multiple vulnerabilities fixed in thunderbird 1.5.0.8 http://www.mozilla.org/security/announce/2006/mfsa2006-65.html Title: Crashes with evidence of memory corruption (rv:1.8.0.8) Impact: Critical Announced: November 7, 2006 Reporter: Mozilla Developers Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 1.5.0.8 Thunderbird 1.5.0.8 SeaMonkey 1.0.6 Description As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data. Workaround Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the mail portions of SeaMonkey. References Jesse Ruderman and Martijn Wargers reported crashes in the layout engine https://bugzilla.mozilla.org/show_bug.cgi?id=307809 https://bugzilla.mozilla.org/show_bug.cgi?id=310267 https://bugzilla.mozilla.org/show_bug.cgi?id=350370 https://bugzilla.mozilla.org/show_bug.cgi?id=351328 CVE-2006-5464 shutdown demonstrated that a crash in XML.prototype.hasOwnProperty was exploitable https://bugzilla.mozilla.org/show_bug.cgi?id=355569 CVE-2006-5747 Igor Bukanov and Jesse Ruderman reported potential memory corruption in the JavaScript engine https://bugzilla.mozilla.org/show_bug.cgi?id=349527 https://bugzilla.mozilla.org/show_bug.cgi?id=351973 https://bugzilla.mozilla.org/show_bug.cgi?id=353165 https://bugzilla.mozilla.org/show_bug.cgi?id=354145 https://bugzilla.mozilla.org/show_bug.cgi?id=354151 https://bugzilla.mozilla.org/show_bug.cgi?id=350238 https://bugzilla.mozilla.org/show_bug.cgi?id=351116 https://bugzilla.mozilla.org/show_bug.cgi?id=352271 https://bugzilla.mozilla.org/show_bug.cgi?id=352606 https://bugzilla.mozilla.org/show_bug.cgi?id=354924 CVE-2006-5748 * Site Map * Security Updates * Contact Us http://www.mozilla.org/security/announce/2006/mfsa2006-64.html Mozilla Foundation Security Advisory 2006-64 Title: Crashes with evidence of memory corruption (rv:1.8.0.7) Impact: Critical Announced: September 14, 2006 Reporter: Mozilla Developers Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 1.5.0.7 Thunderbird 1.5.0.7 SeaMonkey 1.0.5 Description As part of the Firefox 1.5.0.7 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort. We thank Bernd Mielke, Georgi Guninski, Igor Bukanov, Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, shutdown, and Weston Carloss for discovering and reporting these crashes. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data. Workaround Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the mail portions of SeaMonkey. References CVE-2006-4571 Bernd Mielke and Mats Palmgren reported crashes involving tables https://bugzilla.mozilla.org/show_bug.cgi?id=339130 https://bugzilla.mozilla.org/show_bug.cgi?id=339170 https://bugzilla.mozilla.org/show_bug.cgi?id=339246 https://bugzilla.mozilla.org/show_bug.cgi?id=343087 https://bugzilla.mozilla.org/show_bug.cgi?id=344000 https://bugzilla.mozilla.org/show_bug.cgi?id=346980 Georgi Guninski discovered heap corruption using XSLTProcessor https://bugzilla.mozilla.org/show_bug.cgi?id=348511 Igor Bukanov reported potential memory corruption in the JavaScript engine https://bugzilla.mozilla.org/show_bug.cgi?id=345967 https://bugzilla.mozilla.org/show_bug.cgi?id=346968 https://bugzilla.mozilla.org/show_bug.cgi?id=348532 https://bugzilla.mozilla.org/show_bug.cgi?id=350312 Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, and Weston Carloss reported crashes involving DHTML https://bugzilla.mozilla.org/show_bug.cgi?id=306940 https://bugzilla.mozilla.org/show_bug.cgi?id=307826 https://bugzilla.mozilla.org/show_bug.cgi?id=336999 https://bugzilla.mozilla.org/show_bug.cgi?id=337419 https://bugzilla.mozilla.org/show_bug.cgi?id=337883 https://bugzilla.mozilla.org/show_bug.cgi?id=347355 https://bugzilla.mozilla.org/show_bug.cgi?id=348049 https://bugzilla.mozilla.org/show_bug.cgi?id=205735 https://bugzilla.mozilla.org/show_bug.cgi?id=344291 https://bugzilla.mozilla.org/show_bug.cgi?id=344557 https://bugzilla.mozilla.org/show_bug.cgi?id=348062 https://bugzilla.mozilla.org/show_bug.cgi?id=348729 https://bugzilla.mozilla.org/show_bug.cgi?id=348887 https://bugzilla.mozilla.org/show_bug.cgi?id=321299 https://bugzilla.mozilla.org/show_bug.cgi?id=343457 https://bugzilla.mozilla.org/show_bug.cgi?id=349201 https://bugzilla.mozilla.org/show_bug.cgi?id=348688 shutdown reported it was still possible to corrupt memory via content-implemented tree views despite the fix for bug 326501 https://bugzilla.mozilla.org/show_bug.cgi?id=344085 http://www.mozilla.org/security/announce/2006/mfsa2006-66.htmlMozilla Foundation Security Advisory 2006-66 Title: RSA Signature Forgery (variant) Impact: Critical Announced: November 7, 2006 Reporter: Ulrich Kuehn Products: Firefox, Thunderbird, SeaMonkey Fixed in: Firefox 1.5.0.8 Thunderbird 1.5.0.8 SeaMonkey 1.0.6 Description MFSA 2006-60 reported that RSA digital signatures with a low exponent (typically 3) could be forged. This flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients. Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version 3.10.2, was incompletely patched and remained vulnerable to a variant of this attack. Workaround None, upgrade to a fixed version. References https://bugzilla.mozilla.org/show_bug.cgi?id=356215 CVE-2006-5462 MFSA 2006-60 rgds Daxomatic
Accepting bug.
