From Mozilla's (harsh) advisory at $URL: Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were issued and in active use but the full extent of the compromise is not known. For the protection of our users Mozilla has removed the DigiNotar root certificate. Sites using certificates issued by DigiNotar will need to seek another certificate vendor. Mozilla thanks Google, Inc. for reporting this issue to us. We also thank Marien Zwart (Mozilla Localization), Ot van Daalen (Bits of Freedom), and Erik de Jong (GovCERT) for their help.
Apologies for the spam. The list of fixed software from the advisory: Fixed in: Firefox 6.0.1, Firefox 3.6.21, Thunderbird 6.0.1, Thunderbird 3.1.13, SeaMonkey 2.3.2
+*xulrunner-1.9.2.21 (31 Aug 2011) + + 31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> + -xulrunner-1.9.2.18.ebuild, +xulrunner-1.9.2.21.ebuild: + Security bump. Removed old. + +*firefox-3.6.21 (31 Aug 2011) + + 31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> -firefox-3.6.18.ebuild, + +firefox-3.6.21.ebuild: + Security bump. Removed old. + +*icecat-3.6.16-r4 (31 Aug 2011) + + 31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> -icecat-3.6.16-r2.ebuild, + +icecat-3.6.16-r4.ebuild: + Security bump. Removed old. +
Please note that icecat-3.6.16-r4 has the same fixes as firefox-3.6.21. I will do the thunderbird bumps later today, and seamonkey-2.3.2 still isn't released yet.
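Review bot: the xulrunner, firefox and icecat ChangeLog messages read only "Security bump. Removed old." and name neither the bug nor the advisory behind the bump. Adding the bug number to each message would let someone reading the ChangeLog alone tell which issue the new ebuilds address.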
+*firefox-bin-3.6.21 (31 Aug 2011) + + 31 Aug 2011; Nirbheek Chauhan <nirbheek@gentoo.org> + firefox-bin-3.6.17.ebuild, firefox-bin-3.6.18.ebuild, + firefox-bin-3.6.20.ebuild, +firefox-bin-3.6.21.ebuild: + Bump to 3.6.21, certificate blacklisting security release. Fix SRC_URI, bug + 375197. +
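Review bot: in the firefox-bin entry, firefox-bin-3.6.17, 3.6.18 and 3.6.20 are listed without a leading "-", so the ebuilds that predate the certificate blacklisting release stay in the tree after this commit. Consider removing them in the same change, as the source-package entries do with "Removed old", or state in the message why they are kept.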
+*seamonkey-2.3.2 (31 Aug 2011) + + 31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> seamonkey-2.3.1.ebuild, + +seamonkey-2.3.2.ebuild, metadata.xml: + Security bump. Added ipc USE flag as requested in bug #381191. + +*thunderbird-3.1.13 (31 Aug 2011) + + 31 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> + -thunderbird-3.1.11.ebuild, +thunderbird-3.1.13.ebuild: + Security bump. Removed old. +
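Review bot: the seamonkey entry combines the security bump with a new ipc USE flag (bug #381191) and a metadata.xml change, and seamonkey-2.3.1.ebuild is listed without a leading "-", so it is modified rather than removed. Putting the USE flag addition in its own commit would keep the security update minimal and easier to stabilize, and the old ebuild should be dropped as the thunderbird entry does.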
@mozilla, thanks for the new ebuilds. Once there is a new thunderbird-bin we can move forward with stabilization (without seamonkey-bin).
Created attachment 285697: mozilla-release602.diff.tar.bz2. About to be released 6.02 and corresponding other releases contain even more code to deal with this wonderful world of supposed 3rd party trust.
This is getting silly... https://www.mozilla.org/security/announce/2011/mfsa2011-35.html @mozilla, unless you object, we can use this bug to track the new versions listed in the advisory. Fixed in: Firefox 6.0.2, Firefox Mobile 6.0.2, Firefox 3.6.22, Thunderbird 6.0.2, Thunderbird 3.1.14, SeaMonkey 2.3.3. Thanks (and sorry...)
*** Bug 382543 has been marked as a duplicate of this bug. ***
*** Bug 382567 has been marked as a duplicate of this bug. ***
seamonkey-2.3.3-r1, firefox-6.0.2 and thunderbird-{3.1.14,6.0.2} are now in the tree. firefox-3.6.22/xulrunner-1.2.9.22 were already added on September 9th. seamonkey-2.3.3-r1 might be problematic to stabilize on some arches, but there's no other choice than stabilizing this version. The old 2.0/2.1/2.2 series are all outdated and discontinued. I will take care of icecat-3.6.16-r5 (next stable candidate with all patches from firefox-3.6.22) as soon as I find some time to mangle the patch so that it applies cleanly (*sigh*). It's really sad that there seems to be very little activity from other mozilla-herd members :-/
@Lars missing {firefox,thunderbird,seamonkey}-bin
@mozilla New target: Firefox-7.0, Firefox-3.6.23, Thunderbird-7.0, Thunderbird-3.1.15, Xulrunner-1.9.2.23
*** Bug 384679 has been marked as a duplicate of this bug. ***
(In reply to comment #12)
> @mozilla
>
> New target:
>
> Firefox-7.0
> Firefox-3.6.23
> Thunderbird-7.0
> Thunderbird-3.1.15
> Xulrunner-1.9.2.23
We are gonna take 7.0 stable for all archs that we can. If an arch can not go stable they will be requested to drop their keywords. I will make the bump for thunderbird and firefox TONIGHT.
*** Bug 384799 has been marked as a duplicate of this bug. ***
*** Bug 384955 has been marked as a duplicate of this bug. ***
(In reply to comment #14)
> (In reply to comment #12)
> > @mozilla
> >
> > New target:
> >
> > Firefox-7.0
> > Firefox-3.6.23
> > Thunderbird-7.0
> > Thunderbird-3.1.15
> > Xulrunner-1.9.2.23
>
> We are gonna take 7.0 stable for all archs that we can. If an arch can not go
> stable they will be requested to drop their keywords. I will make the bump for
> thunderbird and firefox TONIGHT.
There is a slight delay due to addon issues; 7.0.1 is expected to release in the next 24 hours or so. As soon as it is, we will get a bump in tree. We are aware that system dictionaries will not be working at that time; work is being done to bring the current patch to a working condition for a revision bump later.
*** Bug 385085 has been marked as a duplicate of this bug. ***
{firefox,thunderbird}-7.0.1 source builds are in tree.
*** Bug 385629 has been marked as a duplicate of this bug. ***
Renaming the thunderbird-bin-6.0 ebuild to 7.0.1 works for me.
*** Bug 388083 has been marked as a duplicate of this bug. ***
Trying to sum up the situation. We have in ~arch:
  firefox-7.0.1-r1
  firefox-bin-7.0.1
  thunderbird-7.0.1-r1
  seamonkey-2.4.1-r1 (stabilization acked by poly-c)
Missing:
  thunderbird-bin-7.0.1*
Stabilization blocked:
  icecat-7* (bug 380411)
Removal candidate(?):
  seamonkey-bin-*
Mozilla team, can we stabilize the packages that are already available? Also, please take care of the thunderbird-bin update and decide what will happen to seamonkey-bin (poly-c has no interest in this as he tells me).
(In reply to comment #23)
> Trying to sum up the situation. We have in ~arch:
>
> firefox-7.0.1-r1
> firefox-bin-7.0.1
> thunderbird-7.0.1-r1
> seamonkey-2.4.1-r1 (stabilization acked by poly-c)
>
> Missing:
> thunderbird-bin-7.0.1*
>
> Stabilization blocked:
> icecat-7* (bug 380411)
>
> Removal candidate(?):
> seamonkey-bin-*
>
> Mozilla team, can we stabilize the packages that are already available? Also,
> please take care of the thunderbird-bin update and decide what will happen to
> seamonkey-bin (poly-c has no interest in this as he tells me)
Icecat is not blocked due to flash; plugins are not guaranteed to work with all the changes that icecat brings to plugins. As for the others, feel free to start stabilizing; it is more than ready. As for -bin packages, they are on the slate for p.mask and removal.
Arches, please test and mark stable:
  =www-client/firefox-7.0.1-r1
  =www-client/seamonkey-2.4.1-r1
  Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
  =www-client/firefox-bin-7.0.1
  Target keywords : "amd64 x86"
  =mail-client/thunderbird-7.0.1-r1
  Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
The Mozilla team has requested to drop keywords if you cannot stabilize the packages as per bug 360427. Either way, please report back on this bug.
amd64:
  =www-client/firefox-7.0.1-r1 pass, been using it since it got released
  =mail-client/thunderbird-7.0.1-r1 pass, but it has problems with enigmail because the system is using an old version of gpg or something. But everything else works fine.
> =www-client/firefox-7.0.1-r1
> =www-client/seamonkey-2.4.1-r1
> =www-client/firefox-bin-7.0.1
> =mail-client/thunderbird-7.0.1-r1
All ok on amd64. Please stabilize.
+ 28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> firefox-7.0.1-r1.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #381245. + 28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> seamonkey-2.4.1-r1.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #381245. + 28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> firefox-bin-7.0.1.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #381245. + 28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-7.0.1-r1.ebuild: + Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El + Lazkani & Agostino "ago" Sarubbo in security bug #381245.
HPPA keywording dropped.
Oh wait, there still is www-client/seamonkey.
nothing less for mozilla team, readd if needed.
*** Bug 389335 has been marked as a duplicate of this bug. ***
www-client/firefox-bin-7.0.1 ok on x86. Please stabilize.
*** Bug 389899 has been marked as a duplicate of this bug. ***
I don't know who removed the depend on bug 389793, but this is clearly a regression and the reason why it isn't stabilized yet, at least on x86!
(In reply to comment #36)
> I don't know who removed the depend on bug 389793,
Check the history.
x86 stable, thanks Stephan
seamonkey worked for ppc; dropped ppc/ppc64 from everywhere else
firefox-9.0.1{-bin} x86 stable
(In reply to comment #40)
> firefox-9.0.1{-bin} x86 stable
1) I doubt you have a stable machine to say it.
2) ${arch} stable is used when a developer marks stable in CVS; please use a different syntax.
3) This is not a bug about firefox 9.0.1.
Apart from arm, we have firefox-10.0.11 stable on all arches which have stable keywords, so do the arch teams here have anything to do? If not, please unCC them.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).