https://www.mozilla.org/security/announce/ MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer MFSA 2013-27 Phishing on HTTPS connection through malicious proxy MFSA 2013-26 Use-after-free in nsImageLoadingContent MFSA 2013-25 Privacy leak in JavaScript Workers MFSA 2013-24 Web content bypass of COW and SOW security wrappers MFSA 2013-23 Wrapped WebIDL objects can be wrapped again MFSA 2013-22 Out-of-bounds read in image rendering MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
All relevant *-bin versions are in the tree now. Enjoy. Source versions will likely follow shortly.
Someone with the appropriate rights might want to link bug #458378 to this one. I tested the source version with the 17.0.2 ebuild and it works so far on AMD64.
*** Bug 458378 has been marked as a duplicate of this bug. ***
CVE-2013-0784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0784): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2013-0783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0783): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2013-0782 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0782): Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2013-0781 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0781): Use-after-free vulnerability in the nsPrintEngine::CommonPrint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2013-0780 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0780): Use-after-free vulnerability in the nsOverflowContinuationTracker::Finish function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted document that uses Cascading Style Sheets (CSS) -moz-column-* properties. CVE-2013-0779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0779): The nsCodingStateMachine::NextState function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2013-0778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0778): The ClusterIterator::NextCluster function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2013-0777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0777): Use-after-free vulnerability in the nsDisplayBoxShadowOuter::Paint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2013-0776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0776): Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow man-in-the-middle attackers to spoof the address bar by operating a proxy server that provides a 407 HTTP status code accompanied by web script, as demonstrated by a phishing attack on an HTTPS site. CVE-2013-0775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0775): Use-after-free vulnerability in the nsImageLoadingContent::OnStopContainer function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via crafted web script. CVE-2013-0774 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0774): Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors. CVE-2013-0773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0773): The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. CVE-2013-0772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0772): The RasterImage::DrawFrameTo function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) via a crafted GIF image. CVE-2013-0765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0765): Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 do not prevent multiple wrapping of WebIDL objects, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
+*seamonkey-2.16 (21 Feb 2013) + + 21 Feb 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.16.ebuild: + Security bump (bug #458390). +
+*firefox-19.0 (22 Feb 2013) +*firefox-17.0.3 (22 Feb 2013) + + 22 Feb 2013; Lars Wendler <polynomial-c@gentoo.org> -firefox-10.0.6.ebuild, + -firefox-10.0.7.ebuild, -firefox-10.0.9.ebuild, -firefox-10.0.10.ebuild, + +firefox-17.0.3.ebuild, +firefox-19.0.ebuild: + Security bump (bug #458390). Removed old. + +*thunderbird-17.0.3 (22 Feb 2013) + + 22 Feb 2013; Lars Wendler <polynomial-c@gentoo.org> + -thunderbird-10.0.6.ebuild, -thunderbird-10.0.7.ebuild, + -thunderbird-10.0.10.ebuild, +thunderbird-17.0.3.ebuild: + Security bump (bug #458390). Removed old. +
Bring in the archs when ready?
Arches please test and mark stable the following packages. mail-client/thunderbird-17.0.3 Target KEYWORDS are: ~alpha amd64 arm ppc ppc64 x86 ~x86-fbsd ~amd64-linux ~x86-linux mail-client/thunderbird-bin-17.0.3 Target KEYWORDS are: amd64 x86 www-client/firefox-17.0.3 Target KEYWORDS are: alpha amd64 arm ia64 ppc ppc64 x86 ~amd64-linux ~x86-linux www-client/firefox-bin-17.0.3 Target KEYWORDS are: amd64 x86 www-client/seamonkey-2.16 Target KEYWORDS are: amd64 ~arm ~ppc ~ppc64 x86 www-client/seamonkey-bin-2.16 Target KEYWORDS are: amd64 x86
ppc stable
ppc64 stable
amd64 stable
x86 stable
amd64/x86 not done at all. I accidentally marked stable seamonkey which fails to compile.
arm stable
alpha and ia64 will continue in bug 458390.
This issue was resolved and addressed in GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml by GLSA coordinator Chris Reffett (creffett).
