Ubuntu

Seamonkey 1.1.14 security upgrade

Reported by markor on 2008-12-19
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
seamonkey (Ubuntu)
Critical
John Vivirito
Hardy
Critical
John Vivirito
Intrepid
Critical
John Vivirito

Bug Description

Binary package hint: seamonkey

Seamonkey 1.1.13 security update 1.1.13 is availble.

Security Advisories for Seamonkey 1.1.14:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.14
We need packaging for Ubuntu Hardy, Interpid, and Jaunty/Testing)

Package Seamonkey is on Hardy/LTS in version 1.1.12
so, since In the meantime 1.1.13 is made available for Jaunty,
(https://bugs.launchpad.net/ubuntu/hardy/+source/seamonkey/+bug/297789)
it would be good moment to jump to 1.1.14 for LTS, 8.10 and 9.04

markor (markoresko) wrote :

There is Iceape 1.1.14 available for Debian.

John Vivirito (gnomefreak) wrote :

I working on latest release for Jaunty at this time.

Changed in seamonkey:
assignee: nobody → gnomefreak
status: New → Triaged
John Vivirito (gnomefreak) wrote :

we dont get mozilla related packages from debian, we use upstream.

John Vivirito (gnomefreak) wrote :

Pushing hardy's to my PPA at this time and will give you links sometime today.

I have to fix my intrepid branch before that can be delt with

Alexander Sack (asac) on 2009-02-11
Changed in seamonkey:
importance: Undecided → Critical
status: New → Triaged
assignee: nobody → gnomefreak
assignee: nobody → gnomefreak
importance: Undecided → Critical
status: New → Triaged
importance: Undecided → Critical
John Vivirito (gnomefreak) wrote :

seems i ran out of room in my PPA so i requested more room so i can finish uploading the packages. but all work and build fine.

John Vivirito (gnomefreak) wrote :

These are all done and pushed to PPA and branches are all fixed. Waiting for ack.

FrancisT (mas-gramondou) wrote :

Suggest upgrade to 1.1.15 in the next day or two as this is just being released to patch some other critical issues

On 03/06/2009 03:47 AM, FrancisT wrote:
> Suggest upgrade to 1.1.15 in the next day or two as this is just being
> released to patch some other critical issues
>
I have already prepared to start this. I will get to it next week. To
file bugs against new versions of Mozilla apps really isnt needed but
they are fine. We are on top of Mozilla apps, however there are only 3
of us that are packaging the main Mozilla apps at this time. Seamonkey
1.1.15 will be in my PPA sometime next week barring any delay in
release. I am unable to work this weekend from what i know at this time
but that may change. I will keep track of when it is released as always. :)

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

John Vivirito (gnomefreak) wrote :

it seems final 1.1.15 has not yet been released. Once it is i will know and start on it as soon as i can

John Vivirito (gnomefreak) wrote :

Sorry yeah i was working on it the other day. Here are the link to PPA for testing:
https://launchpad.net/~gnomefreak/+archive/ppa

Alexander can you push this, i have tested on jaunty and its ready at this time i am unable to test with Intrepid or Hardy here are the branches:
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x-dev
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.hardy
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.intrepid

The targets do not have -security in them yet
I already updated branches for version number

John Vivirito (gnomefreak) wrote :

On 03/21/2009 10:44 AM, John Vivirito wrote:
> Sorry yeah i was working on it the other day. Here are the link to PPA for testing:
> https://launchpad.net/~gnomefreak/+archive/ppa
>
> Alexander can you push this, i have tested on jaunty and its ready at this time i am unable to test with Intrepid or Hardy here are the branches:
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x-dev
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.hardy
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.intrepid
>
> The targets do not have -security in them yet
> I already updated branches for version number
>
I fixed branches and PPA packages to use *-security

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

There is a new round in the game... Critical Mozilla bug 485217 has just been fixed and is on the list for SeaMonkey 1.1.16 (Firefox 3.0.8 next week as well). Currently there is no release date for SeaMonkey 1.1.16 but maybe this comes soon? Worth waiting? - Regards Wolfgang

See...
https://bugzilla.mozilla.org/show_bug.cgi?id=485217
http://dev.seamonkey.at/ (Bug Radar)

> Critical Mozilla bug 485217 has...

Please don't get confused by this autolink put in by launchpad. This is an invalid link.

John Vivirito (gnomefreak) wrote :

On 2.1.16 there is nothing i can do with it at this time. I will know when the Mozilla packages are released and i in Seamonkeys case i get it done within a day or 2 unless problems with it. The problem i keep running into is getting them into archives but that is something i plan on working on today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu1

---------------
seamonkey (1.1.15+nobinonly-0ubuntu1) jaunty; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu1) jaunty; urgency=low

  [ Alexander Sack ]
  * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and controlcharacters
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- John Vivirito <email address hidden> Sat, 21 Mar 2009 11:26:47 -0400

Changed in seamonkey:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu0.8.04.2

---------------
seamonkey (1.1.15+nobinonly-0ubuntu0.8.04.2) hardy-security; urgency=low

  * CVE-2009-1044: Arbitrary code execution via XUL tree element
    - add debian/patches/90_181_484320_attachment_368977.patch
    - update debian/patches/series
  * CVE-2009-1169: XSL Transformation vulnerability
    - add 90_181_485217_attachment_369357.patch
    - add debian/patches/90_181_485286_attachment_369457.patch

seamonkey (1.1.15+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and control ch$
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- Alexander Sack <email address hidden> Tue, 31 Mar 2009 13:21:19 +0200

Changed in seamonkey:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu0.8.10.2

---------------
seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.2) intrepid-security; urgency=low

  * CVE-2009-1044: Arbitrary code execution via XUL tree element
    - add debian/patches/90_181_484320_attachment_368977.patch
    - update debian/patches/series
  * CVE-2009-1169: XSL Transformation vulnerability
    - add 90_181_485217_attachment_369357.patch
    - add debian/patches/90_181_485286_attachment_369457.patch

seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low

  * * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and control ch$
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- Alexander Sack <email address hidden> Tue, 31 Mar 2009 13:21:19 +0200

Changed in seamonkey:
status: Triaged → Fix Released
John Vivirito (gnomefreak) wrote :

Marking as a duplicate of bug 356274

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.