Summary: www-client/mozilla-firefox[-bin] 1.0.8 fixes 16 security holes
Product: Gentoo Security
Reporter: ollonois <ollonois>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: gentoo, mozilla, patrizio.bassi, polynomial-c
Whiteboard: A2 [glsa] koon
Package list:
Runtime testing required: ---
Description ollonois 2006-04-14 03:41:40 UTC
Comment 1 Tavis Ormandy (RETIRED) 2006-04-14 04:18:35 UTC
mozilla team, please provide updated ebuilds
Comment 2 Patrizio Bassi 2006-04-14 05:04:30 UTC
maybe it's time to mark 1.5 stable and discard old 1.0.x series
Comment 3 Carsten Lohrke (RETIRED) 2006-04-14 05:08:31 UTC
Firefox 188.8.131.52 and Seamonkey 1.0.1 fix several issues as well. Is the classic Mozilla still supported upstream, security-wise? Otherwise it should be masked/removed from the tree.
Comment 4 Patrizio Bassi 2006-04-14 05:21:05 UTC
If I remember correctly, they said they'll support mozilla 1.7 for all security problems that will be found; maybe it will be released some days later. Maybe it's not affected (I doubt it); it should be checked and asked.
Comment 5 Raphael Marichez (Falco) (RETIRED) 2006-04-14 06:29:53 UTC
Hi, it's CVE-2006-1724 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724
Concerned:
www-client/mozilla-firefox[-bin] <184.108.40.206 and <1.0.8
mail-client/mozilla-thunderbird[-bin] <220.127.116.11 and <1.0.8
www-client/mozilla[-bin] <1.7.13
www-client/seamonkey (masked) <1.0.1
Status/severity: A2/major (or maybe B2/normal)
Comment 6 Raphael Marichez (Falco) (RETIRED) 2006-04-14 06:39:40 UTC
> it's CVE-2006-1724
Sorry, it's all entries from CVE-2006-1724 until CVE-2006-1736 and 1739 to 1742. CVE-2006-1737 and 1738 are not public yet.
Comment 7 Thierry Carrez (RETIRED) 2006-04-14 08:22:17 UTC
(In reply to comment #2)
> maybe it's time to mark 1.5 stable and discard old 1.0.x series
No it's not. Security updates are a bad time to rush stability tests.
Comment 8 Thierry Carrez (RETIRED) 2006-04-14 08:24:27 UTC
*** Bug 121363 has been marked as a duplicate of this bug. ***
Comment 9 Jory A. Pratt 2006-04-14 14:14:41 UTC
The mozilla suite cannot be removed from the tree until seamonkey is ported in as a dep instead of mozilla itself. I will get 1.0.8 in the tree a little later tonight; first 18.104.22.168, which should be tested by all archs and stabilized where possible, IMHO.
Comment 10 Jory A. Pratt 2006-04-14 16:40:45 UTC
As most are aware, I am the only active mozilla dev we have at the moment. I will provide the ebuild for 1.0.8 as soon as possible. I have to first redo the entire patch tarball, as most patches have been applied upstream. Those who can, please stabilize 22.214.171.124. I am working with upstream on the sparc issue, which is the only known arch with problems at this time, other than alpha, which has mixed output at this time.
Comment 11 Thierry Carrez (RETIRED) 2006-04-15 06:00:07 UTC
Jory: good luck, Jim
Comment 12 Jory A. Pratt 2006-04-15 08:06:44 UTC
Alright, 126.96.36.199 source and binary are in the tree. If at all possible, mark 188.8.131.52 source and binary stable. If for some reason you're uncomfortable with that, please mark 1.0.8 binary stable for x86 and amd64 only. As soon as I am done with 1.0.8 source, those who need or wish to continue to hold back the 1.5.x branch can mark 1.0.8 stable. It will be in the tree within the next 3 hours (1.0.8 source). Will add the rest of the archs when 1.0.8 source is in the tree.
Comment 13 Matthias Langer 2006-04-15 08:16:17 UTC
I'm using mozilla-firefox-184.108.40.206 [-debug +gnome +ipv6 +java -mozdevelop -xinerama -xprint] almost since it has been committed to the tree on x86. Everything seems to work fine so far ...
Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
Comment 14 Jory A. Pratt 2006-04-15 11:13:50 UTC
1.0.8 is in the tree, reminder to mark 220.127.116.11 stable if possible. Any questions find me on irc and I will reply as soon as possible.
