new version
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.5 vulnerabilities fixed: MFSA 2006-56 chrome: scheme loading remote content MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5) MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...) MFSA 2006-53 UniversalBrowserRead privilege escalation MFSA 2006-52 PAC privilege escalation using Function.prototype.call MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()" MFSA 2006-50 JavaScript engine vulnerabilities MFSA 2006-48 JavaScript new Function race condition MFSA 2006-47 Native DOM methods can be hijacked across domains MFSA 2006-46 Memory corruption with simultaneous events MFSA 2006-45 Javascript navigator Object Vulnerability MFSA 2006-44 Code execution through deleted frame reference
A USE flag for spatial navigation would be appreciated. http://www.mozilla.org/access/keyboard/snav/
Judging from the bugs security might want to grab this one...
The other products have been updates too, of course.
Mozilla, would you please provide new ebuilds for firefox/thunderbird-1.5.0.5 and seamonkey-1.0.3, respectively? (and bear with me should I mess this one up, not comfortable with this yet .-)
I don't want to be rude, but is the Mozilla Team highly short-staffed? This seems a long response time for an incremental update which fixes 'Highly Critical' security issues, according to Secunia.
You might want to hurry up with this one. Someone just posted working exploit code for one of the security holes: http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html
seems to be a new trend to make PoCs for gentoo systems ... not sure if i like or hate that
Seamonkey-1.0.3 is in cvs now. Thunderbird and firefox should follow soon.
Thunderbird and firefox bumped in cvs as well.
Don't forget: www-client/mozilla-firefox-bin mail-client/mozilla-thunderbird-bin
-bin packages bumped.
Calling arches with a plea to make this urgent. Thank you!
To recap, this a collection of www-client/seamonkey www-client/mozilla-firefox www-client/mozilla-firefox-bin mail-client/mozilla-thunderbird mail-client/mozilla-thunderbird-bin
As discussed in Bug 142064 (which probably should me merged with this one), the language packs for firefox-1.5.0.5 found on gentoo mirrors only contain the output of wget downloading the language packs, *not* the actual language packs :) Building the new firefox with something in LINGUAS thus won't work.
*** Bug 142064 has been marked as a duplicate of this bug. ***
Sorry guys (about the xpi screwup) - it's fixed in cvs now.
ppc stable
x86 www-client/mozilla-firefox: emerged cleanly with lingua ES www-client/seamonkey: emerged cleanly (not tried crypt) mail-client/mozilla-thunderbird: emerged cleanly (not tried crypt) Later I'll test the bin versions. I tried to emerge the bin versions (--pretend) without removing the nobin ones and I didn't get any block. Should not this be disallowed?
Info Regression: Windows MediaPlayer plugin stopped working on specific website with FF 1.5.0.5 (mms) (FF/SM) http://groups.google.com/group/mozilla.dev.apps.seamonkey/browse_thread/thread/ab95c20c9f1239fc/90bc682fdadfd209#90bc682fdadfd209 https://bugzilla.mozilla.org/show_bug.cgi?id=346167 There will be Version FF 1.5.0.6 and SM 1.0.4 next week.
So my computer has its Firefox weeks...only compiling one app 24/7! After some hours :) I am able to write this entry with the Firefox to be stabled. 1) emerges fine so far dodoc: LEGAL does not exist 2) passes collision test 3) works fine so far (have not tested streaming) with some sites with a lot of scripting... Thunderbird and Seamonkey, plus the two bin versions will follow... Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-gentoo-r4 i686) ================================================================= System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.6.15 app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
You wanted Thunderbird, you will get it... 1) emerges fine 2) passes collision test 3) fetched email, sent email, encrypted email, decrypted email, only POP/SMTP
seamonkey is hit by bug #139704 on my system...I will test some USE flag combinations, but that will take some time. USE="mozcalendar" has no effect up to now.
