security issue revealed: CAN-2005-2871
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mozilla (Debian) | Fix Released | Unknown | |
mozilla (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #327455 http://
In Debian Bug tracker #327455, Alexander Sack (asac) wrote : Re: Bug#327455: security issue revealed: CAN-2005-2871 | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Automatically imported from Debian bug report #327455 http://
Debian Bug Importer (debzilla) wrote : | #3 |
Message-Id: <E1EE1Gb-
Date: Sat, 10 Sep 2005 11:03:21 +0200
From: Alexander Sack <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security issue revealed: CAN-2005-2871
Package: mozilla
Version: 2:1.7.8-1sarge2
Severity: critical
Tags: security patch
a security issue has been discovered. A workaround fix is available from
the bug report. This applies to the latest and pending sarge and unstable
version of mozilla.
The issue is named: CAN-2005-2871
MFSA id is still missing.
The upstream bug report is: #307259.
A patch for aviary branch and HEAD is attached to the bugzilla bug.
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Sat, 10 Sep 2005 11:24:46 +0200
From: Alexander Sack <email address hidden>
To: Alexander Sack <email address hidden>, <email address hidden>
Subject: Re: Bug#327455: security issue revealed: CAN-2005-2871
On Sat, Sep 10, 2005 at 11:03:21AM +0200, Alexander Sack wrote:
> Package: mozilla
> Version: 2:1.7.8-1sarge2
> Severity: critical
> Tags: security patch
>
> a security issue has been discovered. A workaround fix is available from
> the bug report. This applies to the latest and pending sarge and unstable
> version of mozilla.
>
> The issue is named: CAN-2005-2871
>
> MFSA id is still missing.
>
> The upstream bug report is: #307259.
>
> A patch for aviary branch and HEAD is attached to the bugzilla bug.
>
>
Additional info on this issue:
https:/
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
<email address hidden> | `. `' Operating System
http://
Matt Zimmerman (mdz) wrote : | #5 |
*** Bug 21336 has been marked as a duplicate of this bug. ***
Sebastien Bacher (seb128) wrote : | #6 |
*** Bug 21268 has been marked as a duplicate of this bug. ***
Sebastien Bacher (seb128) wrote : | #7 |
firefox (1.0.6-1ubuntu12) breezy; urgency=low
.
* netwerk/
- patch from https:/
fix "IDN buffer overflow security issue" (CAN-2005-2871).
Martin Pitt (pitti) wrote : | #8 |
Thunderbird and Mozilla have been fixed in Breezy, too.
stable updates were uploaded, will be released soon.
Martin Pitt (pitti) wrote : | #9 |
(In reply to comment #6)
> stable updates were uploaded, will be released soon.
Done, USN-181-1.
In Debian Bug tracker #327455, Loïc Minier (lool) wrote : Re: Bug#327366: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow? | #10 |
tags 327366 + upstream fixed-upstream patch
severity 327366 critical
merge 327366 327455
retitle 327366 [CAN-2005-2871] IDN buffer overflow [MFSA 2005-57]
thanks
Hi,
On Fri, Sep 09, 2005, Sam Morris wrote:
> A buffer overflow vulnerability exists within Firefox version 1.0.6 and
> all other prior versions which allows for an attacker to remotely execute
> arbitrary code on an affected host.
When reporting bugs against Epiphany or Galeon, please check whether
Mozilla, their engine, is affected. In the future, the engine of these
browsers might switch from Mozilla to Firefox though.
> The problem seems to be when a hostname which has all dashes causes the
> NormalizeIDN call in nsStandardURL:
> but is sets encHost to an empty string.
This is "fixed" in Mozilla 1.7.12 by disabling IDN and/or installing a
patch as explained at:
<https:/
Bye,
--
Loïc Minier <email address hidden>
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Mon, 26 Sep 2005 10:53:07 +0200
From: =?iso-8859-
To: Sam Morris <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#327366: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?
In Debian Bug tracker #327455, Alexander Sack (asac) wrote : Fixed in NMU of mozilla 2:1.7.12-1 | #12 |
tag 318723 + fixed
tag 321644 + fixed
tag 325532 + fixed
tag 327366 + fixed
tag 327455 + fixed
tag 329778 + fixed
tag 332480 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 6 Oct 2005 23:48:00 +0200
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-
Architecture: source i386
Version: 2:1.7.12-1
Distribution: unstable
Urgency: high
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Alexander Sack <email address hidden>
Description:
libnspr-dev - Netscape Portable Runtime library - development files
libnspr4 - Netscape Portable Runtime Library
libnss-dev - Network Security Service Libraries - development
libnss3 - Network Security Service Libraries - runtime
mozilla - The Mozilla Internet application suite - meta package
mozilla-browser - The Mozilla Internet application suite - core and browser
mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
mozilla-chatzilla - Mozilla Web Browser - irc client
mozilla-dev - The Mozilla Internet application suite - development files
mozilla-
mozilla-
mozilla-mailnews - The Mozilla Internet application suite - mail and news support
mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 318723 321644 325532 327366 327455 329778 332480
Changes:
mozilla (2:1.7.12-1) unstable; urgency=high
.
