
Bug 147591

Summary: Mozilla products | dev-libs/nss | dev-libs/nspr: Security bumps
Product: Gentoo Security
Reporter: Wolf Giesen (RETIRED) <frilled>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: me, mozilla, office
Priority: High
Version: unspecified
Hardware: All
OS: Other
Whiteboard: A2 [glsa] frilled
Package list:
Runtime testing required: ---
Bug Depends on: 147651, 147652, 147653, 148283, 148284
Bug Blocks:

Description Wolf Giesen (RETIRED) gentoo-dev 2006-09-14 10:54:24 UTC
heise.de sports mozilla bumping FF and TB (not sure about SM) to 1.5.0.7 WRT security fixes. There's nothing on the site as of now, so this is just a placeholder/reminder for us.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-09-14 18:27:59 UTC
*** Bug 147635 has been marked as a duplicate of this bug. ***
Comment 3 Alexander M. Turek 2006-09-14 18:38:09 UTC
There's also a new Seamonkey (1.0.5) with nearly the same list of fixes.
Comment 4 Wolf Giesen (RETIRED) gentoo-dev 2006-09-14 23:35:15 UTC
Thanks for the info; enough in there to get the machine rolling IMHO.


<deep breath>

Ok, folks, let's once again share the excitement of brushing up Mozilla!

...  o_O  ...


After last time's chaos I'm turning this into a tracker, please see the three separate bugs for individual products.

Thanks in advance!
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-09-15 01:24:04 UTC
*** Bug 147648 has been marked as a duplicate of this bug. ***
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-19 06:36:00 UTC
[15:32] <gustavoz> jaervosz: on a side note if they bump nspr/nss to stable it would be good to do ff/tb at the same time since it usually breaks ABI
[15:33] <gustavoz> so if you upgrade nspr/nss after building ff it breaks
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-09-19 22:02:05 UTC
Updating to include dev-libs/nspr and dev-libs/nss.
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2006-09-22 11:57:47 UTC
OpenOffice includes nss, nspr and several other Mozilla libraries...
Comment 9 Gergan Penkov 2006-09-23 04:54:18 UTC
(In reply to comment #6)
> [15:32] <gustavoz> jaervosz: on a side note if they bump nspr/nss to stable it
> would be good to do ff/tb at the same time since it usually breaks ABI
> [15:33] <gustavoz> so if you upgrade nspr/nss after building ff it breaks
> 

If this is the case (nobody knows for sure with mozilla-people) the Gentoo ABI-versioning patches should be bumped, which will make this be handled by revdep-rebuild. Normally they don't change the ABI with minor version bumps...
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-28 08:55:45 UTC
pauldv, suka: could you please comment on comment #8
Does OOo include (vulnerable) versions of Mozilla's nss?
Comment 11 Andreas Proschofsky (RETIRED) gentoo-dev 2006-09-28 09:31:24 UTC
(In reply to comment #10)
> pauldv, suka: could you please comment on comment #8
> Does OOo include (vulnerable) versions of Mozilla's nss?
> 

Mozilla is indeed included in the source, but nobody is using that, including us. Instead we are using firefox, nss and nspr from the system to build the mozilla connectivity. So the source-based builds should be safe.

Regarding the binary version: The Mozilla stuff is only used for two things: enabling access to the Mozilla address book as a data source and building a browser plugin for OOo. But right: there is a libnss and libnspr in the tarball, so no clue if that is security relevant. As I'm no security expert, I guess I'll let someone else do the judging. Just might point out that I've never heard about an OOo security bump anywhere (for instance this would also be relevant for Windows) because of a Mozilla problem. But who knows...
Comment 12 Wolf Giesen (RETIRED) gentoo-dev 2006-10-17 13:27:13 UTC
Closing with a headshot. Thanks everyone for sharing the pain.