[MASTER] Please update seamonkey to version 2.0*

Reported by John Vivirito on 2009-04-06
This bug affects 3 people
Affects Status Importance Assigned to Milestone
seamonkey (Ubuntu)
High
Unassigned
Nominated for Dapper by r12056
Declined for Hardy by Alexander Sack
Declined for Intrepid by Alexander Sack
Declined for Karmic by Chris Coulson
Declined for Lucid by Chris Coulson
Jaunty
High
Unassigned

Bug Description

Binary package hint: seamonkey

I'm filing this bug for my own reminder, please do not comment on this as it's not needed.
Please mark any other bugs requesting to update to 1.1.17 to this bug.
This security release has not yet been released.
I will start on it within a day or 3 of the final 1.1.17 release.

Thanks and have a nice day :)

Changed in seamonkey (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → gnomefreak

Good luck John, 2 minutes ago I opened a similar request as bug 356272, that one may be closed as dup then. Was a cross opening... Regards Wolfgang

Alexander Sack (asac) wrote :

we already have (almost) all the patches from 1.1.16 uploaded in last security round. for jaunty we should still upgrade when it becomes available before release.

Changed in seamonkey (Ubuntu Jaunty):
importance: Critical → High

On 04/06/2009 10:40 AM, Alexander Sack wrote:
> we already have (almost) all the patches from 1.1.16 uploaded in last
> security round. for jaunty we should still upgrade when it becomes
> available before release.
>
> ** Also affects: seamonkey (Ubuntu Jaunty)
> Importance: Critical
> Assignee: John Vivirito (gnomefreak)
> Status: Triaged
>
> ** Changed in: seamonkey (Ubuntu Jaunty)
> Importance: Critical => High
>
ok agreed, I forgot that you added the 2 CVEs to intrepid and hardy
1.1.15 release

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

Steve Langasek (vorlon) on 2009-04-09
Changed in seamonkey (Ubuntu Jaunty):
milestone: none → ubuntu-9.04
John Vivirito (gnomefreak) wrote :

On 04/09/2009 06:34 PM, Steve Langasek wrote:
> ** Changed in: seamonkey (Ubuntu Jaunty)
> Milestone: None => ubuntu-9.04
>
We have cherry-picked the patches for 1.1.16 in 1.1.15, so we are
skipping 1.1.16; there were only 2 patches as I recall.

--
Sincerely Yours,
    John Vivirito


Changing to make it a 1.1.17 release should be out in ~ a month give or take a week.

Changed in seamonkey (Ubuntu Jaunty):
status: Triaged → Incomplete
description: updated
summary: - [MASTER] Please update seamonkey to latest 1.1.16
+ [MASTER] Please update seamonkey to latest 1.1.17

Alexander, the patches were it; they didn't release any more updates in the last week or so.
Moving on to 1.1.17 when it's released.

Steve Langasek (vorlon) wrote :

If the security fixes are already in, there doesn't seem to be a reason to update jaunty after release. Declining the jaunty target.

Changed in seamonkey (Ubuntu Jaunty):
milestone: ubuntu-9.04 → none
status: Incomplete → Won't Fix

On 04/18/2009 05:44 PM, Steve Langasek wrote:
> If the security fixes are already in, there doesn't seem to be a reason
> to update jaunty after release. Declining the jaunty target.
>
> ** Changed in: seamonkey (Ubuntu Jaunty)
> Status: Incomplete => Won't Fix
>
> ** Changed in: seamonkey (Ubuntu Jaunty)
> Milestone: ubuntu-9.04 => None
>
Thanks

--
Sincerely Yours,
    John Vivirito


It seems that 1.1.17 is released now.

On 06/25/2009 05:07 AM, Nikola M wrote:
> It seems that 1.1.17 is released now.
>
I'm out for a bit longer, ~a month. I sent an email to Alexander
to please update Seamonkey 1.x.x a little while ago.

