Bug 98846 - www-client/mozilla{-bin} 1.7.10 fixes multiple vulnerabilities
Summary: www-client/mozilla{-bin} 1.7.10 fixes multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa] dercorny
Duplicates: 96682
Reported: 2005-07-12 22:07 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-07-26 12:44 UTC
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-07-12 22:07:29 UTC
Fixed in Firefox 1.0.5
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-12 22:18:34 UTC
Mozilla, please provide updated ebuilds.

MFSA 2005-51 The return of frame-injection spoofing fixes bug #95199
MFSA 2005-54 Javascript prompt origin spoofing fixes bug #96682

Mozilla Suite is also affected:

Fixed in Mozilla 1.7.9
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities

And according to one of the advisories, some issues apply to Thunderbird as
well and are fixed in 1.0.5 (i.e. MFSA 2005-46), but there it is still not
listed on the security page.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 01:00:59 UTC
We'll keep this one for Mozilla suite only.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 01:09:33 UTC
*** Bug 96682 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-07-14 03:41:11 UTC
Mozilla team, please bump both mozilla and mozilla-bin to 1.7.9
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-07-14 03:50:44 UTC
Oops. Sorry, apparently it's not out yet. Got confused by their advisories.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-21 13:14:04 UTC
Mozilla Suite 1.7.10 released. Mozilla team, please bump - thx!
Comment 7 Jory A. Pratt 2005-07-21 14:43:41 UTC
I have committed the ebuild. Aron wants to make some changes before we move
forward so we do not have a conflict of files. As soon as that is done we will
be able to roll out for stable testing, I believe.
Comment 8 Jory A. Pratt 2005-07-21 18:09:36 UTC
Aight, this is ready for testing; if we can move for ~arch testing, I would
appreciate it. If all goes well we could call for stable tomorrow morning, after
agriffis, az and anyone else in mozilla herd has had a chance to discuss this.
Comment 9 Chris Gianelloni (RETIRED) gentoo-dev 2005-07-22 06:04:41 UTC
You need to CC the arches that need to test it...

I'm adding them now
Comment 10 Stephen Becker (RETIRED) gentoo-dev 2005-07-22 06:34:02 UTC
mozilla does not work on mips, removing mips from CC
Comment 11 Herbie Hopkins (RETIRED) gentoo-dev 2005-07-22 07:01:12 UTC
It seems mozilla-bin-1.7.10 has not been committed yet.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 07:23:25 UTC
Removing arches, the -bin ebuild is missing and the other one seems, according
to several complaints, to be broken. Waiting for someone from mozilla herd to
give the final go-go.
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 07:24:35 UTC
ouh yeah, /me dumb....
Comment 14 Jory A. Pratt 2005-07-22 14:59:33 UTC
All major issues resolved, -bin is in the tree, adding archs back; we can
stabilize, as I was informed by agriffis.

BIN = amd64 x86
SOURCE = ppc amd64 sparc ia64 alpha hppa x86
Comment 15 Jory A. Pratt 2005-07-22 15:04:31 UTC
we are looking for mozilla-launcher 1.39 to be marked stable with this. I will
tell you tho 1.41 is ideal as it has fixed the plugins issues.
Comment 16 Aron Griffis (RETIRED) gentoo-dev 2005-07-22 15:16:07 UTC
alpha, amd64, ia64, x86 finished
mozilla-launcher-1.41 is also marked stable on all arches, so nobody needs to
bother with that.
Comment 17 Jory A. Pratt 2005-07-22 15:58:50 UTC
Stable on ppc
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2005-07-23 07:11:28 UTC
Stable on hppa
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-23 11:02:00 UTC
sparc stable.
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-23 11:05:30 UTC
Ready for GLSA.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-26 12:44:38 UTC
GLSA 200507-24  
 
Thx everyone.