Mozilla has released nine advisories affecting these packages.

MFSA 2010-72 CVE-2010-3173 Low Insecure Diffie-Hellman key exchange
MFSA 2010-71 CVE-2010-3182 Critical Unsafe library loading vulnerabilities
MFSA 2010-70 CVE-2010-3170 Moderate SSL wildcard certificate matching IP addresses
MFSA 2010-69 CVE-2010-3178 High Cross-site information disclosure via modal calls
MFSA 2010-68 CVE-2010-3177 High XSS in gopher parser when parsing hrefs
MFSA 2010-67 CVE-2010-3183 Critical Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-66 CVE-2010-3180 Critical Use-after-free error in nsBarProp
MFSA 2010-65 CVE-2010-3179 Critical Buffer overflow and memory corruption using document.write
MFSA 2010-64 CVE-2010-3176, CVE-2010-3175, CVE-2010-3174 Critical Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
Let's keep all these together, one GLSA will satisfy all of them. thunderbird{-bin}-3.1.5, xulrunner-1.9.2.11, firefox{-bin}-3.6.11 are all in tree, seamonkey and icecat will follow very shortly.
*** Bug 341825 has been marked as a duplicate of this bug. ***
*** Bug 341823 has been marked as a duplicate of this bug. ***
seamonkey-{,-bin}-2.0.9 are now in the tree.
(In reply to comment #1)
> Lets keep all these together, one glsa will satisfy all of them.
> thunderbird{-bin}-3.1.5, xulrunner-1.9.2.11, firefox{-bin}-3.6.11 are all in
> tree, seamonkey and icecat will follow very shortly.

Just to refrain from opening a new bug, thunderbird-3.1.5 fails to configure with the following error:

checking for sqlite3 >= 3.7.1... Requested 'sqlite3 >= 3.7.1' but version of SQLite is 3.6.23.1
configure: error: Library requirements (sqlite3 >= 3.7.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
configure: error: ./configure failed for mozilla

I guess the Thunderbird 3.1.5 ebuild is missing the proper >=dev-db/sqlite-3.7.1 dependency.
(In reply to comment #5)
> Just to refrain from opening a new bug, thunderbird-3.1.5 fails to configure
> with the following error:
>
> checking for sqlite3 >= 3.7.1... Requested 'sqlite3 >= 3.7.1' but version of
> SQLite is 3.6.23.1
> configure: error: Library requirements (sqlite3 >= 3.7.1) not met; consider
> adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a
> nonstandard prefix so pkg-config can find them.
> configure: error: ./configure failed for mozilla
>
> I guess the Thunderbird 3.1.5 ebuild is missing the proper
> >=dev-db/sqlite-3.7.1 dependency.

+ 21 Oct 2010; Lars Wendler <polynomial-c@gentoo.org>
+ thunderbird-3.1.5.ebuild:
+ Fixed sqlite dependency (reported by Jaak Ristioja in bug #341821).
Security team, feel free to bring the archs in so they can start to stabilize. Let's stabilize nss-3.12.8 at the same time.
(In reply to comment #7)
> Security team feel free to bring the archs in so they can start to stabilize.
> Lets stabilize nss-3.12.8 at the same time.
>

Will there be an updated icecat too?
(In reply to comment #8)
> (In reply to comment #7)
> > Security team feel free to bring the archs in so they can start to stabilize.
> > Lets stabilize nss-3.12.8 at the same time.
> >
>
> Will there be an updated icecat too?
>

As soon as it is available, I will be emailed and make the bump in the tree. I cannot confirm when it will be available, but as soon as it is the bump will happen. That is less than a 2-minute merge though, so I say get xul/ff/tb/sea all done, as these are the main packages our users are using.
Arches, please test and mark stable:

=net-libs/xulrunner-1.9.2.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-3.1.5
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.5
Target keywords : "amd64 x86"

=www-client/firefox-3.6.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.11
Target keywords : "amd64 x86"

=www-client/seamonkey-2.0.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.9
Target keywords : "amd64 x86"

=dev-libs/nss-3.12.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~

How should we proceed?
(In reply to comment #11)
> USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
>
> How we should proceed?

Arfrever, Betelgeuse, any comments on this?
(In reply to comment #11)
> USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
>
> How we should proceed?
>

To tell the truth, the packages that make use of the USE="system-sqlite" are: Firefox, SeaMonkey, XULRunner, and Thunderbird.

Anyway I reported the bugs about their :)

bug 342035
bug 342051
bug 342057
I think we can ignore the ignored LDFLAGS for now since this is a security issue so it gets higher priority than the QA one. However I wanted to see them fixed sooner or later. Please open a new bug about sqlite. Thanks
(In reply to comment #14)
> I think we can ignore the ignored LDFLAGS for now since this a security issue
> so it gets higher priority than the QA one. However I wanted to see them fixed
> sooner or later. Please open a new bug about sqlite. Thanks
>

that's for sure! I put only aware of the bugs found, even if they do not affect the stabilization :)
(In reply to comment #14)
> Please open a new bug about sqlite.

Maintainers of SQLite are already in cc of this bug here.
x86 is tested and fine, as soon as there is a decision on the SQLite issue, anybody can mark x86 stable...for the case that nobody from x86 team is around.
Stable for HPPA.
all ok on amd64 for me
(In reply to comment #12)
> (In reply to comment #11)
> > USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
> >
> > How we should proceed?
>
> Arfrever, Betelgeuse, any comments on this?

dev-db/sqlite-3.7.2 will be stabilized in bug #342323.
amd64 done
At the request of Anarchy, firefox-bin marked stable on x86 since it doesn't fall into the need sqlite category. Need to finish the stabilization of sqlite before the rest of these can be marked stable for x86. I will try to get to this today.
Thanks c1pher. All SQLite depending packages built fine, but I can reproduce the test failure reported on bug 342469.
(In reply to comment #23)
> Thanks c1pher. All SQLite depending packages built fine, but I can reproduce
> the test failure reported on bug 342469.
>

I have use flag combination tests running already. With the depending packages good to go as well (assuming I don't hit any issues outside of USE="icu") do we want to go ahead and stable it and mark these as well?
x86 stable
Alright, icecat-3.6.11 is in the tree.

Target keywords are: amd64 ppc ppc64 x86

Readded amd64 and x86 (sorry guys ;))
(In reply to comment #26)
> Alright, icecat-3.6.11 is in the tree.
>
> Target keywords are: amd64 ppc ppc64 x86
>
> Readded amd64 and x86 (sorry guys ;))
>

Np, amd64 well also for icecat
amd64 done. Thanks Agostino
Removing arch teams here in favor of bug #342847
GLSA with other mozilla bugs.
Nothing for mozilla team to handle, tree has all appropriate updates.
Sorry for the noise, just forgot to remove mozilla team from the bug reports.
CVE-2010-3183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3183):
The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly support window.__lookupGetter__ function calls that lack arguments, which allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference and application crash) via vectors involving a "dangling pointer" and the JS_ValueToId function.

CVE-2010-3182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3182):
A certain application-launch script in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 on Linux places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

CVE-2010-3180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3180):
Use-after-free vulnerability in the nsBarProp function in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code by accessing the locationbar property of a closed window.

CVE-2010-3179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3179):
Stack-based buffer overflow in the text-rendering functionality in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a long argument to the document.write method.

CVE-2010-3178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3178):
Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly handle certain modal calls made by javascript: URLs in circumstances related to opening a new window and performing cross-domain navigation, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document.

CVE-2010-3177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3177):
Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, and SeaMonkey before 2.0.9, allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server.

CVE-2010-3176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3176):
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3175):
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.6.x before 3.6.11 and Thunderbird 3.1.x before 3.1.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3174):
Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.14, Thunderbird before 3.0.9, and SeaMonkey before 2.0.9 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3173):
The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

CVE-2010-3170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3170):
Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
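
Added example, not part of the original bug report and not Mozilla's launch script: the CVE-2010-3182 entry above describes a launcher placing a zero-length directory name in LD_LIBRARY_PATH, which the dynamic loader reads as the current working directory. The sketch shows the prepend pattern that produces such an entry, the guarded form, and two checks for auditing launchers; the function names and /opt/app paths are hypothetical.

```shell
#!/bin/sh
# Added example; function names and /opt/app paths are hypothetical.

# Unsafe prepend: with an empty current value the result ends in ":",
# a zero-length entry that the dynamic loader reads as the current directory.
prepend_unsafe() { printf '%s\n' "$1:$2"; }        # $1 = dir, $2 = current value

# Safe prepend: emit the ":" separator only when a value already exists.
prepend_safe() { printf '%s\n' "$1${2:+:$2}"; }

# Succeeds if a search path has an empty or "." entry (both mean the cwd).
has_cwd_entry() {
    [ -n "$1" ] || return 1                        # empty value: no entries
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Print "lineno:text" for launcher lines that prepend without the ${VAR:+:} guard.
audit_launcher() {
    grep -nE 'LD_LIBRARY_PATH=.*:\$[{]?LD_LIBRARY_PATH' "$1" | grep -vF ':+' || true
}

# Constructed sample launcher (not a real Mozilla script): line 2 is unsafe.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
#!/bin/sh
LD_LIBRARY_PATH=/opt/app/lib:$LD_LIBRARY_PATH
LD_LIBRARY_PATH=/opt/app/plugins${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export LD_LIBRARY_PATH
EOF
    audit_launcher "$sample"
    rm -f "$sample"
}

demo
for p in "$(prepend_unsafe /opt/app/lib '')" "$(prepend_safe /opt/app/lib '')"; do
    if has_cwd_entry "$p"; then echo "cwd entry: '$p'"; else echo "clean: '$p'"; fi
done
```
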
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).