Comment 15 Matti Bickel (RETIRED) 2006-04-15 14:35:02 UTC
Firefox-18.104.22.168 and nss-3.11-r1 stable by nixnut
Comment 16 Jason Wever (RETIRED) 2006-04-15 14:59:40 UTC
SPARC'd 1.0.8 (1.5.x series is still crash-happy on SPARC).
Comment 17 Mark Loeser (RETIRED) 2006-04-15 17:09:07 UTC
1.0.8 is stable on x86. We'll look at 1.5.x sometime in the near future.
Comment 18 Thomas Cort (RETIRED) 2006-04-16 07:13:35 UTC
Comment 19 Lars Wendler (Polynomial-C) 2006-04-16 14:55:41 UTC
Hi, seamonkey-1.0.1 builds and works fine on ~x86. I had to drop two patches from seamonkey-1.0-patches-0.4.tar.bz2, which are:
065_firefox-1.5-nsStackFrameUnix.patch.bz2
066_firefox-1.5-nsStackFrameUnix.patch.bz2
All other patches applied without any errors.
@ Jory: I have created an ebuild for seamonkey-1.0.1. You can find it here: http://polynomial-c.homelinux.net/pub/gentoo/portage/www-client/seamonkey/
Cheers, Poly-C
Comment 20 Guy Martin (RETIRED) 2006-04-17 09:12:53 UTC
Okay, I was about to work on this for HPPA but guess what, all the HPPA specific patches were removed from the mozilla-firefox ebuild. That makes a non-working firefox since January on hppa... Anarchy, please fix your breakage before I do anything.
Comment 21 Jory A. Pratt 2006-04-18 15:43:47 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
Patches might have been dropped from the 1.5 branch, but the 1.0.8 bump is based off of az work. Do NOT cc me on a bug report related to mozilla; I am already emailed via alias.
Comment 22 Jory A. Pratt 2006-04-18 19:25:48 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
I have done a bit of digging: the hppa patch has already been applied upstream in the 1.5.x branch. If it compiles and runs stable, mark it stable. I will check the 1.0.8 branch tomorrow after I get home from work, but I imagine it has been applied as well.
Comment 23 Jory A. Pratt 2006-04-18 19:35:01 UTC
Stable on AMD64
Comment 24 Jory A. Pratt 2006-04-19 14:59:41 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
The patch has already been applied upstream for 1.0.8 for hppa as well. I would suggest you test before you open mouth and insert foot!!
Comment 25 Thierry Carrez (RETIRED) 2006-04-21 09:53:46 UTC
x86, hppa, ia64: please test and mark 22.214.171.124 stable or explain why you can't.
x86: don't forget the -bin version.
Comment 26 Chris Gianelloni (RETIRED) 2006-04-21 11:53:38 UTC
1.5.x isn't needed for this bug. We've already marked 1.0.8 stable. Removing x86.
Comment 27 Thomas Cort (RETIRED) 2006-04-21 12:36:38 UTC
(In reply to comment #18) The problems I was having were due to downgrading from 126.96.36.199. After fixing the permissions, firefox-1.0.8 works fine for me. It works well for ferdy too. alpha stable.
Comment 28 Thierry Carrez (RETIRED) 2006-04-21 13:33:39 UTC
x86 was already done, sorry for the noise
Comment 29 Thierry Carrez (RETIRED) 2006-04-22 03:03:48 UTC
Waiting on hppa for GLSA release.
Comment 30 Guy Martin (RETIRED) 2006-04-22 10:05:11 UTC
Stable on hppa. Sorry, Anarchy, for this misunderstanding.
Comment 31 Thierry Carrez (RETIRED) 2006-04-22 10:59:49 UTC
Ready for GLSA
Comment 32 Sune Kloppenborg Jeppesen 2006-04-23 13:02:26 UTC
Comment 33 Matt McHenry 2006-04-23 15:00:37 UTC
I was searching through the bug database to see if I could find any explanation for why firefox 1.5 hasn't been marked stable on x86 so long after its release, and this bug and bug 121363 were the only ones I could find. So along the lines of bug 121363 comment 23, I'll just make a note of my experience w/ 1.5: I have been using firefox 188.8.131.52 on my system for about two weeks with no problems (emerge'd on Apr 6). It seems very stable. Let me know if you need more info about my system, or if there is somewhere else that this information should be reported other than this bug.