
Debian Bug report logs - #351442
firefox: Several security vulnerabilities fixed in Firefox 1.5.0.1


Package: firefox; Maintainer for firefox is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>; Source for firefox is src:firefox.

Reported by: Santiago José Ruano Rincón <santiago@unicauca.edu.co>

Date: Sat, 4 Feb 2006 22:03:54 UTC

Severity: grave

Tags: security

Found in version firefox/1.5.dfsg-4

Fixed in version firefox/1.5.dfsg+1.5.0.1-1

Done: Eric Dorland <eric@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Eric Dorland <eric@debian.org>:
Bug#351442; Package firefox.


Acknowledgement sent to Santiago José Ruano Rincón <santiago@unicauca.edu.co>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Eric Dorland <eric@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Santiago José Ruano Rincón <santiago@unicauca.edu.co>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firefox: Several security vulnerabilities fixed in Firefox 1.5.0.1
Date: Sat, 04 Feb 2006 16:53:26 -0500
Package: firefox
Version: 1.5.dfsg-4
Severity: grave
Tags: security
Justification: user security hole


Please package the new firefox version; it fixes these vulnerabilities
besides some other improvements:

MFSA 2006-08 "AnyName" entrainment and access control hazard
MFSA 2006-07 Read beyond buffer while parsing XML
MFSA 2006-06 Integer overflows in E4X, SVG and Canvas
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-04 Memory corruption via QueryInterface on Location, Navigator objects
MFSA 2006-03 Long document title causes startup denial of Service
MFSA 2006-02 Changing position:relative to static corrupts memory
MFSA 2006-01 JavaScript garbage-collection hazards

One of them is "critical".

Thanks for your work,

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13
Locale: LANG=es_CO, LC_CTYPE=es_CO (charmap=ISO-8859-1)

Versions of packages firefox depends on:
ii  debianutils            2.8.4             Miscellaneous utilities specific t
ii  fontconfig             2.3.1-2           generic font configuration library
ii  libatk1.0-0            1.10.3-1          The ATK accessibility toolkit
ii  libc6                  2.3.5-7           GNU C Library: Shared libraries an
ii  libcairo2              1.0.2-3           The Cairo 2D vector graphics libra
ii  libfontconfig1         2.3.1-2           generic font configuration library
ii  libfreetype6           2.1.7-2.4         FreeType 2 font engine, shared lib
ii  libgcc1                1:4.0.2-2         GCC support library
ii  libglib2.0-0           2.8.6-1           The GLib library of C routines
ii  libgtk2.0-0            2.8.10-1          The GTK+ graphical user interface 
ii  libidl0                0.8.5-1           library for parsing CORBA IDL file
ii  libjpeg62              6b-10             The Independent JPEG Group's JPEG 
ii  libpango1.0-0          1.10.2-1          Layout and rendering of internatio
ii  libpng12-0             1.2.8rel-5        PNG library - runtime
ii  libstdc++6             4.0.2-5           The GNU Standard C++ Library v3
ii  libx11-6               4.3.0.dfsg.1-14   X Window System protocol client li
ii  libxcursor1            1.1.3-1           X cursor management library
ii  libxext6               4.3.0.dfsg.1-14   X Window System miscellaneous exte
ii  libxft2                2.1.7-1           FreeType-based font drawing librar
ii  libxi6                 4.3.0.dfsg.1-14   X Window System Input extension li
ii  libxinerama1           6.9.0.dfsg.1-4    X Window System multi-head display
ii  libxp6                 4.3.0.dfsg.1-14   X Window System printing extension
ii  libxrandr2             6.9.0.dfsg.1-4    X Window System Resize, Rotate and
ii  libxrender1            1:0.9.0.2-1       X Rendering Extension client libra
ii  libxt6                 4.3.0.dfsg.1-14   X Toolkit Intrinsics
ii  psmisc                 21.5-1            Utilities that use the proc filesy
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

firefox recommends no packages.

-- no debconf information



Reply sent to Eric Dorland <eric@debian.org>:
You have taken responsibility.


Notification sent to Santiago José Ruano Rincón <santiago@unicauca.edu.co>:
Bug acknowledged by developer.


Message #10 received at 351442-close@bugs.debian.org:

From: Eric Dorland <eric@debian.org>
To: 351442-close@bugs.debian.org
Subject: Bug#351442: fixed in firefox 1.5.dfsg+1.5.0.1-1
Date: Mon, 06 Feb 2006 22:17:19 -0800
Source: firefox
Source-Version: 1.5.dfsg+1.5.0.1-1

We believe that the bug you reported is fixed in the latest version of
firefox, which is due to be installed in the Debian FTP archive:

firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_i386.deb
  to pool/main/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_i386.deb
firefox-gnome-support_1.5.dfsg+1.5.0.1-1_i386.deb
  to pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.1-1_i386.deb
firefox_1.5.dfsg+1.5.0.1-1.diff.gz
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.1-1.diff.gz
firefox_1.5.dfsg+1.5.0.1-1.dsc
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.1-1.dsc
firefox_1.5.dfsg+1.5.0.1-1_i386.deb
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.1-1_i386.deb
firefox_1.5.dfsg+1.5.0.1.orig.tar.gz
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.1.orig.tar.gz
mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_all.deb
  to pool/main/f/firefox/mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_all.deb
mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.1-1_all.deb
  to pool/main/f/firefox/mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.1-1_all.deb
mozilla-firefox_1.5.dfsg+1.5.0.1-1_all.deb
  to pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 351442@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  6 Feb 2006 23:10:29 -0500
Source: firefox
Binary: firefox-gnome-support firefox-dom-inspector mozilla-firefox mozilla-firefox-gnome-support mozilla-firefox-dom-inspector firefox
Architecture: source all i386
Version: 1.5.dfsg+1.5.0.1-1
Distribution: unstable
Urgency: low
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 firefox    - lightweight web browser based on Mozilla
 firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 firefox-gnome-support - Support for Gnome in Mozilla Firefox
 mozilla-firefox - Transition package for firefox rename
 mozilla-firefox-dom-inspector - Transition package for firefox rename
 mozilla-firefox-gnome-support - Transition package for firefox rename
Closes: 338716 344888 345112 348069 348375 348451 348699 348902 349624 349946 350571 350608 350611 350621 350788 351442
Changes: 
 firefox (1.5.dfsg+1.5.0.1-1) unstable; urgency=low
 .
   * The "those Ubuntu guys are great after all" release.
   * New upstream release. (Closes: #351442)
 .
   [ Mike Hommey ]
   * debian/presubj: Added indications to try to reproduce without extensions
     before actually filing a bug, and a hint to the safe mode.
   * debian/firefox.install: added the reporter chrome files. (Closes: #344888)
   * widget/src/gtk2/nsWindow.cpp: Revert additional stale patch for
     extended mouse buttons support.
   * debian/firefox.postinst, debian/firefox.prerm: unbashified.
     (Closes: #349946)
   * debian/control, debian/firefox-gnome-support.postinst,
     debian/firefox-gnome-support.prerm: Let the firefox-gnome-support
     package provide gnome-www-browser and handle a gnome-www-browser
     alternative. Thanks Loïc Minier. (Closes: #350788)
   * debian/firefox-runner: Enable Pango support by default. The
     MOZ_ENABLE_PANGO environment variable is now useless. (Closes: #338716)
   * debian/README.Debian: Change the paragraph about Pango to hint about
     the MOZ_DISABLE_PANGO variable.
 .
   [ Eric Dorland ]
   * content/events/src/nsEventStateManager.cpp,
     modules/libpref/src/init/all.js, widget/public/nsGUIEvent.h: Apply
     patch from Ian Jackson to revert a stale patch for multiple mouse
     button support that was fixed in a different way in 1.5
     (Closes: #348375)
   * debian/firefox.preinst: Check md5sum's of old conffiles before cp'ing
     them on upgrade. This won't stop all unnecessary conffile prompting in
     all situations (especially from really old versions), but
     definitely should work for upgrading from testing or stable. (Closes:
     #345112)
   * debian/firefox.install:
     - Remove run-mozilla.sh. (Closes: #348902)
     - Reorganize things a bit.
     - Move profile into /etc/firefox here, instead of in the rules file.
   * debian/firefox.install, debian/firefox.preinst, debian/firefox.links,
     debian/firefox.dirs, debian/rules: Move chrome, defaults, greprefs
     into /usr/share/firefox for more FHS goodness.
   * debian/firefox.1: Document -new-tab and -new-window options, and
     remove deprecated -remote option. (Closes: #348699)
   * debian/firefox-runner: Apply patch to properly URL escape local
     files. Thanks Morita Sho. (Closes: #348451)
   * browser/app/profile/firefox.js:
     - Reallow 40-bit ciphers, since now firefox warns people who
       use them. (Closes: #349624)
     - Enable bidi UI elements for our bi-directional friends.
       (Closes: #348069)
   * debian/rules: Remove glob pattern from dh_install invocation. Thanks
     Ian Jackson. (Closes: #350571)
   * browser/base/content/aboutDialog.xul: Fix spurious scrollbar in the
     about dialog box. Thanks Ian Jackson. (Closes: #350608)
   * js/src/fdlibm/fdlibm.h: Patch to fix little endianness of
     mipsel. Thanks Ian Jackson and Thiemo Seufer. (Closes: #350621)
   * browser/base/content/search.xml: Patch from Ian Jackson to remove
     misleading Clear option from search box context menu. (Closes: #350611)
   * debian/watch: Fix regex to actually find the upstream tarballs.
   * modules/libpref/src/init/all.js: Cope better with printers with spaces
     in the name. Thanks Ian Jackson.
   * toolkit/components/passwordmgr/base/nsPasswordManager.cpp: Take patch
     from bz#235336 as suggested by Ian Jackson to allow password manager
     to work with sites that only have a password field, no username.
Files: 
 84b1d39411786d9c5aec5bdfab161954 1071 web optional firefox_1.5.dfsg+1.5.0.1-1.dsc
 333e28821a59e3aee5aabc5a11f05b0b 42205429 web optional firefox_1.5.dfsg+1.5.0.1.orig.tar.gz
 9b885de8399ac22fbb5ca6c5c7ddf345 120265 web optional firefox_1.5.dfsg+1.5.0.1-1.diff.gz
 bdf1fa1009e71fa6bb5c7bbe4a50ede9 8049118 web optional firefox_1.5.dfsg+1.5.0.1-1_i386.deb
 e2f70fc7f206f4cb7a12bf7c1cae734b 208150 web optional firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_i386.deb
 5fb6ca9c5d0a241a2832c2fb452c11ac 69484 web optional firefox-gnome-support_1.5.dfsg+1.5.0.1-1_i386.deb
 668cf6016928d1e1f1ac0537d390b796 43628 web optional mozilla-firefox_1.5.dfsg+1.5.0.1-1_all.deb
 5de00a89e5c5807ab4bdcdf7c57653cd 42824 web optional mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.1-1_all.deb
 47e5a14f99b69aa930cfe68ab61cfa8b 42824 web optional mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD6DO3YemOzxbZcMYRArfLAKCAdV2LsNjuZtnIqE3MedhOudHjVACdFTVA
f1DGXV88KELDxxqboXCjcOM=
=QyN0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 09:12:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 15 12:23:06 2025; Machine Name: bembo
