Bug 135257

bug is invalid we will have to backport the patches if we are to fix, as bad as it is we are gonna have to make a major change to seamonkey and remove mozilla from the tree completely. Wait and see what plays out over next few days before we jump the gun on this one tho.

Comment 2 Andreas Proschofsky (RETIRED) 2006-06-04 02:41:29 UTC

So what does this mean for other packages depending on mozilla? Should we all move over to just support firefox? Or would it be possible to use seamonkey as a 1:1 drop-in? (we have both firefox and mozilla use-flags in OpenOffice.org for instance). Also what does this all mean for gecko-sdk?

I really think there is a pressing need for a general guideline to all devs.

Comment 3 Raphael Marichez (Falco) (RETIRED) 2006-06-18 03:13:28 UTC

" The Mozilla Suite is no longer supported and is affected by several known vulnerabilities fixed in newer Mozilla-based products."

i'm afraid we should package.mask it and send a mask glsa, requesting the Mozilla Suite users to switch to one or more other mozilla-based products.
It is annoying since the Mozilla Suite is widely used.

Moz team, your opinion ?

We will not mask mozilla!! I am working with upstream on seamonkey issues that are preventing 1.0.2 from being added to the tree soon as we work these issues out we will move all packages that depend on www-client/mozilla to www-client/seamonkey.

Comment 5 Raphael Marichez (Falco) (RETIRED) 2006-06-18 05:08:57 UTC

ok, we will see. Thanks anarchy

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-18 08:58:41 UTC

Anarchy please provide an ETA for this to be fixed. According to Security policy it should most likely be masked.

Comment 7 Raphael Marichez (Falco) (RETIRED) 2006-06-18 09:16:48 UTC

BTW, some of the advisories [1] deal with remote compromise (by enticing the user to visit a malicious website, sure, but this is still serious, and this software is widely-used so i think we might be cautious with this our users' safety).

[1]
http://www.mozilla.org/security/announce/2006/mfsa2006-37.html and
http://www.mozilla.org/security/announce/2006/mfsa2006-38.html

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-19 23:43:58 UTC

If it is not possible to mark seamonkey stable within a reasonable time we should consider masking Mozilla.

Security what is your opinion?

Comment 9 Wolf Giesen (RETIRED) 2006-06-19 23:51:53 UTC

I Uhm, wouldn't that effectively break every new merge of, say Gnome? I guess that's not really something we can realistically do :| It should be done, but I wouldn't want to be in the way of the sh*t rolling downhill then ...

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-20 00:01:41 UTC

Well that just shows how often I use Gnome.

What a pita:-/

Comment 11 Raphael Marichez (Falco) (RETIRED) 2006-06-20 01:58:50 UTC

Is www-client/mozilla a hard dep of gnome ? that's so silly :/
I can see there is a useflag "firefox" in gnome-extra/yelp, which installs www-client/mozilla-firefox instead of www-client/mozilla. Yet, i have already www-client/mozilla-firefox-bin installed, and "yelp" wants to install mozilla-firefox (without -bin), because of an Rdepend!!!
Well, we're not trying to solve all the problems of gnome. It's not the topic.

mozilla[-bin] has been known to be vulnerable for nearly 3 weeks now, it's time to act.
If it's confirmed that most of gnome users use www-client/mozilla, so this software is more often installed than i thought. This means more vulnerable gentoo boxes... But firstly, gnome-extra/yeld dependencies must be moved from "mozilla" to "mozilla-firefox" or another same replacement of mozilla. That should help a lot. (and it's only the beginning); Good luck

Comment 12 Wolf Giesen (RETIRED) 2006-06-20 05:26:08 UTC

AFAIK it's Nautilus that depends on mozilla.

Comment 13 Wolf Giesen (RETIRED) 2006-06-21 22:47:38 UTC

I guess we really have to make a decision here :|

Comment 14 Wolf Giesen (RETIRED) 2006-06-22 00:03:33 UTC

Seems it's not as bad as I thought. With "firefox" USE flag Gnome (2.12 as well as 2.14) seems to be happy depending on that. So IMHO we could actually mask the suite but would need to tell people to depend on firefox. In a second step we could change dep to seamonkey, giving arches time to stabilize. The only thing I don't know is how to prominently push the info (sadly there's an open GLEP for that).

Comment 15 Raphael Marichez (Falco) (RETIRED) 2006-06-22 03:56:12 UTC

> I guess we really have to make a decision here :|


Obviously, the following dependencies :

        !firefox? ( >=www-client/mozilla-1.7.3 )
        firefox? ( >=www-client/mozilla-firefox-1.0.2-r1 )
        if use firefox; then
                myconf="${myconf} --with-mozilla=firefox"

in yelp (or others) should all been replaced by dependecy on firefox or on seamonkey (?)

There is still more to do, but it is the beginning.
I cc gnome@ on bug 137198 which is used to follow the replacement of the moz suite

Comment 16 Wolf Giesen (RETIRED) 2006-06-22 04:00:23 UTC

It seems Gnome pulls in gecko-sdk (at least when used with "firefox" USEflag). I'd guess the same vuln is in there, too?

Comment 17 solar (RETIRED) 2006-06-24 19:43:59 UTC

(In reply to comment #8)
> If it is not possible to mark seamonkey stable within a reasonable time we
> should consider masking Mozilla.
> 
> Security what is your opinion?

This is a pretty major package. Backporting as needed would be a better option.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2006-06-30 08:53:59 UTC

@solar, do you have any candidates for backporting or have someone else already done it?

Comment 19 Jakub Moc (RETIRED) 2006-09-02 16:06:05 UTC

Uhm.... so, what's going on here? 

