Let's get this started... Fixed in Firefox 17.0.8, Thunderbird 17.0.8 MFSA 2013-75 Local Java applets may read contents of local file system MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest MFSA 2013-72 Wrong principal used for validating URI for some Javascript components MFSA 2013-71 Further Privilege escalation through Mozilla Updater MFSA 2013-69 CRMF requests allow for code execution and XSS attacks MFSA 2013-68 Document URI misrepresentation and masquerading MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8) Fixed in SeaMonkey 2.20 MFSA 2013-75 Local Java applets may read contents of local file system MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest MFSA 2013-72 Wrong principal used for validating URI for some Javascript components MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes MFSA 2013-69 CRMF requests allow for code execution and XSS attacks MFSA 2013-68 Document URI misrepresentation and masquerading MFSA 2013-67 Crash during WAV audio file decoding MFSA 2013-65 Buffer underflow when generating CRMF requests MFSA 2013-64 Use after free mutating DOM during SetBody MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
+*seamonkey-2.20 (07 Aug 2013) + + 07 Aug 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.20.ebuild: + Security bump (bug #479968). +
Feel free to proceed, we will need to ensure nss-3.15, Please stabilize 3.15.1 which will require the stabilization of nspr-4.10 at same time.
Since the devs seem to have forgotten about the bug... *firefox-17.0.8 (07 Aug 2013) *firefox-23.0 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +firefox-17.0.8.ebuild, +firefox-23.0.ebuild, -firefox-21.0.ebuild, -firefox-22.0.ebuild: Security bump, bug #479968 *firefox-bin-23.0 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +firefox-bin-23.0.ebuild, -firefox-bin-20.0.1.ebuild, -firefox-bin-21.0.ebuild, -firefox-bin-22.0.ebuild: version bump for security bug #479968 *firefox-bin-17.0.8 (07 Aug 2013) 07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +firefox-bin-17.0.8.ebuild: version bump for security bug #479968 27 Jun 2013; Agostino Sarubbo <ago@gentoo.org> firefox-bin-17.0.7.ebuild: Stable for x86, wrt bug #474758 *thunderbird-17.0.8 (07 Aug 2013) 07 Aug 2013; <anarchy@gentoo.org> +thunderbird-17.0.8.ebuild: Security bump, bug #479968 *thunderbird-bin-17.0.8 (07 Aug 2013) 07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +thunderbird-bin-17.0.8.ebuild: version bump for security bug #479968 Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not relevant to the stabilization. CCing arches, KEYWORDS should be as follows: =www-client/firefox-17.0.7: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-bin-17.0.7: Target KEYWORDS="amd64 x86" =mail-client/thunderbird-17.0.7: Target KEYWORDS="amd64 arm ppc ppc64 x86" =mail-client/thunderbird-bin-17.0.7: Target KEYWORDS="amd64 x86" Hopefully I'm not making too much of an idiot of myself.
(In reply to Alex Xu from comment #3) > Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not > relevant to the stabilization. CCing arches, KEYWORDS should be as follows: > You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the same time. Arch teams please stand by before you begin your work. I will update bug with correct info soon as seamonkey-bin-2.20 is added to tree.
Oh, I have still made an idiot of myself. anarchy@gentoo.org says nss-3.15.1 and nspr-4.10 are needed, so... =dev-libs/nss-3.15.1: Target KEYWORDS="amd64 arm ppc ppc64 x86" =dev-libs/nspr-4.10: Target KEYWORDS="amd64 arm ppc ppc64 x86" Or perhaps they need to both be "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86", as those are the existing KEYWORDS... /me is confused again (In reply to Jory A. Pratt from comment #4) > (In reply to Alex Xu from comment #3) > > > Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not > > relevant to the stabilization. CCing arches, KEYWORDS should be as follows: > > > > You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the > same time. Arch teams please stand by before you begin your work. I will > update bug with correct info soon as seamonkey-bin-2.20 is added to tree. But seamonkey-bin-2.19 is not amd64 x86 stable, and it has critical security issues (according to Mozilla anyways, https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html) too... /me is further confused
@mozilla team Please give the full list in an ordered comment.
=dev-libs/nss-3.15.1-r1: Target KEYWORDS="amd64 arm ppc ppc64 x86" =dev-libs/nspr-4.10: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-17.0.8: Target KEYWORDS="amd64 arm ppc ppc64 x86" =www-client/firefox-bin-17.0.9: Target KEYWORDS="amd64 x86" =mail-client/thunderbird-17.0.8: Target KEYWORDS="amd64 arm ppc ppc64 x86" =mail-client/thunderbird-bin-17.0.8: Target KEYWORDS="amd64 x86" =www-client/seamonkey{-bin}-2.20: Target KEYWORDS="amd64 x86"
(In reply to Jory A. Pratt from comment #7) > =www-client/firefox-bin-17.0.9: typo?
(In reply to Agostino Sarubbo from comment #8) > (In reply to Jory A. Pratt from comment #7) > > =www-client/firefox-bin-17.0.9: > typo? Sorry, it is a type should be firefox-bin-17.0.8
amd64 stable
x86 stable
ppc64 stable
arm stable
ppc stable
CVE-2013-1717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1717): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname. CVE-2013-1714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1714): The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. CVE-2013-1713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1713): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. CVE-2013-1712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1712): Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory. CVE-2013-1710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1710): The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. CVE-2013-1709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1709): Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. CVE-2013-1707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1707): Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service. CVE-2013-1701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1701): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
GLSA request filed.
CVE-2013-1711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1711): The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object. CVE-2013-1708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1708): Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (application crash) via a crafted WAV file that is not properly handled by the nsCString::CharAt function. CVE-2013-1705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1705): Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Certificate Request Message Format (CRMF) request. CVE-2013-1704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1704): Use-after-free vulnerability in the nsINode::GetParentNode function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via vectors involving a DOM modification at the time of a SetBody mutation event. CVE-2013-1702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1702): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
I think that's all of the relevant CVEs. Please disregard CVE-2013-1712, it is Windows-only.
@maintainers: please clean affected versions.
This issue was resolved and addressed in GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml by GLSA coordinator Chris Reffett (creffett).