* NMU: fixing several security issues and most important RC bugs.
(Closes: 332480)
* new upstream version 1.7.12 fixes:
+ [CAN-2005-2871] IDN buffer overflow [MFSA 2005-57] (Closes: 327366)
+ security issue revealed: CAN-2005-2871 (Closes: 327455)
+ mozilla: Multiple security issues fixed in 1.7.12 (Closes: 329778)
+ javascript crasher - unsure about this ... have to test.
(Closes: 318723)
+ mozilla 1.7.10 version crashes almost immediately (Closes: 321644)
* applied patch by Steve Langasek <email address hidden> to make mozilla
build on arm and other archs. (Closes: 325532)
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Sun, 09 Oct 2005 13:32:45 -0700
From: Alexander Sack <email address hidden>
To: <email address hidden>
Cc: Alexander Sack <email address hidden>, Takuo KITAME <email address hidden>
Subject: Fixed in NMU of mozilla 2:1.7.12-1
In Debian Bug tracker #327455, Alexander Sack (asac) wrote : Fixed in NMU of mozilla 2:1.7.8-1sarge3 | #14 |
tag 321427 + fixed
tag 327366 + fixed
tag 329778 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 27 Sep 2005 13:00:00 +0100
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-
Architecture: source i386
Version: 2:1.7.8-1sarge3
Distribution: stable-security
Urgency: critical
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Alexander Sack <email address hidden>
Description:
libnspr-dev - Netscape Portable Runtime library - development files
libnspr4 - Netscape Portable Runtime Library
libnss-dev - Network Security Service Libraries - development
libnss3 - Network Security Service Libraries - runtime
mozilla - The Mozilla Internet application suite - meta package
mozilla-browser - The Mozilla Internet application suite - core and browser
mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
mozilla-chatzilla - Mozilla Web Browser - irc client
mozilla-dev - The Mozilla Internet application suite - development files
mozilla-
mozilla-
mozilla-mailnews - The Mozilla Internet application suite - mail and news support
mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 321427 327366 329778
Changes:
mozilla (2:1.7.8-1sarge3) stable-security; urgency=critical
.
* MFSA-2005-
Summary: Regressions introduced by mozilla 1.7.9 bugfix. There was no
advisory for it (debian/
Closes: 321427
Bugzilla: 294307 301917 300749
Issues addressed:
+ Regressions introduced by mozilla 1.7.9 bugfix.
* MFSA-2005-57: IDN heap overrun
Summary: Tom Ferris reported a Firefox crash when processing a domain
name consisting solely of soft-hyphen characters.
Closes: 327366
CVE-Ids: CAN-2005-2871
Bugzilla: 307259 308281
Issues addressed:
+ CAN-2005-2871 - IDN heap overrun
* MFSA-2005-58: Accumulated vendor advisory for multiple vulnerabilities
Summary: Fixes for multiple vulnerabilities with an overall severity
of "critical" have been released in Mozilla Firefox 1.0.7 and
the Mozilla Suite 1.7.12 (debian/
Closes: 329778
CVE-Ids: CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
Bugzilla: 300936 296134 297078 302263 299518 303213 304754 306261
306804 291178 300853 301180 302100
Issues addressed:
+ CAN-2005-2701 - Heap overrun in XBM image processing
+ CAN-2005-2702 - Crash on "zero-width non-joiner" sequence
+ CAN-2005-2703 - XMLHttpRequest header spoofing
+ CAN-2005-2704 - Object spoofing using XBL <implements>...
