
Bug 564818

Summary: <www-client/firefox{,-bin}-{38.4.0,42.0}: multiple vulnerabilities (CVE-2015-{4513,4514,4515,4518,7187,7188,7189,7193,7194,7195,7196,7197,7198,7199,7181,7182,7183,7200})
Product: Gentoo Security
Reporter: Nikolay Edigaryev <edigaryev>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ap, carlphilippreh, edigaryev, hydrapolic, mozilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox42
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---

Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 22:01:29 UTC
CVE-2015-4513 (38.4/42)
CVE-2015-4514 (38.4/42)
CVE-2015-4515 (42)
CVE-2015-4518 (42)
CVE-2015-7185 (42)
CVE-2015-7186 (42)
CVE-2015-7187 (42)
CVE-2015-7188 (38.4/42)
CVE-2015-7189 (38.4/42)
CVE-2015-7190 (42)
CVE-2015-7191 (42)
CVE-2015-7192 (42)
CVE-2015-7193 (38.4/42)
CVE-2015-7194 (38.4/42)
CVE-2015-7195 (42)
CVE-2015-7196 (38.4/42)
CVE-2015-7197 (38.4/42)
CVE-2015-7198 (38.4/42)
CVE-2015-7199 (38.4/42)
CVE-2015-7181 (38.4/42)
CVE-2015-7182 (38.4/42)
CVE-2015-7183 (38.4/42)
CVE-2015-7200 (38.4/42)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 22:32:38 UTC
Removing some of the Android CVEs:
7190
7191
7192
7186
7185
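The annotations in comment 1 ("38.4/42" or "42") say which of the two fixed versions named in the bug summary (38.4.0 on the ESR line, 42.0 on the release line) carries the fix for each CVE, and comment 2 drops five Android-only entries. The following script, an added example that is not part of the bug record or of Gentoo's tooling, encodes that table and reports which of the listed CVEs an installed www-client/firefox or firefox-bin version still lacks fixes for. It assumes the 38.x series is the ESR line tracked by "38.4" and everything else is tracked by "42", and it uses a simplified Gentoo-style version comparison (dotted integers plus an optional -rN revision), which is sufficient for the versions discussed here; the installed versions passed in below are constructed inputs.

```python
"""Check an installed firefox version against the CVE table of Gentoo bug 564818.

Added example (not from the bug or from Gentoo). Assumptions: "(38.4/42)" in
comment 1 means the CVE is fixed in 38.4.0 on the ESR branch and 42.0 on the
release branch; "(42)" means only in 42.0. Version comparison is simplified
(dotted integers plus optional -rN revision), not the full Gentoo PMS algorithm.
"""
import re

# CVE table from comment 1, with the five Android-only CVEs removed in comment 2.
# Value: branches whose first fixed version (see FIXED) carries the fix.
CVE_BRANCHES = {
    "CVE-2015-4513": {"38.4", "42"},
    "CVE-2015-4514": {"38.4", "42"},
    "CVE-2015-4515": {"42"},
    "CVE-2015-4518": {"42"},
    "CVE-2015-7187": {"42"},
    "CVE-2015-7188": {"38.4", "42"},
    "CVE-2015-7189": {"38.4", "42"},
    "CVE-2015-7193": {"38.4", "42"},
    "CVE-2015-7194": {"38.4", "42"},
    "CVE-2015-7195": {"42"},
    "CVE-2015-7196": {"38.4", "42"},
    "CVE-2015-7197": {"38.4", "42"},
    "CVE-2015-7198": {"38.4", "42"},
    "CVE-2015-7199": {"38.4", "42"},
    "CVE-2015-7181": {"38.4", "42"},
    "CVE-2015-7182": {"38.4", "42"},
    "CVE-2015-7183": {"38.4", "42"},
    "CVE-2015-7200": {"38.4", "42"},
}

# First fixed version per branch, from the summary "<www-client/firefox{,-bin}-{38.4.0,42.0}".
FIXED = {"38.4": "38.4.0", "42": "42.0"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Split '38.4.0-r1' into ((38, 4, 0), 1). Assumed simplified Gentoo syntax."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic cmp(). Missing trailing components count
    as 0 (so 42.0 == 42.0.0); the -rN revision only breaks ties."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na > nb) - (na < nb) or (ra > rb) - (ra < rb)


def branch_of(version):
    """Assumption: the 38.x series is the ESR line ('38.4'); anything else is
    the release line ('42')."""
    major = parse_version(version)[0][0]
    return "38.4" if major == 38 else "42"


def unfixed_cves(installed):
    """CVEs from this bug whose fix has not yet reached the installed version."""
    branch = branch_of(installed)
    if compare_versions(installed, FIXED[branch]) >= 0:
        return []
    return sorted(cve for cve, branches in CVE_BRANCHES.items() if branch in branches)


if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from any real system.
    for v in ("41.0.2", "38.3.0", "38.4.0", "38.4.0-r1", "42.0"):
        missing = unfixed_cves(v)
        print(f"firefox-{v}: {len(missing)} unfixed CVE(s)", ", ".join(missing))
```

Run with `python check_firefox_cves.py` (hypothetical file name); a 38.3.0 ESR install reports only the fourteen CVEs marked "38.4/42", since the four marked "42" were never fixed on the ESR line in this bug, whereas 41.0.2 reports all eighteen.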
Comment 3 tt_1 2015-11-04 22:02:41 UTC
The patch 8011_bug1194520-freetype261_until_moz43.patch has to be removed from the firefox-patches tarball for firefox-38.4.0-esr, because it has been fixed upstream in the meantime. See https://bugzilla.mozilla.org/show_bug.cgi?id=1194520
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2015-11-05 02:23:32 UTC
www-client/firefox{,-bin}-{38.4,42}.0 are in the tree now (and the unnecessary patch has now been excluded from the 38.4 ebuild as well)

www-client/firefox-bin-38.4.0 can be stabilized right away, but www-client/firefox-38.4.0 requires the stabilization of nspr and nss as per bug 564834.

Thunderbird packages have not yet been rolled/released upstream, and seamonkey is likely delayed similarly. Will get those into the tree as soon as they are available.
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-06 15:35:40 UTC
amd64/x86 stable


For the remaining stabilization:

Arches, please test and mark stable:
=www-client/firefox-38.4.0
Target keywords : "hppa ppc ppc64"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-08 11:15:16 UTC
Stable for PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-09 08:54:45 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-11 04:44:04 UTC
Stable for HPPA.
Comment 9 Christian Tietz 2015-12-01 23:51:30 UTC
=mail-client/thunderbird-38.4.0 has hit the tree. Please mark stable soon, as this is security related as well.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:32:53 UTC
Please file a separate bug for Thunderbird, as the stabilization for Firefox is completed.

Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:33:59 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 15:53:12 UTC
This issue was resolved and addressed in
 GLSA 201512-10 at https://security.gentoo.org/glsa/201512-10
by GLSA coordinator Yury German (BlueKnight).