SeaMonkey-2.13.1 has broken functionality for editing address book contacts. See upstream: <https://bugzilla.mozilla.org/show_bug.cgi?id=801615> Please consider putting version 2.13.2 in test tree, ASAP.
We are gonna hijack this for security issues as well, both issues are just as important.
MFSA 2012-90 Fixes for Location object issues
MFSA 2012-67 Installer will launch incorrect executable following new installation
CVE-2012-4196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4196): Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 allow remote attackers to bypass the Same Origin Policy and read the Location object via a prototype property-injection attack that defeats certain protection mechanisms for this object.
CVE-2012-4195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4195): The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the calling document and principal in its return value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, and makes it easier for remote attackers to execute arbitrary JavaScript code by leveraging certain add-on behavior.
CVE-2012-4194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4194): Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before 2.13.2 do not prevent use of the valueOf method to shadow the location object (aka window.location), which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a plugin.
Unfortunately I cannot update seamonkey before November 11th because my dev machine doesn't have internet before that date.
Correction: November 9th (not 11th) does my ISP finally set up internet at my new home :-/
I just committed bumps to the ESR source versions: www-client/firefox-10.0.10 and mail-client/thunderbird-10.0.10
Ebuilds for all versions but seamonkey-2.13.2 are now in the tree (I have to leave that one to when PolyC returns). Arches, please test and mark stable:
=www-client/firefox-10.0.10 Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"
=www-client/firefox-bin-10.0.10 Target keywords : "amd64 x86"
=mail-client/thunderbird-10.0.10 Target keywords : "amd64 ppc ppc64 x86"
=mail-client/thunderbird-bin-10.0.10 Target keywords : "amd64 x86"
=www-client/seamonkey-bin-2.13.2 Target keywords : "amd64 x86"
(In reply to comment #6)
> Ebuilds for all versions but seamonkey-2.13.2 are now in the tree (I have to
> leave that one to when PolyC returns).
>
> Arches, please test and mark stable:
>
> =www-client/firefox-10.0.10
> Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"
>
> =www-client/firefox-bin-10.0.10
> Target keywords : "amd64 x86"
>
> =mail-client/thunderbird-10.0.10
> Target keywords : "amd64 ppc ppc64 x86"
>
> =mail-client/thunderbird-bin-10.0.10
> Target keywords : "amd64 x86"
>
> =www-client/seamonkey-bin-2.13.2
> Target keywords : "amd64 x86"
Seamonkey-2.13.2 will be added tomorrow evening, I will step up and make the bump for polynomial until his return.
seamonkey-2.13.2 has been committed to tree.
Complete and updated list:
=www-client/firefox-10.0.10 Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"
=www-client/firefox-bin-10.0.10 Target keywords : "amd64 x86"
=mail-client/thunderbird-10.0.10 Target keywords : "amd64 ppc ppc64 x86"
=mail-client/thunderbird-bin-10.0.10 Target keywords : "amd64 x86"
=www-client/seamonkey-2.13.2 Target keywords : "amd64 x86"
=www-client/seamonkey-bin-2.13.2 Target keywords : "amd64 x86"
=dev-libs/nspr-4.9.2 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" (amd64, hppa, and x86 are already stable)
=dev-libs/nss-3.13.6 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" (amd64, hppa, and x86 are already stable)
amd64: have successfully compiled www-client/firefox-10.0.10 USE="alsa dbus ipc libnotify minimal startup-notification webm" and mail-client/thunderbird-10.0.10 USE="alsa crypt dbus ipc libnotify lightning minimal startup-notification webm" Have successfully tested FF on acid3 tests and thunderbird on my mail boxes. Are such comments of mine useful, or am I just annoying serious guys? Gonna make same comment for my x86 boxes tomorrow.
amd64 stable
*** Bug 442704 has been marked as a duplicate of this bug. ***
Why has thunderbird not been updated to 16.0.2? Firefox has been updated, thunderbird-bin has been updated, thunderbird-ESR has been updated, thunderbird is missing?
(In reply to comment #13)
> Why has thunderbird not been updated to 16.0.2?
> Firefox has been updated, thunderbird-bin has been updated,
> thunderbird-ESR has been updated, thunderbird is missing?
...I don't know. Personally, I've been waiting for a fix that upstream should accept "any day now" for bug 439148 (I wanted to avoid the revbump). But since as of now the ETA for that is still unknown, I guess I'll commit something when I have access again on Monday.
Arches, please continue in bug 444318.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).