======================================================
Name: CVE-2013-1701
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1701
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=880734
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888107

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

======================================================
Name: CVE-2013-1702
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1702
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=844088
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=854157
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=855331
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=858060
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=861530
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=862185
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=870200
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=874974
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=878703
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879139
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=893684

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

======================================================
Name: CVE-2013-1704
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1704
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-64.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=883313

Use-after-free vulnerability in the nsINode::GetParentNode function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) via vectors involving a DOM modification at the time of a SetBody mutation event.

======================================================
Name: CVE-2013-1705
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1705
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-65.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=882865

Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Certificate Request Message Format (CRMF) request.

======================================================
Name: CVE-2013-1706
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1706
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-66.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888361

Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line.

======================================================
Name: CVE-2013-1707
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1707
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-66.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=888314

Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line to the Mozilla Maintenance Service.

======================================================
Name: CVE-2013-1708
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1708
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-67.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879924

Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (application crash) via a crafted WAV file that is not properly handled by the nsCString::CharAt function.

======================================================
Name: CVE-2013-1709
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1709
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=848253

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document.

======================================================
Name: CVE-2013-1710
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1710
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=871368

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.

======================================================
Name: CVE-2013-1711
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1711
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-70.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=843829

The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 does not properly address the possibility of an XBL scope bypass resulting from non-native arguments in XBL function calls, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging access to an unprivileged object.

======================================================
Name: CVE-2013-1712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1712
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-71.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=859072

Multiple untrusted search path vulnerabilities in updater.exe in Mozilla Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local users to gain privileges via a Trojan horse DLL in (1) the update directory or (2) the current working directory.

======================================================
Name: CVE-2013-1713
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1713
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=887098

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site.

======================================================
Name: CVE-2013-1714
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1714
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=879787

The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors.

======================================================
Name: CVE-2013-1715
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1715
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-74.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=883165

Multiple untrusted search path vulnerabilities in the (1) full installer and (2) stub installer in Mozilla Firefox before 23.0 on Windows allow local users to gain privileges via a Trojan horse DLL in the default downloads directory. NOTE: this issue exists because of an incomplete fix for CVE-2012-4206.

======================================================
Name: CVE-2013-1717
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://www.mozilla.org/security/announce/2013/mfsa2013-75.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=406541

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.

Reproducible:
Steps to Reproduce:
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:210/
URL: (none) => http://lwn.net/Vulnerabilities/562438/
Version: 2 => 3
Summary: Multiple vulnerabilities in firefox/thunderbird => firefox/thunderbird new security issues fixed in 17.0.8
Whiteboard: (none) => MGA2TOO
Source RPM: firefox => firefox, thunderbird
Note that nss and nspr also need to be updated: https://rhn.redhat.com/errata/RHSA-2013-1144.html
I think this was fixed earlier, at least here:
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/

(In reply to David Walser from comment #2)
> Note that nss and nspr also need to be updated:
> https://rhn.redhat.com/errata/RHSA-2013-1144.html

I think this was fixed earlier, at least here:
http://www.mandriva.com/en/support/security/advisories/advisory/MDVA-2013:001/
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/
(In reply to Oden Eriksson from comment #3)
> I think this was fixed earlier, at least here:
>
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/
> (In reply to David Walser from comment #2)
> > Note that nss and nspr also need to be updated:
> > https://rhn.redhat.com/errata/RHSA-2013-1144.html
>
> I think this was fixed earlier, at least here:
>
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVA-2013:001/
> http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:050/

Yep, fixed in nss 3.14.3 in Bug 9141.
CC: (none) => luigiwalser
I guess we can wait to push the new nspr and nss until ESR 24.
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-1701).

Mozilla security researcher moz_bug_r_a4 reported that through an interaction of frames and browser history it was possible to make the browser believe attacker-supplied content came from the location of a previous page in browser history. This allows for cross-site scripting (XSS) attacks by loading scripts from a misrepresented malicious site through relative locations and the potential access of stored credentials of a spoofed site (CVE-2013-1709).

Mozilla security researcher moz_bug_r_a4 reported a mechanism to execute arbitrary code or a cross-site scripting (XSS) attack when Certificate Request Message Format (CRMF) request is generated in certain circumstances (CVE-2013-1710).

Security researcher Cody Crews reported that some Javascript components will perform checks against the wrong uniform resource identifier (URI) before performing security sensitive actions. This will return an incorrect location for the originator of the call. This could be used to bypass same-origin policy, allowing for cross-site scripting (XSS) or the installation of malicious add-ons from third-party pages (CVE-2013-1713).

Mozilla community member Federico Lanusse reported a mechanism where a web worker can violate same-origin policy and bypass cross-origin checks through XMLHttpRequest. This could allow for cross-site scripting (XSS) attacks by web workers (CVE-2013-1714).

Security researcher Georgi Guninski reported an issue with Java applets where in some circumstances the applet could access files on the local system when loaded using a file:/// URI and violate file origin policy due to interaction with the codebase parameter. This affects applets running on the local file system. Mozilla developer John Schoenick later discovered that fixes for this issue were inadequate and allowed the invocation of Java applets to bypass security checks in additional circumstances. This could lead to untrusted Java applets having read-only access on the local file system if used in conjunction with a method to download a file to a known or guessable path (CVE-2013-1717).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1717
http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
http://www.mozilla.org/security/announce/2013/mfsa2013-75.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:210/
========================

Source RPMs:
firefox-17.0.8-1.mga2.src.rpm
firefox-l10n-17.0.8-1.mga2.src.rpm
thunderbird-17.0.8-1.mga2.src.rpm
thunderbird-l10n-17.0.8-1.mga2.src.rpm
firefox-17.0.8-1.mga3.src.rpm
firefox-l10n-17.0.8-1.mga3.src.rpm
thunderbird-17.0.8-1.mga3.src.rpm
thunderbird-l10n-17.0.8-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Full package list: firefox-17.0.8-1.mga2 firefox-devel-17.0.8-1.mga2 firefox-af-17.0.8-1.mga2 firefox-ar-17.0.8-1.mga2 firefox-ast-17.0.8-1.mga2 firefox-be-17.0.8-1.mga2 firefox-bg-17.0.8-1.mga2 firefox-bn_BD-17.0.8-1.mga2 firefox-bn_IN-17.0.8-1.mga2 firefox-br-17.0.8-1.mga2 firefox-bs-17.0.8-1.mga2 firefox-ca-17.0.8-1.mga2 firefox-cs-17.0.8-1.mga2 firefox-cy-17.0.8-1.mga2 firefox-da-17.0.8-1.mga2 firefox-de-17.0.8-1.mga2 firefox-el-17.0.8-1.mga2 firefox-en_GB-17.0.8-1.mga2 firefox-en_ZA-17.0.8-1.mga2 firefox-eo-17.0.8-1.mga2 firefox-es_AR-17.0.8-1.mga2 firefox-es_CL-17.0.8-1.mga2 firefox-es_ES-17.0.8-1.mga2 firefox-es_MX-17.0.8-1.mga2 firefox-et-17.0.8-1.mga2 firefox-eu-17.0.8-1.mga2 firefox-fa-17.0.8-1.mga2 firefox-fi-17.0.8-1.mga2 firefox-fr-17.0.8-1.mga2 firefox-fy-17.0.8-1.mga2 firefox-ga_IE-17.0.8-1.mga2 firefox-gd-17.0.8-1.mga2 firefox-gl-17.0.8-1.mga2 firefox-gu_IN-17.0.8-1.mga2 firefox-he-17.0.8-1.mga2 firefox-hi-17.0.8-1.mga2 firefox-hr-17.0.8-1.mga2 firefox-hu-17.0.8-1.mga2 firefox-hy-17.0.8-1.mga2 firefox-id-17.0.8-1.mga2 firefox-is-17.0.8-1.mga2 firefox-it-17.0.8-1.mga2 firefox-ja-17.0.8-1.mga2 firefox-kk-17.0.8-1.mga2 firefox-kn-17.0.8-1.mga2 firefox-ko-17.0.8-1.mga2 firefox-ku-17.0.8-1.mga2 firefox-lg-17.0.8-1.mga2 firefox-lt-17.0.8-1.mga2 firefox-lv-17.0.8-1.mga2 firefox-mai-17.0.8-1.mga2 firefox-mk-17.0.8-1.mga2 firefox-ml-17.0.8-1.mga2 firefox-mr-17.0.8-1.mga2 firefox-nb_NO-17.0.8-1.mga2 firefox-nl-17.0.8-1.mga2 