Summary: | <www-client/firefox{,-bin}-3.6.16, <www-client/icecat-3.6.16, <www-client/seamonkey{,-bin}-2.0.13, <net-libs/xulrunner-1.9.2.16: Security Update to Block Invalid Certificates
---|---
Product: | Gentoo Security
Reporter: | Tim Sammut (RETIRED) <underling>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | alexanderyt, n-roeser
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://www.mozilla.org/security/announce/2011/mfsa2011-11.html
Whiteboard: | A4 [glsa]
Runtime testing required: | ---

Description
Tim Sammut (RETIRED)
2011-03-23 05:14:29 UTC
www-client/seamonkey{,-bin}-2.0.13 bumped

please also bump icecat, it is available ;)

net-libs/xulrunner-1.9.2.16 and www-client/icecat-3.6.16 bumped

Thanks, folks. Are we able to bump firefox too?

(In reply to comment #4)
> Thanks, folks. Are we able to bump firefox too?

Dunno what Anarchy plans for firefox now that ff-4 is available. I bumped icecat-3.6 because there's only an rc1 available of icecat-4. I'd say let's wait for Anarchy's input :)

13:33:00 < Anarchy> Poly-C_atwork, go ahead with firefox-3.6.16 I am not ready for firefox-4 to go stable by any means.

www-client/firefox{,-bin}-3.6.16 bumped. Sorry for the delay.

(In reply to comment #6)
>
> www-client/firefox{,-bin}-3.6.16 bumped. Sorry for the delay.

Thanks, and np.

Arches, please test and mark stable:
=www-client/firefox-3.6.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/firefox-bin-3.6.16
Target keywords : "amd64 x86"
=www-client/icecat-3.6.16
Target keywords : "amd64 ppc ppc64 x86"
=www-client/seamonkey-2.0.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/seamonkey-bin-2.0.13
Target keywords : "amd64 x86"
=net-libs/xulrunner-1.9.2.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 ok

amd64 done, thanks Agostino

Created attachment 267261 [details]
build.log XULRunner

Fails here with all USE flags enabled, will build with other combinations:

(In reply to comment #10)
> Created attachment 267261 [details]
> build.log XULRunner
>
> Fails here with all USE flags enabled, will build with other combinations:

Something is wrong with your nspr install, once you fix it you will fix the undefines.

ppc and ppc64 done

(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 267261 [details]
> > build.log XULRunner
> >
> > Fails here with all USE flags enabled, will build with other combinations:
[...]
> Something is wrong with your nspr install, once you fix it you will fix the
> undefines.

It fails with USE=debug on XULRunner only. Even if nspr is built with USE=debug.

Tested on SPARC. If I remove the following

# very ugly hack to make firefox not sigbus on sparc
use sparc && { sed -e 's/Firefox/FirefoxGentoo/g' \
    -i "${ED}/${MOZILLA_FIVE_HOME}/application.ini" || \
    die "sparc sed failed"; }

I find that firefox works most of the time. It's a big improvement on previous versions but it's not quite there yet. If it crashes on trying to load a page, I find pressing ESCAPE just before it loads the page prevents the crash. I'm of the opinion that the fugly hack really isn't necessary, and with the hack in place it can't load its default home page on start up, nor access the add-ons/extensions either.

Seeing a slight delay here on HPPA as inexplicably, an important exception to the optimisation logic got recently removed without approval:

@@ -82,9 +125,7 @@ #################################### # Set optimization level - if [[ ${ARCH} == hppa ]]; then - mozconfig_annotate "more than -O0 causes segfaults on hppa" --enable-optimize=-O0 - elif [[ ${ARCH} == x86 ]]; then + if [[ ${ARCH} == x86 ]]; then

Having put that back, I am now building and testing again.

Stable for HPPA.

I do not get any errors anymore here on x86.

BTW: Current stable is broken right now, as firefox 3.5.15 got removed from releases.mozilla.org!

arm stable

Which tests are required to get firefox-bin-3.6.16 stable on the x86 platform??

The security fix was published by the vendor on 2011-03-22:
https://developer.mozilla.org/devnews/index.php/2011/03/22/firefox-3-6-16-and-3-5-18-security-updates-now-available/

x86 stable b/c it is urgent. Thanks everyone

alpha/ia64/sparc stable, for sparc I haven't done xulrunner/firefox since it sigbuses...

Thanks, folks. GLSA Vote: yes.

Vote: YES. Added to pending GLSA request.

mozilla team is out of here.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).
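
Review bot: in the "Set optimization level" block, the removed `if [[ ${ARCH} == hppa ]]` branch was the only line here forcing `--enable-optimize=-O0` on hppa, and its own annotation records that anything above -O0 causes segfaults on that arch. With the chain now starting at the x86 test, hppa no longer gets that setting from this block, and the hunk carries nothing that says the segfaults stopped reproducing. Either keep the hppa branch ahead of the x86 test, or replace it with a comment stating which compiler or package version made the workaround unnecessary, and have the hppa arch team confirm before it goes to stable.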