On Tue, Apr 13, 2010 at 11:57:07PM +0200, Mike Hommey wrote:
> On Tue, Apr 13, 2010 at 11:53:42PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Apr 09, 2010 at 10:37:57AM +0200, Mike Hommey wrote:
> > > On Fri, Apr 09, 2010 at 12:00:35AM +0200, Moritz Muehlenhoff wrote:
> > > > On Mon, Apr 05, 2010 at 09:39:06AM +0200, Mike Hommey wrote:
> > > > > On Sun, Apr 04, 2010 at 05:52:13PM -0400, Michael Gilbert wrote:
> > > > > > package: iceweasel
> > > > > > severity: important
> > > > > > version: 3.0.6-3
> > > > > > tags: security
> > > > > > 
> > > > > > hi, iceweasel in lenny is still vulnerable to an address bar spoofing
> > > > > > vulnerability, that was fixed in an MFSA a while back.  this is
> > > > > > probably not worth fixing on its own, but if there are other pending
> > > > > > security backports, it would be useful to fix it.  see:
> > > > > > 
> > > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=452979
> > > > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0777
> > > > > 
> > > > > Damn.
> > > > > 
> > > > > Here is what I wrote in October, with Moritz's answer following:
> > > > > 
> > > > > >> Now, wondering on http://security-tracker.debian.org/ I saw that I
> > > > > >> forgot CVE-2009-0777 :( It was fixed on 3.0.7-1 in unstable, but maybe
> > > > > >> it was decided to keep it for later, in which case we just forgot it,
> > > > > >> later... a bit like #512111.
> > > > > >>
> > > > > >> Maybe we should do an iceweasel security update for this one... (it's a
> > > > > >> browser issue, not a xulrunner one)
> > > > > >
> > > > > > Hmm, we indeed missed it. But since it's a low severity issue let's postpone
> > > > > > it for the next round of issues affecting Iceweasel.
> > > > > 
> > > > > Unfortunately, there hasn't been a next round of issues affecting
> > > > > Iceweasel only.
> > > > 
> > > > I don't think anything has really changed, if there's a more severe issue
> > > > we can fix it along, but we don't need an iceweasel update on its own.
> > > 
> > > It is likely there will be no such severe issue in the near future.
> > > OTOH, I'm considering uploading a proposed-update to fix the
> > > safebrowsing support (phishing and malware "detection"), which doesn't
> > > work in stable. Do you think this is something we may want to fix as
> > > part of a DSA ?
> > 
> > I don't think this warrants a DSA, we have several open issues which require
> > more attention currently.
> 
> On Iceweasel ? Which ones ?

No, open issues in the rest of the archive. 

Rumor has it there are still DSAs for packages other than Mozilla :-)

Cheers,
        Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
