Multiple vulnerabilities discovered in Mozilla products.
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
http://www.mozilla.org/security/announce/2012/mfsa2012-03.html
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
http://www.mozilla.org/security/announce/2012/mfsa2012-05.html
http://www.mozilla.org/security/announce/2012/mfsa2012-06.html
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
Fixed in:
Firefox 10.0
Thunderbird 10.0
SeaMonkey 2.7
Icecat 10.0
Can you update the firefox ebuild from 9.0 to 10.0? Otherwise, how can the test be done?
All these will be added once the mozlinguas.eclass RFC on gentoo-dev ML is complete. Should be just 24 hrs from now. In the meantime, they can be found in the mozilla overlay.
ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at the same time. This will resolve a lot of problems with people using ca certs in mozilla products.
(In reply to comment #3)
> ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at
> the same time. This will resolve a lot of problems with people using ca certs in
> mozilla products.
Missing still:
=mail-client/thunderbird-10
=www-client/seamonkey-2.7
Missing also icecat but is not your fault, upstream has not yet released
(In reply to comment #4)
> (In reply to comment #3)
> > ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at
> > the same time. This will resolve a lot of problems with people using ca certs in
> > mozilla products.
>
> Missing still:
>
> =mail-client/thunderbird-10
> =www-client/seamonkey-2.7
>
> Missing also icecat but is not your fault, upstream has not yet released
tb-10 is available; seamonkey will be a bit, as we are having to work out a few major regressions. icecat will follow as soon as an official release is made; if one is not made soon, will p.mask for removal.
Arches, please stabilize:
=www-client/firefox-10.0
Target keywords : "alpha amd64 arm ia64 ppc x86"
=www-client/firefox-bin-10.0
Target keywords : "amd64 x86"
=mail-client/thunderbird-10.0
Target keywords : "alpha amd64 x86"
=mail-client/thunderbird-bin-10.0
Target keywords : "amd64 x86"
=dev-libs/nss-3.13.1-r2
Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
x86 result: firefox(-bin)-10.0: ok, thunderbird unknown (I tested now)
(In reply to comment #6)
> Arches, please stabilize:
>
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
>
> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"
>
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"
>
> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"
>
> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
dev-libs/nss-3.13.1-r2: x86 stable
www-client/firefox-10.0: x86 stable
mail-client/thunderbird-10.0: x86 stable
(In reply to comment #6)
> Arches, please stabilize:
>
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
amd64 ok.
> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"
amd64 ok.
> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
amd64 ok.
(In reply to comment #6)
> Arches, please stabilize:
>
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"
amd64 ok.
> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"
amd64 ok.
amd64: =www-client/firefox-bin-10.0 pass
Bug 391889 is still present
Maurizio, that applies to thunderbird 9.0, yes?
@Aaron Bauman it's the same problem since version 8.0, and it's still present in version 10.0
And Bug 398389 is also still present: thunderbird fails to compile with USE debug enabled. Just to inform; I know that this kind of problem won't block a stabilization for security bugs ;)
(In reply to comment #6)
> Arches, please stabilize:
>
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
>
> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"
>
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"
>
> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"
>
> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
Apart from the two little problems reported above, for everything else amd64 is ok for all
Icecat released.
arches, this is a complete list:
=www-client/firefox-10.0
Target keywords : "alpha amd64 arm ia64 ppc x86"
=www-client/firefox-bin-10.0
Target keywords : "amd64 x86"
=mail-client/thunderbird-10.0
Target keywords : "alpha amd64 x86"
=mail-client/thunderbird-bin-10.0
Target keywords : "amd64 x86"
=dev-libs/nss-3.13.1-r2
Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
=www-client/seamonkey-2.7
Target keywords : "alpha amd64 arm ppc x86"
=www-client/seamonkey-bin-2.7
Target keywords : "amd64 x86"
=media-libs/libvpx-0.9.7-r1
Target keywords : "alpha amd64 arm ia64 ppc x86"
=www-client/icecat-10.0
Target keywords : "amd64 ppc x86"
(In reply to comment #18)
> =www-client/icecat-10.0
> Target keywords : "amd64 ppc x86"
amd64 ok.
hold the stabilizations, we are rolling 10.0.1 which will address security issues.
Arches, we will continue in bug 403183
CVE-2012-0449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0449): Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document.
CVE-2012-0446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0446): Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to inject arbitrary web script or HTML via a (1) web page or (2) Firefox extension, related to improper enforcement of XPConnect security restrictions for frame scripts that call untrusted objects.
CVE-2012-0445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0445): Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to bypass the HTML5 frame-navigation policy and replace arbitrary sub-frames by creating a form submission target with a sub-frame's name attribute.
CVE-2012-0444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0444): Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.
CVE-2012-0443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0443): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-3659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3659): Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 might allow remote attackers to execute arbitrary code via vectors related to incorrect AttributeChildRemoved notifications that affect access to removed nsDOMAttribute child nodes.
CVE-2012-0450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0450): Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations.
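A defender-side check for the weak-permission condition described in CVE-2012-0450, as an added example that is not part of the original bug thread. It assumes the saved key file still has the name given in the CVE text and sits somewhere under the directory passed as the first argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit saved Firefox Sync recovery keys for the weak file
# permissions described in CVE-2012-0450.
# Assumption: the file keeps the name from the CVE text; the directory to
# search (for example /home) is supplied by the caller.

KEY_NAME='Firefox Recovery Key.html'

# Print every recovery-key file under $1 that group or other users can read.
find_exposed_keys() {
    find "$1" -type f -name "$KEY_NAME" \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null
}

# Report exposed files; return 0 when none are found, 1 otherwise.
audit_keys() {
    exposed=$(find_exposed_keys "$1")
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf 'readable by group/other: %s\n' "$exposed"
    return 1
}

# Restrict every exposed file to owner read/write (0600) and report it.
fix_exposed_keys() {
    find_exposed_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Usage: sh audit_recovery_key.sh /home
if [ "$#" -gt 0 ]; then
    audit_keys "$1"
fi
```

Upgrading to a fixed version does not change the mode of a key file that was already written, so files saved by an affected version still need the audit.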
CVE-2012-0442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0442): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).