Seamonkey 2.16 has been released with multiple security updates. http://releases.mozilla.org/pub/mozilla.org/seamonkey/releases/2.16/source/seamonkey-2.16.source.tar.bz2
Component: RPM Packages => SecurityAssignee: bugsquad => cjwSource RPM: (none) => iceape
Updated packages are ready for testing: Source RPM: iceape-2.16-1.mga2.src.rpm Binary RPMs: iceape-2.16-1.mga2.i586.rpm iceape-2.16-1.mga2.x86_64.rpm Proposed advisory: Updated iceape packages fix security issues: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2013-0783) Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2013-0784) The RasterImage::DrawFrameTo function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) via a crafted GIF image. (CVE-2013-0772) Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 do not prevent multiple wrapping of WebIDL objects, which allows remote attackers to bypass intended access restrictions via unspecified vectors. (CVE-2013-0765) The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. (CVE-2013-0773) Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors. (CVE-2013-0774) Use-after-free vulnerability in the nsImageLoadingContent::OnStopContainer function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via crafted web script. (CVE-2013-0775) Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow man-in-the-middle attackers to spoof the address bar by operating a proxy server that provides a 407 HTTP status code accompanied by web script, as demonstrated by a phishing attack on an HTTPS site. (CVE-2013-0776) Use-after-free vulnerability in the nsDisplayBoxShadowOuter::Paint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2013-0777) The ClusterIterator::NextCluster function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2013-0778) The nsCodingStateMachine::NextState function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2013-0779) Use-after-free vulnerability in the nsOverflowContinuationTracker::Finish function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted document that uses Cascading Style Sheets (CSS) -moz-column-* properties. (CVE-2013-0780) Use-after-free vulnerability in the nsPrintEngine::CommonPrint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. (CVE-2013-0781) Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2013-0782) References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0765 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0784 http://www.mozilla.org/security/announce/2013/mfsa2013-21.html http://www.mozilla.org/security/announce/2013/mfsa2013-22.html http://www.mozilla.org/security/announce/2013/mfsa2013-23.html http://www.mozilla.org/security/announce/2013/mfsa2013-24.html http://www.mozilla.org/security/announce/2013/mfsa2013-25.html http://www.mozilla.org/security/announce/2013/mfsa2013-26.html http://www.mozilla.org/security/announce/2013/mfsa2013-27.html http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
Status: NEW => ASSIGNEDCC: (none) => cjwAssignee: cjw => qa-bugs
Tested MGA2-64 No PoCs for CVEs not found in FF and TB updates last week. General browsing--good Sunspider for javascript--good Youtube video for flash--good Mail send and receive--good Chatzilla--good java plugin--good MGA2-64 OK
CC: (none) => wrw105Whiteboard: (none) => MGA2-64-OK
testing MGA2-32 General browsing--OK Sunspider for Javascript--OK YOuTube for flash--OK Mail send and receive-OK Java plugin--OK Chatzilla-OK
Whiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK
Validating Please push from core/updates_testing to core/updates Source rpm and advisory in comment 1. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0086
Status: ASSIGNED => RESOLVEDCC: (none) => dmorganecResolution: (none) => FIXED