| Summary: | mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code execution (CVE-2006-0748) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Raphael Marichez (Falco) (RETIRED) <falco> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | mozilla, tcort |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird | | |
| Whiteboard: | A2 [tempglsa stable+ alpha] Falco | | |
| Package list: | | Runtime testing required: | --- |

Description
Raphael Marichez (Falco) (RETIRED)
2006-04-22 14:02:41 UTC
same as the moz-1.0.8 thing (#129924), moz team, please provide a new ebuild mail-client/mozilla-thunderbird-1.0.8

Please keyword 1.5.0.2 where possible, ONLY keyword 1.0.8 for those who can NOT mark 1.5.0.2.

AMD64 and X86 DO NOT forget -bin.

(bugzie forced a comment for some minor changes, so here is one to make it happy)

If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well, sorry for not getting it in original post.

(In reply to comment #4)
> If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not
> getting it in original post.

There's no enigmail-0.94.0-r2, I guess we can keyword enigmail-0.94.0-r1?

<@Anarchy> dertobi123, enigmail-0.94.0-r2 is in the tree I forgot to make the commit with all other commits and bumps I am working on

so, ppc stable :)

sparc stable.

moz-1.0.8 and moz-bin-1.0.8 stable on x86

amd64 stable 1.5.0.2 !!

alpha team, aware ? something wrong ?

See the bug this one depends on :)

- ferdy

oh ok, sorry :)

it's worrying. Is #131359 progressing ? ETA ?

We'll probably have to publish the GLSA and say alpha is still affected, and update it when it gets fixed...

A temporary GLSA was sent : GLSA 200605-09

We'll update it once TB reaches stable on alpha

(In reply to comment #12)
> it's worrying. Is #131359 progressing ? ETA ?

No progress or ETA, so I've masked =mail-client/mozilla-thunderbird-1.0.7* in profiles/default-linux/alpha/package.mask and dropped the ~alpha keyword from thunderbird-1.0.8 as it is badly broken on alpha (Bug #131359) and 1.5 doesn't compile (also Bug #131359).

BTW, I only see alpha in the "Status Whiteboard", but it looks like ia64 needs to still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.

> BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to
> still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
>

contrary to the "supported" arches [1], ia64 is not obliged to stabilize the ebuilds concerning the security issues before we send a GLSA.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml , part 1, "Scope"

Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is affected by several vulnerabilities.

I suggest closing this bug as soon as Alpha stabilizes 1.5.0.4 in bug 135256.

(In reply to comment #17)
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.

mozilla-thunderbird-1.5.0.4 is also broken on alpha. It uses ~100% of the CPU and the main window never comes up. This is similar to the problem we are having with firefox-1.5 on alpha, see Bug #128777.

This bug can probably be closed since it isn't looking like we will be able to mark thunderbird-1.5 stable on alpha and alpha has all affected versions of thunderbird masked in profiles/default-linux/alpha/package.mask.

Output of `top`:

 PID USER   PR NI VIRT  RES SHR S %CPU %MEM TIME+   COMMAND
3593 tcort  20  0 33120 32m 23m R 93.2 10.4 9:52.85 thunderbird-bin

> mozilla-thunderbird-1.5.0.4 is also broken on alpha.

OK, so you will have to let thunderbird masked :(

you're right, I can close this bug. Same for bug 120485.