The Seamonkey team has released v. 2.38 with multiple security fixes.
Status: NEW => ASSIGNED
CC: (none) => cjw
Assignee: bugsquad => cjw
iceape 2.38 in cauldron crashes sometimes, or at least it exits suddenly but there is nothing in syslog and so far I have not found anything in a terminal either (I usually start it from the applications menu). It happened with the 2.38 beta release so I hoped it was fixed in the final release but iceape disappeared again after I updated this bugreport. I don't know what triggers it so no idea how to proceed.
Have you tried the usual mozilla disable extensions? The only outstanding freeze bug I'm seeing in their bugzilla is with flash, so maybe start there? And will you be enabling the built in calendar this time? Thanks!
CC: (none) => wrw105
I don't use flash, and the only extension I have installed just adds some menu so should not interfere with page rendering. It looks like I found a page that reliably crashes iceape on cauldron: http://www.howtogeek.com/200897/how-to-use-miracast-screen-mirroring-from-windows-or-android/ This happens in a new user account without any additional extensions installed. The crash is in the "Storage I/O" thread. Maybe it has something to do with sqlite, I don't know much about mozilla code. The same page does not crash iceape 2.38 on mga5. I had already uploaded packages to mga5 updates_testing so maybe I should just continue the update.
As long as the sqlite3 update doesn't cause problems with Firefox, you can go ahead with this. The iceape issues will hopefully get sorted out in Cauldron before Mageia 6 is released.
Packages are ready for testing.

MGA5

SRPMS:
sqlite3-3.8.10.2-1.1.mga5.src.rpm
iceape-2.38-1.mga5.src.rpm

RPMS:
iceape-2.38-1.mga5.i586.rpm
lemon-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3_0-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3-devel-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3-static-devel-3.8.10.2-1.1.mga5.i586.rpm
sqlite3-tcl-3.8.10.2-1.1.mga5.i586.rpm
sqlite3-tools-3.8.10.2-1.1.mga5.i586.rpm
iceape-2.38-1.mga5.x86_64.rpm
lemon-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3_0-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3-devel-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3-static-devel-3.8.10.2-1.1.mga5.x86_64.rpm
sqlite3-tcl-3.8.10.2-1.1.mga5.x86_64.rpm
sqlite3-tools-3.8.10.2-1.1.mga5.x86_64.rpm

Proposed advisory:

Updated iceape packages fix security issues.

The sqlite3 package has been updated as well since the new iceape version requires the SQLITE_ENABLE_DBSTAT_VTAB feature to be enabled in sqlite. This sqlite3 update also enables ICU support, fixing bug #16814.

Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API. (CVE-2015-4477)

Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)

The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in Mozilla Firefox before 40.0 does not implement the Content Security Policy Level 2 exceptions for the blob, data, and filesystem URL schemes during wildcard source-expression matching, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging unexpected policy-enforcement behavior. (CVE-2015-4490)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2015-4500)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2015-4501)

The lut_inverse_interp16 function in the QCMS library in Mozilla Firefox before 41.0 allows remote attackers to obtain sensitive information or cause a denial of service (buffer over-read and application crash) via crafted attributes in the ICC 4 profile of an image. (CVE-2015-4504)

The SavedStacks class in the JavaScript implementation in Mozilla Firefox before 41.0, when the Debugger API is enabled, allows remote attackers to cause a denial of service (getSlotRef assertion failure and application exit) or possibly execute arbitrary code via a crafted web site. (CVE-2015-4507)

Mozilla Firefox before 41.0, when reader mode is enabled, allows remote attackers to spoof the relationship between address-bar URLs and web content via a crafted web site. (CVE-2015-4508)

Race condition in the WorkerPrivate::NotifyFeatures function in Mozilla Firefox before 41.0 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) by leveraging improper interaction between shared workers and the IndexedDB implementation. (CVE-2015-4510)

Heap-based buffer overflow in the nestegg_track_codec_data function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via a crafted header in a WebM video. (CVE-2015-4511)

Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176. (CVE-2015-4509)

gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux improperly attempts to use the Cairo library with 32-bit color-depth surface creation followed by 16-bit color-depth surface display, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) by using a CANVAS element to trigger 2D rendering. (CVE-2015-4512)

js/src/proxy/Proxy.cpp in Mozilla Firefox before 41.0 mishandles certain receiver arguments, which allows remote attackers to bypass intended window access restrictions via a crafted web site. (CVE-2015-4502)

Mozilla Firefox before 41.0 allows remote attackers to bypass certain ECMAScript 5 (aka ES5) API protection mechanisms and modify immutable properties, and consequently execute arbitrary JavaScript code with chrome privileges, via a crafted web page that does not use ES5 APIs. (CVE-2015-4516)

Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow user-assisted remote attackers to bypass intended access restrictions and discover a redirect's target URL via crafted JavaScript code that executes after a drag-and-drop action of an image into a TEXTBOX element. (CVE-2015-4519)

Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header. (CVE-2015-4520)

NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-4517)

The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-4521)

The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-4522)

The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-7174)

The XULContentSinkImpl::AddText function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-7175)

The AnimationThread function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 uses an incorrect argument to the sscanf function, which might allow remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-7176)

The InitTextures function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-7177)

References:
https://bugs.mageia.org/show_bug.cgi?id=16814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/
Assignee: cjw => qa-bugs
Source RPM: (none) => iceape
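
An added check, not part of the original report or of the Mageia packaging: it reads the build options of the SQLite library that Python loads and probes the dbstat virtual table, to confirm that an installed sqlite3 carries the SQLITE_ENABLE_DBSTAT_VTAB and ICU features named in the proposed advisory. The function names are assumptions made for this example, and the script inspects whichever libsqlite3 the Python interpreter is linked against.

```python
import sqlite3

# Build options the advisory attributes to the updated sqlite3 package.
# PRAGMA compile_options reports them without the "SQLITE_" prefix.
REQUIRED = ("ENABLE_DBSTAT_VTAB", "ENABLE_ICU")


def normalize(option):
    """Strip an optional SQLITE_ prefix and any =value suffix."""
    name = option.strip().upper().split("=", 1)[0]
    return name[len("SQLITE_"):] if name.startswith("SQLITE_") else name


def missing_options(compile_options, required=REQUIRED):
    """Return the required options absent from a compile_options listing."""
    present = {normalize(o) for o in compile_options}
    return [r for r in required if normalize(r) not in present]


def dbstat_usable(conn):
    """Probe the dbstat virtual table directly instead of trusting the flag list."""
    try:
        conn.execute("SELECT count(*) FROM dbstat").fetchone()
        return True
    except sqlite3.Error:
        return False


def audit(conn):
    """Collect library version, missing build options and the dbstat probe."""
    options = [row[0] for row in conn.execute("PRAGMA compile_options")]
    return {
        "version": sqlite3.sqlite_version,
        "missing": missing_options(options),
        "dbstat_usable": dbstat_usable(conn),
    }


if __name__ == "__main__":
    with sqlite3.connect(":memory:") as conn:
        report = audit(conn)
    print(report)
    # Non-zero exit lets a QA script fail the update when a feature is absent.
    raise SystemExit(1 if report["missing"] or not report["dbstat_usable"] else 0)
```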
Tested mga5-64

Browser: General browsing, java plugin, jetstream for javascript, flash video playback in vimeo, acid3, all ok
Mail: Send/receive/move/delete over SMTP/IMAP OK
Chat: Connected to #mageia-qa

All OK.
Whiteboard: (none) => has_procedure mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0414.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Blocks: (none) => 16814