Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-30 Thread Moritz Mühlenhoff
On Sat, Jan 29, 2011 at 07:52:38PM +0100, Guido Günther wrote:
 On Sat, Jan 29, 2011 at 05:48:43PM +, Adam D. Barratt wrote:
  On Tue, 2011-01-25 at 09:16 +0100, Guido Günther wrote:
   On Mon, Jan 24, 2011 at 08:43:38PM +, Adam D. Barratt wrote:
The main problem I'm having with looking at this is the size of the diff
that gets introduced as a result.  Even after ignoring the test suite,
the embedded copy of sqlite3 and the autoconf patches, I'm still left
with

 2061 files changed, 65055 insertions(+), 96419 deletions(-)

which isn't particularly fun. :-/
   Yes, I agree - updating from 3.0.0 to 3.0.11 sucks but it will allow us
   to track icedove's security releases from now on with minimal impact.
  [...]
   I fully understand that making these changes that late in the release is
   a bad thing but shipping unpatched xulrunner that reads external
   calendar data isn't great either. If the changes are too big we should
   reconsider pulling iceowl from squeeze. We could then come back with a
   better synched package for wheezy.
  
  So, I really should stop procrastinating on this. :-/
  
  Would I be correct in assuming that even with the new upstream tarball
  the package would still not get official support from the security team
  and any required security updates would have to go via proposed-updates?
 I'm cc'ing Moritz for his opinion on this. With the new version based on
 the icedove tarball it would be simple enough to handle the xulrunner
 flaws via that path.

If iceowl uses the same Mozilla code base branch as the iceweasel source
package (which provides the xulrunner libs in Squeeze) and the iceowl
maintainers provide packages, we can fix in security updates. Iceweasel
updates are an order of magnitude more critical, though.

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-30 Thread Guido Günther
On Sun, Jan 30, 2011 at 02:30:17PM +0100, Moritz Mühlenhoff wrote:
 On Sat, Jan 29, 2011 at 07:52:38PM +0100, Guido Günther wrote:
  On Sat, Jan 29, 2011 at 05:48:43PM +, Adam D. Barratt wrote:
   On Tue, 2011-01-25 at 09:16 +0100, Guido Günther wrote:
On Mon, Jan 24, 2011 at 08:43:38PM +, Adam D. Barratt wrote:
 The main problem I'm having with looking at this is the size of the diff
 that gets introduced as a result.  Even after ignoring the test suite,
 the embedded copy of sqlite3 and the autoconf patches, I'm still left
 with
 
  2061 files changed, 65055 insertions(+), 96419 deletions(-)
 
 which isn't particularly fun. :-/
Yes, I agree - updating from 3.0.0 to 3.0.11 sucks but it will allow us
to track icedove's security releases from now on with minimal impact.
   [...]
I fully understand that making these changes that late in the release is
a bad thing but shipping unpatched xulrunner that reads external
calendar data isn't great either. If the changes are too big we should
reconsider pulling iceowl from squeeze. We could then come back with a
better synched package for wheezy.
   
   So, I really should stop procrastinating on this. :-/
   
   Would I be correct in assuming that even with the new upstream tarball
   the package would still not get official support from the security team
   and any required security updates would have to go via proposed-updates?
  I'm cc'ing Moritz for his opinion on this. With the new version based on
  the icedove tarball it would be simple enough to handle the xulrunner
  flaws via that path.
 
 If iceowl uses the same Mozilla code base branch as the iceweasel source
 package (which provides the xulrunner libs in Squeeze) and the iceowl
 maintainers provide packages, we can fix in security updates. Iceweasel
 updates are an order of magnitude more critical, though.

We use the icedove tarball[1], not the iceweasel one, but the effect is
basically the same. We can reuse the security work done for icedove.
Cheers,
 -- Guido

[1] since both are based on comm-central



Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-29 Thread Adam D. Barratt
On Tue, 2011-01-25 at 09:16 +0100, Guido Günther wrote:
 On Mon, Jan 24, 2011 at 08:43:38PM +, Adam D. Barratt wrote:
  The main problem I'm having with looking at this is the size of the diff
  that gets introduced as a result.  Even after ignoring the test suite,
  the embedded copy of sqlite3 and the autoconf patches, I'm still left
  with
  
   2061 files changed, 65055 insertions(+), 96419 deletions(-)
  
  which isn't particularly fun. :-/
 Yes, I agree - updating from 3.0.0 to 3.0.11 sucks but it will allow us
 to track icedove's security releases from now on with minimal impact.
[...]
 I fully understand that making these changes that late in the release is
 a bad thing but shipping unpatched xulrunner that reads external
 calendar data isn't great either. If the changes are too big we should
 reconsider pulling iceowl from squeeze. We could then come back with a
 better synched package for wheezy.

So, I really should stop procrastinating on this. :-/

Would I be correct in assuming that even with the new upstream tarball
the package would still not get official support from the security team
and any required security updates would have to go via proposed-updates?

Regards,

Adam




Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-29 Thread Guido Günther
On Sat, Jan 29, 2011 at 05:48:43PM +, Adam D. Barratt wrote:
 On Tue, 2011-01-25 at 09:16 +0100, Guido Günther wrote:
  On Mon, Jan 24, 2011 at 08:43:38PM +, Adam D. Barratt wrote:
   The main problem I'm having with looking at this is the size of the diff
   that gets introduced as a result.  Even after ignoring the test suite,
   the embedded copy of sqlite3 and the autoconf patches, I'm still left
   with
   
2061 files changed, 65055 insertions(+), 96419 deletions(-)
   
   which isn't particularly fun. :-/
  Yes, I agree - updating from 3.0.0 to 3.0.11 sucks but it will allow us
  to track icedove's security releases from now on with minimal impact.
 [...]
  I fully understand that making these changes that late in the release is
  a bad thing but shipping unpatched xulrunner that reads external
  calendar data isn't great either. If the changes are too big we should
  reconsider pulling iceowl from squeeze. We could then come back with a
  better synched package for wheezy.
 
 So, I really should stop procrastinating on this. :-/
 
 Would I be correct in assuming that even with the new upstream tarball
 the package would still not get official support from the security team
 and any required security updates would have to go via proposed-updates?
I'm cc'ing Moritz for his opinion on this. With the new version based on
the icedove tarball it would be simple enough to handle the xulrunner
flaws via that path.
Cheers,
 -- Guido



Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-25 Thread Guido Günther
On Mon, Jan 24, 2011 at 08:43:38PM +, Adam D. Barratt wrote:
 Hi,
 
 Apologies for the delay in getting back to you.
 
 On Mon, 2011-01-17 at 09:28 +0100, Guido Günther wrote:
  I've moved iceowl in squeeze from the comm-central 3.0.0 codebase (aka
  sunbird 1.0b1) to comm-central 3.0.11 (thunderbird 3.0.11). This fixes
  quite some security related issues in the mozilla codebase. With this
  change made we can security support iceowl by simply using the icedove
  tarball as a base since both packages are built from the same
  comm-central repository. I tried to keep the packaging changes to a
  minimum. Any chance we can push this into squeeze:
 
 The main problem I'm having with looking at this is the size of the diff
 that gets introduced as a result.  Even after ignoring the test suite,
 the embedded copy of sqlite3 and the autoconf patches, I'm still left
 with
 
  2061 files changed, 65055 insertions(+), 96419 deletions(-)
 
 which isn't particularly fun. :-/
Yes, I agree - updating from 3.0.0 to 3.0.11 sucks but it will allow us
to track icedove's security releases from now on with minimal impact.

  iceowl (1.0~b1+dfsg2-1) unstable; urgency=low
  
* [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
  following security bugs:
 
 [chomp]  How many of those bugs actually affect the version of the
 package in Squeeze, rather than being introduced as part of the upstream
 tarball switch?
Given that many bugs affect iceowl's own copy of xulrunner, they are real
issues found in the code we currently ship.

I fully understand that making these changes that late in the release is
a bad thing but shipping unpatched xulrunner that reads external
calendar data isn't great either. If the changes are too big we should
reconsider pulling iceowl from squeeze. We could then come back with a
better synched package for wheezy.

Cheers,
 -- Guido

 
 Regards,
 
 Adam
 



Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-24 Thread Adam D. Barratt
Hi,

Apologies for the delay in getting back to you.

On Mon, 2011-01-17 at 09:28 +0100, Guido Günther wrote:
 I've moved iceowl in squeeze from the comm-central 3.0.0 codebase (aka
 sunbird 1.0b1) to comm-central 3.0.11 (thunderbird 3.0.11). This fixes
 quite some security related issues in the mozilla codebase. With this
 change made we can security support iceowl by simply using the icedove
 tarball as a base since both packages are built from the same
 comm-central repository. I tried to keep the packaging changes to a
 minimum. Any chance we can push this into squeeze:

The main problem I'm having with looking at this is the size of the diff
that gets introduced as a result.  Even after ignoring the test suite,
the embedded copy of sqlite3 and the autoconf patches, I'm still left
with

 2061 files changed, 65055 insertions(+), 96419 deletions(-)

which isn't particularly fun. :-/

 iceowl (1.0~b1+dfsg2-1) unstable; urgency=low
 
   * [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
 following security bugs:

[chomp]  How many of those bugs actually affect the version of the
package in Squeeze, rather than being introduced as part of the upstream
tarball switch?

Regards,

Adam




Bug#610292: unblock: iceowl/1.0~b1+dfsg2-1

2011-01-17 Thread Guido Günther
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
I've moved iceowl in squeeze from the comm-central 3.0.0 codebase (aka
sunbird 1.0b1) to comm-central 3.0.11 (thunderbird 3.0.11). This fixes
quite some security related issues in the mozilla codebase. With this
change made we can security support iceowl by simply using the icedove
tarball as a base since both packages are built from the same
comm-central repository. I tried to keep the packaging changes to a
minimum. Any chance we can push this into squeeze:

iceowl (1.0~b1+dfsg2-1) unstable; urgency=low

  * [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
following security bugs:
 - MFSA 2010-74 aka CVE-2010-3776, CVE-2010-3778: Miscellaneous memory
   safety hazards (rv:1.9.2.13/ 1.9.1.16)
 - MFSA 2010-75 aka CVE-2010-3769: Buffer overflow while line breaking
   after document.write with long string
 - MFSA 2010-78 aka CVE-2010-3768: Add support for OTS font sanitizer
 - MFSA 2010-73 aka CVE-2010-3765: Heap buffer overflow mixing
   document.write and DOM insertion
 - MFSA 2010-64 aka CVE-2010-3174, CVE-2010-3176: Miscellaneous memory
   safety hazards (rv:1.9.2.11/ 1.9.1.14)
 - MFSA 2010-65 aka CVE-2010-3179: Buffer overflow and memory corruption
   using document.write
 - MFSA 2010-66 aka CVE-2010-3180: Use-after-free error in nsBarProp
 - MFSA 2010-67 aka CVE-2010-3183: Dangling pointer vulnerability in
   LookupGetterOrSetter
 - MFSA 2010-69 aka CVE-2010-3178: Cross-site information disclosure via
   modal calls
 - MFSA 2010-71 aka CVE-2010-3182: Unsafe library loading vulnerabilities
 - MFSA 2010-49 aka CVE-2010-3169: Miscellaneous memory safety hazards
   (rv:1.9.2.9/ 1.9.1.12)
 - MFSA 2010-50 aka CVE-2010-2765: Frameset integer overflow vulnerability
 - MFSA 2010-51 aka CVE-2010-2767: Dangling pointer vulnerability using DOM
   plugin array
 - MFSA 2010-53 aka CVE-2010-3166: Heap buffer overflow in
   nsTextFrameUtils::TransformText
 - MFSA 2010-54 aka CVE-2010-2760: Dangling pointer vulnerability in
   nsTreeSelection
 - MFSA 2010-55 aka CVE-2010-3168: XUL tree removal crash and remote code
   execution
 - MFSA 2010-56 aka CVE-2010-3167: Dangling pointer vulnerability in
   nsTreeContentView
 - MFSA 2010-57 aka CVE-2010-2766: Crash and remote code execution in
   normalizeDocument
 - MFSA 2010-60 aka CVE-2010-2763: XSS using SJOW scripted function
 - MFSA 2010-61 aka CVE-2010-2768: UTF-7 XSS by overriding document charset
   using object type attribute
 - MFSA 2010-62 aka CVE-2010-2769: Copy-and-paste or drag-and-drop into
   designMode document allows XSS
 - MFSA 2010-63 aka CVE-2010-2764: Information leak via XMLHttpRequest
   statusText
 - MFSA 2010-34 aka CVE-2010-1211, CVE-2010-1212: Miscellaneous memory
   safety hazards (rv:1.9.2.7/ 1.9.1.11)
 - MFSA 2010-39 aka CVE-2010-2752: nsCSSValue::Array index integer overflow
 - MFSA 2010-40 aka CVE-2010-2753: nsTreeSelection dangling pointer remote
   code execution vulnerability
 - MFSA 2010-41 aka CVE-2010-1205: Remote code execution using malformed
   PNG image
 - MFSA 2010-42 aka CVE-2010-1213: Cross-origin data disclosure via Web
   Workers and importScripts
 - MFSA 2010-46 aka CVE-2010-0654: Cross-domain data theft using CSS
 - MFSA 2010-47 aka CVE-2010-2754: Cross-origin data leakage from script
   filename in error messages
 - MFSA 2010-25 aka CVE-2010-1121: Re-use of freed object due to scope
   confusion
 - MFSA 2010-26 aka CVE-2010-1200, CVE-2010-1201, CVE-2010-1202: Crashes
   with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
 - MFSA 2010-29 aka CVE-2010-1196: Heap buffer overflow in
   nsGenericDOMDataNode::SetTextInternal
 - MFSA 2010-30 aka CVE-2010-1199: Integer Overflow in XSLT Node Sorting
 - MFSA 2010-16 aka CVE-2010-0173, CVE-2010-0174: Crashes with evidence of
   memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
 - MFSA 2010-17 aka CVE-2010-0175: Remote code execution with
   use-after-free in nsTreeSelection
 - MFSA 2010-18 aka CVE-2010-0176: Dangling pointer vulnerability in
   nsTreeContentView
 - MFSA 2010-22 aka CVE-2009-3555: Update NSS to support TLS renegotiation
   indication
 - MFSA 2010-24 aka CVE-2010-0182: XMLDocument::load() doesn't check
   nsIContentPolicy
 - MFSA 2010-01 aka CVE-2010-0159: Crashes with evidence of memory
   corruption (rv:1.9.1.8/ 1.9.0.18)
 - MFSA 2010-03 aka CVE-2009-1571: Use-after-free crash in HTML parser
  * [fa7095e] Rebase patches for new upstream version
  * [3850d60] New patch Don-t-build-unused-bsdiff.patch: Don't build unused
bsdiff
  * [7c49fe4] New patch Revert-post-release-version-bump.patch: Revert post
release version bump, this is still 1.0b1
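Adam's question earlier in this thread is how many of the advisories in the changelog above actually affect the iceowl build already in Squeeze, as opposed to code that only arrives with the new tarball. Answering that starts with getting the list into a structured form that can be checked against an existing assessment. The Python below is an added example, not code from this thread or from the iceowl package: it parses advisory lines in the format the quoted changelog uses (titles wrapped onto a following indented line, several CVEs per MFSA, and the one entry spelled "ala" instead of "aka") into MFSA id, CVE list and title, and then partitions them against a set of CVEs already assessed as affecting the shipped version. The changelog excerpt is a verbatim subset of the list above; the `SHIPPED_AFFECTED` set is a constructed placeholder standing in for whatever the Debian security tracker would say, not a real assessment of which CVEs touch Squeeze's iceowl.

```python
import re
from dataclasses import dataclass

# Verbatim subset of the advisory list from the iceowl changelog quoted in this
# thread (sample input; the full list has 40 entries). One entry keeps the
# "ala" spelling that appears in the original list.
CHANGELOG_EXCERPT = """\
  * [d96a5b0] New upstream version based on icedove 3.0.11 this fixes the
following security bugs:
 - MFSA 2010-74 aka CVE-2010-3776, CVE-2010-3778: Miscellaneous memory
   safety hazards (rv:1.9.2.13/ 1.9.1.16)
 - MFSA 2010-75 aka CVE-2010-3769: Buffer overflow while line breaking
   after document.write with long string
 - MFSA 2010-56 ala CVE-2010-3167: Dangling pointer vulnerability in
   nsTreeContentView
 - MFSA 2010-26 aka CVE-2010-1200, CVE-2010-1201, CVE-2010-1202: Crashes
   with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
 - MFSA 2010-22 aka CVE-2009-3555: Update NSS to support TLS renegotiation
   indication
  * [fa7095e] Rebase patches for new upstream version
"""

# Constructed placeholder: CVEs assumed to have been assessed elsewhere (for
# example in the Debian security tracker) as affecting the iceowl build that
# is currently in Squeeze. This is NOT a real assessment.
SHIPPED_AFFECTED = {"CVE-2010-3776", "CVE-2009-3555"}

# One advisory line: "- MFSA YYYY-NN aka CVE-..., CVE-...: title".
# "a[kl]a" tolerates the "ala" typo present in the original list.
ADVISORY_RE = re.compile(
    r"^-\s+(?P<mfsa>MFSA \d{4}-\d+)\s+a[kl]a\s+"
    r"(?P<cves>CVE-\d{4}-\d+(?:,\s*CVE-\d{4}-\d+)*):\s*(?P<title>.*)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


@dataclass
class Advisory:
    mfsa: str
    cves: list
    title: str


def parse_advisories(changelog_text):
    """Extract (MFSA, CVEs, title) triples from a changelog bullet list.

    Title text wrapped onto following indented lines is joined back onto the
    advisory it belongs to; the list ends at the next '*' changelog bullet.
    """
    advisories = []
    in_list = False
    for raw in changelog_text.splitlines():
        line = raw.strip()
        match = ADVISORY_RE.match(line)
        if match:
            in_list = True
            advisories.append(Advisory(
                mfsa=match.group("mfsa"),
                cves=CVE_RE.findall(match.group("cves")),
                title=match.group("title").strip(),
            ))
        elif in_list and line.startswith("*"):
            in_list = False  # next changelog item: the advisory list is over
        elif in_list and line and not line.startswith("-"):
            advisories[-1].title += " " + line  # wrapped continuation of the title
    return advisories


def all_cves(advisories):
    """Flat, de-duplicated list of every CVE the advisories reference."""
    seen = []
    for adv in advisories:
        for cve in adv.cves:
            if cve not in seen:
                seen.append(cve)
    return seen


def triage(advisories, shipped_affected):
    """Split advisories into those touching the shipped version and the rest.

    An advisory counts as relevant if any of its CVEs is in shipped_affected.
    """
    relevant = [a for a in advisories if set(a.cves) & shipped_affected]
    unrelated = [a for a in advisories if not set(a.cves) & shipped_affected]
    return relevant, unrelated


if __name__ == "__main__":
    advisories = parse_advisories(CHANGELOG_EXCERPT)
    relevant, unrelated = triage(advisories, SHIPPED_AFFECTED)
    print(f"{len(advisories)} advisories, {len(all_cves(advisories))} CVEs")
    for adv in relevant:
        print("affects shipped version:", adv.mfsa, ", ".join(adv.cves), "-", adv.title)
    print(f"{len(unrelated)} advisories not known to affect the shipped version")
```

Feeding the full list from the changelog into `parse_advisories` gives the complete MFSA-to-CVE mapping; the remaining work, deciding which of those CVEs are present in the Squeeze build, is the assessment Adam is asking for and has to come from the tracker or from checking the affected code, not from the changelog itself.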