firefox-bin 1) emerges fine so far, but lib-compat as dependency is upset by its emerge...it states that it should not be used. 2) passes collision test 3) works (currently are writing this report with it)
thunderbird-bin 1) emerges fine (though lib-compat complains again) 2) passes collision test 3) works fine
I've got my O2 building firefox-1.5.0.5 as I type this. I'll let you all know how it goes. This said, it's only recently that Firefox gained a ~mips keyword, so it may be some time before we can reasonably mark any release stable. A heads-up... this release (1.5.0.5) seems to have broken handling of mms:// and rm:// streams with external plugins, which may affect plugins such as Mozplugger & MPlayer that provide a Windows Media Player implementation on Linux. There's a patch already applied upstream that fixes this, and I've put this patch into the set for 1.5.0.5, but it's not presently in the ebuilds yet. Apparently, 1.5.0.6 is due out in the next fortnight or so to fix this (and probably other) issue, so I'm at two minds whether to push this fix now, or whether to wait and see. The updated patchset is already in distfiles-local on woodpecker, and I'll update the ebuild appropriately if the issue arises. :-)
seamonkey builds without USE="crypt" perfectly fine, so I add the corresponding bug as a dependency. Also an old bug marked as WORKSFORME for version 1.0.1 (so maintainers have more data) is added, this problem seems to persist since long and should be no blocker for this security stabilisation. 1.0.3 passes collision test and works fine for me, tested web, mail, IRC and composer Galeon 2.0.1-r2 (unstable) emerged fine on seamonkey.
firefox and thunderbird are stable on SPARC. seamonkey 1.0.3 is unfortunately still quite crash happy.
>>> checking firefox-en-GB-1.5.0.5.xpi !!! Digest verification failed: !!! /usr/portage/distfiles/firefox-en-GB-1.5.0.5.xpi !!! Reason: Failed on MD5 verification !!! Got: 9477ebb359db57e77ca75422dc50dc65 !!! Expected: 6ef752816f72918a8b3fec432c4f7dbb I tried the file from a couple of mirrors, including distfiles.gentoo.org.
firefox and thunderbird are marked stable on amd64 seamonkey, firefox-bin and thunderbird-bin remain
It fails on spanish translation on AMD64, too: -------- >>> Emerging (1 of 3) www-client/mozilla-firefox-1.5.0.5 to / >>> checking ebuild checksums ;-) >>> checking auxfile checksums ;-) >>> checking miscfile checksums ;-) >>> checking firefox-1.5.0.5-source.tar.bz2 ;-) >>> checking mozilla-firefox-1.5.0.5-patches-0.1.tar.bz2 ;-) >>> checking firefox-es-ES-1.5.0.5.xpi !!! Digest verification failed: !!! /usr/portage/distfiles/firefox-es-ES-1.5.0.5.xpi !!! Reason: Failed on MD5 verification !!! Got: 65b06d6db94fe449c51d47fb80a79274 !!! Expected: ed94386b270ab386f5b845084de1199 ---------------------
(In reply to comment #26) > The updated patchset is already in distfiles-local on woodpecker, and I'll > update the ebuild appropriately if the issue arises. :-) Please update the ebuild, as there's no way we can wait up to 14 days with regards to the release. Thanks...
stable on hppa
x86 I tested today thunderbird and seamonkey with the crypt flag enabled without any problem. I send an encrypted mail with both. I am not able to reproduce Bug 135646 nor Bug 139704 BTW and again, shouldn't the bin version be blocked but the normal ones and the same in the other way?
(In reply to comment #34) > BTW and again, shouldn't the bin version be blocked but the normal ones and the > same in the other way? Why? They can both be installed on the same system quite safely. It's not like they provide the same files, as the source-based versions install to /usr and the bin install to /opt...
seamonkey-1.0.3 stable on alpha. firefox and thunderbird remain in default-linux/alpha/package.mask, see Bug #128777 and Bug #131359.
firefox and thunderbird are all done on x86, I've not gotten to seamonkey yet though I'll try to get to it tonight.
So far we whats seems to be left is firefox: arm i64 x86 firefox-bin: x86 thunderbird: i64 (sparc) x86 (sparc said ready, not seeing it yet) thunderbird-bin: x86 seamonkey: alpha amd64 x86 The vulnerability shows about half of the bugs not affecting the 1.0 branch of ff/tb; the other half has no mention about that (mfsa2006-50/51/52/53/55/56), which makes me wonder whether we should mask 1.0.x out this time (unfortunately leaving Alpha with only Seamonkey). Rest of SecTeam, comments? I'm also a little irritated - my understandig was we switched from mozilla to seamonkey (anarchy's last work, as it seems) because of sec problems with mozilla, but it's still there. Are we still building gnome against the vulnerable mozilla, then? As a last note, I seem to remember a (short) glorious time when new firefox builds would not overwrite my searchplugins that I painstakingly have to put there again and again now ... could we bring those golden days back sometime?
