Bug 4513 - multiple iceape security issues fixed in 2.7
: multiple iceape security issues fixed in 2.7
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://cve.mitre.org/cgi-bin/cvename....
: MGA1-32-OK mga1-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-02-13 18:36 CET by David Walser
Modified: 2012-07-21 12:53 CEST (History)
6 users (show)

See Also:
Source RPM: iceape-2.0.14-2.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-02-13 18:36:39 CET
This CVE is fixed in Seamonkey 2.7.  The Cauldron package is also affected.
Comment 1 Manuel Hiebel 2012-02-14 00:09:25 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(I guess we have a lot of other sec fix missing for iceape)

(Please set the status to 'assigned' if you are working on it)
Comment 2 David Walser 2012-02-14 15:12:41 CET
Florian has notified me that this old version of Iceape is not vulnerable to particular CVE:
https://bugs.mageia.org/show_bug.cgi?id=4512#c4

However, it is vulnerable to others and still should be updated.
Comment 3 Manuel Hiebel 2012-03-06 01:30:57 CET
Ping ?
Comment 4 Manuel Hiebel 2012-05-09 21:18:29 CEST
ping ?
Comment 5 Florian Hubold 2012-05-09 21:46:45 CEST
It may be not susceptible to this particular CVE, but from a short look maybe to 3 or 4 *dozens* of other vulnerabilities. As i've written in my mail about iceape on -dev mailing list, i've updated it locally to the -then-recent version 2.7.2, and attached the svn diff, but didn't commit yet due to the new version causing freezes when closing tabs with middle mouse click, which is what i'd call a serious regression. But also completed the rebranding and fixed some other issues.

I'm available if someone wants help with working on this, also sent my work to Stormi (or was it Remmy?) because he wanted to keep iceape alive, but feared that the package would be too big for him. But we definitely need to find a new maintainer for it who does the updates.

If not, i think i can work on this some more for one update to a current version (debian has iceape-2.7.4, there are also no newer branding patches available, f.ex. for 2.8 or 2.9) but i'd prefer if someone else could continue my work.

Just ping me, then i'll send my tarball or commit my changes if someone wants to build on them.
Comment 6 Christiaan Welvaart 2012-07-03 01:14:31 CEST
Security updates for iceape are not exactly simple since most fixes are only released in new versions. For firefox there's an ESR but this does not exist for seamonkey (upstream name which we can't use due to trademark licensing issues). Debian does update its package this way but I don't see how they get the advisories and any certainty the full codebase was tested. The source for such 2.7.x 'releases' should be in the repository where thunderbird ESRs are tagged.

Since I had no luck with 2.7-2.9 builds (for cauldron), I prepared an iceape 2.10.1 package instead on cauldron and then backported it to mga1. So far I have not encountered any problems[1]. All subpackages are now merged into one big package which is bad for a security update but maybe it can be accepted anyway, since:
- it only removes a bit of choice to not install certain parts, using more disk space, but presumably iceape users appreciate it's an integrated suite
- upstream apparently wants people to upgrade to the latest version
- I'm not aware of any significant UI changes

Differences for the mga1 'backport' compared to my local cauldron package: bundled png, sqlite, and vpx libraries are used instead of system libraries because mga1 does not have the required versions (vpx could be disabled since webm support is a new feature AFAIK). Also, the dictionaries are searched in /usr/share/dict/mozilla instead of the new default /usr/share/hunspell .

Should I try to upload this package to mga1 updates_testing?


[1] the language packs cause a bunch of tabs to open after the upgrade with warnings but AFAIK this is an old issue caused by shipping them as extensions instead of built-in packages
Comment 7 David Walser 2012-07-10 23:20:31 CEST
Update iceape-2.10.1-1.mga1 (from iceape-2.10.1-1.mga1.src.rpm) built by Christiaan.  Thanks Christiaan!

Now we just need an advisory.
Comment 8 Christiaan Welvaart 2012-07-11 00:11:36 CEST
Update ready for testing.
Source RPM: iceape-2.10.1-1.mga1.src.rpm
Binary RPM: iceape-2.10.1-1.mga1

Advisory:
========================
Updated iceape packages fix security vulnerabilities: 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-2374).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.18 and Thunderbird before 3.1.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-2376).

Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2365 (CVE-2011-2364). 

Unspecified vulnerability in the browser engine in Mozilla Firefox 3.6.x before 3.6.18 and Thunderbird before 3.1.11 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2364 (CVE-2011-2365). 

Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when JavaScript is disabled, allows remote attackers to execute arbitrary code via a crafted XUL document (CVE-2011-2373). 

Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace image (CVE-2011-2377). 

Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object (CVE-2011-2371). 

Use-after-free vulnerability in the nsSVGPathSegList::ReplaceItem function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback (CVE-2011-0083). 

