Summary: | <mail-client/thunderbird{,-bin}-17.0.8, <www-client/firefox{,-bin}-17.0.8, <www-client/seamonkey-2.20, <www-client/seamonkey-bin-2.20-r1 : Multiple vulnerabilities (CVE-2013-{1701,1702,1704,1705,1707,1708,1709,1710,1711,1712,1713,1714,1717}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Xu (Hello71) <alex_y_xu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mozilla |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mozilla.org/security/announce/ | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Xu (Hello71)
2013-08-06 19:35:04 UTC
+*seamonkey-2.20 (07 Aug 2013) + + 07 Aug 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.20.ebuild: + Security bump (bug #479968). + Feel free to proceed, we will need to ensure nss-3.15, Please stabilize 3.15.1 which will require the stabilization of nspr-4.10 at same time. Since the devs seem to have forgotten about the bug... *firefox-17.0.8 (07 Aug 2013) *firefox-23.0 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +firefox-17.0.8.ebuild, +firefox-23.0.ebuild, -firefox-21.0.ebuild, -firefox-22.0.ebuild: Security bump, bug #479968 *firefox-bin-23.0 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +firefox-bin-23.0.ebuild, -firefox-bin-20.0.1.ebuild, -firefox-bin-21.0.ebuild, -firefox-bin-22.0.ebuild: version bump for security bug #479968 *firefox-bin-17.0.8 (07 Aug 2013) 07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +firefox-bin-17.0.8.ebuild: version bump for security bug #479968 27 Jun 2013; Agostino Sarubbo <ago@gentoo.org> firefox-bin-17.0.7.ebuild: Stable for x86, wrt bug #474758 *thunderbird-17.0.8 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +thunderbird-17.0.8.ebuild: Security bump, bug #479968 *thunderbird-bin-17.0.8 (07 Aug 2013) 07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +thunderbird-bin-17.0.8.ebuild: version bump for security bug #479968 Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not relevant to the stabilization. CCing arches, KEYWORDS should be as follows: =www-client/firefox-17.0.7: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-bin-17.0.7: Target KEYWORDS="amd64 x86" =mail-client/thunderbird-17.0.7: Target KEYWORDS="amd64 arm ppc ppc64 x86" =mail-client/thunderbird-bin-17.0.7: Target KEYWORDS="amd64 x86" Hopefully I'm not making too much of an idiot of myself. (In reply to Alex Xu from comment #3) > Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not > relevant to the stabilization. CCing arches, KEYWORDS should be as follows: > You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the same time. Arch teams please stand by before you begin your work. I will update bug with correct info soon as seamonkey-bin-2.20 is added to tree. Oh, I have still made an idiot of myself. anarchy@gentoo.org says nss-3.15.1 and nspr-4.10 are needed, so... =dev-libs/nss-3.15.1: Target KEYWORDS="amd64 arm ppc ppc64 x86" =dev-libs/nspr-4.10: Target KEYWORDS="amd64 arm ppc ppc64 x86" Or perhaps they need to both be "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86", as those are the existing KEYWORDS... /me is confused again (In reply to Jory A. Pratt from comment #4) > (In reply to Alex Xu from comment #3) > > > Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not > > relevant to the stabilization. CCing arches, KEYWORDS should be as follows: > > > > You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the > same time. Arch teams please stand by before you begin your work. I will > update bug with correct info soon as seamonkey-bin-2.20 is added to tree. But seamonkey-bin-2.19 is not amd64 x86 stable, and it has critical security issues (according to Mozilla anyways, https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html) too... /me is further confused @mozilla team Please give the full list in an ordered comment. =dev-libs/nss-3.15.1-r1: Target KEYWORDS="amd64 arm ppc ppc64 x86" =dev-libs/nspr-4.10: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-17.0.8: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-bin-17.0.9: Target KEYWORDS="amd64 x86" =mail-client/thunderbird-17.0.8: Target KEYWORDS="amd64 arm ppc ppc64 x86" =mail-client/thunderbird-bin-17.0.8: Target KEYWORDS="amd64 x86" =www-client/seamonkey{-bin}-2.20: Target KEYWORDS="amd64 x86" (In reply to Jory A. Pratt from comment #7) > =www-client/firefox-bin-17.0.9: typo? (In reply to Agostino Sarubbo from comment #8) > (In reply to Jory A. Pratt from comment #7) > > =www-client/firefox-bin-17.0.9: > typo? Sorry, it is a type should be firefox-bin-17.0.8 amd64 stable x86 stable ppc64 stable arm stable ppc stable CVE-2013-1717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1717): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname. CVE-2013-1714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1714): The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. CVE-2013-1713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1713): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. CVE-2013-1712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1712): Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. CVE-2013-1710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1710): The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. CVE-2013-1709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1709): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. CVE-2013-1707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1707): Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service. CVE-2013-1701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1701): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. GLSA request filed. CVE-2013-1711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1711): The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. CVE-2013-1708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1708): Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (application crash) via a crafted WAV file that is not properly handled by the nsCString::CharAt function. CVE-2013-1705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1705): Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Certificate Request Message Format (CRMF) request. CVE-2013-1704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1704): Use-after-free vulnerability in the nsINode::GetParentNode function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via vectors involving a DOM modification at the time of a SetBody mutation event. CVE-2013-1702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1702): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. I think that's all of the relevant CVEs. Please disregard CVE-2013-1712, it is Windows-only. @maintainers: please clean affected versions. This issue was resolved and addressed in GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml by GLSA coordinator Chris Reffett (creffett). |