| Summary: | www-client/mozilla-firefox[-bin]: Security bump to 1.5.0.7 | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Wolf Giesen (RETIRED) <frilled> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | basic, ghepeu, gpp666_999, me, mozilla |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Other | ||
| Whiteboard: | A2 [glsa] frilled | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 147591 | ||
|
Description
Wolf Giesen (RETIRED)
2006-09-14 23:35:32 UTC
Paperwork change. firefox-bin bumped Arches please test and mark stable. Target keywords are: mozilla-firefox-bin-1.5.0.7.ebuild:KEYWORDS="-* amd64 x86" mozilla-firefox-bin-1.5.0.7 x86: Works nice(this does not compile, since it's a bin package :)). Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r7 i686) ================================================================= System uname: 2.6.17-gentoo-r7 i686 AMD Athlon(tm) Processor Gentoo Base System version 1.12.5 Last Sync: Thu, 14 Sep 2006 17:50:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r5 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ " LINGUAS="" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.belnet.be/packages/gentoo-portage" USE="x86 X bitmap-fonts bzip2 cairo cdr cli crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS I assume that the non bin package will be coming a bit later and thus I'm leaving us on this til that appears..however the -bin is stable with the testing assistance of armin76 on x86 ^.^ - emerges fine on amd64 - passes multilib-strict - passes collision-test - works Portage 2.1.1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-ck1-r3 x86_64) ================================================================= System uname: 2.6.17-ck1-r3 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.12.5 Last Sync: Fri, 15 Sep 2006 18:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.6-r1, 2.0.28-r1 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-test distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US.ISO8859-1" LC_ALL="en_US.ISO8859-1" LINGUAS="" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acpi alsa amr avi berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam firefox fortran gdbm gif glut gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection sdl session socks5 spl ssl svg tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx vorbis wmp x264 xine xinerama xml xorg xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS the -bin is stable on amd64 too.. waiting for non-bin ebuild Mozilla Foundation Security Advisory 2006-60 (http://www.mozilla.org/security/announce/2006/mfsa2006-60.html) seems to suggest that NSS 3.11.2 is the culprit of the vulnerability. Since Gentoo builds firefox/thunderbird/seamonkey with the system copy of NSS, I think that you should bump the library to release 3.11.3 as well. (In reply to comment #8) > Mozilla Foundation Security Advisory 2006-60 > (http://www.mozilla.org/security/announce/2006/mfsa2006-60.html) seems to > suggest that NSS 3.11.2 is the culprit of the vulnerability. Since Gentoo > builds firefox/thunderbird/seamonkey with the system copy of NSS, I think that > you should bump the library to release 3.11.3 as well. > yes http://secunia.com/advisories/21903/ and probably nspr should be bumped also to 4.6.3 thanks. nspr-4.6.3 and nss-3.11.3 bumped. (In reply to comment #10) > thanks. nspr-4.6.3 and nss-3.11.3 bumped. > Maybe nss-3.11.3 should depend on nspr-4.6.3. The nss ebuild has still NSPR_VER="4.6.2". Bumping the nspr version would automatically pull 4.6.3, when nss is updated mozilla-firefox (non-bin) is stable on amd64, leaving us on the bug as i expect we have to mark some nspr version too later on (In reply to comment #10) > thanks. nspr-4.6.3 and nss-3.11.3 bumped. > any reason you marked nspr directly stable for ia64? because I missed that it was stable there :( And repoman did not warn me of course. the stable marking of the previous version was also a mistake btw and should be reverted but no one one is reacting, it is sad: http://bugs.gentoo.org/show_bug.cgi?id=134798#c8 The new nss/nspr should probably also be stabled, I think. anyway I reverted my erroneous ia64 stabling and changed the nss dep to 4.6.3, thanks walter nspr: 1) emerges fine 2) passes collision test nss: 1) emerges fine 2) passes collision test firefox (non bin): 1) emerges fine on both libraries above so far dodoc: LEGAL does not exist 2) passes collision test 3) works with both updated versions of above libraries Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686) ================================================================= System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.12.5 Last Sync: Sun, 17 Sep 2006 07:20:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.2.11-r1 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r5 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS dev-libs/nspr-4.6.3 1.) emerges fine 2.) passes collision test dev-libs/nss-3.11.3 1.) emerges fine 2.) passes collision test www-client/mozilla-firefox-1.5.0.7 1.) emerges fine (with the newer version of the libraries) 2.) passes collision test 3.) works emerge --info Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17.11 i686) ================================================================= System uname: 2.6.17.11 i686 AMD Athlon(TM) XP1800+ Gentoo Base System version 1.12.5 Last Sync: Sun, 17 Sep 2006 10:50:01 +0000 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.2.11-r1 dev-lang/python: 2.3.5-r2, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LANG="en_GB.utf8" LINGUAS="en de en_GB" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS mozilla-firefox-1.5.0.7 USE="gnome ipv6 java -debug -mozdevelop -xinerama -xprint" is working fine for me on x86. x86 marked stable for non bin as well, if there's anything else that needs to be done readd us. If there's something we should stable it helps in most cases to add the arches ;) nspr got its own bug, thus removing amd64 Ehr ... if I messed it up, how did the other slables turn up? :D [re?]calling hppa, sparc, hppa We've (sparc) stabled it before you called us. Yuck :) Now I know what jaervosz meant .-)) ppc stable, hppa is about to follow quite soon. hppa also stable, ready for GLSA. GLSA 200609-19 thanks everyone FYI, Mips stable now |