Red Hat has issued RHSA:2006-0328-01 for Firefox <http://www.redhat.com/archives/enterprise-watch-list/2006-April/msg00002.html> releasing firefox-1.0.8-1.4.1.

"Critical: Firefox security update ...

"Updated firefox packages that fix several security bugs are now available.

"This update has been rated as having critical security impact by the Red Hat Security Response Team. ...

"Several bugs were found in the way Firefox processes malformed javascript. A malicious web page could modify the content of a different open web page, possibly stealing sensitive information or conducting a cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

"Several bugs were found in the way Firefox processes certain javascript actions. A malicious web page could execute arbitrary javascript instructions with the permissions of 'chrome', allowing the page to steal sensitive information or install browser malware. (CVE-2006-1727, CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

"Several bugs were found in the way Firefox processes malformed web pages. A carefully crafted malicious web page could cause the execution of arbitrary code as the user running Firefox. (CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739)

"A bug was found in the way Firefox displays the secure site icon. If a browser is configured to display the non-default secure site modal warning dialog, it may be possible to trick a user into believing they are viewing a secure site. (CVE-2006-1740)

"A bug was found in the way Firefox allows javascript mutation events on 'input' form elements. A malicious web page could be created in such a way that when a user submits a form, an arbitrary file could be uploaded to the attacker. (CVE-2006-1729)

"Users of Firefox are advised to upgrade to these updated packages containing Firefox version 1.0.8 which corrects these issues."
Mozilla updates seem to have been pushed out for RHEL as well now.
I'll tackle this if no one else is currently doing it.
Nobody seems to be stepping up... I could probably do publish QA, depending on whether I have net access on travel.
Marc told me this evening that he is building Mozilla and has already built Firefox on his home machine. He said he'd post them here in the next day or so... He also indicated that we will track both Mozilla and Firefox packages here in this bug ticket. Redhat issued RHSA-2006:0329-01 for Mozilla in RHEL's 2.1, 3, & 4. <http://rhn.redhat.com/errata/RHSA-2006-0329.html> I've not seen any Fedora Core packages released yet for Mozilla, and it appears FC's bugs (for Mozilla) are still embargoed. I am writing a note to security-response-team to see if they can open those bugs up, since those vulnerabilities are now public knowledge. I will open a new bug report for the related Mozilla Thunderbird bug.
Here are updated firefox, mozilla, galeon, devhelp and epiphany packages to QA (SHA1 sums and download URLs for the 7.3, 9, fc1, fc2 and fc3 src.rpms followed in the original, PGP-signed message).
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches minimal and OK (when they exist at all, e.g., epiphany)

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

Thanks to Marc for the heavy lifting, as usual. (The SHA1 sums of the verified mozilla, firefox, galeon, epiphany and devhelp src.rpms followed in the original, PGP-signed message.)
Created attachment 128973: Proposed mozilla Test Update Notification. Here's a proposed Test Update Notification for Mozilla and its dependents. Needs to have exact package names/SHA1-sums filled in once packages are built and fully ready.
Created attachment 128974: Proposed Test Update Notification for firefox-1.0.8 for FC3. Here's a proposed Test Update Notification for Mozilla Firefox. Needs to have exact package names/SHA1-sums filled in once packages are built and fully ready.
These packages were pushed to updates-testing.
QA for RHL9. Signature OK, upgrades OK, basic browsing including Java plugin seems to work fine.

+VERIFY RHL9

Timeout in 2 weeks.
Testing for FC1 versions of mozilla and epiphany (the SHA1 sums of the tested mozilla, mozilla-mail, mozilla-nspr, mozilla-nss and epiphany i386 packages followed in the original, PGP-signed message):
* Packages install fine
* Packages run fine
* Have been running mozilla and mozilla-mail for about a week, no issues to report.

VERIFY++ FC1 mozilla and epiphany
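The publish and verify QA comments above rest on checking posted SHA1 sums against the package files by hand. As an added example (not from this thread, and not part of rpm-build-compare.sh), the POSIX shell function below reads a manifest in the format used in these comments (optional release headers such as "fc3:" followed by "sha1  path" lines) and reports each entry as OK, MISMATCH or MISSING; the demo files, their directory layout and a coreutils sha1sum (or shasum on BSD/macOS) are assumptions.

```shell
#!/bin/sh
# Fall back to shasum where coreutils sha1sum is not installed (assumption).
command -v sha1sum >/dev/null 2>&1 || sha1sum() { shasum -a 1 "$@"; }

# verify_manifest MANIFEST [BASEDIR]
# Each manifest line is "<sha1>  <relative path>"; lines with a single field
# (release headers like "fc3:") and blank lines are skipped.
# Returns 1 if any file is missing or its SHA1 differs from the manifest.
verify_manifest() {
    manifest="$1"
    base="${2:-.}"
    rc=0
    while read -r want path; do
        [ -z "$want" ] && continue      # blank line
        [ -z "$path" ] && continue      # header such as "fc3:"
        file="$base/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"; rc=1; continue
        fi
        have=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (manifest $want, file $have)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo: two placeholder files standing in for src.rpms and a
# manifest whose second entry is deliberately wrong. Prints the demo directory.
make_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/3"
    printf 'placeholder, not a real rpm\n' > "$dir/3/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm"
    printf 'another placeholder\n' > "$dir/3/mozilla-1.7.13-1.3.1.legacy.src.rpm"
    good=$(sha1sum "$dir/3/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm" | cut -d' ' -f1)
    {
        echo "fc3:"
        echo "$good  3/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm"
        echo "0000000000000000000000000000000000000000  3/mozilla-1.7.13-1.3.1.legacy.src.rpm"
    } > "$dir/manifest.txt"
    echo "$dir"
}
```

Run `demo=$(make_demo); verify_manifest "$demo/manifest.txt" "$demo"` to see one OK line, one MISMATCH line and a non-zero exit status.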
Timeout shortened to one week, and thus over.
Created attachment 130447: Proposed FLSA for mozilla
Created attachment 130483: Proposed FLSA for firefox
Packages were released to updates.