Bug 21637 - Iceape: Multiple security updates in seamonkey 2.48
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO mga6-64-ok MGA5-64-OK advisory
Keywords: validated_update
Reported: 2017-08-30 10:26 CEST by Christiaan Welvaart
Modified: 2017-09-01 23:11 CEST
Source RPM: iceape-2.46-4.mga6.src.rpm

Description Christiaan Welvaart 2017-08-30 10:26:14 CEST
Iceape's upstream released seamonkey 2.48 which fixes several security issues, see https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/ and probably also https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
Christiaan Welvaart 2017-08-30 10:26:52 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Christiaan Welvaart 2017-08-30 11:10:21 CEST
Packages are available for testing:

MGA5
SRPM:
iceape-2.48-1.mga5.src.rpm
RPMS:
iceape-2.48-1.mga5.i586.rpm
iceape-2.48-1.mga5.x86_64.rpm

MGA6
SRPM:
iceape-2.48-1.mga6.src.rpm
RPMS:
iceape-2.48-1.mga6.i586.rpm
iceape-2.48-1.mga6.x86_64.rpm
iceape-2.48-1.mga6.armv7hl.rpm
<armv5tl still building>


Advisory:


Updated Iceape packages include security fixes from upstream Seamonkey:

Multiple flaws were found in the way Iceape 2.46 processes various types of web content, where loading a web page containing malicious content could cause Iceape to crash, execute arbitrary code, or disclose sensitive information. (CVE-2016-5287, CVE-2016-5288, CVE-2016-5289, CVE-2016-5290, CVE-2016-5292, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-9067, CVE-2016-9068, CVE-2016-9075, CVE-2016-9077, CVE-2016-5291, CVE-2016-9063, CVE-2016-9070, CVE-2016-9071, CVE-2016-9073, CVE-2016-9076, CVE-2016-9078, CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904, CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376, CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380, CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384, CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388, CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393, CVE-2017-5396)


References:


https://www.mozilla.org/en-US/security/advisories/mfsa2016-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5396

CC: (none) => cjw
Assignee: cjw => qa-bugs

Comment 2 Bill Wilkinson 2017-08-31 04:04:00 CEST
Tested mga6-64

Browser:
General browsing
jetstream for javascript
Acid3 for general use
Javatester for plugins
watched a video
all OK

Mail:
Added lightning
Imap/Smtp send/receive/move/delete all OK

chatzilla
connected to freenode

all OK

CC: (none) => wrw105
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok

Comment 3 PC LX 2017-09-01 15:48:51 CEST
Installed and tested without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU with proprietary driver nvidia340.

For web browsing:
- video, audio, webgl, acid3, java plugin, flash plugin;
- rendering and behaviour of general sites;
- install, remove and use add-ons (e.g. adblock plus);
- enable language packs.

For address book:
- import and export from/to a vcf file with lots of contacts;
- create, edit and delete contacts.

For email:
- setup SMTP, IMAP and POP accounts;
- view, send, receive, edit, and delete emails;
- sign, encrypt and decrypt with enigmail.

For composer:
- Quick editing.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q iceape
iceape-2.48-1.mga5

Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok MGA5-64-OK
CC: (none) => mageia

Comment 4 Lewis Smith 2017-09-01 21:39:24 CEST
Thank you both, Bill & PCLX, for the tests. Advisory uploaded; validating.

Whiteboard: MGA5TOO mga6-64-ok MGA5-64-OK => MGA5TOO mga6-64-ok MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-09-01 23:11:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0323.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