--
Sincerely Yours,
    John Vivirito


ok working on this for karmic atm if it all goes well jaunty intrepid hardy to follow

Changed in seamonkey (Ubuntu Jaunty):
status: Won't Fix → Triaged
Changed in seamonkey (Ubuntu):
status: Incomplete → Triaged

On 07/06/2009 09:27 AM, John Vivirito wrote:
> ok working on this for karmic atm if it all goes well jaunty intrepid
> hardy to follow
>
> ** Changed in: seamonkey (Ubuntu Jaunty)
> Status: Won't Fix => Triaged
>
> ** Changed in: seamonkey (Ubuntu)
> Status: Incomplete => Triaged
>
I'm done with 1.1.17; I am uploading to my PPA atm and it will be pushed
to repos tomorrow.
Statuses will change with upload.

--
Sincerely Yours,
    John Vivirito


I downloaded the source code of Seamonkey 1.1.17 from Gnomefreak's PPA
and made debs under Xubuntu 8.04.3/Hardy 64-bit. It works nice for now, :)
so I think it is ready to be pushed in Hardy-updates and other official repos for supported releases.

Nikola M (nikolam) wrote :

Also Alexander, why is Seamonkey 1.1.17 declined for Hardy LTS and/or Intrepid?
Security vulnerabilities 1.1.17 is fixing:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.17

MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme

John Vivirito (gnomefreak) wrote :

Alexander, can you please reopen them? I won't be back after today 07-19-2009 until the 21st. I'm in meetings all day Monday.

Nikola M (nikolam) wrote :

I am using 1.1.7 I compiled from PPA, I must say, it is working just fine under my Hardy 64-bit. Release time?

John Vivirito (gnomefreak) wrote :

It does work fine; I tested this on my system before packaging it for PPA. I have asked Alexander to push this to archives a few times and it's on his to-do list. Unless I'm not here for some reason (like this week) I package them the day they are released, give or take a day.

John Vivirito (gnomefreak) wrote :

The branches have been merged from mine so it shouldn't be long for them to hit.

John Vivirito (gnomefreak) wrote :

Well at least should have been.

John Vivirito (gnomefreak) wrote :

Eh, I didn't see you said on 64bit. I only tested 32bit.

On 07/26/2009 09:22 AM, John Vivirito wrote:
> Well at least should have been.
>
They were merged and sponsored by Alexander so the updates should hit soon.

--
Sincerely Yours,
    John Vivirito


Soo.. I don't see Sm 1.1.17 on packages.ubuntu.com..
Ordinary users still using old one, I suppose.
What needs to be done for upgrade to "hit" all users, instead of only ones that have security repo On?

On 08/04/2009 06:18 PM, Nikola M wrote:
> Soo.. I don't see Sm 1.1.17 on packages.ubuntu.com..
> Ordinary users still using old one, I suppose.
> What needs to be done for upgrade to "hit" all users, instead of only ones that have security repo On?
>
Right now it's in the Mozilla team's security release PPA; it will be pushed
after that. I will ping him again since it's been a while.

--
Sincerely Yours,
    John Vivirito


We need to see to it, that this process is a bit faster in the future, after all, browser update should be security thing, like it is for Firefox. Me- volunteering to testing.

On 08/05/2009 01:31 PM, Nikola M wrote:
> We need to see to it, that this process is a bit faster in the future,
> after all, browser update should be security thing, like it is for
> Firefox. Me- volunteering to testing.
>
Talked to Alexander yesterday and he forgot about seamonkey,
that is why it took so long, so I would think in the next day or so it will
be uploaded. Right now it's in the following PPA:
https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa

--
Sincerely Yours,
    John Vivirito


...
I still don't see 1.1.17 released and/or on packages.ubuntu.com.
I am truly positive about Seamonkey and *Ubuntu and I am willing to commit my time to see it
upgraded for all users, faster than this.. Feel free to contact me.

> June 22, 2009
> SeaMonkey 1.1.17 Released
So maybe after 2 months we could push it?

Wladimir Mutel (mwg) wrote :

I think this could only happen after Seamonkey project releases 1.1.18. Too many gears with too much friction are engaged in Ubuntu release processes.

Nikola M (nikolam) wrote :

Somehow I don't understand.
But if there is some documentation or discussion describing this process and how and why
security-related updated packages for Firefox could be uploaded to users and Seamonkey can't.

