security and routine updates
Bug report QA messages:
* Please use full package qualifiers (e.g. "sys-apps/portage", not just "portage") in bug report titles, at the beginning ideally, in the future. Thank you!
Fixed in Thunderbird 3.0.4
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:126.96.36.199/ 188.8.131.52/ 184.108.40.206)
Security team, please feel free to bring in the archs. All archs, please ensure you mark enigmail-1.0.1-r3 stable at the same time.
Arches, please test and mark stable:
Everyone, sorry about the bugspam, I'm training our latest recruit.
(In reply to comment #4)
> Arches, please test and mark stable:
I would like to remark that spell checking doesn't work for me (amd64).
I'm trying to use myspell-dictionaries. Firefox finds them, Thunderbird 3.0.4 doesn't.
(In reply to comment #6)
> (In reply to comment #4)
> > Arches, please test and mark stable:
> > =mail-client/mozilla-thunderbird-3.0.4
> I would like to remark that spell checking doesn't work for me (amd64).
> I'm trying to use myspell-dictionaries. Firefox finds them, Thunderbird 3.0.4
Open up a separate bug report with that info and please provide me with an strace from startup to close.
Testing on x86: Everything fine for me.
stable x86, thanks Thomas
(In reply to comment #3)
> Security team, please feel free to bring in the archs. All archs, please ensure
> you mark enigmail-1.0.1-r3 stable at the same time.
Readding x86 as enigmail is not stabled yet.
I did -bin and enigmail. Please note ALL packages to be stabilised in the cc message.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Bug added to existing Mozilla GLSA request.
The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x
before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not
perform the expected nsIContentPolicy checks during loading of content by
XML documents, which allows attackers to bypass intended access restrictions
via crafted content.
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and
SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary code
via unknown vectors.
This issue was resolved and addressed in
GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).