[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#610292: marked as done (unblock: iceowl/1.0~b1+dfsg2-1)

Your message dated Sun, 30 Jan 2011 16:23:06 +0000
with message-id <1296404586.25651.7846.camel@hathi.jungle.funky-badger.org>
and subject line Re: Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1
has caused the Debian Bug report #610292,
regarding unblock: iceowl/1.0~b1+dfsg2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
610292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610292
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,
I've moved iceowl in squeeze from the comm-zentral 3.0.0 codebase (aka
sunbird 1.0b1) to comm-zentral 3.0.11 (thunderbird 3.0.11). This fixes
quiet some security related issues in the mozilla codebase. With this
change made we can security support iceowl by "simply" using the icedove
tarball as a base since both packages are built from the same
comm-central repository. I tried to keep the packaging changes to a
minimum. Any chance we can push this into squeeze:

iceowl (1.0~b1+dfsg2-1) unstable; urgency=low

  * [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
    following security bugs:
     - MFSA 2010-74 aka CVE-2010-3776, CVE-2010-3778: Miscellaneous memory
       safety hazards (rv:1.9.2.13/ 1.9.1.16)
     - MFSA 2010-75 aka CVE-2010-3769: Buffer overflow while line breaking
       after document.write with long string
     - MFSA 2010-78 aka CVE-2010-3768: Add support for OTS font sanitizer
     - MFSA 2010-73 aka CVE-2010-3765: Heap buffer overflow mixing
       document.write and DOM insertion
     - MFSA 2010-64 aka CVE-2010-3174, CVE-2010-3176: Miscellaneous memory
       safety hazards (rv:1.9.2.11/ 1.9.1.14)
     - MFSA 2010-65 aka CVE-2010-3179: Buffer overflow and memory corruption
       using document.write
     - MFSA 2010-66 aka CVE-2010-3180: Use-after-free error in nsBarProp
     - MFSA 2010-67 aka CVE-2010-3183: Dangling pointer vulnerability in
       LookupGetterOrSetter
     - MFSA 2010-69 aka CVE-2010-3178: Cross-site information disclosure via
       modal calls
     - MFSA 2010-71 aka CVE-2010-3182: Unsafe library loading vulnerabilities
     - MFSA 2010-49 aka CVE-2010-3169: Miscellaneous memory safety hazards
       (rv:1.9.2.9/ 1.9.1.12)
     - MFSA 2010-50 aka CVE-2010-2765: Frameset integer overflow vulnerability
     - MFSA 2010-51 aka CVE-2010-2767: Dangling pointer vulnerability using DOM
       plugin array
     - MFSA 2010-53 aka CVE-2010-3166: Heap buffer overflow in
       nsTextFrameUtils::TransformText
     - MFSA 2010-54 aka CVE-2010-2760: Dangling pointer vulnerability in
       nsTreeSelection
     - MFSA 2010-55 aka CVE-2010-3168: XUL tree removal crash and remote code
       execution
     - MFSA 2010-56 ala CVE-2010-3167: Dangling pointer vulnerability in
       nsTreeContentView
     - MFSA 2010-57 aka CVE-2010-2766: Crash and remote code execution in
       normalizeDocument
     - MFSA 2010-60 aka CVE-2010-2763: XSS using SJOW scripted function
     - MFSA 2010-61 aka CVE-2010-2768: UTF-7 XSS by overriding document charset
       using <object> type attribute
     - MFSA 2010-62 aka CVE-2010-2769: Copy-and-paste or drag-and-drop into
       designMode document allows XSS
     - MFSA 2010-63 aka CVE-2010-2764: Information leak via XMLHttpRequest
       statusText
     - MFSA 2010-34 aka CVE-2010-1211, CVE-2010-1212: Miscellaneous memory
       safety hazards (rv:1.9.2.7/ 1.9.1.11)
     - MFSA 2010-39 aka CVE-2010-2752: nsCSSValue::Array index integer overflow
     - MFSA 2010-40 aka CVE-2010-2753: nsTreeSelection dangling pointer remote
       code execution vulnerability
     - MFSA 2010-41 aka CVE-2010-1205: Remote code execution using malformed
       PNG image
     - MFSA 2010-42 aka CVE-2010-1213: Cross-origin data disclosure via Web
       Workers and importScripts
     - MFSA 2010-46 aka CVE-2010-0654: Cross-domain data theft using CSS
     - MFSA 2010-47 aka CVE-2010-2754: Cross-origin data leakage from script
       filename in error messages
     - MFSA 2010-25 aka CVE-2010-1121: Re-use of freed object due to scope
       confusion
     - MFSA 2010-26 aka CVE-2010-1200, CVE-2010-1201, CVE-2010-1202: Crashes
       with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
     - MFSA 2010-29 aka CVE-2010-1196: Heap buffer overflow in
       nsGenericDOMDataNode::SetTextInternal
     - MFSA 2010-30 aka CVE-2010-1199: Integer Overflow in XSLT Node Sorting
     - MFSA 2010-16 aka CVE-2010-0173, CVE-2010-0174: Crashes with evidence of
       memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
     - MFSA 2010-17 aka CVE-2010-0175: Remote code execution with
       use-after-free in nsTreeSelection
     - MFSA 2010-18 aka CVE-2010-0176: Dangling pointer vulnerability in
       nsTreeContentView
     - MFSA 2010-22 aka CVE-2009-3555: Update NSS to support TLS renegotiation
       indication
     - MFSA 2010-24 aka CVE-2010-0182: XMLDocument::load() doesn't check
       nsIContentPolicy
     - MFSA 2010-01 aka CVE-2010-0159: Crashes with evidence of memory
       corruption (rv:1.9.1.8/ 1.9.0.18)
     - MFSA 2010-03 aka CVE-2009-1571: Use-after-free crash in HTML parser
  * [fa7095e] Rebase patches for new upstream version
  * [3850d60] New patch Don-t-build-unused-bsdiff.patch: Don't build unused
    bsdiff
  * [7c49fe4] New patch Revert-post-release-version-bump.patch: Revert post
    release version bump, this is still 1.0b1
  * [bb9e37e] Don't build against the internal libbz2 copy
  * [44898c0] Build depend on python-ply
  * [321c9cd] Add preview image taken from icedove to replace the non-free
    one.

 -- Guido Günther <agx@sigxcpu.org>  Sun, 16 Jan 2011 20:27:25 +0100

Sorry for being that late,
 -- Guido

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message --- 
On Sun, 2011-01-30 at 16:12 +0100, Guido Günther wrote:
> On Sun, Jan 30, 2011 at 02:30:17PM +0100, Moritz Mühlenhoff wrote:
> > On Sat, Jan 29, 2011 at 07:52:38PM +0100, Guido Günther wrote:
> > > I'm cc'ing Moritz for his opinion on this. With the new version based on
> > > the icedove tarball it would be simple enough to handle the xulrunner
> > > flaws via that path.
> > 
> > If iceowl uses the same Mozilla code base branch as the iceweasel source
> > package (which provides the xulrunner libs in Squeeze) and the iceowl
> > maintainers provide packages, we can fix in security updates. Iceweasel
> > updates are an order of a magnitude more critical, though.
> 
> We use the icedove tarball[1] not the iceweasel one but the effect is
> the basically the same. We can reuse the security work done for icedove.
> Cheers,
>  -- Guido
> 
> [1] since both are based on comm-central

Okay; unblocked.  Let's hope security updates indeed turn out not to be
too painful.

Regards,

Adam

--- End Message ---
Reply to: