splitting #129924 in one bug per package for helping handling http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird Fixed in Thunderbird 1.0.8 MFSA 2006-27 Table Rebuilding Code Execution Vulnerability MFSA 2006-26 Mail Multiple Information Disclosure MFSA 2006-25 Privilege escalation through Print Preview MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability MFSA 2006-21 JavaScript execution in mail when forwarding in-line MFSA 2006-19 Cross-site scripting using .valueOf.call() MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability MFSA 2006-17 cross-site scripting through window.controllers MFSA 2006-16 Accessing XBL compilation scope via valueOf.call() MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent MFSA 2006-14 Privilege escalation via XBL.method.eval MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8) MFSA 2006-10 JavaScript garbage-collection hazard audit MFSA 2006-09 Cross-site JavaScript injection using event handlers MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist() MFSA 2006-01 JavaScript garbage-collection hazards
same as the moz-1.0.8 thing (#129924), moz team, please provide a new ebuild mail-client/mozilla-thunderbird-1.0.8
Please keyword 1.5.0.2 were possible, ONLY keyword 1.0.8 for those who can NOT mark 1.5.0.2. AMD64 and X86 DO NOT forget -bin.
(bugzie forced a comment for some minor changes, so here is one to make it happy)
If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not getting it in original post.
(In reply to comment #4) > If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not > getting it in original post. There's no enigmail-0.94.0-r2, I guess we can keyword enigmail-0.94.0-r1?
<@Anarchy> dertobi123, enigmail-0.94.0-r2 is in the tree I forgot to make the commit with all other commits and bumps I am working on so, ppc stable :)
sparc stable.
moz-1.0.8 and moz-bin-1.0.8 stable on x86
amd64 stable 1.5.0.2 !!
alpha team, aware ? something wrong ?
See the bug this one depends on :) - ferdy
oh ok, sorry :) it's worrying. Is #131359 progressing ? ETA ?
We'll probably have to publish the GLSA and say alpha is still affected, and update it when it gets fixed...
A temporary GLSA was sent : GLSA 200605-09 We'll update it once TB reaches stable on alpha
(In reply to comment #12) > it's worrying. Is #131359 progressing ? ETA ? No progress or ETA, so I've masked =mail-client/mozilla-thunderbird-1.0.7* in profiles/default-linux/alpha/package.mask and dropped the ~alpha keyword from thunderbird-1.0.8 as it is badly broken on alpha (Bug #131359) and 1.5 doesn't compile (also Bug #131359). BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
> BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to > still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything. > contrary to the "supported" arches [1], ia64 is not obliged to stabilize the ebuilds concerning the security issues before we send a GLSA. [1] http://www.gentoo.org/security/en/vulnerability-policy.xml , part 1, "Scope"
Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is affected by several vulnerabilities. I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.
(In reply to comment #17) > Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to > keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is > affected by several vulnerabilities. > I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256. mozilla-thunderbird-1.5.0.4 is also broken on alpha. It uses ~100% of the CPU and the main window never comes up. This is similar to the problem we are having with firefox-1.5 on alpha, see Bug #128777. This bug can probably be closed since it isn't looking like we will be able to mark thunderbird-1.5 stable on alpha and alpha has all affected versions of thunderbird masked in profiles/default-linux/alpha/package.mask. Output of `top`: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 3593 tcort 20 0 33120 32m 23m R 93.2 10.4 9:52.85 thunderbird-bin
> mozilla-thunderbird-1.5.0.4 is also broken on alpha. OK, so you will have to let thunderbird masked :( you're right, i can close this bug. Same for bug 120485.