Hello Fedora Legacy and Extras folks,

The RHEL advisory below just came out, along with advisories like this for
Thunderbird and for Firefox.  We in Legacy need to get busy on these,
because they are critical bugs, and we haven't updated any Firefox,
Thunderbird, or SeaMonkey (er, Mozilla) packages in a LONG time.

There are some old Bugzillas that had been open for RHL 7.3, RHL 9, FC 1,
FC 2, and FC 3 for Mozilla.  There has been a running discussion (and no
action -- largely my fault -- sorry!) about how and whether we upgrade
Mozilla to SeaMonkey so that SeaMonkey becomes a Mozilla replacement (Core)
package rather than an Extras package on a Bugzilla ticket for SeaMonkey.
The Bugzilla number is 209167:
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167>.

My understanding is that Michal Jaegermann (Fedora Legacy contributor) has
done work on at least one or more previous versions of SeaMonkey, having
created (FC4?) packages that should, once installed, act as a Mozilla
replacement, not unlike what the RHEL packages mentioned in RHSA-2006-0734 do.

The advantage of having SeaMonkey do this is that all other packages (such
as yelp, epiphany, possibly others) will inherit the more secure code from
SeaMonkey, since they tap into the shared-library (.so) files that SeaMonkey
would be providing.  My understanding then also would be that SeaMonkey is
meant to be API compatible with Mozilla, so that other programs that depend
on functions (or objects) in Mozilla's shared-library should continue to
work okay, possibly without recompilation, but probably requiring
recompilation and pushing to updates.

Does anyone have any comments on how you wish the Legacy Project to approach
this?  I favor SeaMonkey as a Mozilla replacement, as it covers all
vulnerabilities in packages that dynamically link to the shared libraries.
But perhaps there are other ideas.

Since Legacy Mozilla/Firefox/Thunderbird security bugs have been open since
June (and not worked on), I also advocate that we in Legacy build SeaMonkey
packages for *all* releases of Fedora Core that we have ever supported
(since older releases were supported at that time) and RHL 7.3 and RHL 9.
Does anyone object to that?

What say ye??

        Regards,
        David Eisenstein



-------- Original Message --------
Subject: [RHSA-2006:0734-01] Critical: seamonkey security update
Date: Wed, 8 Nov 2006 04:48:59 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: seamonkey security update
Advisory ID:       RHSA-2006:0734-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0734.html
Issue date:        2006-11-08
Updated on:        2006-11-08
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-5462 CVE-2006-5463 CVE-2006-5464
                   CVE-2006-5747 CVE-2006-5748
---------------------------------------------------------------------

1. Summary:

Updated seamonkey packages that fix several security bugs are now available
for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

... (RHEL 2.1, RHEL 3, RHEL 4) ...

3. Problem description:

SeaMonkey is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processes certain malformed
Javascript code. A malicious web page could cause the execution of
Javascript code in such a way that could cause SeaMonkey to crash or
execute arbitrary code as the user running SeaMonkey. (CVE-2006-5463,
CVE-2006-5747, CVE-2006-5748)

Several flaws were found in the way SeaMonkey renders web pages. A
malicious web page could cause the browser to crash or possibly execute
arbitrary code as the user running SeaMonkey. (CVE-2006-5464)

A flaw was found in the way SeaMonkey verifies RSA signatures. For RSA keys
with exponent 3 it is possible for an attacker to forge a signature that
would be incorrectly verified by the NSS library. SeaMonkey as shipped
trusts several root Certificate Authorities that use exponent 3. An
attacker could have created a carefully crafted SSL certificate which would be
incorrectly trusted when their site was visited by a victim. This flaw was
previously thought to be fixed in SeaMonkey 1.0.5, however Ulrich Kuehn
discovered the fix was incomplete. (CVE-2006-5462)

Users of SeaMonkey are advised to upgrade to these erratum packages, which
contain SeaMonkey version 1.0.6 and correct these issues.

<<snip>>

-- 
Enterprise-watch-list mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/enterprise-watch-list


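The exponent-3 flaw in the advisory above comes down to how the verifier checks the PKCS#1 v1.5 encoded message once the RSA public operation has recovered it. As an added example (not NSS, SeaMonkey or Red Hat code), this shows a scanning check of the shape that stops at the DigestInfo next to the strict rebuild-and-compare check that closes the hole; it assumes the RSA step s^e mod n has already produced the encoded message EM, and the malformed EM is a constructed test vector, not a forged signature.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """DigestInfo = DER(AlgorithmIdentifier) || SHA-256(message)."""
    return SHA256_DIGEST_INFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EM = 00 01 || PS (at least 8 bytes of FF) || 00 || DigestInfo, exactly k bytes."""
    t = digest_info(message)
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_lax(em: bytes, message: bytes) -> bool:
    """Scanning verifier: walks past 00 01 FF..FF 00, compares DigestInfo, stops.
    Whatever follows DigestInfo is never examined; a check of this shape is what
    the exponent-3 forgery (CVE-2006-5462) abused. Illustrative only."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least 8 bytes of PS, then 00
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t


def verify_strict(em: bytes, message: bytes) -> bool:
    """Rebuild the only valid EM for this message and length; compare in full."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def malformed_em(message: bytes, k: int) -> bytes:
    """Constructed test vector: minimal padding, DigestInfo, then filler bytes
    sitting where a scanning verifier never looks."""
    t = digest_info(message)
    filler = b"\x00" * (k - 3 - 8 - len(t))
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + filler
```

The strict form is the general fix: whatever the exponent, there is exactly one valid EM per message and modulus length, so nothing short of a full-length comparison should pass.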

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