Artur Rona (ari-tczew) on 2009-08-16
tags: added: upgrade

On 08/15/2009 06:50 AM, Nikola M wrote:
> Somehow I don't understand.
> But if there is some documentation or discussion describing this process and how and why
> security-related updated packages for Firefox could be uploaded to users and Seamonkey can't.
>
Last i talked to Alexander he was busy and would do it ASAP
but i guess he never did it. I just got back i was gone since
friday. I will ping him this morning before i leave and point
him to this bug since he keeps forgetting

--
Sincerely Yours,
    John Vivirito


https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa has all builds for Seamonkey-1.1.17, can you please test on Hardy.
Seamonkey-1.1.18 should be released next week sometime; I will start on it then, should be done in a few days after release, and will do this all over again :) but talking to Alexander right now about SM1.1.17/.18
If I understand him correctly he wants to wait until 1.1.18 is released now since it's only a week, so I will build it and push to PPA, then ask for merge of branches, then ask him to upload.

John Vivirito (gnomefreak) wrote :

The above comment about 1.1.18 releasing next week seems to be wrong; it has not been tagged for release by Mozilla, so we will try to get 1.1.17 in today or tomorrow but still would like testers for at least hardy. I have tested jaunty and karmic so far; intrepid isn't really on my worry list but Hardy is since it's LTS.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.17+nobinonly-0ubuntu0.8.04.1

---------------
seamonkey (1.1.17+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New upstream security release: 1.1.17 (LP: #356274)
    - CVE-2009-1841: JavaScript chrome privilege escalation
    - CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null
    - CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests
    - CVE-2009-1835: Arbitrary domain cookie access by local file: resources
    - CVE-2009-1392, CVE-2009-1832, CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11)
    - CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame
    - CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme
    - MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
  * removed debian/patches/90_181_484320_attachment_368977.patch
  * removed debian/patches/90_181_485217_attachment_369357.patch
  * removed debian/patches/90_181_485286_attachment_369457.patch
    - update debian/patches/series

 -- John Vivirito <email address hidden> Mon, 06 Jul 2009 13:20:53 -0400

Changed in seamonkey (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.17+nobinonly-0ubuntu0.9.04.1

---------------
seamonkey (1.1.17+nobinonly-0ubuntu0.9.04.1) jaunty-security; urgency=low

  * New upstream security release: 1.1.17 (LP: #356274)
    - CVE-2009-1841: JavaScript chrome privilege escalation
    - CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null
    - CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests
    - CVE-2009-1835: Arbitrary domain cookie access by local file: resources
    - CVE-2009-1392, CVE-2009-1832, CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11)
    - CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame
    - CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme
    - MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
  * removed debian/patches/90_181_484320_attachment_368977.patch
  * removed debian/patches/90_181_485217_attachment_369357.patch
  * removed debian/patches/90_181_485286_attachment_369457.patch
    - update debian/patches/series

 -- John Vivirito <email address hidden> Mon, 06 Jul 2009 13:20:53 -0400

Changed in seamonkey (Ubuntu Jaunty):
status: Triaged → Fix Released
Nikola M (nikolam) wrote :

I am using 1.1.17 from PPA for a very long time on Hardy 8.04/LTS 64-bit.
It is behaving just fine, as usual.

Sometimes it happens that it starts with its security subsystem disabled, and works fine after start again, but it was happening also in versions before, very rarely
and is no cause for alarm (there is bug report about it).

So since i am using it nearly a month now I think it is safe to publish on 64-bit on Hardy.
Is there any regular testing team with usual participants, that I am not aware of, I can join?

Thanks for Activating 1.1.17 and I would not wait for 1.1.18, since it's the same waiting story over
again ;)

John Vivirito (gnomefreak) wrote :

Nikola:
It should have been pushed into Hardy repos as well as all the other ones Hardy -> Karmic

Nikola M (nikolam) wrote :

I see :) it is nice to see that, thanks a lot ;)

ok I updated the bug for 1.1.18, it was released yesterday I think, but either way I was gone when it was released. I'm going to try and have this done for Alexander to push

summary: - [MASTER] Please update seamonkey to latest 1.1.17
+ [MASTER] Please update seamonkey to latest 1.1.18
Changed in seamonkey (Ubuntu):
status: Fix Released → In Progress
Changed in seamonkey (Ubuntu Jaunty):
status: Fix Released → In Progress
John Vivirito (gnomefreak) wrote :

Bug #425757 should get fixed when we update to 1.1.18.
There is a slight conflict with patches for whoever gets to it before I do.

