Summary: | net-www/mozilla*, mail-client/mozilla-thunderbird : new security fixes in latest version | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | amd64, basic, brodigan, gnome, hanno, mozilla, polynomial-c, sekretarz |
Priority: | Highest | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | All | | |
URL: | http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 | | |
Whiteboard: | A2 [glsa] koon | | |
Package list: | | Runtime testing required: | --- |

Description
Carsten Lohrke (RETIRED)
2004-09-14 07:18:48 UTC
Mozilla team, please provide new ebuilds for :
net-www/mozilla
net-www/mozilla-bin
net-www/mozilla-firefox
net-www/mozilla-firefox-bin
mail-client/mozilla-thunderbird
mail-client/mozilla-thunderbird-bin

Gnome team, please check the following ebuilds to see if bumps are needed to make them use the latest Gecko :
net-www/epiphany
net-www/galeon

CC hanno for galeon

*** Bug 64095 has been marked as a duplicate of this bug. ***

ebumped -bin ebuilds, they Just Work(tm)
source ebuilds for firefox and thunderbird require rearrangement of the SRC_URI, someone at mozilla can't decide to call it "source-${PV}" or "${PV}-source"
additionally, firefox and thunderbird compiles die unless configured with --enable-single-profile, which effectively clobbers the ability to run concurrent sessions from different profiles. have not yet had the occasion to test moz 1.7.3 build for the same problem

In portage now, marked ~arch:
net-www/mozilla-1.7.3
net-www/mozilla-bin-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/mozilla-firefox-bin-1.0_pre
mail-client/mozilla-thunderbird-0.8
mail-client/mozilla-thunderbird-bin-0.8

Arches, please mark stable :
x86,amd64 : mozilla-1.7.3 mozilla-firefox-1.0_pre mozilla-firefox-bin-1.0_pre mozilla-thunderbird
ppc : mozilla-1.7.3 mozilla-firefox-1.0_pre
sparc,alpha,ia64 : mozilla-1.7.3 mozilla-firefox-1.0_pre mozilla-thunderbird

mozilla-bin and mozilla-firefox-bin are there for x86.. (for ppl who want a quick fix)

stable on ppc

mozilla-1.7.3 sparc stable. FYI, epiphany-1.2.7-r1 and galeon-1.3.17 work just fine in upgrade and rebuild scenarios. Also repoman complains about file.size on:
(27K) net-www/mozilla/files/gtk2mozilla_head_patch2
(35K) net-www/mozilla/files/mozilla-1.4-amd64.patch
(25K) net-www/mozilla/files/mozilla-1.7-amd64.patch

added epiphany-1.2.9-r1 to ~arch with patch to build to & dep on 1.7.3

Updating call for arches to test and mark stable with epiphany.
Still needed :
x86 : net-www/mozilla-1.7.3 net-www/mozilla-firefox-1.0_pre net-www/epiphany-1.2.9-r1
amd64 : net-www/mozilla-1.7.3 net-www/mozilla-firefox-1.0_pre net-www/mozilla-firefox-bin-1.0_pre net-www/epiphany-1.2.9-r1
ppc : net-www/epiphany-1.2.9-r1
sparc : net-www/mozilla-firefox-1.0_pre net-www/epiphany-1.2.9-r1
alpha, ia64 : net-www/mozilla-1.7.3 net-www/mozilla-firefox-1.0_pre net-www/epiphany-1.2.9-r1
There will be a galeon update to test in the near future.

mozilla-firefox-1.0_pre sparc stable.

we're looking into some issues with mozilla-thunderbird-0.8 which was keyworded as stable when bumped. more on this later.

Hi, tested mozilla-1.7.3 for three days now on two x86 machines. Not one single crash of mozilla compiled with these useflags:
+crypt -debug -gnome +gtk2 +java -ldap -mozcalendar -mozdevelop +moznocompose +moznoirc +moznomail -moznoxft -mozsvg -mozxmlterm +ssl -xinerama +xprint
Poly

those amd64 patches can be removed if the 1.6 and early 1.7 ebuilds are removed (which they should be)

epiphany-1.2.9-r1 sparc stable.

epiphany stable on ppc

galeon-1.3.17 doesn't need to be rebuilt with 1.7.3 and builds fine against it, so imho no need to change anything here. I'll make it dep on >=mozilla-1.7.3 as soon as all archs marked 1.7.3 stable.

sparc, ppc: thanks :)
Hanno : does it mean you don't need to update galeon to be protected, you just need to update the other packages ? If you need to rebuild galeon to take advantage of the fix, we'll need a revbump to force the upgrade, if not, we're set.
Stable still needed on :
x86 : net-www/mozilla-1.7.3 net-www/mozilla-firefox-1.0_pre net-www/epiphany-1.2.9-r1
amd64 : net-www/epiphany-1.2.9-r1
alpha, ia64 : net-www/mozilla-1.7.3 net-www/mozilla-firefox-1.0_pre net-www/epiphany-1.2.9-r1

firefox is there for x86.. testing mozilla now..

mozilla 1.7.3 is there for x86.. but epiphany doesn't work with the realplayer8 plug-in.. is that normal ?
I get
LoadPlugin: failed to initialize shared library /opt/RealPlayer8/rpnp.so [/opt/RealPlayer8/rpnp.so: undefined symbol: __pure_virtual]
(I actually get the same error with firefox-bin...)

I think you shouldn't stabilize firefox-1.0pr, because it still contains many bugs in UI. You should add 0.9.3-r1 with patches that will fix vulnerabilities.

Alpha done.

epiphany-1.2.9-r1 x86 done

all done on x86

*** Bug 64182 has been marked as a duplicate of this bug. ***

GLSA ready, blocked by amd64 needing to mark epiphany-1.2.9-r1 stable.

stable on amd64

GLSA drafted, security, please review

Thx everyone

GLSA 200409-26 is out