Format: 1.7
Date: Mon, 05 Jan 2009 23:18:37 +0100
Source: iceape
Binary: mozilla iceape-browser mozilla-calendar mozilla-js-debugger iceape iceape-calendar iceape-dom-inspector mozilla-psm mozilla-chatzilla mozilla-mailnews iceape-dbg iceape-gnome-support mozilla-dom-inspector iceape-dev iceape-chatzilla mozilla-browser iceape-mailnews mozilla-dev
Architecture: source all amd64
Version: 1.0.13~pre080614i-0etch1
Distribution: stable-security
Urgency: low
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Alexander Sack <asac@canonical.com>
Description:
 iceape - The Iceape Internet Suite
 iceape-browser - Iceape Navigator (Internet browser) and Composer
 iceape-calendar - Iceape Calendar
 iceape-chatzilla - Iceape Chatzilla IRC client
 iceape-dbg - Debugging symbols for the Iceape Internet Suite
 iceape-dev - Development files for the Iceape Internet Suite
 iceape-dom-inspector - DOM inspector for the Iceape Internet Suite
 iceape-gnome-support - Gnome support for the Iceape Internet Suite
 iceape-mailnews - Iceape Mail & Newsgroups and Address Book
 mozilla - Transition package for the Iceape Internet Suite
 mozilla-browser - Transition package for Iceape Navigator and Composer
 mozilla-calendar - Transition package for Iceape Calendar
 mozilla-chatzilla - Transition package for Iceape Chatzilla IRC client
 mozilla-dev - Transition package for development file for the Iceape Internet S
 mozilla-dom-inspector - Transition package for the DOM Inspector for the Iceape Internet
 mozilla-js-debugger - Transition package for venkman
 mozilla-mailnews - Transition package for Iceape Mail & Newsgroups and Address Book
 mozilla-psm - Transition package for Iceape Navigator
Closes: 505565
Changes:
 iceape (1.0.13~pre080614i-0etch1) stable-security; urgency=low
 .
   * security/stability update for issues discussed in firefox/thunderbird
     2.0.0.15, 2.0.0.16, 2.0.0.17, 2.0.0.18, 2.0.0.19 (details below)
     - Closes: #505565 - Mozilla SeaMonkey Multiple Vulnerabilities
   * debian/calendar-1.0.9.tar.bz2.uue,control,rules: add uuencoded calendar/
     directory; unpack before patch-stamp in rules; adjust build-deps
   * debian/patches/99_configure.dpatch: refresh - run autoconf2.13
   * debian/patches/{20_visibility,90_bz416282,90_bz419116,90_bz421622,
     90_bz425576}.dpatch: drop patches now shipped/superseded by upstream
     tarball/patchset
   * debian/patches/00list: Updated accordingly.
 .
 Advisory notes:
 .
 2.0.0.15:
   * MFSA 2008-21 (layout) aka CVE-2008-2798 - Crashes with evidence of memory corruption (rv:1.8.1.15) in layout engine
   * MFSA 2008-21 (javascript) aka CVE-2008-2799 - Crashes with evidence of memory corruption (rv:1.8.1.15) in the javascript engine
   * MFSA 2008-22 aka CVE-2008-2800 - XSS through JavaScript same-origin violation
   * MFSA 2008-23 aka CVE-2008-2801 - Signed JAR tampering
   * MFSA 2008-24 aka CVE-2008-2802 - Chrome script loading from fastload file
   * MFSA 2008-25 aka CVE-2008-2803 - Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
   * MFSA 2008-26 aka CVE-2008-0304-followup - Buffer length checks in MIME processing
   * MFSA 2008-27 aka CVE-2008-2805 - Arbitrary file upload via originalTarget and DOM Range
   * MFSA 2008-29 aka CVE-2008-2807 - Faulty .properties file results in uninitialized memory being used
   * MFSA 2008-30 aka CVE-2008-2808 - File location URL in directory listings not escaped properly
   * MFSA 2008-31 aka CVE-2008-2809 - Peer-trusted certs can use alt names to spoof
   * MFSA 2008-32 aka CVE-2008-2810 - Remote site run as local file via Windows URL shortcut
   * MFSA 2008-33 aka CVE-2008-2811 - Crash and remote code execution in block reflow
 .
 2.0.0.16:
   * MFSA 2008-34 aka CVE-2008-2785 - Remote code execution by overflowing CSS reference counter
   * MFSA 2008-35 aka CVE-2008-2933 - Command-line URLs launch multiple tabs when Firefox not running
 .
