Bug 564818 - <www-client/firefox{,-bin}-{38.4.0,42.0}: multiple vulnerabilities (CVE-2015-{4513,4514,4515,4518,7187,7188,7189,7193,7194,7195,7196,7197,7198,7199,7181,7182,7183,7200})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Reported: 2015-11-03 17:25 UTC by Nikolay Edigaryev
Modified: 2015-12-30 15:53 UTC
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 22:01:29 UTC
CVE-2015-4513 (38.4/42)
CVE-2015-4514 (38.4/42)
CVE-2015-4515 (42)
CVE-2015-4518 (42)
CVE-2015-7185 (42)
CVE-2015-7186 (42)
CVE-2015-7187 (42)
CVE-2015-7188 (38.4/42)
CVE-2015-7189 (38.4/42)
CVE-2015-7190 (42)
CVE-2015-7191 (42)
CVE-2015-7192 (42)
CVE-2015-7193 (38.4/42)
CVE-2015-7194 (38.4/42)
CVE-2015-7195 (42)
CVE-2015-7196 (38.4/42)
CVE-2015-7197 (38.4/42)
CVE-2015-7198 (38.4/42)
CVE-2015-7199 (38.4/42)
CVE-2015-7181 (38.4/42)
CVE-2015-7182 (38.4/42)
CVE-2015-7183 (38.4/42)
CVE-2015-7200 (38.4/42)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 22:32:38 UTC
Removing some of the Android CVEs
Comment 3 tt_1 2015-11-04 22:02:41 UTC
The patch 8011_bug1194520-freetype261_until_moz43.patch has to be removed from the firefox-patches tarball for firefox-38.4.0-esr, because it has been fixed upstream meanwhile. See
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2015-11-05 02:23:32 UTC
www-client/firefox{,-bin}-{38.4,42}.0 are in the tree now (and the unnecessary patch has now been excluded from the 38.4 ebuild as well)

www-client/firefox-bin-38.4.0 can be stabilized right away, but www-client/firefox-38.4.0 requires the stabilization of nspr and nss as per bug 564834.

Thunderbird packages have not yet been rolled/released upstream, and seamonkey is likely delayed similarly.  Will get those into the tree as soon as they are available.
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-06 15:35:40 UTC
amd64/x86 stable

For the remaining stabilization:

Arches, please test and mark stable:
Target keywords : "hppa ppc ppc64"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-08 11:15:16 UTC
Stable for PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-09 08:54:45 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-11 04:44:04 UTC
Stable for HPPA.
Comment 9 Christian Tietz 2015-12-01 23:51:30 UTC
=mail-client/thunderbird-38.4.0 has hit the tree. Please mark stable soon, as this is security-related as well.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:32:53 UTC
Please file a separate bug for Thunderbird, as the stabilization for Firefox is completed.

Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:33:59 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 15:53:12 UTC
This issue was resolved and addressed in
 GLSA 201512-10 at
by GLSA coordinator Yury German (BlueKnight).