I *swear* mozilla gives me the creeps. Alright. Sorry for the bugspam. Daxomatic's going to handle it from here.
mozilla team, please advice. br Daxomatic
bin is in the tree x86 and amd64 test and stabilize at your own discreation.
mozilla-thunderbird-bin in x86: Works ok. Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r1 i686) ================================================================= System uname: 2.6.18-gentoo-r1 i686 AMD Athlon(tm) Processor Gentoo Base System version 1.12.6 Last Sync: Wed, 08 Nov 2006 09:50:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ " LANG="en_US.ISO-8859-15" LC_ALL="en_US.ISO-8859-15" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise" SYNC="rsync://rsync.belnet.be/packages/gentoo-portage" USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
mail-client/mozilla-thunderbird-bin-1.5.0.8 1. emerges on x86, please note: QA Notice: the following files contain runtime text relocations TEXTREL opt/thunderbird/extensions/talkback@mozilla.org/components/libqfaservices.so 2. passes collision test 3. works Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.1 i686) ================================================================= System uname: 2.6.18.1 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz Gentoo Base System version 1.12.6 Last Sync: Wed, 08 Nov 2006 20:00:02 +0000 ccache version 2.3 [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.3.5-r3, 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--nospinner" FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LINGUAS="en de en_GB de_CH" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib" Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
bin stable for x86, waiting for non-bin.
Source build in cvs.
hi, Arches, please test & mark stable. for mozilla-thunderbird as well for mozilla-thunderbird-bin please rgds Daxomatic
Can’t you hear the thunderbird raging across the sea Can’t you see the lightning as it races across the sky Can’t you feel the power and the strength of my x86 [Slightly reworked from: Bound For Glory -- Over the Top]
- mail-client/mozilla-thunderbird-1.5.0.8 emerges fine on amd64 - passes collision-test - passes multilib-strict - works # emerge --info Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r1 x86_64) ================================================================= System uname: 2.6.18-gentoo-r1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ Gentoo Base System version 1.12.6 Last Sync: Thu, 09 Nov 2006 12:20:01 +0000 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo " LANG="en_US.ISO8859-1" LC_ALL="en_US.ISO8859-1" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/stuff" SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage" USE="amd64 7zip X a52 aac aalib addbookmarks alias alsa amarok arts asf avahi bash-completion berkdb bitmap-fonts browserplugin bzip2 c++ cairo calendar caps cdr cdrom cdsound chroot cli cracklib crypt cups cvs dbus de_tvtoday dhcp dlloader dri dvb dvd dvdr dvdread eds elibc_glibc emboss encode esd fam ffmpeg flac fortran gdbm gif gimp gimpprint gnome gpm gsm gstreamer gtk gtk2 gzip hal hald highlight history howl iconv icq imagemagick input_devices_evdev input_devices_keyboard input_devices_mouse irssi isdnlog java javascript jpeg kde kdm kernel_linux kipi lame ldap libg++ live logitech-mouse mad madwifi md5sum mikmod mng mp3 mpeg ncurses nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openssh pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rss ruby samba scanner scp sdl session smp speex spell spl sql ssl subversion svg symlink tcl tcltk tcpd tiff tk transcode truetype truetype-fonts type1-fonts udev unicode unzip usb userland_GNU vcd video_cards_nv video_cards_nvidia video_cards_vesa vim visualization vorbis wmf wxwindows x264 xcomposite xine xml xorg xv xvid xvmc zip zlib zvbi" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
ppc is teh stable
sparc stable.
(In reply to comment #11) > - mail-client/mozilla-thunderbird-1.5.0.8 emerges fine on amd64 ... and keyworded. Keeping us on CC as -bin still needs to be done
-bin also emerges and runs fine on amd64. Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64) ================================================================= System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+ Gentoo Base System version 1.12.6 Last Sync: Wed, 08 Nov 2006 05:00:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.30 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r4 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -msse3 -Os -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -msse3 -Os -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage_overlay" SYNC="rsync://server/gentoo-portage" USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
-bin also keyworded. amd64 is done
there seems to be a prob with thunderbird 1.5.0.8: https://bugzilla.mozilla.org/show_bug.cgi?id=360409 http://forums.mozillazine.org/viewtopic.php?t=485752 and for the germans amongst us: http://www.heise.de/newsticker/meldung/81529 (basically, it kills mails). Do we really want to use this flawed version in a GLSA?
It does not generally kill mails. The indexer is bugged, though, and you may indeed lose mails if you're using threaded view. Nevertheless that's not our job (which is to get vulnerable stuff out of the way). In this case it means replacing br0ken with differently br0ken, unfortunately. We could be nice and point to the relevant Mozilla bug, warning users about the problem.
GLSA 200612-06