Debian Bug Importer (debzilla) wrote : | #15 |
Message-Id: <email address hidden>
Date: Sat, 12 Nov 2005 01:03:12 -0800
From: Alexander Sack <email address hidden>
To: <email address hidden>
Cc: Alexander Sack <email address hidden>, Takuo KITAME <email address hidden>
Subject: Fixed in NMU of mozilla 2:1.7.8-1sarge3
In Debian Bug tracker #327455, Alexander Sack (asac) wrote : | #16 |
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Fri, 16 Dec 2005 21:34:34 -0800
From: Alexander Sack <email address hidden>
To: <email address hidden>
Cc: Alexander Sack <email address hidden>, Takuo KITAME <email address hidden>
Subject: Fixed in NMU of mozilla 2:1.7.8-1sarge3
In Debian Bug tracker #327455, Adam D. Barratt (debian-bts-adam-barratt) wrote : Bugs fixed in NMU, documenting versions | #18 |
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers. With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now
close 271427 8.14+v8.11+urw-0.1
close 314698 0.35-2.1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 320115 2.0-4.2
close 320284 1.11
close 320899 11.4.1870-7.1
close 327078 11.4.1870-7.1
close 327349 11.4.1870-7.1
close 320903 1:0.71-1.2
close 327946 1:0.71-1.2
close 320941 2.0.3-1.1
close 321126 2.6.3.2
close 321545 0.1.3b-1.1
close 341341 0.1.3b-1.1
close 321553 0.1.12-2.2
close 321644 2:1.7.12-1.1
close 346013 2:1.7.12-1.1
close 321816 2.61-2.1
close 321967 4.0.0-2.1
close 330024 4.0.0-2.1
close 321998 0.9.21-0.1
close 322583 0.3.8.1-4
close 322853 0.7.1-3.1
close 356739 0.7.1-3.1
close 322961 0.4.3.1.dfsg-0.1
close 322972 9.4.2-2.4
close 323084 0.4.5+cvs200308
close 323160 0.1.10-0.1
close 323355 1.2.11-0.2
close 323725 0.18.2-10.1
close 323942 0.4.0-4.1
close 324371 4.3-18.1
close 324553 2.9.5.0.37.5.2
close 324558 1.2-release-2.1
close 324579 1.11-6.2
close 324606 1.2-release-2.2
close 324908 0.12.4-4.1
close 325210 2.6.0-1.1
close 325490 0.7.1-1.1
close 325514 0.8.6-1.1
close 326468 0.8.6-1.1
close 325532 2:1.7.12-1
close 327366 2:1.7.12-1
close 329778 2:1.7.12-1
close 332480 2:1.7.12-1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 325835 0.1.12-7.1
close 325851 2:1.7.8-1sarge2
close 325938 0.9.8beta2-4.1
close 327930 0.9.8beta2-4.1
close 326285 0.99.3-5.1
close 326295 0.8.2-5.1
close 373110 0.8.2-5.1
close 379331 0.8.2-5.1
close 379334 0.8.2-5.1
close 326298 0.2.12-2.1
close 326311 0.3.5-1pre1.1
close 326355 2.1.8-2.1
close 326362 0.6-7.2
close 326371 0.90beta1-10.1
close 326372 1.0-0.1
close 326378 0.1.17-4.3
close 326466 6.3.2-2.1
close 347129 6.3.2-2.1
close 347205 6.3.2-2.1
close 326489 0.3.7-2.1
close 326756 1.0.9-1.1
close 365518 1.0.9-1.1
close 327429 1.2-1.1
close 350429 1.2-1.1
close 327911 2.3.5-1.1
close 327718 0.6.0-8.2
close 327933 0.9.2-1.1
close 327936 0.8.5-1.1
close 327970 0.5.1-2.1
close 327984 1.3-2.1
close 327986 0.2.36-4.1
close 291328 0.2.36-4.1
close 327996 1.0-1.1
close 328002 1.0.0-9.1
close 328018 2.1.3-2.1
close 328039 1.18A-2.1
close 328172 1.002-0.2
close 328333 4.1.2-1.1
close 328334 1.34-7.1
close 328335 0.8.2-2.1
close 328352 0.13-3.1
close 328364 0.4.0-test5-2.1
close 329467 1.3.1
close 330446 0.1.83
close 333857 0.1.83
close 330666 6:6.2.4.5-0.2
close 330938 0.5.1-2.2
Changed in mozilla: | |
status: | Fix Committed → Fix Released |
On Sat, Sep 10, 2005 at 11:03:21AM +0200, Alexander Sack wrote:
> Package: mozilla
> Version: 2:1.7.8-1sarge2
> Severity: critical
> Tags: security patch
>
> a security issue has been discovered. A workaround fix is available from
> the bug report. This applies to the latest and pending sarge and unstable
> version of mozilla.
>
> The issue is named: CAN-2005-2871
>
> MFSA id is still missing.
>
> The upstream bug report is: #307259.
>
> A patch for aviary branch and HEAD is attached to the bugzilla bug.
>
>
Additional info on this issue:
https://addons.mozilla.org/messages/307259.html
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
<email address hidden> | `. `' Operating System
http://www.asoftsite.org | `- http://www.debian.org