17:16:10 UTC
*** Bug 384955 has been marked as a duplicate of this bug. ***
Comment 17 Jory A. Pratt gentoo-dev 2011-09-30 02:54:56 UTC
(In reply to comment #14)
> (In reply to comment #12)
> > @mozilla
> > 
> > New target:
> > 
> > Firefox-7.0
> > Firefox-3.6.23
> > Thunderbird-7.0
> > Thunderbird-3.1.15
> > Xulrunner-1.9.2.23
> 
> We are gonna take 7.0 stable for all archs that we can. If an arch can not go
> stable they will be requested to drop there keywords. I will make the bump for
> thunderbird and firefox TONIGHT.

There is a slight delay due to addon issues. 7.0.1 is expected to be released in the next 24 hours or so; as soon as it is, we will get a bump in the tree. We are aware that system dictionaries will not be working at that time; work is being done to bring the current patch to a working condition for a revision bump later.
Comment 18 Agostino Sarubbo gentoo-dev 2011-09-30 14:13:42 UTC
*** Bug 385085 has been marked as a duplicate of this bug. ***
Comment 19 Jory A. Pratt gentoo-dev 2011-10-01 02:26:50 UTC
{firefox,thunderbird}-7.0.1 source builds are in tree.
Comment 20 Agostino Sarubbo gentoo-dev 2011-10-04 22:24:07 UTC
*** Bug 385629 has been marked as a duplicate of this bug. ***
Comment 21 Joel 2011-10-20 22:27:11 UTC
Renaming the thunderbird-bin-6.0 ebuild to 7.0.1 works for me.
Comment 22 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-22 13:26:02 UTC
*** Bug 388083 has been marked as a duplicate of this bug. ***
Comment 23 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-26 21:34:03 UTC
Trying to sum up the situation. We have in ~arch:

firefox-7.0.1-r1
firefox-bin-7.0.1
thunderbird-7.0.1-r1
seamonkey-2.4.1-r1 (stabilization acked by poly-c)

Missing:
thunderbird-bin-7.0.1*

Stabilization blocked:
icecat-7* (bug 380411)

Removal candidate(?):
seamonkey-bin-*

Mozilla team, can we stabilize the packages that are already available? Also, please take care of the thunderbird-bin update and decide what will happen to seamonkey-bin (poly-c has no interest in this, as he tells me).
Comment 24 Jory A. Pratt gentoo-dev 2011-10-27 00:39:08 UTC
(In reply to comment #23)
> Trying to sum up the situation. We have in ~arch:
> 
> firefox-7.0.1-r1
> firefox-bin-7.0.1
> thunderbird-7.0.1-r1
> seamonkey-2.4.1-r1 (stabilization acked by poly-c)
> 
> Missing:
> thunderbird-bin-7.0.1*
> 
> Stabilization blocked:
> icecat-7* (bug 380411)
> 
> Removal candidate(?):
> seamonkey-bin-*
> 
> Mozilla team, can we stabilize the packages that are already available? Also,
> please take care of the thunderbird-bin update and decide what will happen to
> seamonkey-bin (poly-c has no interest in this as he tells me)

icecat is not blocked due to flash; plugins are not guaranteed to work with all the changes that icecat brings to plugins.

As for the others, feel free to start stabilizing; it is more than ready. As for the -bin packages, they are on the slate for p.mask and removal.
Comment 25 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-27 17:07:17 UTC
Arches, please test and mark stable:
=www-client/firefox-7.0.1-r1
=www-client/seamonkey-2.4.1-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-7.0.1
Target keywords : "amd64 x86"

=mail-client/thunderbird-7.0.1-r1
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

The Mozilla team has requested to drop keywords if you cannot stabilize the packages as per bug 360427. Either way, please report back on this bug.
Comment 26 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-27 17:18:59 UTC
amd64:

=www-client/firefox-7.0.1-r1 pass, been using it since it got released

=mail-client/thunderbird-7.0.1-r1 pass, but it has problems with enigmail because the system is using an old version of gpg or something. But everything else works fine.
Comment 27 Agostino Sarubbo gentoo-dev 2011-10-28 08:35:03 UTC
> =www-client/firefox-7.0.1-r1
> =www-client/seamonkey-2.4.1-r1
> =www-client/firefox-bin-7.0.1
> =mail-client/thunderbird-7.0.1-r1

All ok on amd64. Please stabilize.
Comment 28 Tony Vroon (RETIRED) gentoo-dev 2011-10-28 08:44:21 UTC
+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> firefox-7.0.1-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #381245.

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> seamonkey-2.4.1-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #381245.

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> firefox-bin-7.0.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #381245.

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-7.0.1-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #381245.
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-31 00:40:22 UTC
HPPA keywording dropped.
Comment 30 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-31 00:40:58 UTC
Oh wait, there still is www-client/seamonkey.
Comment 31 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-31 12:34:55 UTC
HPPA keywording dropped.
Comment 32 Jory A. Pratt gentoo-dev 2011-10-31 21:37:46 UTC
nothing less for mozilla team, re-add if needed.
Comment 33 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-02 16:57:06 UTC
*** Bug 389335 has been marked as a duplicate of this bug. ***
Comment 34 Stephan Litterst 2011-11-05 13:51:47 UTC
www-client/firefox-bin-7.0.1

ok on x86. Please stabilize.
Comment 35 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2011-11-08 17:21:26 UTC
*** Bug 389899 has been marked as a duplicate of this bug. ***
Comment 36 Andreas Schürch gentoo-dev 2011-11-09 15:39:02 UTC
I don't know who removed the dependency on bug 389793, but this is clearly a regression and the reason why it isn't stabilized yet, at least on x86!
Comment 37 Agostino Sarubbo gentoo-dev 2011-11-09 17:26:09 UTC
(In reply to comment #36)
> I don't know who removed the depend on bug 389793, 

Check the history.
Comment 38 Markus Meier gentoo-dev 2011-11-13 14:46:44 UTC
x86 stable, thanks Stephan
Comment 39 Mark Loeser (RETIRED) gentoo-dev 2011-12-27 00:16:04 UTC
seamonkey worked for ppc; dropped ppc/ppc64 from everywhere else
Comment 40 KinG-InFeT 2011-12-31 14:36:38 UTC
firefox-9.0.1{-bin} x86 stable
Comment 41 Agostino Sarubbo gentoo-dev 2011-12-31 14:55:35 UTC
(In reply to comment #40)
> firefox-9.0.1{-bin} x86 stable

1) I doubt you have a stable machine to say it.
2) "${arch} stable" is used when a developer marks stable in CVS; please use a different syntax.
3) This bug is not about firefox 9.0.1.
Comment 42 Agostino Sarubbo gentoo-dev 2013-01-03 20:41:33 UTC
Apart from arm, we have firefox-10.0.11 stable on all arches which have stable keywords, so do the arch teams here have anything to do? If not, please unCC them.
Comment 43 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:57 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).