| Field | Value |
|---|---|
| Summary | net-www/mozilla-firefox*: 1.0.1 release includes security fixes |
| Product | Gentoo Security |
| Reporter | Thierry Carrez (RETIRED) <koon> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | aarni.honka, formula7, jaervosz, mozilla, muchar, taviso, wolf31o2 |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | A3 [glsa] koon |
| Package list | |
| Runtime testing required | --- |
Description
Thierry Carrez (RETIRED)
2005-02-25 00:44:38 UTC
Bugs that /should/ be fixed are:

- Bug 73870: Window Injection Vulnerability
- Bug 76616: Download Dialog Source Spoofing
- Bug 81307: Dragging Multiple vulnerabilities
- Bug 81011: Local users can delete the files of mozilla users
- Bug 81113: IDN Spoofing Security Issue (CAN-2005-0233)

Mozilla known vulnerabilities page is still not updated.

Fixed in Firefox 1.0.1:

- MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing (Gentoo bug 81113)
- MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files (Gentoo bug 81011)
- MFSA 2005-27 Plugins can be used to load privileged content (CAN-2005-0527) (Gentoo bug 81307)
- MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab (Gentoo bug 81307)
- MFSA 2005-25 Image drag and drop executable spoofing (Gentoo bug 81307)
- MFSA 2005-24 HTTP auth prompt tab spoofing
- MFSA 2005-23 Download dialog source spoofing (Gentoo bug 76616)
- MFSA 2005-22 Download dialog spoofing using Content-Disposition header
- MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
- MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
- MFSA 2005-19 Autocomplete data leak
- MFSA 2005-18 Memory overwrite in string library
- MFSA 2005-17 Install source spoofing with user:pass@host
- MFSA 2005-16 Spoofing download and security dialogs with overlapping windows (Gentoo bug 81307)
- MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
- MFSA 2005-14 SSL "secure site" indicator spoofing
- MFSA 2005-13 Window Injection Spoofing (CAN-2004-1156) (Gentoo bug 73870)

*** Bug 73870 has been marked as a duplicate of this bug. ***

*** Bug 76616 has been marked as a duplicate of this bug. ***

*** Bug 81307 has been marked as a duplicate of this bug. ***

*** Bug 81011 has been marked as a duplicate of this bug. ***

*** Bug 81113 has been marked as a duplicate of this bug. ***

FF 1.0.1 now in CVS. Arches, please test and mark FireFox 1.0.1 stable.

firefox-1.0.1 stable on sparc.
Keeping us in the bug waiting for tb 1.0.1 & moz 1.7.6 ebuilds.

*** Bug 83567 has been marked as a duplicate of this bug. ***

MFSA 2005-18 is CAN-2005-0255, credit: Gaël Delalleau (Gentoo bug 83567)

Stable on ppc.

*** Bug 83696 has been marked as a duplicate of this bug. ***

Shouldn't mozilla-firefox-bin be also marked stable?

Good point... I was still hoping Mozilla 1.7.6 would go out soon but we should probably go ahead anyway. amd64, x86: please test and mark mozilla-firefox-bin-1.0.1 stable.

firefox-bin and firefox are stable on amd64, waiting for another amd64-dev to test mozilla and thunderbird.

firefox and -bin are both stable on x86 (marked by Chris White and Brad Laue respectively).

Does anyone have a clue of when Moz 1.7.6 and TB 1.0.1 will be out? I need to know if we should release GLSA now or wait for the others...

Creating separate bugs for Mozilla Suite and Thunderbird issues, since they apparently won't be out very soon.

Extra CANs (http://secunia.com/advisories/14407/):

- MFSA 2005-28 --> CAN-2005-0578
- MFSA 2005-24 --> CAN-2005-0584
- MFSA 2005-20 --> CAN-2005-0588
- MFSA 2005-19 --> CAN-2005-0589
- MFSA 2005-17 --> CAN-2005-0590
- MFSA 2005-15 --> CAN-2005-0592
- MFSA 2005-14 --> CAN-2005-0593

GLSA 200503-10

arm: please mark stable to benefit from GLSA