Bug 23100 - Iceape: Multiple security updates in seamonkey 2.49.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok has_procedure mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-30 17:09 CEST by Bill Wilkinson
Modified: 2018-08-15 17:46 CEST

See Also:
Source RPM:
CVE:
Status comment:



Description Bill Wilkinson 2018-05-30 17:09:50 CEST
Multiple security updates in seamonkey 2.49.3
Comment 1 Marja Van Waes 2018-05-31 19:23:18 CEST
Assigning to the registered maintainer, who is probably already working on it (he pushed iceape-2.49.3-1.mga7 to cauldron some hours ago).

Component: RPM Packages => Security
Whiteboard: (none) => MGA5TOO
QA Contact: (none) => security
CC: (none) => marja11
Assignee: bugsquad => cjw

Comment 2 Christiaan Welvaart 2018-07-05 23:27:35 CEST
Updated packages are available for testing:

SRPM:
iceape-2.49.3-1.mga6.src.rpm
RPMS:
iceape-2.49.3-1.mga6.i586.rpm
iceape-2.49.3-1.mga6.x86_64.rpm
iceape-2.49.3-1.mga6.armv5tl.rpm
iceape-2.49.3-1.mga6.armv7hl.rpm



Advisory:



Updated iceape packages include security fixes from upstream Seamonkey and Firefox:

Multiple flaws were found in the way Iceape 2.49.1 processes various types of web content, where loading a web page containing malicious content could cause Iceape to crash, execute arbitrary code, or disclose sensitive information. (CVE-2018-5089, CVE-2018-5091, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5103, CVE-2018-5104, CVE-2018-5117, CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5145, CVE-2018-5148, CVE-2018-5150, CVE-2018-5154, CVE-2018-5155, CVE-2018-5157, CVE-2018-5158, CVE-2018-5159, CVE-2018-5168, CVE-2018-5178, CVE-2018-5183, CVE-2018-6126)


References:


https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126

Assignee: cjw => qa-bugs
CC: (none) => cjw

Comment 3 Bill Wilkinson 2018-07-07 03:43:14 CEST
Tested mga6-64:
Browser:
general browsing, jetstream, acid3 (99%, same as Firefox, not surprisingly), youtube video, javatester for plugin, all OK

email:
Send/receive/move/delete under SMTP/IMAP all OK.

CC: (none) => wrw105
Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok has_procedure

Comment 4 Bill Wilkinson 2018-07-09 19:02:58 CEST
Tested mga6-32 as above under VirtualBox. All OK.

Whiteboard: MGA5TOO mga6-64-ok has_procedure => MGA5TOO mga6-64-ok has_procedure mga6-32-ok

Comment 5 Thomas Andrews 2018-07-10 05:31:05 CEST
On the basis of Bill Wilkinson's tests, this update could be validated for MGA6. 

But, the packages for MGA5 are still needed before validation can take place.

CC: (none) => andrewsfarm

Comment 6 Len Lawrence 2018-07-11 09:13:08 CEST
Mageia 5, x86_64

Updated all repositories but MageiaUpdate could not find Iceape.
Commandline search failed also.
# urpmi --search-media Testing iceape
No package named iceape
The latest version for mga5 appears to be 2.49.1.3:
# urpmq -i iceape | grep mga5
[...]
Release     : 1.mga5
Source RPM  : iceape-2.46-1.mga5.src.rpm
Release     : 1.mga5
Source RPM  : iceape-2.48-1.mga5.src.rpm
Release     : 3.mga5
Source RPM  : iceape-2.49.1-3.mga5.src.rpm

rpmfind agrees.

Not pushed to updates testing yet?

CC: (none) => tarazed25

Comment 7 Dave Hodgins 2018-07-11 22:47:03 CEST
Re-assigning back to Christiaan.

Please reassign back to qa when the mga5 update has been pushed, or remove the
mga5too whiteboard tag.

CC: (none) => davidwhodgins
Assignee: qa-bugs => cjw

Comment 8 Christiaan Welvaart 2018-08-14 00:27:27 CEST
Sorry, I did not notice the mga5 tag (obviously).

Anyway, I have now removed the MGA5TOO whiteboard tag since I can't get this package to build on the build system for i586 mga5.

Whiteboard: MGA5TOO mga6-64-ok has_procedure mga6-32-ok => mga6-64-ok has_procedure mga6-32-ok
Assignee: cjw => qa-bugs

Comment 9 Thomas Andrews 2018-08-14 04:43:59 CEST
As the MGA5TOO tag has been removed, this update can now be validated for Mageia 6.

Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-15 17:14:18 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 10 Mageia Robot 2018-08-15 17:46:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0338.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

