[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Galeon and Mozilla in woody have security issues

Mozilla and Galeon in woody both suffer from some ugly security flaw.
(Displays wrong SSL certification information!)

Here's an excerpt from mozilla changelog:

mozilla (2:1+rc1-3) unstable; urgency=high

  * Fix 'Reading local files in Netscape 6 and Mozilla'
    - debian/patches/bugzilla141061 (closes: #145355)
mozilla (2:1+rc1-2) unstable; urgency=high
  * added patches
    - debian/patches/bugzilla139948 (closes: #144429)
      SSL Tooltip not updated when going from one ssl site to another.
mozilla (2:1+rc1-1) unstable; urgency=high
    - closes: #143219: Views wrong security info

Galeon is affected by probably all of these as well; I think galeon
1.2.1 at least is required to build with mozilla 1+rc1;
Galeon 1.2.3 is required for mozilla rc3; probably galeon 1.2.5 (galeon
1.2.4 was never released; 1.2.5 added viatnamese translation and a few
small bugfixes (no new features!)) and is probably the best choice for
mozilla 1.0 final.

galeon (1.2.3-2) unstable; urgency=high
  * Upstream fixed in 1.2.3 version:
    - image for submit buttons (Closes: #145818) (security fix)
      don't save image file, could trick the user to overwrite any file

We fixed a major security hole here, that might allow tricking the user
into overwriting any file on his disc (i think without questioning...)...
very ugly.

So galeon and mozilla should be updated to at least 1.2.3 / 1+rc3
and i suggest upgrading to 1.2.5 and 1.0 final

(as galeon 1.2.5 changes are only bug fixes, the debian patch should
apply clean and i don't expect new bugs...)


erich@(mucl.de|debian.org)        --        GPG Key ID: 4B3A135C
A polar bear is a rectangular bear after a coordinate transform.
Die kürzeste Verbindung zwischen zwei Menschen ist ein Lächeln.

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: