Your message dated Sun, 30 Jan 2011 16:23:06 +0000
with message-id <1296404586.25651.7846.ca...@hathi.jungle.funky-badger.org>
and subject line Re: Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1
has caused the Debian Bug report #610292,
regarding unblock: iceowl/1.0~b1+dfsg2-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
610292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,
I've moved iceowl in squeeze from the comm-zentral 3.0.0 codebase (aka
sunbird 1.0b1) to comm-zentral 3.0.11 (thunderbird 3.0.11). This fixes
quiet some security related issues in the mozilla codebase. With this
change made we can security support iceowl by "simply" using the icedove
tarball as a base since both packages are built from the same
comm-central repository. I tried to keep the packaging changes to a
minimum. Any chance we can push this into squeeze:
iceowl (1.0~b1+dfsg2-1) unstable; urgency=low
* [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
following security bugs:
- MFSA 2010-74 aka CVE-2010-3776, CVE-2010-3778: Miscellaneous memory
safety hazards (rv:1.9.2.13/ 1.9.1.16)
- MFSA 2010-75 aka CVE-2010-3769: Buffer overflow while line breaking
after document.write with long string
- MFSA 2010-78 aka CVE-2010-3768: Add support for OTS font sanitizer
- MFSA 2010-73 aka CVE-2010-3765: Heap buffer overflow mixing
document.write and DOM insertion
- MFSA 2010-64 aka CVE-2010-3174, CVE-2010-3176: Miscellaneous memory
safety hazards (rv:1.9.2.11/ 1.9.1.14)
- MFSA 2010-65 aka CVE-2010-3179: Buffer overflow and memory corruption
using document.write
- MFSA 2010-66 aka CVE-2010-3180: Use-after-free error in nsBarProp
- MFSA 2010-67 aka CVE-2010-3183: Dangling pointer vulnerability in
LookupGetterOrSetter
- MFSA 2010-69 aka CVE-2010-3178: Cross-site information disclosure via
modal calls
- MFSA 2010-71 aka CVE-2010-3182: Unsafe library loading vulnerabilities
- MFSA 2010-49 aka CVE-2010-3169: Miscellaneous memory safety hazards
(rv:1.9.2.9/ 1.9.1.12)
- MFSA 2010-50 aka CVE-2010-2765: Frameset integer overflow vulnerability
- MFSA 2010-51 aka CVE-2010-2767: Dangling pointer vulnerability using DOM
plugin array
- MFSA 2010-53 aka CVE-2010-3166: Heap buffer overflow in
nsTextFrameUtils::TransformText
- MFSA 2010-54 aka CVE-2010-2760: Dangling pointer vulnerability in
nsTreeSelection
- MFSA 2010-55 aka CVE-2010-3168: XUL tree removal crash and remote code
execution
- MFSA 2010-56 ala CVE-2010-3167: Dangling pointer vulnerability in
nsTreeContentView
- MFSA 2010-57 aka CVE-2010-2766: Crash and remote code execution in
normalizeDocument
- MFSA 2010-60 aka CVE-2010-2763: XSS using SJOW scripted function
- MFSA 2010-61 aka CVE-2010-2768: UTF-7 XSS by overriding document charset
using <object> type attribute
- MFSA 2010-62 aka CVE-2010-2769: Copy-and-paste or drag-and-drop into
designMode document allows XSS
- MFSA 2010-63 aka CVE-2010-2764: Information leak via XMLHttpRequest
statusText
- MFSA 2010-34 aka CVE-2010-1211, CVE-2010-1212: Miscellaneous memory
safety hazards (rv:1.9.2.7/ 1.9.1.11)
- MFSA 2010-39 aka CVE-2010-2752: nsCSSValue::Array index integer overflow
- MFSA 2010-40 aka CVE-2010-2753: nsTreeSelection dangling pointer remote
code execution vulnerability
- MFSA 2010-41 aka CVE-2010-1205: Remote code execution using malformed
PNG image
- MFSA 2010-42 aka CVE-2010-1213: Cross-origin data disclosure via Web
Workers and importScripts
- MFSA 2010-46 aka CVE-2010-0654: Cross-domain data theft using CSS
- MFSA 2010-47 aka CVE-2010-2754: Cross-origin data leakage from script
filename in error messages
- MFSA 2010-25 aka CVE-2010-1121: Re-use of freed object due to scope
confusion
- MFSA 2010-26 aka CVE-2010-1200, CVE-2010-1201, CVE-2010-1202: Crashes
with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
- MFSA 2010-29 aka CVE-2010-1196: Heap buffer overflow in
nsGenericDOMDataNode::SetTextInternal
- MFSA 2010-30 aka CVE-2010-1199: Integer Overflow in XSLT Node Sorting
- MFSA 2010-16 aka CVE-2010-0173, CVE-2010-0174: Crashes with evidence of
memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
- MFSA 2010-17 aka CVE-2010-0175: Remote code execution with
use-after-free in nsTreeSelection
- MFSA 2010-18 aka CVE-2010-0176: Dangling pointer vulnerability in
nsTreeContentView
- MFSA 2010-22 aka CVE-2009-3555: Update NSS to support TLS renegotiation
indication
- MFSA 2010-24 aka CVE-2010-0182: XMLDocument::load() doesn't check
nsIContentPolicy
- MFSA 2010-01 aka CVE-2010-0159: Crashes with evidence of memory
corruption (rv:1.9.1.8/ 1.9.0.18)
- MFSA 2010-03 aka CVE-2009-1571: Use-after-free crash in HTML parser
* [fa7095e] Rebase patches for new upstream version
* [3850d60] New patch Don-t-build-unused-bsdiff.patch: Don't build unused
bsdiff
* [7c49fe4] New patch Revert-post-release-version-bump.patch: Revert post
release version bump, this is still 1.0b1
* [bb9e37e] Don't build against the internal libbz2 copy
* [44898c0] Build depend on python-ply
* [321c9cd] Add preview image taken from icedove to replace the non-free
one.
-- Guido Günther <a...@sigxcpu.org> Sun, 16 Jan 2011 20:27:25 +0100
Sorry for being that late,
-- Guido
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
On Sun, 2011-01-30 at 16:12 +0100, Guido Günther wrote:
> On Sun, Jan 30, 2011 at 02:30:17PM +0100, Moritz Mühlenhoff wrote:
> > On Sat, Jan 29, 2011 at 07:52:38PM +0100, Guido Günther wrote:
> > > I'm cc'ing Moritz for his opinion on this. With the new version based on
> > > the icedove tarball it would be simple enough to handle the xulrunner
> > > flaws via that path.
> >
> > If iceowl uses the same Mozilla code base branch as the iceweasel source
> > package (which provides the xulrunner libs in Squeeze) and the iceowl
> > maintainers provide packages, we can fix in security updates. Iceweasel
> > updates are an order of a magnitude more critical, though.
>
> We use the icedove tarball[1] not the iceweasel one but the effect is
> the basically the same. We can reuse the security work done for icedove.
> Cheers,
> -- Guido
>
> [1] since both are based on comm-central
Okay; unblocked. Let's hope security updates indeed turn out not to be
too painful.
Regards,
Adam
--- End Message ---