Changed in seamonkey (Ubuntu):
status: In Progress → Confirmed
Changed in seamonkey (Ubuntu Jaunty):
status: In Progress → Confirmed
Changed in seamonkey (Ubuntu):
assignee: John Vivirito (gnomefreak) → nobody
Changed in seamonkey (Ubuntu Jaunty):
assignee: John Vivirito (gnomefreak) → nobody
Nikola M (nikolam) wrote :

Surprised it still is not released in Ubuntu. (Just came back from a trip ;)
Hmm, I would need to learn this packaging stuff..

On 10/12/2009 06:02 PM, Nikola M wrote:
> Surprised it still is not released in Ubuntu. (Just came back from a trip ;)
> Hmm, I would need to learn this packaging stuff..
>
Sorry I haven't had time to work out the errors yet. This late
i will be looking for 1.1.19 to update to. I will update the
bug when i see *.19 released and working on it.

--
Sincerely Yours,
    John Vivirito


Probably updating to 1.1.18 is pointless for the reasons described here:
http://<email address hidden>/msg02588.html

One more reason is Seamonkey 1.x series is pronounced not oldstable anymore but unsupported instead so may be reasonable to start looking into 2.0 because it is the only version treated as adequate currently.

Nikola M (nikolam) wrote :

Great, thanks for clarification, So it seems that Bug #461864 (Seamonkey 2.0) should come into some serious consideration, then.

summary: - [MASTER] Please update seamonkey to latest 1.1.18
+ [MASTER] Please update seamonkey to latest 1.1.19

Yes, there is another (and maybe the last) security release SeaMonkey 1.1.19 to keep up with Thunderbird 2.0.0.24. So if any packaging professional is feeling good, please spend a last update before we all move to 2.x.

http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

On 03/19/2010 07:38 PM, Wolfgang Pietsch wrote:
> Yes, there is another (and maybe the last) security release SeaMonkey
> 1.1.19 to keep up with Thunderbird 2.0.0.24. So if any packaging
> professional is feeling good, please spend a last update before we all
> move to 2.x.
>
> http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html
>
I don't have time to update Seamonkey but yes we should update it for
<Lucid until 2.0 gets fixed and pushed to Lucid

--
Sincerely Yours,
    John Vivirito


We're likely going to jump straight to 2.0.x.

i like this idea.

On 04/28/2010 11:35 PM, Micah Gersten wrote:
> We're likely going to jump straight to 2.0.x.
>

--
Sincerely Yours,
    John Vivirito


summary: - [MASTER] Please update seamonkey to latest 1.1.19
+ [MASTER] Please update seamonkey to version 2.0*
Changed in seamonkey (Ubuntu Jaunty):
status: Confirmed → Won't Fix
John Vivirito (gnomefreak) wrote :

Can someone please decline the nominations, we will not be needing them.

Updated Title to reflect updated to 2.0.* as Seamonkey will be following in line with firefox, thunderbird etc. from Mozilla

Marked as Triaged since no more info is needed. We will get to this as soon as we can, however with the major changes within Mozilla the Ubuntu-Mozilla-team is still playing catch-up with all packages. We did get Seamonkey-2.0.4+nobinonly-0ubuntu1 into Lucid, and since Lucid is stable LTS it should be fairly safe to upgrade and is pretty much the best idea to keep current LTS version

Changed in seamonkey (Ubuntu):
status: Confirmed → Triaged
John Vivirito (gnomefreak) wrote :

This is not going to be included in dapper. Can someone please decline that nomination.

Micah Gersten (micahg) wrote :

Seamonkey 2 now on all supported Ubuntu versions.

Changed in seamonkey (Ubuntu):
status: Triaged → Fix Released
Changed in seamonkey (Ubuntu Jaunty):
status: Won't Fix → Fix Released