 2.0.0.17:
   * MFSA 2008-37 aka CVE-2008-0016 - UTF-8 URL stack buffer overflow
   * MFSA 2008-38 aka CVE-2008-3835 - nsXMLDocument::OnChannelRedirect() same-origin violation
   * MFSA 2008-39 aka CVE-2008-3836 - Privilege escalation using feed preview page and XSS flaw
   * MFSA 2008-40 aka CVE-2008-3837 - Forced mouse drag
   * MFSA 2008-41 aka CVE-2008-4058 (XPCnativeWrapper pollution bugs), CVE-2008-4059 (XPCnativeWrapper pollution (Firefox 2)), CVE-2008-4060 (Documents without script handling objects) - Privilege escalation via XPCnativeWrapper pollution
   * MFSA 2008-42 aka CVE-2008-4061 (1.8 layout), CVE-2008-4062 (1.8 javascript) - Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
   * MFSA 2008-43 aka CVE-2008-4065 (Stripped BOM characters) - BOM characters, low surrogates stripped from JavaScript before execution
   * MFSA 2008-44 aka CVE-2008-4067, CVE-2008-4068 - resource: traversal vulnerabilities
   * MFSA 2008-45 aka CVE-2008-4069 - [1.8 branch] XBM appears to draw uninitialized memory
   * MFSA 2008-46 aka CVE-2008-4070 - Heap overflow when canceling newsgroup message
 .
 2.0.0.18:
   * MFSA 2008-48 aka CVE-2008-5012 - Image stealing via canvas and HTTP redirect
   * MFSA 2008-49 aka CVE-2008-5013 - Arbitrary code execution via Flash Player dynamic module unloading
   * MFSA 2008-50 aka CVE-2008-5014 - Crash and remote code execution via __proto__ tampering
   * MFSA 2008-52 aka CVE-2008-5017(1.8 layout), CVE-2008-5018(1.8 javascript) - Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
   * MFSA 2008-54 aka CVE-2008-0017 - Buffer overflow in http-index-format parser
   * MFSA 2008-55 aka CVE-2008-5021 - Crash and remote code execution in nsFrameManager
   * MFSA 2008-56 aka CVE-2008-5022 - nsXMLHttpRequest::NotifyEventListeners() same-origin violation
   * MFSA 2008-58 aka CVE-2008-5024 - Parsing error in E4X default namespace
   * MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and .textContent in mail
 .
 2.0.0.19:
   * MFSA 2008-60 aka CVE-2008-5500 (layout) - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
   * MFSA 2008-61 aka CVE-2008-5503 - Information stealing via loadBindingDocument
   * MFSA 2008-64 aka CVE-2008-5506 - XMLHttpRequest 302 response disclosure
   * MFSA 2008-65 aka CVE-2008-5507 - Cross-domain data theft via script redirect error message
   * MFSA 2008-66 aka CVE-2008-5508 - Errors parsing URLs with leading whitespace and control characters (fixed by bz451613)
   * MFSA 2008-68 aka CVE-2008-5511(XSS via XBL bindings to unloaded document), CVE-2008-5512(JavaScript privilege escalation) - XSS and JavaScript privilege escalation

Accepted:
iceape-browser_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-browser_1.0.13~pre080614i-0etch1_amd64.deb
iceape-calendar_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-calendar_1.0.13~pre080614i-0etch1_amd64.deb
iceape-chatzilla_1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/iceape-chatzilla_1.0.13~pre080614i-0etch1_all.deb
iceape-dbg_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-dbg_1.0.13~pre080614i-0etch1_amd64.deb
iceape-dev_1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/iceape-dev_1.0.13~pre080614i-0etch1_all.deb
iceape-dom-inspector_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-dom-inspector_1.0.13~pre080614i-0etch1_amd64.deb
iceape-gnome-support_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-gnome-support_1.0.13~pre080614i-0etch1_amd64.deb
iceape-mailnews_1.0.13~pre080614i-0etch1_amd64.deb
  to pool/main/i/iceape/iceape-mailnews_1.0.13~pre080614i-0etch1_amd64.deb
iceape_1.0.13~pre080614i-0etch1.diff.gz
  to pool/main/i/iceape/iceape_1.0.13~pre080614i-0etch1.diff.gz
iceape_1.0.13~pre080614i-0etch1.dsc
  to pool/main/i/iceape/iceape_1.0.13~pre080614i-0etch1.dsc
iceape_1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/iceape_1.0.13~pre080614i-0etch1_all.deb
iceape_1.0.13~pre080614i.orig.tar.gz
  to pool/main/i/iceape/iceape_1.0.13~pre080614i.orig.tar.gz
mozilla-browser_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-browser_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-calendar_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-calendar_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-chatzilla_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-chatzilla_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-dev_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-dev_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-dom-inspector_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-dom-inspector_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-js-debugger_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-js-debugger_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-mailnews_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-mailnews_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla-psm_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla-psm_1.8+1.0.13~pre080614i-0etch1_all.deb
mozilla_1.8+1.0.13~pre080614i-0etch1_all.deb
  to pool/main/i/iceape/mozilla_1.8+1.0.13~pre080614i-0etch1_all.deb