firefox-nn_NO-17.0.8-1.mga2 firefox-nso-17.0.8-1.mga2 firefox-or-17.0.8-1.mga2 firefox-pa_IN-17.0.8-1.mga2 firefox-pl-17.0.8-1.mga2 firefox-pt_BR-17.0.8-1.mga2 firefox-pt_PT-17.0.8-1.mga2 firefox-ro-17.0.8-1.mga2 firefox-ru-17.0.8-1.mga2 firefox-si-17.0.8-1.mga2 firefox-sk-17.0.8-1.mga2 firefox-sl-17.0.8-1.mga2 firefox-sq-17.0.8-1.mga2 firefox-sr-17.0.8-1.mga2 firefox-sv_SE-17.0.8-1.mga2 firefox-ta-17.0.8-1.mga2 firefox-ta_LK-17.0.8-1.mga2 firefox-te-17.0.8-1.mga2 firefox-th-17.0.8-1.mga2 firefox-tr-17.0.8-1.mga2 firefox-uk-17.0.8-1.mga2 
firefox-vi-17.0.8-1.mga2 firefox-zh_CN-17.0.8-1.mga2 firefox-zh_TW-17.0.8-1.mga2 firefox-zu-17.0.8-1.mga2 thunderbird-17.0.8-1.mga2 thunderbird-enigmail-17.0.8-1.mga2 nsinstall-17.0.8-1.mga2 thunderbird-ar-17.0.8-1.mga2 thunderbird-ast-17.0.8-1.mga2 thunderbird-be-17.0.8-1.mga2 thunderbird-bg-17.0.8-1.mga2 thunderbird-bn_BD-17.0.8-1.mga2 thunderbird-br-17.0.8-1.mga2 thunderbird-ca-17.0.8-1.mga2 thunderbird-cs-17.0.8-1.mga2 thunderbird-da-17.0.8-1.mga2 thunderbird-de-17.0.8-1.mga2 thunderbird-el-17.0.8-1.mga2 thunderbird-en_GB-17.0.8-1.mga2 thunderbird-es_AR-17.0.8-1.mga2 thunderbird-es_ES-17.0.8-1.mga2 thunderbird-et-17.0.8-1.mga2 thunderbird-eu-17.0.8-1.mga2 thunderbird-fi-17.0.8-1.mga2 thunderbird-fr-17.0.8-1.mga2 thunderbird-fy-17.0.8-1.mga2 thunderbird-ga-17.0.8-1.mga2 thunderbird-gd-17.0.8-1.mga2 thunderbird-gl-17.0.8-1.mga2 thunderbird-he-17.0.8-1.mga2 thunderbird-hu-17.0.8-1.mga2 thunderbird-id-17.0.8-1.mga2 thunderbird-is-17.0.8-1.mga2 thunderbird-it-17.0.8-1.mga2 thunderbird-ja-17.0.8-1.mga2 thunderbird-ko-17.0.8-1.mga2 thunderbird-lt-17.0.8-1.mga2 thunderbird-nb_NO-17.0.8-1.mga2 thunderbird-nl-17.0.8-1.mga2 thunderbird-nn_NO-17.0.8-1.mga2 thunderbird-pa_IN-17.0.8-1.mga2 thunderbird-pl-17.0.8-1.mga2 thunderbird-pt_BR-17.0.8-1.mga2 thunderbird-pt_PT-17.0.8-1.mga2 thunderbird-ro-17.0.8-1.mga2 thunderbird-ru-17.0.8-1.mga2 thunderbird-si-17.0.8-1.mga2 thunderbird-sk-17.0.8-1.mga2 thunderbird-sl-17.0.8-1.mga2 thunderbird-sq-17.0.8-1.mga2 thunderbird-sv_SE-17.0.8-1.mga2 thunderbird-ta_LK-17.0.8-1.mga2 thunderbird-tr-17.0.8-1.mga2 thunderbird-uk-17.0.8-1.mga2 thunderbird-vi-17.0.8-1.mga2 thunderbird-zh_CN-17.0.8-1.mga2 thunderbird-zh_TW-17.0.8-1.mga2 firefox-17.0.8-1.mga3 firefox-devel-17.0.8-1.mga3 firefox-af-17.0.8-1.mga3 firefox-ar-17.0.8-1.mga3 firefox-ast-17.0.8-1.mga3 firefox-be-17.0.8-1.mga3 firefox-bg-17.0.8-1.mga3 firefox-bn_BD-17.0.8-1.mga3 firefox-bn_IN-17.0.8-1.mga3 firefox-br-17.0.8-1.mga3 firefox-bs-17.0.8-1.mga3 firefox-ca-17.0.8-1.mga3 
