Summary: | Mozilla Firefox, Thunderbird, Seamonkey, Xulrunner: ".18" fixes (CVE-2008-{0017,4582,5012,5013,5014,5015,5017,5018,5019,5021,5022,5023,5024,5052,6961}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | stupendoussteve |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | aniyapo, basic, glua |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.mozilla.org/security/announce/ | | |
Whiteboard: | A2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
stupendoussteve
2008-11-13 11:57:32 UTC
www-client/mozilla-firefox-2.0.0.18:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86

www-client/mozilla-firefox-bin-2.0.0.18:
Arches: amd64 x86

www-client/seamonkey-1.1.13:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86

www-client/seamonkey-bin-1.1.13:
Arches: amd64 x86

net-libs/xulrunner-1.8.1.18:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86

net-libs/xulrunner-bin-1.8.1.18:
Arches: amd64 x86

All in the tree, thunderbird will go out on 19th November

*** Bug 246751 has been marked as a duplicate of this bug. ***

ppc64 stable

amd64/x86 stable

alpha/arm/ia64/sparc stable

ppc stable

CVE-2008-5052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5052): The AppendAttributeValue function in the JavaScript engine in Mozilla Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger memory corruption, as demonstrated by e4x/extensions/regress-410192.js.

Stable for HPPA.

Please stabilize:

mail-client/mozilla-thunderbird-2.0.0.18
Arches: alpha amd64 ia64 ppc ppc64 sparc x86

mail-client/mozilla-thunderbird-bin-2.0.0.18
Arches: amd64 x86

Thanks

amd64/x86 stable

ppc stable

alpha/ia64/sparc stable

ppc64 done

GLSA request filed, any reason why nobody did this before me?

CVE-2008-6961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6961): mailnews in Mozilla Thunderbird before 2.0.0.18 and SeaMonkey before 1.1.13, when JavaScript is enabled in mail, allows remote attackers to obtain sensitive information about the recipient, or comments in forwarded mail, via script that reads the (1) .documentURI or (2) .textContent DOM properties.

Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).