Comment 20 Sune Kloppenborg Jeppesen (RETIRED) 2006-09-26 09:21:50 UTC

Any news on this one or is it fixed with the latest versions?

Comment 21 Jakub Moc (RETIRED) 2006-09-26 10:58:09 UTC

(In reply to comment #20)
> Any news on this one or is it fixed with the latest versions?

There won't be any fixes, the thing is dead, burried and unmaintained upstream. Bug 137665 needs to be fixed and this thing p.masked and punted.

Comment 22 Sune Kloppenborg Jeppesen (RETIRED) 2006-09-26 14:03:12 UTC

oh mozilla != mozilla-firefox :-)

Comment 23 Matthias Geerdsen (RETIRED) 2006-10-02 07:42:26 UTC

since this bug has been dead for a while (as well as bug #137665)

i propose to mask mozilla(-bin), maybe give a last (short) deadline and a warning on -dev

Comment 24 Raphael Marichez (Falco) (RETIRED) 2006-10-08 12:47:29 UTC

(In reply to comment #23)
> since this bug has been dead for a while (as well as bug #137665)
> 
> i propose to mask mozilla(-bin), maybe give a last (short) deadline and a
> warning on -dev
> 

now that seamonkey is becoming OK (bug 147651) ( yeah! :D ), we can now consider bug 137665 only. That's a good advance.

Comment 25 Kathryn Kulick (RETIRED) 2006-11-08 19:15:13 UTC

*** Bug 135535 has been marked as a duplicate of this bug. ***

Comment 26 Sune Kloppenborg Jeppesen (RETIRED) 2006-11-24 12:18:00 UTC

Any news on this one?

Comment 27 Jakub Moc (RETIRED) 2007-01-27 08:23:03 UTC

(In reply to comment #26)
> Any news on this one?

Can be finally masked now... ;o)

Comment 28 Raúl Porcel (RETIRED) 2007-01-27 12:16:45 UTC

# Raúl Porcel <armin76@gentoo.org> (27 Jan 2007)
# Masked for removal 26 Feb 2007, bug 135257, security issues
# Replaced by www-client/seamonkey[-bin]
www-client/mozilla
www-client/mozilla-bin

Comment 29 Raúl Porcel (RETIRED) 2007-01-29 16:46:56 UTC

(In reply to comment #28)
> # Raúl Porcel <armin76@gentoo.org> (27 Jan 2007)
> # Masked for removal 26 Feb 2007, bug 135257, security issues
> # Replaced by www-client/seamonkey[-bin]
> www-client/mozilla
> www-client/mozilla-bin
> 
Removal delayed due to apps depending on mozilla which newer versions aren't stable yet. So, mozilla unmasked again but shouldn't be too much until it's masked again :)

Comment 30 solar (RETIRED) 2007-01-29 18:18:19 UTC

Personally I think you should of left it masked. Maintainers have known this was going to be masked many months ago and have had ample time to update pkgs. 
leaving it maked will also keep the fire under asses and force them to move 
faster then a turtle. Anyway hopefully it wont take to long (< 7 days).

Comment 31 Jakub Moc (RETIRED) 2007-01-29 18:56:18 UTC

(In reply to comment #30)
> Personally I think you should of left it masked. Maintainers have known this
> was going to be masked many months ago and have had ample time to update pkgs. 
> leaving it maked will also keep the fire under asses and force them to move 
> faster then a turtle. Anyway hopefully it wont take to long (< 7 days).

+1... this is really getting extremely overdue and people should have cared better to get their stuff fixed and stabilized in time. I don't see any sense in unmasking this junk over and over again.

Comment 32 Raúl Porcel (RETIRED) 2007-01-29 22:12:12 UTC

(In reply to comment #31)
> (In reply to comment #30)
> > Personally I think you should of left it masked. Maintainers have known this
> > was going to be masked many months ago and have had ample time to update pkgs. 
> > leaving it maked will also keep the fire under asses and force them to move 
> > faster then a turtle. Anyway hopefully it wont take to long (< 7 days).
> 
> +1... this is really getting extremely overdue and people should have cared
> better to get their stuff fixed and stabilized in time. I don't see any sense
> in unmasking this junk over and over again.
> 

As soon as amd64 and ppc stabilize mono-tools i'll mask this again, i promise. I'll add the bug 164048 as a dep of this bug.

Comment 33 Raphael Marichez (Falco) (RETIRED) 2007-02-10 21:25:58 UTC

(In reply to comment #30)
> Anyway hopefully it wont take to long (< 7 days).
> 

Failed. (indeed, it's not p.masked)

Comment 34 Raúl Porcel (RETIRED) 2007-02-20 19:24:56 UTC

# Raúl Porcel <armin76@gentoo.org> (20 Feb 2007)
# Masked for removal 19 Mar 2007, bug 135257, security issues
# Replaced by www-client/seamonkey[-bin]
www-client/mozilla
www-client/mozilla-bin

Let's hope this is the good one. Also i've removed the mono-* bug from dependencies, as amd64 finally stabilized the not depending version of mozilla.

Comment 35 Raphael Marichez (Falco) (RETIRED) 2007-02-23 17:38:23 UTC

Thanks everybody, that was hard.

We have to issue a GLSA warning our users to stop using the Mozilla Suite

Comment 36 Raphael Marichez (Falco) (RETIRED) 2007-03-04 00:29:59 UTC

GLSA 200703-05. Finally closing this looong bug! Yeah and thanks to everybody for all your work

Comment 37 Raúl Porcel (RETIRED) 2007-03-19 10:25:56 UTC

Finally removed from the tree.