Use-after-free vulnerability in the nsSVGPointList::AppendElement function in the implementation of SVG element lists in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving a user-supplied callback (CVE-2011-2363). 

Use-after-free vulnerability in the nsXULCommandDispatcher function in Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via a crafted XUL document that dequeues the current command updater (CVE-2011-0085). 

Mozilla Firefox before 3.6.18, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 do not distinguish between cookies for two domain names that differ only in a trailing dot, which allows remote web servers to bypass the Same Origin Policy via Set-Cookie headers (CVE-2011-2362). 

The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products does not properly implement JavaScript, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-2991). 

The Ogg reader in the browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-2992). 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-2985). 

The implementation of digital signatures for JAR files in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not prevent calls from unsigned JavaScript code to signed code, which allows remote attackers to bypass the Same Origin Policy and gain privileges via a crafted web site, a different vulnerability than CVE-2008-2801 (CVE-2011-2993). 

The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer" (CVE-2011-0084).

The implementation of Content Security Policy (CSP) violation reports in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does not remove proxy-authorization credentials from the listed request headers, which allows attackers to obtain sensitive information by reading a report, related to incorrect host resolution that occurs with certain redirects (CVE-2011-2990). 

Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170 (CVE-2011-2999). 

Google Chrome user alibo encountered an active "man in the middle" (MITM) attack on secure SSL connections to Google servers. The fraudulent certificate was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has reported evidence that other fraudulent certificates were issued and in active use but the full extent of the compromise is not known. For the protection of our users Mozilla has removed the DigiNotar root certificate. Sites using certificates issued by DigiNotar will need to seek another certificate vendor (MFSA 2011-34).

As more information has come to light about the attack on the DigiNotar Certificate Authority we have improved the protections added in MFSA 2011-34. The main change is to add explicit distrust to the DigiNotar root certificate and several intermediates. Removing the root as in our previous fix meant the certificates could be considered valid if cross-signed by another Certificate Authority. Importantly this list of distrusted certificates includes the "PKIOverheid" (PKIGovernment) intermediates under DigiNotar's control that did not chain to DigiNotar's root and were not previously blocked (MFSA 2011-35).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-2995). 

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values  (CVE-2011-3000). 

Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site (CVE-2011-2372). 

Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages (CVE-2011-3670).

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding (CVE-2011-3648). 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-3651). 

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug (CVE-2011-3650). 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0442). 

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file (CVE-2012-0444). 

Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document (CVE-2012-0449). 

Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation (CVE-2011-3026). 

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue (CVE-2012-0455). 

The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read (CVE-2012-0456). 

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the home page through the dragging of a URL to the home button, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context (CVE-2012-0458). 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0461). 

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2012-0467). 

Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allows remote attackers to inject arbitrary web script or HTML via a multibyte character set (CVE-2012-0471). 

Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 allow remote attackers to inject arbitrary web script or HTML via the (1) ISO-2022-KR or (2) ISO-2022-CN character set (CVE-2012-0477). 

Chrome before 10.0.648.127 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, related to an "error message leak" (CVE-2011-1187).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird ESR 10.x before 10.0.5 does not properly determine data types, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted JavaScript code (CVE-2012-1939). 

To prevent this update from being delayed further, all subpackages for the separate components are now included in the main iceape package.

Updated Packages:
iceape-2.10.1-1.mga1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
http://www.mozilla.org/security/announce/2011/mfsa2011-35.html

========================

As reported earlier the security issue originally named in this bug does not affect the iceape package in mga1 so I changed the name. Cauldron was fixed by removing the iceape package before mga2 release.
Comment 9 Derek Jennings 2012-07-13 14:20:02 CEST
update validated on x86_64
testing involved general browsing, setting up an email account, connected to irc channel, added contacts, composed email.

All work as expected
Comment 10 Dave Hodgins 2012-07-14 00:02:18 CEST
# urpmi --debug iceape
<snip>
search_packages: found iceape-2.0.14-2.mga1.i586 matching iceape
search_packages: found iceape-2.10.1-1.mga1.i586 matching iceape
found package(s): iceape-2.0.14-2.mga1.i586 iceape-2.10.1-1.mga1.i586
opening rpmdb (root=, write=)
chosen iceape-2.10.1-1.mga1.i586 for iceape|iceape
selecting iceape-2.10.1-1.mga1.i586
installed package eclipse-swt-3.6.2-12.1.mga1.i586 is conflicting with iceape-2.10.1-1.mga1.i586 (Conflicts: mozilla)
set_rejected: eclipse-swt-3.6.2-12.1.mga1.i586
installed tuxguitar-1.2-7.1.mga1.i586 is conflicting because of unsatisfied eclipse-swt
promoting eclipse-swt-3.6.2-12.mga1.i586 because of conflict above
not selecting eclipse-swt-3.6.2-12.mga1.i586 since the more recent eclipse-swt-3.6.2-12.1.mga1.i586 is installed
A requested package cannot be installed:
eclipse-swt-3.6.2-12.mga1.i586 (in order to keep eclipse-swt-3.6.2-12.1.mga1.i586)
Comment 11 David Walser 2012-07-14 01:12:40 CEST
Dave, try uninstalling the eclipse-swt from updates_testing (and installing the previous one) and see if you can install iceape.  If you can, report the issue on Bug 6611.
Comment 12 Christiaan Welvaart 2012-07-14 15:51:57 CEST
The eclipse-swt conflicts problem was fixed for mga2. The workaround is to remove eclipse-swt before installing iceape. Going back to a previous eclipse-swt won't help.

