Your message dated Wed, 23 Mar 2005 13:32:24 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#297619: fixed in mozilla 2:1.7.6-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 1 Mar 2005 19:57:30 +0000
>From [EMAIL PROTECTED] Tue Mar 01 11:57:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D6DUo-0002K1-00; Tue, 01 Mar 2005 11:57:30 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.177])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id 10EDC181B1
        for <[EMAIL PROTECTED]>; Tue,  1 Mar 2005 19:57:29 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id 7ECC36E57F; Tue,  1 Mar 2005 15:00:00 -0500 (EST)
Date: Tue, 1 Mar 2005 14:59:59 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CAN-2005-0592 Heap-based buffer overflow in the UTF8ToNewUnicode function
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: mozilla-browser
Version: 2:1.7.5-1
Severity: grave
Tags: security

Please see http://www.mozilla.org/security/announce/mfsa2005-15.html; I
have not verified but since our mozilla is before the 1.7.6 upstream
that fixed this bug, I guess we're vulnerable to it.

Please refer to CAN-2005-0592 in any changelog entries regarding this
hole.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mozilla-browser depends on:
ii  debconf              1.4.46              Debian configuration management sy
ii  libatk1.0-0          1.8.0-4             The ATK accessibility toolkit
ii  libc6                2.3.2.ds1-20        GNU C Library: Shared libraries an
ii  libfontconfig1       2.2.3-4             generic font configuration library
ii  libfreetype6         2.1.7-2.3           FreeType 2 font engine, shared lib
ii  libgcc1              1:3.4.3-9           GCC support library
ii  libglib2.0-0         2.6.3-1             The GLib library of C routines
ii  libgtk2.0-0          2.6.2-3             The GTK+ graphical user interface
ii  libnspr4             2:1.7.5-1           Netscape Portable Runtime Library
ii  libpango1.0-0        1.8.0-3             Layout and rendering of internatio
ii  libstdc++5           1:3.3.5-8           The GNU Standard C++ Library v3
ii  libx11-6             4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii  libxext6             4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii  libxft2              2.1.2-6             FreeType-based font drawing librar
ii  libxp6               4.3.0.dfsg.1-12.0.1 X Window System printing extension
ii  libxrender1          0.8.3-7             X Rendering Extension client libra
ii  libxt6               4.3.0.dfsg.1-12.0.1 X Toolkit Intrinsics
ii  psmisc               21.5-1              Utilities that use the proc filesy
ii  xlibs                4.3.0.dfsg.1-12     X Keyboard Extension (XKB) configu
ii  zlib1g               1:1.2.2-4           compression library - runtime

-- debconf information excluded

-- 
see shy jo

--GvXjxJ+pjyke8COw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCJMm/d8HHehbQuO8RAjACAKCd3O7uH+EgpqMYxjgO7Mxc8HurIgCfZQLV
8eepr+E4nw95XjrWHN1lCc4=
=2cW+
-----END PGP SIGNATURE-----

--GvXjxJ+pjyke8COw--

---------------------------------------
Received: (at 297619-close) by bugs.debian.org; 23 Mar 2005 19:01:20 +0000
>From [EMAIL PROTECTED] Wed Mar 23 11:01:20 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DEB6V-0005vQ-00; Wed, 23 Mar 2005 11:01:19 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DEAeW-000051-00; Wed, 23 Mar 2005 13:32:24 -0500
From: Takuo KITAME <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#297619: fixed in mozilla 2:1.7.6-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 23 Mar 2005 13:32:24 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 14

Source: mozilla
Source-Version: 2:1.7.6-1

We believe that the bug you reported is fixed in the latest version of
mozilla, which is due to be installed in the Debian FTP archive:

