Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 154448

Summary: mail-client/mozilla-thunderbird[-bin]: security bump to 1.5.0.8
Product: Gentoo Security Reporter: Dax <gentoomail>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mozilla, sgtphou
Priority: High Flags: gentoomail: Assigned_To+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
Whiteboard: A2 [glsa] Daxomatic
Package list:
Runtime testing required: ---

Description Dax 2006-11-08 02:47:40 UTC
multiple vulnerabilities fixed in thunderbird 1.5.0.8

 http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
Title: Crashes with evidence of memory corruption (rv:1.8.0.8)
Impact: Critical
Announced: November 7, 2006
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort.

Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the mail portions of SeaMonkey.
References

Jesse Ruderman and Martijn Wargers reported crashes in the layout engine
https://bugzilla.mozilla.org/show_bug.cgi?id=307809
https://bugzilla.mozilla.org/show_bug.cgi?id=310267
https://bugzilla.mozilla.org/show_bug.cgi?id=350370
https://bugzilla.mozilla.org/show_bug.cgi?id=351328
CVE-2006-5464

shutdown demonstrated that a crash in XML.prototype.hasOwnProperty was exploitable
https://bugzilla.mozilla.org/show_bug.cgi?id=355569
CVE-2006-5747

Igor Bukanov and Jesse Ruderman reported potential memory corruption in the JavaScript engine
https://bugzilla.mozilla.org/show_bug.cgi?id=349527
https://bugzilla.mozilla.org/show_bug.cgi?id=351973
https://bugzilla.mozilla.org/show_bug.cgi?id=353165
https://bugzilla.mozilla.org/show_bug.cgi?id=354145
https://bugzilla.mozilla.org/show_bug.cgi?id=354151
https://bugzilla.mozilla.org/show_bug.cgi?id=350238
https://bugzilla.mozilla.org/show_bug.cgi?id=351116
https://bugzilla.mozilla.org/show_bug.cgi?id=352271
https://bugzilla.mozilla.org/show_bug.cgi?id=352606
https://bugzilla.mozilla.org/show_bug.cgi?id=354924
CVE-2006-5748

    * Site Map
    * Security Updates
    * Contact Us
http://www.mozilla.org/security/announce/2006/mfsa2006-64.html
Mozilla Foundation Security Advisory 2006-64
Title: Crashes with evidence of memory corruption (rv:1.8.0.7)
Impact: Critical
Announced: September 14, 2006
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.7
  Thunderbird 1.5.0.7
  SeaMonkey 1.0.5
Description
As part of the Firefox 1.5.0.7 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort.

We thank Bernd Mielke, Georgi Guninski, Igor Bukanov, Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, shutdown, and Weston Carloss for discovering and reporting these crashes.

Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the mail portions of SeaMonkey.
References
CVE-2006-4571

Bernd Mielke and Mats Palmgren reported crashes involving tables
https://bugzilla.mozilla.org/show_bug.cgi?id=339130
https://bugzilla.mozilla.org/show_bug.cgi?id=339170
https://bugzilla.mozilla.org/show_bug.cgi?id=339246
https://bugzilla.mozilla.org/show_bug.cgi?id=343087
https://bugzilla.mozilla.org/show_bug.cgi?id=344000
https://bugzilla.mozilla.org/show_bug.cgi?id=346980

Georgi Guninski discovered heap corruption using XSLTProcessor
https://bugzilla.mozilla.org/show_bug.cgi?id=348511

Igor Bukanov reported potential memory corruption in the JavaScript engine
https://bugzilla.mozilla.org/show_bug.cgi?id=345967
https://bugzilla.mozilla.org/show_bug.cgi?id=346968
https://bugzilla.mozilla.org/show_bug.cgi?id=348532
https://bugzilla.mozilla.org/show_bug.cgi?id=350312

Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, and Weston Carloss reported crashes involving DHTML
https://bugzilla.mozilla.org/show_bug.cgi?id=306940
https://bugzilla.mozilla.org/show_bug.cgi?id=307826
https://bugzilla.mozilla.org/show_bug.cgi?id=336999
https://bugzilla.mozilla.org/show_bug.cgi?id=337419
https://bugzilla.mozilla.org/show_bug.cgi?id=337883
https://bugzilla.mozilla.org/show_bug.cgi?id=347355
https://bugzilla.mozilla.org/show_bug.cgi?id=348049
https://bugzilla.mozilla.org/show_bug.cgi?id=205735
https://bugzilla.mozilla.org/show_bug.cgi?id=344291
https://bugzilla.mozilla.org/show_bug.cgi?id=344557
https://bugzilla.mozilla.org/show_bug.cgi?id=348062
https://bugzilla.mozilla.org/show_bug.cgi?id=348729
https://bugzilla.mozilla.org/show_bug.cgi?id=348887
https://bugzilla.mozilla.org/show_bug.cgi?id=321299
https://bugzilla.mozilla.org/show_bug.cgi?id=343457
https://bugzilla.mozilla.org/show_bug.cgi?id=349201
https://bugzilla.mozilla.org/show_bug.cgi?id=348688

shutdown reported it was still possible to corrupt memory via content-implemented tree views despite the fix for bug 326501
https://bugzilla.mozilla.org/show_bug.cgi?id=344085

http://www.mozilla.org/security/announce/2006/mfsa2006-66.htmlMozilla Foundation Security Advisory 2006-66
Title: RSA Signature Forgery (variant)
Impact: Critical
Announced: November 7, 2006
Reporter: Ulrich Kuehn
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
MFSA 2006-60 reported that RSA digital signatures with a low exponent (typically 3) could be forged. This flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients.

Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version 3.10.2, was incompletely patched and remained vulnerable to a variant of this attack.
Workaround
None, upgrade to a fixed version.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=356215
CVE-2006-5462

MFSA 2006-60


rgds
Daxomatic
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-11-08 02:58:22 UTC
Accepting bug.
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-11-08 03:01:01 UTC
I *swear* mozilla gives me the creeps. Alright. Sorry for the bugspam. Daxomatic's going to handle it from here.
Comment 3 Dax 2006-11-08 10:59:10 UTC
mozilla team, please advice.

br
Daxomatic
Comment 4 Jory A. Pratt 2006-11-08 11:54:06 UTC
bin is in the tree x86 and amd64 test and stabilize at your own discreation.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2006-11-08 12:32:00 UTC
mozilla-thunderbird-bin in x86:

Works ok.

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r1 i686)
=================================================================
System uname: 2.6.18-gentoo-r1 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 09:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Markus Meier gentoo-dev 2006-11-08 12:35:17 UTC
mail-client/mozilla-thunderbird-bin-1.5.0.8
1. emerges on x86, please note:
QA Notice: the following files contain runtime text relocations
TEXTREL opt/thunderbird/extensions/talkback@mozilla.org/components/libqfaservices.so
2. passes collision test
3. works

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 20:00:02 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-08 12:38:41 UTC
bin stable for x86, waiting for non-bin.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-08 16:42:57 UTC
Source build in cvs.
Comment 9 Dax 2006-11-09 04:02:13 UTC
hi,
Arches, please test & mark stable.
for mozilla-thunderbird as well for mozilla-thunderbird-bin please
rgds
Daxomatic
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-09 04:08:23 UTC
Can&#8217;t you hear the thunderbird raging across the sea
Can&#8217;t you see the lightning as it races across the sky
Can&#8217;t you feel the power and the strength of my x86
[Slightly reworked from: Bound For Glory -- Over the Top]
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2006-11-09 05:31:32 UTC
- mail-client/mozilla-thunderbird-1.5.0.8 emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

# emerge --info
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.18-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Gentoo Base System version 1.12.6
Last Sync: Thu, 09 Nov 2006 12:20:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/stuff"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="amd64 7zip X a52 aac aalib addbookmarks alias alsa amarok arts asf avahi bash-completion berkdb bitmap-fonts browserplugin bzip2 c++ cairo calendar caps cdr cdrom cdsound chroot cli cracklib crypt cups cvs dbus de_tvtoday dhcp dlloader dri dvb dvd dvdr dvdread eds elibc_glibc emboss encode esd fam ffmpeg flac fortran gdbm gif gimp gimpprint gnome gpm gsm gstreamer gtk gtk2 gzip hal hald highlight history howl iconv icq imagemagick input_devices_evdev input_devices_keyboard input_devices_mouse irssi isdnlog java javascript jpeg kde kdm kernel_linux kipi lame ldap libg++ live logitech-mouse mad madwifi md5sum mikmod mng mp3 mpeg ncurses nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openssh pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rss ruby samba scanner scp sdl session smp speex spell spl sql ssl subversion svg symlink tcl tcltk tcpd tiff tk transcode truetype truetype-fonts type1-fonts udev unicode unzip usb userland_GNU vcd video_cards_nv video_cards_nvidia video_cards_vesa vim visualization vorbis wmf wxwindows x264 xcomposite xine xml xorg xv xvid xvmc zip zlib zvbi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-09 05:51:45 UTC
ppc is teh stable
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-09 10:25:31 UTC
sparc stable.
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2006-11-10 01:18:53 UTC
(In reply to comment #11)
> - mail-client/mozilla-thunderbird-1.5.0.8 emerges fine on amd64

... and keyworded. Keeping us on CC as -bin still needs to be done
Comment 15 Michael Weyershäuser 2006-11-10 18:55:18 UTC
-bin also emerges and runs fine on amd64.

Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 16 Simon Stelling (RETIRED) gentoo-dev 2006-11-11 04:38:58 UTC
-bin also keyworded. amd64 is done
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-27 00:04:44 UTC
there seems to be a prob with thunderbird 1.5.0.8:

https://bugzilla.mozilla.org/show_bug.cgi?id=360409
http://forums.mozillazine.org/viewtopic.php?t=485752

and for the germans amongst us:
http://www.heise.de/newsticker/meldung/81529

(basically, it kills mails). Do we really want to use this flawed version in a GLSA?
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-11-27 02:54:40 UTC
It does not generally kill mails. The indexer is bugged, though, and you may indeed lose mails if you're using threaded view.

Nevertheless that's not our job (which is to get vulnerable stuff out of the way). In this case it means replacing br0ken with differently br0ken, unfortunately. We could be nice and point to the relevant Mozilla bug, warning users about the problem.
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 11:14:56 UTC
GLSA 200612-06