(mozilla was the original name of seamonkey/iceape after netscape communicator was open sourced)
Comment 13 claire robinson 2012-07-16 14:48:44 CEST
Testing mga1 32

Before
------

Spellcheck and java don't seem to work and flash causes a segfault.
Only browser and Composer available.

After
-----

When started it checks addons. Ticked to install en_GB language pack.

When it finished its checks it opened 23 tabs saying "Another program on your computer would like to modify iceape with the following addon, one for each language.

Java works.
Flash causes it to become unresponsive.

email, spellcheck, irc all ok.
Comment 14 claire robinson 2012-07-16 14:54:41 CEST
Christiaan I notice you commented about the 23 tabs in comment 6 so the only issue really is flash causing it to become unresponsive. It doesn't appear to be a regression, in so far as it was a segfault but is now a hang.

Do you wish to look at that?
Comment 15 Christiaan Welvaart 2012-07-16 23:30:36 CEST
@claire thanks for the detailed report. Although I don't really care about flash, the problem you found is most likely the same with videos played through plugins (like totem-mozilla or gecko-mplayer) where iceape does not hang indefinitely but for about a minute. I just ignored it for a long time because I did not see it often (such videos are uncommon on the web I think, most are flash/silverlight or html5 video). I believe it can be 'fixed' by changing a setting:

Type in the address bar:   about:config    (it may ask if you are sure)
look for dom.ipc.plugins.enabled and set it to false.

I'll disable this setting in the defaults and submit a new package.
Comment 16 Dave Hodgins 2012-07-17 03:40:53 CEST
Testing complete on Mageia 1 i586 with the srpm
iceape-2.10.1-2.mga1.src.rpm

Imported my settings from thunderbird.

Email is working (pop3), nntp, flash on youtube and
http://www.adobe.com/software/flash/about/
java applet at a speed test site, and general browsing.

Removing MGA1-64-OK from the whiteboard, as it hasn't been tested
with this version.

I'll test Mageia 2 i586 shortly.
Comment 17 Dave Hodgins 2012-07-17 03:43:49 CEST
Oops.  This is only a Mageia 1 update, so just needs retesting on 64 bit.
Comment 18 claire robinson 2012-07-17 13:21:31 CEST
That fixed it Christiaan. Retested everything else all OK.

Validating

Advisory in comment 8.

SRPM: iceape-2.10.1-2.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 20 Christiaan Welvaart 2012-07-18 00:08:39 CEST
New update ready for testing:
Source RPM: iceape-2.11-1.mga1.src.rpm
Binary RPM: iceape-2.11-1.mga1

Advisory: see comment 8 (but with 'updated packages' -> iceape-2.11-1.mga1)

AFAICT the security fixes in 2.11 are not reported for the version still in mga1 so we cannot list them as fixed.
Comment 21 David Walser 2012-07-18 00:10:45 CEST
Thanks Christiaan.
Comment 22 Dave Hodgins 2012-07-18 00:26:24 CEST
2.11.1 is still not showing up at
http://twiska.zarb.org/mageia/distrib/1/i586/media/core/updates_testing

Is there a problem with the build system?
Comment 23 Dave Hodgins 2012-07-18 00:27:22 CEST
Never mind.  Misread the time, so thought it had been longer.
Comment 24 Dave Hodgins 2012-07-18 21:51:27 CEST
Testing complete on Mageia 1 i586 for the srpm
iceape-2.11-1.mga1.src.rpm

After installing the 2.11 version, on first start, it asked if I wanted
to install the Traditional Chinese zh-TW and Ukranian UA language packs,
which I allowed.

Tested with email, nntp, general web browsing, flash, and a java applet.
Comment 25 claire robinson 2012-07-20 18:11:40 CEST
Testing complete mga1 x86_64

Advisory in comment 8
SRPM: iceape-2.11-1.mga1

Validating

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 26 Thomas Backlund 2012-07-21 12:53:32 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0176

Note You need to log in before you can comment on or make changes to this bug.