Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
I've moved iceowl in squeeze from the comm-zentral 3.0.0 codebase (aka
sunbird 1.0b1) to comm-zentral 3.0.11 (thunderbird 3.0.11). This fixes
quiet some security related issues in the mozilla codebase. With this
change made we can security support iceowl by "simply" using the icedove
tarball as a base since both packages are built from the same
comm-central repository. I tried to keep the packaging changes to a
minimum. Any chance we can push this into squeeze:
iceowl (1.0~b1+dfsg2-1) unstable; urgency=low
* [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
following security bugs:
- MFSA 2010-74 aka CVE-2010-3776, CVE-2010-3778: Miscellaneous memory
safety hazards (rv:1.9.2.13/ 1.9.1.16)
- MFSA 2010-75 aka CVE-2010-3769: Buffer overflow while line breaking
after document.write with long string
- MFSA 2010-78 aka CVE-2010-3768: Add support for OTS font sanitizer
- MFSA 2010-73 aka CVE-2010-3765: Heap buffer overflow mixing
document.write and DOM insertion
- MFSA 2010-64 aka CVE-2010-3174, CVE-2010-3176: Miscellaneous memory
safety hazards (rv:1.9.2.11/ 1.9.1.14)
- MFSA 2010-65 aka CVE-2010-3179: Buffer overflow and memory corruption
using document.write
- MFSA 2010-66 aka CVE-2010-3180: Use-after-free error in nsBarProp
- MFSA 2010-67 aka CVE-2010-3183: Dangling pointer vulnerability in
LookupGetterOrSetter
- MFSA 2010-69 aka CVE-2010-3178: Cross-site information disclosure via
modal calls
- MFSA 2010-71 aka CVE-2010-3182: Unsafe library loading vulnerabilities
- MFSA 2010-49 aka CVE-2010-3169: Miscellaneous memory safety hazards
(rv:1.9.2.9/ 1.9.1.12)
- MFSA 2010-50 aka CVE-2010-2765: Frameset integer overflow vulnerability
- MFSA 2010-51 aka CVE-2010-2767: Dangling pointer vulnerability using DOM
plugin array
- MFSA 2010-53 aka CVE-2010-3166: Heap buffer overflow in
nsTextFrameUtils::TransformText
- MFSA 2010-54 aka CVE-2010-2760: Dangling pointer vulnerability in
nsTreeSelection
- MFSA 2010-55 aka CVE-2010-3168: XUL tree removal crash and remote code
execution
- MFSA 2010-56 ala CVE-2010-3167: Dangling pointer vulnerability in
nsTreeContentView
- MFSA 2010-57 aka CVE-2010-2766: Crash and remote code execution in
normalizeDocument
- MFSA 2010-60 aka CVE-2010-2763: XSS using SJOW scripted function
- MFSA 2010-61 aka CVE-2010-2768: UTF-7 XSS by overriding document charset
using <object> type attribute
- MFSA 2010-62 aka CVE-2010-2769: Copy-and-paste or drag-and-drop into
designMode document allows XSS
- MFSA 2010-63 aka CVE-2010-2764: Information leak via XMLHttpRequest
statusText
- MFSA 2010-34 aka CVE-2010-1211, CVE-2010-1212: Miscellaneous memory
safety hazards (rv:1.9.2.7/ 1.9.1.11)
- MFSA 2010-39 aka CVE-2010-2752: nsCSSValue::Array index integer overflow
- MFSA 2010-40 aka CVE-2010-2753: nsTreeSelection dangling pointer remote
code execution vulnerability
- MFSA 2010-41 aka CVE-2010-1205: Remote code execution using malformed
PNG image
- MFSA 2010-42 aka CVE-2010-1213: Cross-origin data disclosure via Web
Workers and importScripts
- MFSA 2010-46 aka CVE-2010-0654: Cross-domain data theft using CSS
- MFSA 2010-47 aka CVE-2010-2754: Cross-origin data leakage from script
filename in error messages
- MFSA 2010-25 aka CVE-2010-1121: Re-use of freed object due to scope
confusion
- MFSA 2010-26 aka CVE-2010-1200, CVE-2010-1201, CVE-2010-1202: Crashes
with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
- MFSA 2010-29 aka CVE-2010-1196: Heap buffer overflow in
nsGenericDOMDataNode::SetTextInternal
- MFSA 2010-30 aka CVE-2010-1199: Integer Overflow in XSLT Node Sorting
- MFSA 2010-16 aka CVE-2010-0173, CVE-2010-0174: Crashes with evidence of
memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
- MFSA 2010-17 aka CVE-2010-0175: Remote code execution with
use-after-free in nsTreeSelection
- MFSA 2010-18 aka CVE-2010-0176: Dangling pointer vulnerability in
nsTreeContentView
- MFSA 2010-22 aka CVE-2009-3555: Update NSS to support TLS renegotiation
indication
- MFSA 2010-24 aka CVE-2010-0182: XMLDocument::load() doesn't check
nsIContentPolicy
- MFSA 2010-01 aka CVE-2010-0159: Crashes with evidence of memory
corruption (rv:1.9.1.8/ 1.9.0.18)
- MFSA 2010-03 aka CVE-2009-1571: Use-after-free crash in HTML parser
* [fa7095e] Rebase patches for new upstream version
* [3850d60] New patch Don-t-build-unused-bsdiff.patch: Don't build unused
bsdiff
* [7c49fe4] New patch Revert-post-release-version-bump.patch: Revert post
release version bump, this is still 1.0b1
* [bb9e37e] Don't build against the internal libbz2 copy
* [44898c0] Build depend on python-ply
* [321c9cd] Add preview image taken from icedove to replace the non-free
one.
-- Guido Günther <agx@sigxcpu.org> Sun, 16 Jan 2011 20:27:25 +0100
Sorry for being that late,
-- Guido
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: