Bug 152883
Summary: | Multiple Mozilla vulnerabilities | ||
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | rob <rob.myers> |
Component: | mozilla | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | botsch, deisenst, jpdalbec, marc.deslauriers, michal, mschout, pekkas |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1316 | ||
Whiteboard: | 1, LEGACY, rh73, rh90, 2 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2005-05-18 20:50:45 UTC | Type: | --- |
Description
David Lawrence
2005-03-30 23:30:53 UTC
Here are new mozilla, galeon and epiphany packages to QA:

Changelog 7.3:
* Wed Mar 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.4.4-0.73.1.legacy
- Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- Fix missing icons in desktop files
* Fri Mar 18 2005 Christopher Aillon <caillon> 37:1.4.4-1.2.3
- Rebuild to fix lock icon not working

Changelog 9:
* Thu Mar 24 2005 Marc Deslauriers <marcdeslauriers> 37:1.4.4-0.90.1.legacy
- Update to security release 1.4.4 based on RHEL3 update 37:1.4.4-1.3.5
- Fix for fireflash issue (CAN-2005-0232)
- Fix for GIF overflow issue
* Sun Oct 03 2004 Marc Deslauriers <marcdeslauriers> 37:1.4.3-0.9.1.legacy
- Added backported security fixes from mozilla 1.7.3

Changelog fc1:
* Wed Mar 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.4.4-1.fc1.1.legacy
- Rebuilt as Fedora Legacy update for Fedora Core 1
- Changed useragent vendor tag to Fedora
* Fri Mar 18 2005 Christopher Aillon <caillon> 37:1.4.4-1.3.5
- Rebuild to fix lock icon not working

Source Packages (binaries are in same directory):
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.13-0.7.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.4.4-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.13-0.9.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.4.4-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.4-2.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.4.4-1.fc1.1.legacy.src.rpm

05.16.29 CVE: CAN-2005-0752
Platform: Cross Platform
Title: Mozilla Code Execution, Cross-Site Scripting and Policy Bypass Vulnerabilities
Description: Multiple vulnerabilities have been reported in Mozilla Suite, which can be exploited by attackers to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system. Please check the link below for details on all the issues.
Ref:
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html

05.16.33 CVE: CAN-2005-1156, CAN-2005-1157
Platform: Cross Platform
Title: Mozilla Firefox Search Plug-In Remote Script Code Execution Vulnerability
Description: Mozilla Suite and Firefox are reported to be vulnerable to a remote script code execution issue due to failure of the application to provide secure access validation prior to implementing search plug-ins. Mozilla Browser 1.7.6 and earlier as well as Firefox 1.0.2 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13211

05.16.34 CVE: CAN-2005-1155
Platform: Cross Platform
Title: Mozilla Favicon Link Tag Remote Script Code Execution
Description: Mozilla Suite and Mozilla Firefox are vulnerable to a remote script code execution. The application will execute arbitrary javascript with a "<LINK rel="icon">" tag due to failing to deny remote unauthorized access to trusted local interfaces. Firefox versions 1.0.3 and Mozilla Suite versions 1.7.7 are not vulnerable.
Ref: http://www.mikx.de/firelinking/

05.16.38 CVE: CAN-2005-1153
Platform: Cross Platform
Title: Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code Execution
Description: Mozilla Suite is affected by a remote script code execution vulnerability. Mozilla Browser versions 1.7.6 and earlier, Firefox versions 1.0.2 and earlier and Netscape versions 7.2 and earlier are known to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html

05.16.39 CVE: CAN-2005-1154
Platform: Cross Platform
Title: Mozilla Suite And Firefox Global Scope Pollution Cross-Site Scripting
Description: A remote cross-site scripting vulnerability affects Mozilla Suite and Mozilla Firefox. An attacker may exploit this issue to execute arbitrary script code in the context of a page that is currently being viewed. This may facilitate the theft of cookie based authentication credentials as well as other attacks.
Ref: http://www.mozilla.org/security/announce/mfsa2005-36.html

05.16.41 CVE: CAN-2005-1160
Platform: Cross Platform
Title: Mozilla Suite DOM Code Execution
Description: Both the Mozilla Suite and Firefox are vulnerable to a code execution issue due to the application neglecting to properly verify Document Object Model property values. Firefox version 1.0.3 and Mozilla Suite version 1.7.7 are not vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-41.html

Here are updated mozilla packages to QA for rh73, rh9, fc1 and fc2:

rh7.3 Changelog:
* Thu Apr 28 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.7-0.73.1.legacy
- Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- Fix missing icons in desktop files
* Fri Apr 15 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.2.1
- Update to upstream 1.7.7 security release

rh9 Changelog:
* Fri Apr 29 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.7-0.90.1.legacy
- Rebuilt as a Fedora Legacy update for Red Hat Linux 9
- Disabled desktop-file-utils
- Disabled gtk2
- Added missing BuildRequires
- Force build with gcc296 to remain compatible with plugins
- Added xft font preferences and patch back in
- Removed mozilla-compose.desktop
* Wed Apr 27 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.3.4
- Fix issues with segfaulting on s390x

fc1 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.7-1.1.1.legacy
- Rebuilt as Fedora Legacy update for Fedora Core 1
- Changed useragent vendor tag to Fedora
- Removed Network category from mozilla.desktop
* Wed Apr 27 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.3.4
- Fix issues with segfaulting on s390x

fc2 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.7-1.2.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 2
- Reverted to desktop-file-utils 0.4
- Removed desktop-update-database
- Disabled pango support
* Sat Apr 16 2005 Christopher Aillon <caillon> 37:1.7.7-1.3.1
- Update to 1.7.7
- Add nspr-config 64 bit patch from rstrode
- Fix for some more cursor issues in textareas (149991, 150002, 152089)
- Spec file cleanup

7.3:
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.7-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

9:
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.7-0.90.1.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.7-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.7-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.6.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

QA w/ rpm-build-compare.sh:

Issues noted:

- mozilla-source-1.7.7.tar.bz2 in FC1 package has wrong SHA1 checksum, it appears that this file has been corrupted. OK if replaced with checksum c660db518add97ed54e30a901c1e4e60dbafab3a; otherwise source integrity OK.

- Spec file changes are major, and something is probably going to break. But regardless of this, I think this is the only way to go forward -- make the packages as uniform with RHEL as possible, because we don't have resources to do otherwise. OK. "If it's good enough for RHEL, it should be good enough for us."

- Changes and patches are mainly OK. Two issues:
  * in previous version of RHL9 and in RHEL3 there is mozilla-compose.desktop, but it's removed from here. This has been done on purpose but I can't see why?
  * I couldn't figure out how to verify the mozilla-1.7.7 patch in epiphany 1.0.8. How was it created/where does it come from? Would updating to epiphany 1.2.10 be feasible?

- Naming has one forgotten legacy tag and non-incremental numbering (if we want to care about FC<->RHEL or RHL<->RHEL updates; I don't know if that's the case):

  RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
  RHL9 mozilla-1.7.7-0.90.1.src.rpm <== note, missing ".legacy" !!
  FC1 mozilla-1.7.7-1.1.1.legacy.src.rpm
  RHEL2 mozilla-1.7.7-1.1.2.1.src.rpm
  RHEL3 mozilla-1.7.7-1.1.3.4.src.rpm
  FC2 mozilla-1.7.7-1.2.1.legacy.src.rpm
  FC3 mozilla-1.7.7-1.3.1.src.rpm

All in all, I'd give +PUBLISH for all the mozilla, galeon and devhelp packages (provided that FC1 mozilla .tar.bz2 file is changed to match the abovementioned checksum), but I'd have to understand the epiphany patch more to give publishing it a go..

Could your download have been corrupted? I re-downloaded the src rpm from the ftp site where I put it and the sha1sum of the mozilla tarball is c660db518add97ed54e30a901c1e4e60dbafab3a. Could you double-check please?

mozilla-compose.desktop was removed as the mozilla tarball itself had a "compose mail" desktop file in it. The icon to create a new mail was appearing twice in the menus.

I made the epiphany 1.0.8 patch. It was made by looking at the mozilla API, galeon source code, and newer epiphany source code. AFAICT, no other distro has made a patch for epiphany to make it compatible with mozilla-1.7.7, so there's no way to verify it besides try and use epiphany.
I quickly tested epiphany after making the patch, and it looks ok...but someone who actually uses epiphany will have to check it out thoroughly as I may have screwed something up. (This can be done once it's built for updates-testing though)

Whoops...we'll add the missing legacy tag to the packages when we build them in mach. We usually don't look at the Fedora-RHEL upgrade path as even RH doesn't respect it most of the time.

So the actual releases would be:

  RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
  RHL9 mozilla-1.7.7-0.90.1.src.rpm <== note, missing ".legacy" !!
  FC1 mozilla-1.7.7-1.1.1.legacy.src.rpm
  FC2 mozilla-1.7.7-1.2.1.legacy.src.rpm
  FC3 mozilla-1.7.7-1.3.1.src.rpm

You're correct; my download must have been bad because it verifies OK now.

I wonder about mozilla-compose, because I don't understand why RHEL3 ships it then; maybe they have double icons then, but that's not our problem so it's OK.

I'd really like to find alternative solutions to the epiphany issue. From a quick look, epiphany 1.0.x was designed for gnome 2.4 while epiphany 1.2.x was for gnome 2.6, but I haven't tested; would it be possible to rebuild newer epiphany for FC1? Packages like epiphany are certainly going to cause a lot of maintenance headaches unless we have a better way of dealing with the issues. (Unfortunately this is a more generic issue, because we don't have RHEL versions to use as guidance for FC1/FC2..)

That said, if there is no other option, I can give a PUBLISH for all RHL73, RHL9, FC1, and FC2, but I'd really want to avoid having to write our own patches (and hope they work).

I removed mozilla-compose because there was an error in the spec file. They removed the icon and the source file, but they forgot to remove it from the list of files that is under the conditional include when you don't use desktop-file-utils (which is the case with rh9).

I tried rebuilding epiphany 1.2.x, but it uses a bunch of stuff from Gnome 2.6.
Unfortunately, the easiest solution was to hack epiphany 1.0.x. FC1 looks to be the only distro that uses epiphany 1.0.x and an updated mozilla, so we can't rely on anyone else to help with this. I don't see any other option...unless someone comes up with something (besides drop epiphany altogether...)

OK, let's hope folks will give epiphany an extra try at VERIFY.

+PUBLISH RHL73,RHL9,FC1,FC2

Packages were pushed to updates-testing.

QA on RHL9: I upgraded mozilla, -mail, -nspr, and -nss; all the basic things appear to be working OK. The GPG signature is also good.

+VERIFY RHL9

I haven't figured out how to sign one of these reports with a pgp signature (that I have created), so that signature is not presented here. All Mozilla test updates for FC2 were downloaded, signatures checked, and installed on my system without any problems. Composer was opened and closed. Mail and Browser have been used for two days with no apparent problems. (Neither plugins nor Java are installed.) A mix of more than 40 retail outlet, opensource, and Commercial computer support provider sites were visited without observing any behaviors that differed from the previous version of Mozilla installed on this FC2 system.

FC2 + verify

The wiki is down, unfortunately, it'd have told you to sign using 'gpg --clearsign'. Please also send a "self-introduction" on the list if you haven't already. There are a couple of examples of this in the list archives.
7.3 Verify:

signatures:
mozilla-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
galeon-1.2.14-0.73.2.legacy.i386.rpm: md5 gpg OK

"yum update mozilla\* galeon" completes without errors or warnings. Mozilla appears to be functioning normally. I opened it up and used it to look at several sites to test.

+VERIFY RHL7.3

FC1 verify

signatures:
mozilla-1.7.7-1.1.2.legacy.i386.rpm:
  Header V3 DSA signature: OK, key ID 731002fa
  Header SHA1 digest: OK (d1bbf4e9d78b295b96385e983dabf2db5f869e1f)
  MD5 digest: OK (42f884a800b87773b0e8502cd9363c2b)
  V3 DSA signature: OK, key ID 731002fa
mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm:
  Header V3 DSA signature: OK, key ID 731002fa
  Header SHA1 digest: OK (eae34a99527f5317bcbf68b0caa7cb7110ee64cf)
  MD5 digest: OK (0fff34c271173859d1e9a101cf36065c)
  V3 DSA signature: OK, key ID 731002fa
mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm:
  Header V3 DSA signature: OK, key ID 731002fa
  Header SHA1 digest: OK (d0af7b1972a82c707c7ca1371d0ee1009780edc0)
  MD5 digest: OK (862ab8a90ad75c647308a3f4a766053f)
  V3 DSA signature: OK, key ID 731002fa
mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm:
  Header V3 DSA signature: OK, key ID 731002fa
  Header SHA1 digest: OK (5bb9d19ce62c040397b9ebefb9d25a9084f04faa)
  MD5 digest: OK (e7bcab3724ee92b10d85de3a4542e577)
  V3 DSA signature: OK, key ID 731002fa

Packages install without any errors or warnings. Opened mozilla, browsed a few sites. Everything seems normal. Opened mozilla -mail, read some messages in my IMAP account, verified that I can send and delete messages. Everything seems fine.

+VERIFY FC1

There are three vulnerabilities fixed by 1.7.8 mozilla release. Namely

MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

The first two are marked on http://www.mozilla.org/projects/security/known-vulnerabilities.html as "critical" and the third "high". It does not look like a big step-up from 1.7.7 with note that source rpm for mozilla-1.7.8-1.3.1 from FC3 has more specs cleanups than predecessor. To enable there pango one needs pango >= 1.5 and this is not satisfied below FC3 so it should not be enabled.

These packages were officially released. Please open a new bug for the new issues.
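An added example, not part of the original thread or of Fedora Legacy's tooling: the naming check raised in the QA review above (a forgotten ".legacy" tag and release ordering across distributions), using a simplified reimplementation of rpm's version comparison. The function names are illustrative, the epoch is assumed equal for all packages, and the package names are the ones listed in the review comment.

```python
import re

# Package names as listed in the review comment, with the comment's own labels.
LISTED = [
    ("RHL73", "mozilla-1.7.7-0.73.1.legacy.src.rpm"),
    ("RHL9", "mozilla-1.7.7-0.90.1.src.rpm"),
    ("FC1", "mozilla-1.7.7-1.1.1.legacy.src.rpm"),
    ("RHEL2", "mozilla-1.7.7-1.1.2.1.src.rpm"),
    ("RHEL3", "mozilla-1.7.7-1.1.3.4.src.rpm"),
    ("FC2", "mozilla-1.7.7-1.2.1.legacy.src.rpm"),
    ("FC3", "mozilla-1.7.7-1.3.1.src.rpm"),
]
# The four targets named in the +PUBLISH vote; only these need the tag.
LEGACY_TARGETS = {"RHL73", "RHL9", "FC1", "FC2"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version comparison; returns -1, 0 or 1.

    Segments are maximal runs of digits or of letters, everything else is a
    separator. Tilde/caret rules from newer rpm releases are not modelled.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment always compares newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the side with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_srpm(filename):
    """Split name-version-release.src.rpm into (name, version, release)."""
    if not filename.endswith(".src.rpm"):
        raise ValueError(f"not a source rpm name: {filename!r}")
    name, version, release = filename[: -len(".src.rpm")].rsplit("-", 2)
    return name, version, release


def compare_srpms(fa, fb):
    """Compare two source rpm names by version, then by release."""
    _, va, ra = parse_srpm(fa)
    _, vb, rb = parse_srpm(fb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def missing_legacy_tag(listed):
    """Labels of Fedora Legacy builds whose release lacks the .legacy suffix."""
    return [label for label, fn in listed
            if label in LEGACY_TARGETS
            and not parse_srpm(fn)[2].endswith(".legacy")]


def not_newer_than_previous(listed):
    """Adjacent (earlier, later) label pairs where the later build is not newer."""
    return [(a[0], b[0]) for a, b in zip(listed, listed[1:])
            if compare_srpms(a[1], b[1]) >= 0]


if __name__ == "__main__":
    print("missing .legacy tag:", missing_legacy_tag(LISTED))
    print("ordering problems in listed order:", not_newer_than_previous(LISTED))
    # Adding the forgotten tag yields a release that compares newer.
    print("0.90.1 vs 0.90.1.legacy:", rpmvercmp("0.90.1", "0.90.1.legacy"))
```

Because a release with the tag appended compares newer than the untagged one, rebuilding the RHL9 package with ".legacy" still upgrades cleanly over the untagged QA build.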