From Heise online: "The Mozilla developers have announced the release of version 220.127.116.11 of their popular Thunderbird email client, addressing a vulnerability in the processing of SSL certificates. Previously, inserting a null character in a certificate could trick some applications into treating, for example, the certificate displayed on www.paypal.com\0.thoughtcrime.org as if it belonged to www.paypal.com."
Would be nice to get this in the tree.
Oops.. Cut-and-paste error in the summary corrected.
MFSA 2009-42 (CVE-2009-2408):
MFSA 2009-43 (CVE-2009-2404):
Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw.
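The two flaws described above (the NUL character in a certificate name from the Heise quote, and the regex-vs-wildcard handling from MFSA 2009-43), as an added example that is not part of this bug, of NSS, or of Mozilla's code: a NUL-terminating comparison that accepts www.paypal.com\0.thoughtcrime.org as www.paypal.com, beside a length-aware matcher that rejects embedded NULs and interprets only a single leftmost-label wildcard instead of Netscape-style regular expressions. The function names, the minimal DER string codec and the exact wildcard rules are assumptions made for illustration, and the sample name is constructed.

```python
# Added example for this bug thread: it is not NSS, Mozilla or Gentoo code.
# It contrasts the NUL-truncating name check that the Thunderbird update
# removed with a length-aware check that also applies restricted wildcard
# rules in place of regular expressions. Function names, the DER helper and
# the sample certificate name are assumptions made for illustration.

# Constructed sample: the subject name quoted from Heise above, carrying the
# literal NUL byte that a length-prefixed certificate string can contain.
CRAFTED_CN = b"www.paypal.com\x00.thoughtcrime.org"


def encode_der_string(content: bytes) -> bytes:
    """Wrap bytes as a short-form DER UTF8String (tag 0x0C, length < 128)."""
    if len(content) >= 0x80:
        raise ValueError("long-form lengths are out of scope for this example")
    return b"\x0c" + bytes([len(content)]) + content


def decode_der_string(der: bytes) -> bytes:
    """Decode a short-form DER UTF8String/PrintableString/IA5String.

    DER strings are length-prefixed, so every content byte is returned,
    NULs included; nothing here stops at 0x00.
    """
    if len(der) < 2 or der[0] not in (0x0C, 0x13, 0x16):
        raise ValueError("not a supported DER string tag")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported DER length")
    return der[2:]


def naive_match(cn: bytes, hostname: str) -> bool:
    """Pre-fix behaviour: the CN ends up in C-string code, so the comparison
    silently stops at the first NUL and the attacker's suffix is ignored."""
    c_string = cn.split(b"\x00", 1)[0]
    return c_string.decode("ascii", "replace").lower() == hostname.lower()


def hardened_match(cn: bytes, hostname: str) -> bool:
    """Length-aware match: an embedded NUL is an outright rejection, and the
    only pattern accepted is a lone '*' as the entire leftmost label
    (a simplification of the wildcard rules, assumed for this example).
    No regular-expression syntax is interpreted at all."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii").lower().rstrip(".")
    except UnicodeDecodeError:
        return False
    host = hostname.lower().rstrip(".")
    if not name or not host:
        return False
    if "*" not in name:
        return name == host
    name_labels = name.split(".")
    host_labels = host.split(".")
    # '*' must be the whole first label, no other label may contain '*',
    # and at least two fixed labels must follow (no '*.com').
    if name_labels[0] != "*" or len(name_labels) < 3:
        return False
    if any("*" in label for label in name_labels[1:]):
        return False
    # The wildcard covers exactly one label, so the label counts must agree.
    if len(host_labels) != len(name_labels):
        return False
    return name_labels[1:] == host_labels[1:]


def check_name(cn_der: bytes, hostname: str, hardened: bool = True) -> bool:
    """Decode the DER string and run the chosen matcher on the raw bytes."""
    cn = decode_der_string(cn_der)
    return hardened_match(cn, hostname) if hardened else naive_match(cn, hostname)


if __name__ == "__main__":
    der = encode_der_string(CRAFTED_CN)
    print("naive    :", check_name(der, "www.paypal.com", hardened=False))  # True
    print("hardened :", check_name(der, "www.paypal.com"))                  # False
```

The point of the DER helper is that the length prefix, not a terminator, bounds the string: the NUL is ordinary content as far as the certificate encoding is concerned, and it is only the consumer's C-string handling that silently shortens the name. The hardened matcher also shows why the wildcard restriction matters: with no pattern language beyond a single leftmost '*', there is no regex engine left to overflow.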
Mozilla: Can we go stable with .23?
Arches, please test and mark stable:
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Now stable on ppc.
Security team, I let you close the bug.
mail-client/mozilla-thunderbird-bin-18.104.22.168 is not stable for amd64 and x86
(In reply to comment #11)
> mail-client/mozilla-thunderbird-bin-22.214.171.124 is not stable for amd64 and x86
Buy new glasses. :)
$ grep KEYWORDS *.ebuild
mozilla-thunderbird-126.96.36.199.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
mozilla-thunderbird-188.8.131.52.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
(In reply to comment #12)
> (In reply to comment #11)
> > mail-client/mozilla-thunderbird-bin-184.108.40.206 is not stable for amd64 and x86
> Buy new glasses. :)
> $ grep KEYWORDS *.ebuild
> mozilla-thunderbird-220.127.116.11.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc
> x86 ~x86-fbsd"
> mozilla-thunderbird-18.104.22.168.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc
> x86 ~x86-fbsd"
Nah, you should:
mozilla-thunderbird-bin-22.214.171.124.ebuild:KEYWORDS="-* amd64 x86"
mozilla-thunderbird-bin-126.96.36.199.ebuild:KEYWORDS="-* ~amd64 ~x86"
mozilla-thunderbird-bin-3.0_beta4.ebuild:KEYWORDS="-* ~amd64 ~x86"
x86 stable, my revenge will be on you...one day.
amd64 stable, all arches done.
No voting here, as the vulnerability is actually in <dev-libs/nss-3.12.3 (#280226) which is used by Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger. IMHO voting should take place in 280226; if we decide on yes there, all the packages will have a GLSA together.
uranus ~ # ls /usr/portage/mail-client/mozilla-thunderbird
ChangeLog Manifest mozilla-thunderbird-188.8.131.52.ebuild mozilla-thunderbird-3.0.3-r1.ebuild
files metadata.xml mozilla-thunderbird-3.0.3.ebuild
uranus ~ #
No ebuild matches <mail-client/mozilla-thunderbird-184.108.40.206 any more. This bug does not make sense any more. Please close.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
security team, please close this bug.
We will, when its GLSA handling is finished. For further information, please consult
This issue was resolved and addressed in
GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).