firefox-cs-17.0.8-1.mga3 firefox-cy-17.0.8-1.mga3 firefox-da-17.0.8-1.mga3 firefox-de-17.0.8-1.mga3 firefox-el-17.0.8-1.mga3 firefox-en_GB-17.0.8-1.mga3 firefox-en_ZA-17.0.8-1.mga3 firefox-eo-17.0.8-1.mga3 firefox-es_AR-17.0.8-1.mga3 firefox-es_CL-17.0.8-1.mga3 firefox-es_ES-17.0.8-1.mga3 firefox-es_MX-17.0.8-1.mga3 firefox-et-17.0.8-1.mga3 firefox-eu-17.0.8-1.mga3 firefox-fa-17.0.8-1.mga3 firefox-fi-17.0.8-1.mga3 firefox-fr-17.0.8-1.mga3 firefox-fy-17.0.8-1.mga3 firefox-ga_IE-17.0.8-1.mga3 firefox-gd-17.0.8-1.mga3 firefox-gl-17.0.8-1.mga3 firefox-gu_IN-17.0.8-1.mga3 firefox-he-17.0.8-1.mga3 firefox-hi-17.0.8-1.mga3 firefox-hr-17.0.8-1.mga3 firefox-hu-17.0.8-1.mga3 firefox-hy-17.0.8-1.mga3 firefox-id-17.0.8-1.mga3 firefox-is-17.0.8-1.mga3 firefox-it-17.0.8-1.mga3 firefox-ja-17.0.8-1.mga3 firefox-kk-17.0.8-1.mga3 firefox-kn-17.0.8-1.mga3 firefox-ko-17.0.8-1.mga3 firefox-ku-17.0.8-1.mga3 firefox-lg-17.0.8-1.mga3 firefox-lt-17.0.8-1.mga3 firefox-lv-17.0.8-1.mga3 firefox-mai-17.0.8-1.mga3 firefox-mk-17.0.8-1.mga3 firefox-ml-17.0.8-1.mga3 firefox-mr-17.0.8-1.mga3 firefox-nb_NO-17.0.8-1.mga3 firefox-nl-17.0.8-1.mga3 firefox-nn_NO-17.0.8-1.mga3 firefox-nso-17.0.8-1.mga3 firefox-or-17.0.8-1.mga3 firefox-pa_IN-17.0.8-1.mga3 firefox-pl-17.0.8-1.mga3 firefox-pt_BR-17.0.8-1.mga3 firefox-pt_PT-17.0.8-1.mga3 firefox-ro-17.0.8-1.mga3 firefox-ru-17.0.8-1.mga3 firefox-si-17.0.8-1.mga3 firefox-sk-17.0.8-1.mga3 firefox-sl-17.0.8-1.mga3 firefox-sq-17.0.8-1.mga3 firefox-sr-17.0.8-1.mga3 firefox-sv_SE-17.0.8-1.mga3 firefox-ta-17.0.8-1.mga3 firefox-ta_LK-17.0.8-1.mga3 firefox-te-17.0.8-1.mga3 firefox-th-17.0.8-1.mga3 firefox-tr-17.0.8-1.mga3 firefox-uk-17.0.8-1.mga3 firefox-vi-17.0.8-1.mga3 firefox-zh_CN-17.0.8-1.mga3 firefox-zh_TW-17.0.8-1.mga3 firefox-zu-17.0.8-1.mga3 thunderbird-17.0.8-1.mga3 thunderbird-enigmail-17.0.8-1.mga3 nsinstall-17.0.8-1.mga3 thunderbird-ar-17.0.8-1.mga3 thunderbird-ast-17.0.8-1.mga3 thunderbird-be-17.0.8-1.mga3 thunderbird-bg-17.0.8-1.mga3 
thunderbird-bn_BD-17.0.8-1.mga3 thunderbird-br-17.0.8-1.mga3 thunderbird-ca-17.0.8-1.mga3 thunderbird-cs-17.0.8-1.mga3 thunderbird-da-17.0.8-1.mga3 thunderbird-de-17.0.8-1.mga3 thunderbird-el-17.0.8-1.mga3 thunderbird-en_GB-17.0.8-1.mga3 thunderbird-es_AR-17.0.8-1.mga3 thunderbird-es_ES-17.0.8-1.mga3 thunderbird-et-17.0.8-1.mga3 thunderbird-eu-17.0.8-1.mga3 thunderbird-fi-17.0.8-1.mga3 thunderbird-fr-17.0.8-1.mga3 thunderbird-fy-17.0.8-1.mga3 thunderbird-ga-17.0.8-1.mga3 thunderbird-gd-17.0.8-1.mga3 thunderbird-gl-17.0.8-1.mga3 thunderbird-he-17.0.8-1.mga3 thunderbird-hu-17.0.8-1.mga3 thunderbird-id-17.0.8-1.mga3 thunderbird-is-17.0.8-1.mga3 thunderbird-it-17.0.8-1.mga3 thunderbird-ja-17.0.8-1.mga3 thunderbird-ko-17.0.8-1.mga3 thunderbird-lt-17.0.8-1.mga3 thunderbird-nb_NO-17.0.8-1.mga3 thunderbird-nl-17.0.8-1.mga3 thunderbird-nn_NO-17.0.8-1.mga3 thunderbird-pa_IN-17.0.8-1.mga3 thunderbird-pl-17.0.8-1.mga3 thunderbird-pt_BR-17.0.8-1.mga3 thunderbird-pt_PT-17.0.8-1.mga3 thunderbird-ro-17.0.8-1.mga3 thunderbird-ru-17.0.8-1.mga3 thunderbird-si-17.0.8-1.mga3 thunderbird-sk-17.0.8-1.mga3 thunderbird-sl-17.0.8-1.mga3 thunderbird-sq-17.0.8-1.mga3 thunderbird-sv_SE-17.0.8-1.mga3 thunderbird-ta_LK-17.0.8-1.mga3 thunderbird-tr-17.0.8-1.mga3 thunderbird-uk-17.0.8-1.mga3 thunderbird-vi-17.0.8-1.mga3 thunderbird-zh_CN-17.0.8-1.mga3 thunderbird-zh_TW-17.0.8-1.mga3
A quick perusal of securityfocus did not show working PoC for bugs.

