Bug 214816 - mozilla-firefox <2.0.0.13, mozilla-thunderbird <2.0.0.14, seamonkey <1.1.9, xulrunner <1.8.1.13 Multiple vulnerabilities (CVE-2007-4879, CVE-2008-{1233,1234,1235,1236,1237,1238,1240,1241})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 219983
Depends on:
Blocks:
 
Reported: 2008-03-26 01:51 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-20 21:20 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 01:51:10 UTC
Firefox 2.0.0.13 is out, security fixes as usual.
Comment 1 Michael Schachtebeck 2008-03-26 09:36:30 UTC
2.0.0.13 fixes (among others) 2 critical vulnerabilities, see http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-03-26 13:54:30 UTC
=www-client/mozilla-firefox[-bin]-2.0.0.13
=net-libs/xulrunner-1.8.1.13
=www-client/seamonkey[-bin]-1.1.9

in the tree
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 20:49:56 UTC
Arches, please test and mark stable:
=www-client/mozilla-firefox-2.0.0.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

=www-client/mozilla-firefox-bin-2.0.0.13
Target keywords : "amd64 release x86"

=www-client/seamonkey-1.1.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

=www-client/seamonkey-bin-1.1.9
Target keywords : "amd64 release x86"

=net-libs/xulrunner-1.8.1.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 20:51:53 UTC
Raul, please note that as long as it's not p.masked, xulrunner-bin also needs to be upgraded.
Comment 5 Markus Meier gentoo-dev 2008-03-27 00:03:23 UTC
amd64/x86 stable
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 02:12:05 UTC
(In reply to comment #4)
> Raul, please note that as long as it's not p.masked, xulrunner-bin also needs
> to be upgraded.

*xulrunner-bin-1.8.1.13 (26 Mar 2008)

  26 Mar 2008; Raúl Porcel <armin76@gentoo.org>
  xulrunner-bin-1.8.1.12.ebuild, +xulrunner-bin-1.8.1.13.ebuild:
  Version bump
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-03-27 12:26:22 UTC
alpha/ia64/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2008-03-27 16:42:07 UTC
ppc and ppc64 done
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 20:46:18 UTC
Description:
CVE-2008-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1233):
  Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird
  before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to
  execute arbitrary code via "XPCNativeWrapper pollution."

CVE-2008-1234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1234):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote
  attackers to inject arbitrary web script or HTML via event handlers, aka
  "Universal XSS using event handlers."

CVE-2008-1235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1235):
  Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird
  before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to
  execute arbitrary code via unknown vectors that cause JavaScript to execute
  with the wrong principal, aka "Privilege escalation via incorrect principals."

CVE-2008-1236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1236):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote
  attackers to cause a denial of service (crash) and possibly execute arbitrary
  code via unknown vectors related to the layout engine.

CVE-2008-1237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1237):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote
  attackers to cause a denial of service (crash) and possibly execute arbitrary
  code via unknown vectors related to the JavaScript engine.

CVE-2008-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1238):
  Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating
  the HTTP Referer header, does not list the entire URL when it contains Basic
  Authentication credentials without a username, which makes it easier for
  remote attackers to bypass application protection mechanisms that rely on
  Referer headers, such as with some Cross-Site Request Forgery (CSRF)
  mechanisms.

CVE-2008-1241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1241):
  GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey
  before 1.1.9 allows remote attackers to spoof form elements and redirect user
  inputs via a borderless XUL pop-up window from a background tab.
Comment 10 Jeroen Roovers gentoo-dev 2008-03-28 05:03:21 UTC
Marked stable for HPPA:
  =www-client/mozilla-firefox-2.0.0.13
  =net-libs/xulrunner-1.8.1.13
  =www-client/seamonkey-1.1.9

None of these passes the Acid3 test, btw. ;-)
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-03-28 08:09:28 UTC
Fixed in release snapshot.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 19:48:52 UTC
GLSA is filed, waiting for Thunderbird :-/
Comment 13 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-05-01 23:07:25 UTC
*** Bug 219983 has been marked as a duplicate of this bug. ***
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-05-02 09:36:13 UTC
As pointed out in the duplicate (see comment 13), Thunderbird 2.0.0.14 has been released.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-05-02 14:28:43 UTC
mail-client/mozilla-thunderbird[-bin]-2.0.0.14 in the tree
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-03 10:47:10 UTC
Arches, please test and mark stable:
=mozilla-thunderbird-2.0.0.14
Target keywords: "alpha amd64 ia64 ppc ppc64 release sparc x86"

=mozilla-thunderbird-bin-2.0.0.14
Target keywords: "amd64 release x86"
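As an added example (not part of this bug report or of Portage), a small Python check that compares a Gentoo installed-package listing against the fixed versions requested for stabilisation in comments 3 and 16, including the -bin variants; the installed list is constructed, and the `FIXED` table, `ATOM_RE` and the function names are this example's own.

```python
import re
# Minimum fixed versions from the stabilisation requests in comments 3 and 16.
FIXED = {
    "www-client/mozilla-firefox": "2.0.0.13",
    "www-client/mozilla-firefox-bin": "2.0.0.13",
    "mail-client/mozilla-thunderbird": "2.0.0.14",
    "mail-client/mozilla-thunderbird-bin": "2.0.0.14",
    "www-client/seamonkey": "1.1.9",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.13",
    "net-libs/xulrunner-bin": "1.8.1.13",
}

# 'category/name-version' with an optional Gentoo -rN revision suffix.
ATOM_RE = re.compile(r"^(?P<cpn>[a-z0-9-]+/[A-Za-z0-9_+-]+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$")

def split_atom(atom):
    """Split 'cat/pkg-1.2.3-r1' into ('cat/pkg', '1.2.3-r1')."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("not a versioned atom: %r" % atom)
    return m.group("cpn"), m.group("ver")

def version_key(ver):
    """Sortable key: tuple of dotted components, then the -rN revision."""
    base, _, rev = ver.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def vulnerable(installed):
    """Return (installed_atom, first_fixed_atom) for every affected package."""
    hits = []
    for atom in installed:
        cpn, ver = split_atom(atom)
        fixed = FIXED.get(cpn)
        if fixed is not None and version_key(ver) < version_key(fixed):
            hits.append((atom, cpn + "-" + fixed))
    return hits

# Constructed sample of an installed-package listing (not from a real host).
SAMPLE_INSTALLED = [
    "www-client/mozilla-firefox-2.0.0.12",
    "net-libs/xulrunner-1.8.1.13",
    "mail-client/mozilla-thunderbird-2.0.0.13-r1",
    "www-client/seamonkey-bin-1.1.9",
    "dev-lang/python-2.5.2",
]

if __name__ == "__main__":
    for atom, fix in vulnerable(SAMPLE_INSTALLED):
        print("%s is vulnerable, upgrade to >=%s" % (atom, fix))
```

On a real system the list would come from an installed-package query rather than the constructed sample; packages not in the table are ignored.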
Comment 17 Hanno Boeck gentoo-dev 2008-05-03 23:30:21 UTC
CC-in archs for thunderbird stabilization.
Comment 18 Markus Meier gentoo-dev 2008-05-04 13:30:12 UTC
amd64/x86 stable
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2008-05-04 13:44:16 UTC
alpha/ia64/sparc stable
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2008-05-05 11:48:50 UTC
ppc64 stable
Comment 21 Brent Baude (RETIRED) gentoo-dev 2008-05-05 14:08:11 UTC
ppc done
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 21:20:14 UTC
GLSA 200805-18, sorry for the delay