After failing to compile seamonkey twice with USE="crypt", I successfully build it without it. After that I could not reproduce the error anymore....I hate that. So, _everything_ works for me now.
(In reply to comment #38) > So far we whats seems to be left is > > firefox: arm i64 x86 > firefox-bin: x86 > thunderbird: i64 (sparc) x86 (sparc said ready, not seeing it yet) > thunderbird-bin: x86 > seamonkey: alpha amd64 x86 > > The vulnerability shows about half of the bugs not affecting the 1.0 branch of > ff/tb; the other half has no mention about that (mfsa2006-50/51/52/53/55/56), > which makes me wonder whether we should mask 1.0.x out this time (unfortunately > leaving Alpha with only Seamonkey). Rest of SecTeam, comments? > > I'm also a little irritated - my understandig was we switched from mozilla to > seamonkey (anarchy's last work, as it seems) because of sec problems with > mozilla, but it's still there. Are we still building gnome against the > vulnerable mozilla, then? > Don't forget that seamonkey fails pretty quickly on sparc; Please review Bug 137198 and especially Comments 4, 22 on that bug, as well as the accompanying strace of the failure. Note also Weeve's Comment #28 on this bug. Thus, on sparc at least, seamonkey in its current state cannot be a mozilla replacement. > As a last note, I seem to remember a (short) glorious time when new firefox > builds would not overwrite my searchplugins that I painstakingly have to put > there again and again now ... could we bring those golden days back sometime? >
(In reply to comment #38) > So far we whats seems to be left is > seamonkey: alpha amd64 x86 Alpha has 1.0.3 stable. See comment #36. Is their more we have to do? > which makes me wonder whether we should mask 1.0.x out this time > (unfortunately leaving Alpha with only Seamonkey). alpha already has only Seamonkey. We've had firefox masked in default-linux/alpha/package.mask since June 5th. Don't let us hold you up from removing 1.0.x.
Unfortunately I obviously lag behind with packages.g.o New grid of 'open' things from what I see: seamonkey: amd64 x86 firefox: arm i64 thunderbird: ia64 [sparc] sparc said ready on tb, still not seeing it yet ia64: your opinion about masking 1.0 branch? That would leave you without seamonkey and an (IMHO) vulnerable mozilla only. Starting to look good ...
Seamonkey complete on x86. Thanks to the x86 AT's for testing.
Forgive me guys, for being so penetrant, but given the assumed number of installed mozilla packages we feel this is a little pressing. We still need some feedback from amd64 [seamonkey], ia64 [ff, tb] and arm [ff]. Sparc, your thunderbird still does not show up as stable on p.g.o for me, can you recheck? Thanks for your patience bearing with me!
seamonkey-1.0.3 on amd64 compiles fine and seems to be working ok... emerge --info Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 unknown Gentoo Base System version 1.6.15 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe -msse3" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe -msse3" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LINGUAS="de" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
thanks, amd64 is done here
seamonkey, tb-bin and ff-bin are ready for GLSA thunderbird is still missing sparc keyword
thunderbird sparc stable.
Ready for GLSA.
New versions for Firefox (1.5.0.6) and Seamonkey(1.0.4) have been released today. :-)
(In reply to comment #26) > Apparently, 1.5.0.6 is due out in the next fortnight or so to fix this (and I've been watching this bug and I find it kind of comical that this was ALMOST pushed out before the new version came out.. 1.5.0.6 is out now. See: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.6/ Just FYI and keep up the good work! =)
1.5.0.6 / 1.0.4 do not fix security related bugs, though, just the regression mentioned in #20.
seamonkey done in GLSA 200608-02
firefox done as GLSA 200608-03
and TB as GLSA 200608-04
Thanks everyone for enduring the pain.
Does not affect current (2008.0) release. Removing release.