Tested mga3-64.

Firefox: general browsing, sunspider javascript testing, javatester.org test working java, youtube to test flash. All OK

Thunderbird: send/receive/move/delete messages on IMAP servers. All OK.
CC: (none) => wrw105
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok
Testing complete for firefox 17.0.8-1 mga3_32, Ok for me nothing to report. Testing complete for firefox 17.0.8-1 mga3_64, Ok for me nothing to report, too. -firefox-17.0.8-1.mga3 -firefox-fr-17.0.8-1.mga3
CC: (none) => geiger.david68210
Testing complete mga2 32
Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok
Oops thunderbird wasn't tested mga2 64 yet
Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok => MGA2TOO mga3-64-ok mga2-32-ok
Severity: normal => critical
Advisory 10946.adv uploaded to svn. Testing shortly.
CC: (none) => davidwhodgins
Having trouble with thunderbird-enigmail. Trying to send a signed, encrypted message is returning

Send operation aborted.
Error - encryption command failed

This is on Mageia 2 i586. As shown below, using gpg to sign/encrypt a file using the same keys, is working, so the keys are there and marked as trusted. I also have the idea plugin installed, and have "load-extension idea" in gpg.conf.

[dave@i2v ~]$ gpg -sea -r 98B013E0 -r i2vqatest -r x2vqatest msg

You need a passphrase to unlock the secret key for
user: "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
4096-bit RSA key, ID 838ED2F8, created 2013-08-02

[dave@i2v ~]$ gpg msg.asc

You need a passphrase to unlock the secret key for
user: "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
4096-bit RSA key, ID FCFECCEB, created 2013-08-02 (main key ID 838ED2F8)

gpg: encrypted with 1024-bit ELG-E key, ID 97F8A432, created 2013-08-02
      "x2vqatest <dave@x2v.hodgins.homeip.net>"
gpg: encrypted with 4096-bit ELG-E key, ID A3B12EFE, created 1998-03-20
      "David W. Hodgins <davidwhodgins@gmail.com>"
gpg: encrypted with 4096-bit RSA key, ID FCFECCEB, created 2013-08-02
      "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>"
File `msg' exists. Overwrite? (y/N) y
gpg: Signature made Sun 11 Aug 2013 08:40:18 PM EDT using RSA key ID 838ED2F8
gpg: Good signature from "i2vqatest (qa test key) <dave@i2v.hodgins.homeip.net>

I'll revert to the prior version, to see if this is a regression.
Not a regression. I'll debug/file a bug report for it later.
Testing complete on Mageia 2 and 3, i586 and x86_64. Enigmail is only failing on Mageia 2 i586. On the others, it's working. Could someone from the sysadmin team push 10946.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok => MGA2TOO mga3-64-ok mga2-32-ok mga2-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Just fyi, figured out the problem with enigmail on i2 (Mageia 2 i586). Had the wrong key selected as the default, for the account, so it couldn't find the secret key, when trying to sign.
Update pushed: http://advisories.mageia.org/MGASA-2013-0248.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
The update was only pushed for mga2 but not for mga3.
gah, me screwed up again :/ now fixed