New Firefox, Thunderbird and SeaMonkey vulnerabilities disclosed:
https://www.mozilla.org/security/announce/2011/mfsa2011-53.html, CVE-2011-3660
https://www.mozilla.org/security/announce/2011/mfsa2011-54.html, CVE-2011-3661
https://www.mozilla.org/security/announce/2011/mfsa2011-55.html, CVE-2011-3658
https://www.mozilla.org/security/announce/2011/mfsa2011-56.html, CVE-2011-3663
https://www.mozilla.org/security/announce/2011/mfsa2011-58.html, CVE-2011-3665
For the record, these two issues appear OSX-specific and do not affect us.
https://www.mozilla.org/security/announce/2011/mfsa2011-57.html, CVE-2011-3664
https://www.mozilla.org/security/announce/2011/mfsa2011-59.html, CVE-2011-3666
*** Bug 395617 has been marked as a duplicate of this bug. ***
Firefox has released version 9.0.1; insert it in Portage to carry out the testing in order to stabilize it.
All CVEs fixed in: Firefox 9.0, Thunderbird 9.0, SeaMonkey 2.6. Upgrade the firefox package to version 9.0.1. I use the x86 platform and version 9.0.1 is: STABLE
*** Bug 396285 has been marked as a duplicate of this bug. ***
I just finished syncing and among other things firefox-9.0 was emerged (I keyword firefox ~amd64 to get the newest one). To my surprise Firefox greeted me with: "Your Firefox is out of date. For security reasons, we recommend upgrading to the latest and greatest version." as 9.0.1 was released in the meantime. Pretty annoying that both my machines wasted 2 hours emerging an old Firefox, even though Mozilla released a newer version already on Dec 21.
(In reply to comment #5)
> I just finished syncing and among other things firefox-9.0 was emerged (I
> keyword firefox ~amd64 to get the newest one). To my surprise Firefox greeted
> me with:
>
> Your Firefox is out of date.
> For security reasons, we recommend upgrading to the latest
> and greatest version.
>
> as 9.0.1 was released in the meantime. Pretty annoying that both my machines
> wasted 2 hours emerging an old Firefox, even though Mozilla released a newer
> version already on Dec 21.
LMAO, the 9.0.1 was a backout patch only and is included in Gentoo's patchset already, so you did not waste anything. If you depend on Mozilla telling you your Firefox is out of date you should use -bin.
Thanks for this nice and sensitive response. ;-) No, I do not "depend" on Mozilla's page, but if the newest Gentoo version of Firefox comes up with a page telling me that it is out of date, then this is not only irritating for me but for most other users, too. I did not have time to look up which patches made 9.0.1 necessary on the Mozilla side and compare this with the Gentoo patchset. I doubt any other user has the time, either. It should be the job of the maintainers to do that and somehow communicate the result to users. A Gentoo-specific firstrun page could help there.
I asked this already in Bug 396285: what is the current state of Thunderbird, and what needs to be done to release the ebuild for 9.0? Any help needed?
(In reply to comment #8)
> I asked this already in Bug 396285: what is the current state of Thunderbird,
> and what needs to be done to release the ebuild for 9.0 ? Any help needed ?
Is already in the tree, security team can take over with calling archs for stable.
Thanks!
(In reply to comment #9)
> Is already in the tree, security team can take over with calling archs for
> stable.
