Multiple security updates for Iceape in seamonkey 2.17 Reproducible: Steps to Reproduce:
iceape-2.17-1.mga2 is in updates_testing from Funda since yesterday.
CC: (none) => cjw, fundawang, luigiwalser
I see the package (indeed, I'm using it now) but I'm not seeing it in the QA list yet.
CC: (none) => wrw105
No package ready for testing, please remove or revert if you installed some 2.17 package.
Status: NEW => ASSIGNEDAssignee: bugsquad => cjw
Updated packages are ready for testing: Source RPM: iceape-2.17-1.mga2.src.rpm Binary RPMs: iceape-2.17-1.mga2.i586.rpm iceape-2.17-1.mga2.x86_64.rpm For these packages the "Build identifier" in Help->About is 2013040200 . Proposed Advisory: Updated iceape packages fix security issues: Use-after-free vulnerability in the nsEditor::IsPreformatted function in editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to execute arbitrary code via vectors involving an execCommand call. (CVE-2013-0787) Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2013-0788) Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 20.0 and SeaMonkey before 2.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsContentUtils::HoldJSObjects function and the nsAutoPtr class, and other vectors. (CVE-2013-0789) The WebGL subsystem in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 on Linux does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (free of unallocated memory) via unspecified vectors. (CVE-2013-0796) The System Only Wrapper (SOW) implementation in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 does not prevent use of the cloneNode method for cloning a protected node, which allows remote attackers to bypass the Same Origin Policy or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. (CVE-2013-0795) Mozilla Firefox before 20.0 and SeaMonkey before 2.17 do not prevent origin spoofing of tab-modal dialogs, which allows remote attackers to conduct phishing attacks via a crafted web site. (CVE-2013-0794) Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 do not ensure the correctness of the address bar during history navigation, which allows remote attackers to conduct cross-site scripting (XSS) attacks or phishing attacks by leveraging control over navigation timing. (CVE-2013-0793) Mozilla Firefox before 20.0 and SeaMonkey before 2.17, when gfx.color_management.enablev4 is used, do not properly handle color profiles during PNG rendering, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (memory corruption) via a grayscale PNG image. (CVE-2013-0792) References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0789 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796 http://www.mozilla.org/security/announce/2013/mfsa2013-29.html http://www.mozilla.org/security/announce/2013/mfsa2013-30.html http://www.mozilla.org/security/announce/2013/mfsa2013-35.html http://www.mozilla.org/security/announce/2013/mfsa2013-36.html http://www.mozilla.org/security/announce/2013/mfsa2013-37.html http://www.mozilla.org/security/announce/2013/mfsa2013-38.html http://www.mozilla.org/security/announce/2013/mfsa2013-39.html
Assignee: cjw => qa-bugs
Basing CVEs on recent firefox/thunderbird updates, so testing general use. Sunspider and java OK general browsing OK flash video OK--several youtube videos send/receive and move to folders under smtp/imap OK chatzilla for IRC OK
Whiteboard: (none) => MGA2-64-OK
testing mga2-32 sunspider and java OK General browsing OK Flash video OK-several youtube videos Send/receive and move to folders under smtp/imap OK Chatzilla for IRC OK. Validating. Can someone from the sysadmin team please push from core/updates_testing to core updates? Advisory and srpm list in comment 4.
Keywords: (none) => validated_updateWhiteboard: MGA2-64-OK => MGA2-64-OK mga2-32-OKCC: (none) => sysadmin-bugs
Might want to hold this...there's a 2.17.1 available upstream.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0120
Status: ASSIGNED => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED