Bug 360055 - <www-client/firefox{,-bin}-3.6.16, <www-client/icecat-3.6.16, <www-client/seamonkey{,-bin}-2.0.13, <net-libs/xulrunner-1.9.2.16: Security Update to Block Invalid Certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/anno...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-23 05:14 UTC by Tim Sammut (RETIRED)
Modified: 2013-01-08 01:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log XULRunner (build.log,227.56 KB, text/plain)
2011-03-26 11:03 UTC, Christian Faulhammer (RETIRED)

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-23 05:14:29 UTC
From $URL:

Title: Update to HTTPS certificate blacklist
Impact: High
Announced: March 22, 2011
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.16
  Firefox 3.5.18
  SeaMonkey 2.0.13
Description

Several invalid HTTPS certificates were placed on the certificate blacklist to prevent their misuse.
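The advisory quoted above describes the fix as a certificate blacklist: the browser refuses a TLS chain that contains one of the listed certificates, even though the issuing CA is still trusted. The following is an added example of that check from the defender's side; it is not Mozilla's NSS code and not part of this bug. The `Cert` records, the sample chains and the blacklist entries are constructed data, and keying the list by issuer DN plus serial number or by SHA-256 fingerprint of the DER bytes is an assumption about how such a list is kept, not something the advisory states.

```python
"""Check a certificate chain against a blacklist of known-bad certificates.

Added example (not Mozilla or Gentoo code). All certificates and blacklist
entries below are constructed sample data; the DER fields are placeholder
bytes standing in for real encodings.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal view of an X.509 certificate (constructed, not parsed from DER)."""
    subject: str
    issuer: str
    serial: str   # hex as tools print it; case, separators and leading zeros vary
    der: bytes    # DER encoding; placeholder bytes here


def normalize_serial(serial: str) -> str:
    """Canonical serial: lowercase hex, no separators or 0x prefix, no leading zeros."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class CertBlacklist:
    """Blocked certificates, keyed by (issuer DN, serial) or by SHA-256 fingerprint.

    Keying by issuer+serial matches how a CA identifies a misissued certificate;
    keying by fingerprint catches a certificate whose issuer or serial cannot be
    trusted either (assumed design, see lead-in).
    """

    def __init__(self) -> None:
        self._by_issuer_serial: Set[Tuple[str, str]] = set()
        self._by_fingerprint: Set[str] = set()

    def add_issuer_serial(self, issuer: str, serial: str) -> None:
        self._by_issuer_serial.add((issuer, normalize_serial(serial)))

    def add_fingerprint(self, hex_sha256: str) -> None:
        self._by_fingerprint.add(hex_sha256.lower().replace(":", ""))

    def is_blocked(self, cert: Cert) -> bool:
        if (cert.issuer, normalize_serial(cert.serial)) in self._by_issuer_serial:
            return True
        return sha256_fingerprint(cert.der) in self._by_fingerprint


def blocked_in_chain(chain: Iterable[Cert], blacklist: CertBlacklist) -> List[str]:
    """Subjects of every blocked certificate in the chain (leaf first).

    An empty list means the chain passes. Any hit must fail the connection no
    matter where in the chain it sits: a blocked intermediate poisons every leaf
    below it, even though the root above it is still trusted.
    """
    return [c.subject for c in chain if blacklist.is_blocked(c)]


# ---- constructed sample data ------------------------------------------------
SAMPLE_CA = "CN=Sample Issuing CA, O=Constructed Example"
ROOT = Cert("CN=Sample Root", "CN=Sample Root", "01", b"constructed-der-root")
ISSUING_CA = Cert(SAMPLE_CA, "CN=Sample Root", "02", b"constructed-der-issuing-ca")


def sample_blacklist() -> CertBlacklist:
    bl = CertBlacklist()
    # A misissued leaf, listed the way a CA would publish it (colon-separated hex).
    bl.add_issuer_serial(SAMPLE_CA, "00:0A:1B")
    # An intermediate that should never have existed, pinned by fingerprint.
    bl.add_fingerprint(sha256_fingerprint(b"constructed-der-rogue-intermediate"))
    return bl


def sample_chain_blocked_leaf() -> List[Cert]:
    leaf = Cert("CN=login.example.test", SAMPLE_CA, "a1b", b"constructed-der-leaf-1")
    return [leaf, ISSUING_CA, ROOT]


def sample_chain_rogue_intermediate() -> List[Cert]:
    rogue = Cert("CN=Rogue Intermediate", "CN=Sample Root", "7f",
                 b"constructed-der-rogue-intermediate")
    leaf = Cert("CN=mail.example.test", "CN=Rogue Intermediate", "10",
                b"constructed-der-leaf-2")
    return [leaf, rogue, ROOT]


def sample_chain_clean() -> List[Cert]:
    leaf = Cert("CN=www.example.test", SAMPLE_CA, "a1c", b"constructed-der-leaf-3")
    return [leaf, ISSUING_CA, ROOT]


if __name__ == "__main__":
    bl = sample_blacklist()
    for name, chain in [("blocked leaf", sample_chain_blocked_leaf()),
                        ("rogue intermediate", sample_chain_rogue_intermediate()),
                        ("clean", sample_chain_clean())]:
        hits = blocked_in_chain(chain, bl)
        print(f"{name}: {'REJECT ' + str(hits) if hits else 'accept'}")
```

The point the check makes concrete is the one behind this advisory: revocation by blacklist is applied to every certificate in the chain and is independent of whether the CA remains in the trust store, and serial numbers must be canonicalised before comparison or a leading `00` or different letter case will let a listed certificate slip past.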
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-23 06:29:16 UTC
www-client/seamonkey{,-bin}-2.0.13 bumped
Comment 2 Agostino Sarubbo gentoo-dev 2011-03-24 18:03:40 UTC
Please also bump icecat, it is available ;)
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-25 06:39:30 UTC
net-libs/xulrunner-1.9.2.16 and www-client/icecat-3.6.16 bumped
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-25 07:18:37 UTC
Thanks, folks. Are we able to bump firefox too?
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-25 07:36:46 UTC
(In reply to comment #4)
> Thanks, folks. Are we able to bump firefox too?

Dunno what Anarchy plans for firefox now that ff-4 is available. I bumped icecat-3.6 because there's only a rc1 available of icecat-4.
I'd say let's wait for Anarchy's input :)
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-25 15:04:52 UTC
13:33:00 < Anarchy> Poly-C_atwork, go ahead with firefox-3.6.16 I am not ready for firefox-4 to go stable by any means.

www-client/firefox{,-bin}-3.6.16 bumped. Sorry for the delay.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-03-25 16:09:35 UTC
(In reply to comment #6)
>
> www-client/firefox{,-bin}-3.6.16 bumped. Sorry for the delay.

Thanks, and np.

Arches, please test and mark stable:
=www-client/firefox-3.6.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.16
Target keywords : "amd64 x86"

=www-client/icecat-3.6.16
Target keywords : "amd64 ppc ppc64 x86"

=www-client/seamonkey-2.0.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.13
Target keywords : "amd64 x86"

=net-libs/xulrunner-1.9.2.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2011-03-25 17:46:22 UTC
amd64 ok
Comment 9 Christoph Mende (RETIRED) gentoo-dev 2011-03-25 18:11:02 UTC
amd64 done, thanks Agostino
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-26 11:03:40 UTC
Created attachment 267261 [details]
build.log XULRunner

Fails here with all USE flags enabled, will build with other combinations:


Portage 2.1.9.42 (default/linux/x86/10.0/desktop, gcc-4.4.5, glibc-2.11.3-r0, 2.6.36-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-i686-AMD_Athlon-tm-_X2_Dual_Core_Processor_BE-2400-with-gentoo-1.12.14
Timestamp of tree: Fri, 25 Mar 2011 23:00:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r2, 3.1.3-r1
dev-util/ccache:     2.4-r9
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -msse3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/lib/fax /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb /var/qmail/alias /var/qmail/control /var/spool/fax/etc /var/spool/torque /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/games/angband/edit/ /etc/gconf /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon-xp -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aiglx alsa applet artworkextra asf astribank audiofile bash-completion berkdb bidi bluetooth bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli compat console consolekit cracklib crypt css cups curl custom-cflags cxx dbus deskbar dga directfb divx4linux dri dts dvd dvdr dvdread dvi emacs emboss encode evince exif extensions fam fat fbcon fbcondecor fdftk ffmpeg fontconfig foomaticdb fortran ftp gb gcj gdbm gdu gif glitz gphoto2 gpm gsf gtk gtk2 gtkhtml hal howl iconv icq icu idn imagemagick imlib ipv6 java javascript jpeg jpeg2k kde kpathsea libnotify libotf lm_sensors mad matroska melt mikmod mime mjpeg mmx mmxext mng modules mp3 mp4 mpeg mpeg2 mudflap mule mysql ncurses networking nforce2 nls noaudio nocardbus novideo nowebdav nptl nptlonly nss objc objc++ objc-gc ocamlopt offensive ogg opengl openmp pam pango passwordsave pcre pdf perl plotutils pmu png policykit ppds pppd prediction preview-latex print publishers python qt-static qt3support qt4 readline reports run-as-root samba sdk sdl secure-delete semantic-desktop session slang smp spell sse ssl startup-notification static-analyzer svg svga sysfs t1lib tcpd theora threads thumbnailing tiff tk toolkit-scroll-bars totem truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x264 x86 xcb xface xft xml xorg xosd xpm xulrunner xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation 
rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" NGINX_MODULES_HTTP="perl" PHP_TARGETS="php5-3 php5-2" RUBY_TARGETS="jruby ruby18 ree18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 11 Jory A. Pratt gentoo-dev 2011-03-26 12:56:04 UTC
(In reply to comment #10)
> Created attachment 267261 [details]
> build.log XULRunner
> 
> Fails here with all USE flags enabled, will build with other combinations:
> 
> 
> Portage 2.1.9.42 (default/linux/x86/10.0/desktop, gcc-4.4.5, glibc-2.11.3-r0,
> 2.6.36-gentoo-r5 i686)
> =================================================================
> System uname:
> Linux-2.6.36-gentoo-r5-i686-AMD_Athlon-tm-_X2_Dual_Core_Processor_BE-2400-with-gentoo-1.12.14
> Timestamp of tree: Fri, 25 Mar 2011 23:00:01 +0000
> distcc 3.1 i686-pc-linux-gnu [disabled]
> ccache version 2.4 [enabled]
> app-shells/bash:     4.1_p9
> dev-java/java-config: 2.1.11-r3
> dev-lang/python:     2.6.6-r2, 3.1.3-r1
> dev-util/ccache:     2.4-r9
> dev-util/cmake:      2.8.1-r2
> sys-apps/baselayout: 1.12.14-r1
> sys-apps/sandbox:    2.4
> sys-devel/autoconf:  2.13, 2.65-r1
> sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3,
> 1.10.3, 1.11.1
> sys-devel/binutils:  2.20.1-r1
> sys-devel/gcc:       4.3.4, 4.4.5
> sys-devel/gcc-config: 1.4.1
> sys-devel/libtool:   2.2.10
> sys-devel/make:      3.81-r2
> virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
> ACCEPT_KEYWORDS="x86"
> ACCEPT_LICENSE="*"
> CBUILD="i686-pc-linux-gnu"
> CFLAGS="-O2 -march=athlon-xp -pipe -msse3"
> CHOST="i686-pc-linux-gnu"
> CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config
> /usr/lib/fax /usr/share/config /usr/share/gnupg/qualified.txt
> /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb /var/qmail/alias
> /var/qmail/control /var/spool/fax/etc /var/spool/torque /var/vpopmail/etc"
> CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
> /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/games/angband/edit/
> /etc/gconf /etc/php/apache2-php5.2/ext-active/
> /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/
> /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/
> /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash
> /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d
> /etc/texmf/updmap.d /etc/texmf/web2c"
> CXXFLAGS="-O2 -march=athlon-xp -pipe -msse3"
> DISTDIR="/usr/portage/distfiles"
> FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages
> metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict
> unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
> FFLAGS=""
> GENTOO_MIRRORS="http://distfiles.gentoo.org"
> LANG="de_DE.utf8"
> LC_ALL="de_DE.utf8"
> LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
> LINGUAS="de"
> MAKEOPTS="-j3"
> PKGDIR="/usr/portage/packages"
> PORTAGE_CONFIGROOT="/"
> PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
> --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
> --exclude=/local --exclude=/packages"
> PORTAGE_TMPDIR="/var/tmp"
> PORTDIR="/usr/portage"
> PORTDIR_OVERLAY="/usr/local/portage"
> SYNC="rsync://rsync.gentoo.org/gentoo-portage"
> USE="3dnow 3dnowext X a52 aac aiglx alsa applet artworkextra asf astribank
> audiofile bash-completion berkdb bidi bluetooth bogofilter bootsplash branding
> bzip2 cairo ccache cdda cddb cdparanoia cdr cli compat console consolekit
> cracklib crypt css cups curl custom-cflags cxx dbus deskbar dga directfb
> divx4linux dri dts dvd dvdr dvdread dvi emacs emboss encode evince exif
> extensions fam fat fbcon fbcondecor fdftk ffmpeg fontconfig foomaticdb fortran
> ftp gb gcj gdbm gdu gif glitz gphoto2 gpm gsf gtk gtk2 gtkhtml hal howl iconv
> icq icu idn imagemagick imlib ipv6 java javascript jpeg jpeg2k kde kpathsea
> libnotify libotf lm_sensors mad matroska melt mikmod mime mjpeg mmx mmxext mng
> modules mp3 mp4 mpeg mpeg2 mudflap mule mysql ncurses networking nforce2 nls
> noaudio nocardbus novideo nowebdav nptl nptlonly nss objc objc++ objc-gc
> ocamlopt offensive ogg opengl openmp pam pango passwordsave pcre pdf perl
> plotutils pmu png policykit ppds pppd prediction preview-latex print publishers
> python qt-static qt3support qt4 readline reports run-as-root samba sdk sdl
> secure-delete semantic-desktop session slang smp spell sse ssl
> startup-notification static-analyzer svg svga sysfs t1lib tcpd theora threads
> thumbnailing tiff tk toolkit-scroll-bars totem truetype truetype-fonts
> type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf
> wxwindows x264 x86 xcb xface xft xml xorg xosd xpm xulrunner xv xvid zlib"
> ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
> empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul
> mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions
> alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file
> authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user
> autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires
> ext_filter file_cache filter headers include info log_config logio mem_cache
> mime mime_magic negotiation rewrite setenvif speling status unique_id userdir
> usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load
> memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm
> earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip
> navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing
> tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux"
> LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
> text" LINGUAS="de" LIRC_DEVICES="atiusb" NGINX_MODULES_HTTP="perl"
> PHP_TARGETS="php5-3 php5-2" RUBY_TARGETS="jruby ruby18 ree18" USERLAND="GNU"
> VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2
> ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal
> rawnat logmark ipmark dhcpmac delude chaos account" 
> Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK,
> PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
> PORTAGE_RSYNC_EXTRA_OPTS

Something is wrong with your nspr install, once you fix it you will fix the undefines.
Comment 12 Brent Baude (RETIRED) gentoo-dev 2011-03-26 14:48:07 UTC
ppc and ppc64 done
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-26 16:57:41 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > Created attachment 267261 [details]
> > build.log XULRunner
> > 
> > Fails here with all USE flags enabled, will build with other combinations:
[...]
> Something is wrong with your nspr install, once you fix it you will fix the
> undefines.

It fails with USE=debug on XULRunner only. Even if nspr is built with USE=debug.
Comment 14 Alex Buell 2011-03-28 15:58:25 UTC
Tested on SPARC. If I remove the following

 # very ugly hack to make firefox not sigbus on sparc
    use sparc && { sed -e 's/Firefox/FirefoxGentoo/g' \
                     -i "${ED}/${MOZILLA_FIVE_HOME}/application.ini" || \
                     die "sparc sed failed"; }

I find that firefox works most of the time. It's a big improvement on previous versions but it's not quite there yet. If it crashes on trying to load a page, I find pressing ESCAPE just before it loads the page prevents the crash.

I'm of the opinion that the fugly hack really isn't necessary, and with the hack in place it can't load its default home page on start up, nor access the add-ons/extensions either.
Comment 15 Jeroen Roovers gentoo-dev 2011-04-02 17:38:49 UTC
Seeing a slight delay here on HPPA as inexplicably, an important exception to the optimisation logic got recently removed without approval:

@@ -82,9 +125,7 @@
 	####################################
 
 	# Set optimization level
-	if [[ ${ARCH} == hppa ]]; then
-		mozconfig_annotate "more than -O0 causes segfaults on hppa" --enable-optimize=-O0
-	elif [[ ${ARCH} == x86 ]]; then
+	if [[ ${ARCH} == x86 ]]; then
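Review bot: the hunk drops the `if [[ ${ARCH} == hppa ]]` branch together with its annotation `more than -O0 causes segfaults on hppa`, and the replacement `if [[ ${ARCH} == x86 ]]; then` leaves no hppa-specific case at all, so hppa builds silently lose the -O0 workaround the comment says they need. Either keep the hppa branch ahead of the x86 test or record in the commit why the -O0 exception is no longer required; a platform-specific crash workaround should not disappear as a side effect of restructuring the conditional.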

Having put that back, I am now building and testing again.
Comment 16 Jeroen Roovers gentoo-dev 2011-04-04 00:57:38 UTC
Stable for HPPA.
Comment 17 Andreas Schürch gentoo-dev 2011-04-05 04:49:49 UTC
I do not get any errors anymore here on x86.

BTW: Current stable is broken right now, as firefox 3.5.15 got removed from releases.mozilla.org!
Comment 18 Markus Meier gentoo-dev 2011-04-05 05:31:16 UTC
arm stable
Comment 19 Stefan Lucke 2011-04-08 17:00:05 UTC
Which tests are required to get firefox-bin-3.6.16 stable on the x86 platform??
The security fix was published by the vendor on 2011-03-22:
https://developer.mozilla.org/devnews/index.php/2011/03/22/firefox-3-6-16-and-3-5-18-security-updates-now-available/
Comment 20 Thomas Kahle (RETIRED) gentoo-dev 2011-04-08 21:25:47 UTC
x86 stable b/c it is urgent.  Thanks everyone
Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2011-04-10 11:29:52 UTC
alpha/ia64/sparc stable, for sparc I haven't done xulrunner/firefox since it sigbuses...
Comment 22 Tim Sammut (RETIRED) gentoo-dev 2011-04-10 14:25:18 UTC
Thanks, folks. GLSA Vote: yes.
Comment 23 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:06:30 UTC
Vote: YES. Added to pending GLSA request.
Comment 24 Jory A. Pratt gentoo-dev 2011-10-31 21:54:51 UTC
mozilla team is out of here.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:36 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).