Alright, please keep me honest here. Arches, please test and mark stable:
=www-client/firefox-9.0
Target keywords : "alpha amd64 arm ia64 ppc x86"
=www-client/firefox-bin-9.0.1
Target keywords : "amd64 x86"
=mail-client/thunderbird-9.0
Target keywords : "alpha amd64 x86"
=mail-client/thunderbird-bin-9.0.1
Target keywords : "amd64 x86"
=www-client/seamonkey-2.6.1
Target keywords : "alpha amd64 arm ppc x86"
=www-client/seamonkey-bin-2.6.1
Target keywords : "amd64 x86"
(In reply to comment #11)
> Arches, please test and mark stable:
> =www-client/firefox-9.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
>
> =www-client/firefox-bin-9.0.1
> Target keywords : "amd64 x86"
>
> =mail-client/thunderbird-9.0
> Target keywords : "alpha amd64 x86"
>
> =mail-client/thunderbird-bin-9.0.1
> Target keywords : "amd64 x86"
>
> =www-client/seamonkey-2.6.1
> Target keywords : "alpha amd64 arm ppc x86"
>
> =www-client/seamonkey-bin-2.6.1
> Target keywords : "amd64 x86"
missing:
Arches, please test and mark stable:
=dev-libs/nss-3.13.1-r1
Target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(In reply to comment #12)
> missing:
Thanks, Agostino. I'm trimming your target arches though based on those with the current level of mozilla products keyworded. This brings the current list of packages and arches to:
=www-client/firefox-9.0
Target keywords : "alpha amd64 arm ia64 ppc x86"
=www-client/firefox-bin-9.0.1
Target keywords : "amd64 x86"
=mail-client/thunderbird-9.0
Target keywords : "alpha amd64 x86"
=mail-client/thunderbird-bin-9.0.1
Target keywords : "amd64 x86"
=www-client/seamonkey-2.6.1
Target keywords : "alpha amd64 arm ppc x86"
=www-client/seamonkey-bin-2.6.1
Target keywords : "amd64 x86"
=dev-libs/nss-3.13.1-r1
Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
amd64 ok, except for mail-client/thunderbird-9.0 (bug 398389)
amd64 stable, thanks Maurizio
I use =www-client/firefox-9.0 =mail-client/thunderbird-9.0 for the x86 platform. STABLE
x86 stable
mozilla team is out, readd if needed.
alpha, arm, ia64, ppc, you will continue in bug 401701
CVE-2011-3665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3665): Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an Ogg VIDEO element that is not properly handled after scaling.
CVE-2011-3663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3663): Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to capture keystrokes entered on a web page, even when JavaScript is disabled, by using SVG animation accessKey events within that web page.
CVE-2011-3661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3661): YARR, as used in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript.
CVE-2011-3660 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3660): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 8.0, Thunderbird 5.0 through 8.0, and SeaMonkey before 2.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger a compartment mismatch associated with the nsDOMMessageEvent::GetData function, and unknown other vectors.
CVE-2011-3658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3658): The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.
CVE-2011-4688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4688): Mozilla Firefox 8.0.1 and earlier does not prevent capture of data about the times of Same Origin Policy violations during IFRAME loading attempts, which makes it easier for remote attackers to determine whether a document exists in the browser cache via crafted JavaScript code.
CVE-2011-3866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3866): Mozilla Firefox before 7.0 and SeaMonkey before 2.4 do not properly restrict availability of motion data events, which makes it easier for remote attackers to read keystrokes by leveraging JavaScript code running in a background tab.
CVE-2011-3232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3232): YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, and SeaMonkey before 2.4, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript.
CVE-2011-3005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3005): Use-after-free vulnerability in Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OGG headers in a .ogg file.
CVE-2011-3004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3004): The JSSubScriptLoader in Mozilla Firefox 4.x through 6 and SeaMonkey before 2.4 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior.
CVE-2011-3003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3003): Mozilla Firefox before 7.0 and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unspecified WebGL test case that triggers a memory-allocation error and a resulting out-of-bounds write operation.
CVE-2011-3002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3002): Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox before 7.0 and SeaMonkey before 2.4, does not validate the return value of a GrowAtomTable function call, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a memory-allocation error and a resulting buffer overflow.
CVE-2011-3001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3001): Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent manual add-on installation in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that triggers an unspecified internal error.
CVE-2011-3000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3000): Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values.
CVE-2011-2999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2999): Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170.
CVE-2011-2998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2998): Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via JavaScript code containing a large RegExp expression.
CVE-2011-2997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2997): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2996): Unspecified vulnerability in the plugin API in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2995): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2372): Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site.
CVE-2011-3670 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3670): Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).