libnspr-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr-dev_1.7.6-1_i386.deb
libnspr4_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr4_1.7.6-1_i386.deb
libnss-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss-dev_1.7.6-1_i386.deb
libnss3_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss3_1.7.6-1_i386.deb
mozilla-browser_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-browser_1.7.6-1_i386.deb
mozilla-calendar_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-calendar_1.7.6-1_i386.deb
mozilla-chatzilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-chatzilla_1.7.6-1_i386.deb
mozilla-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dev_1.7.6-1_i386.deb
mozilla-dom-inspector_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dom-inspector_1.7.6-1_i386.deb
mozilla-js-debugger_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-js-debugger_1.7.6-1_i386.deb
mozilla-mailnews_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-mailnews_1.7.6-1_i386.deb
mozilla-psm_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-psm_1.7.6-1_i386.deb
mozilla_1.7.6-1.diff.gz
  to pool/main/m/mozilla/mozilla_1.7.6-1.diff.gz
mozilla_1.7.6-1.dsc
  to pool/main/m/mozilla/mozilla_1.7.6-1.dsc
mozilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla_1.7.6-1_i386.deb
mozilla_1.7.6.orig.tar.gz
  to pool/main/m/mozilla/mozilla_1.7.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Takuo KITAME <[EMAIL PROTECTED]> (supplier of updated mozilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Mar 2005 01:34:42 +0900
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Takuo KITAME <[EMAIL PROTECTED]>
Changed-By: Takuo KITAME <[EMAIL PROTECTED]>
Description: 
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4   - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3    - Network Security Service Libraries - runtime
 mozilla    - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
 mozilla-js-debugger - JavaScript debugger for use with Mozilla
 mozilla-mailnews - The Mozilla Internet application suite - mail and news support
 mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 215394 265928 270783 277504 279200 285611 290451 290863 293663 294274 297216 297618 297619 297620 300090 300978
Changes: 
 mozilla (2:1.7.6-1) unstable; urgency=low
 .
   * New upstream release
   * fix some security issues.
     - CAN-2005-0233: IDN support allows domain name spoofing (closes: #294274)
     - CAN-2005-0592: Heap-based buffer overflow (closes: #297619)
     - CAN-2004-1156: secunia window injection vulnerability (closes: #293663)
     - MFSA-2005-18: Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error
     - CAN-2005-0593: SSL "secure site" indicator spoofing (closes: #297618)
     - CAN-2005-0588: does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain.
     - CAN-2005-0587: allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.
     - CAN-2005-0586: allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header
     - CAN-2005-0585: truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.
     - CAN-2005-0584: when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks. (closes: #297620)
   * change binary name to mozilla-suite from mozilla-VERSION (closes: #285611,#277504,#215394)
   * applied over the spot patch (closes: #290863)
   * added debian/po/it.po (closes: #279200)
   * added debian/po/nl.po (closes: #270783)
   * update debian/po/fi.po (closes: #265928)
   * remove run-mozilla.sh (closes: #297216, #300090)
   * update xprint dependency (closes: #300978)
   * use readlink(1) instead of perl's. (closes: #290451)
Files: 
 03f9b7cf7250d2bfa894fd264306b6ab 1111 web optional mozilla_1.7.6-1.dsc
 800f8d3877193a5d786d9ce4e3d1e400 30587697 web optional mozilla_1.7.6.orig.tar.gz
 15b76e937aa59308670c5afbaba7fd1f 303435 web optional mozilla_1.7.6-1.diff.gz
 70e9de0a98277fb0899227bebba665ab 1028 web optional mozilla_1.7.6-1_i386.deb
 97f99f437701e242220fa9de5a7c3bdf 10280282 web optional mozilla-browser_1.7.6-1_i386.deb
 8fc77a77186e461c480b8455c9272281 3343978 devel optional mozilla-dev_1.7.6-1_i386.deb
 0d6d79f4b70dd7d3cd58ad69829c4d91 1811052 mail optional mozilla-mailnews_1.7.6-1_i386.deb
 7881b2b481782364b1cb8a30cc454cf5 158318 net optional mozilla-chatzilla_1.7.6-1_i386.deb
 68e7c2c1c5ae79b1ae7bd0efbb75467e 192294 web optional mozilla-psm_1.7.6-1_i386.deb
 6b746476168989818eddd61e2d926acb 116194 web optional mozilla-dom-inspector_1.7.6-1_i386.deb
 f1925702d98df3ae51f28abe8f72c9b8 204124 devel optional mozilla-js-debugger_1.7.6-1_i386.deb
 5684fcb1e872312398fa3572157d8ffd 403270 misc optional mozilla-calendar_1.7.6-1_i386.deb
 db7397110795bc26f3ff049ad5cb0b26 129784 libs optional libnspr4_1.7.6-1_i386.deb
 4df0474571e6206ffeb96f1847857598 168060 libdevel optional libnspr-dev_1.7.6-1_i386.deb
 76106353331539e79d10e133498699d4 653648 libs optional libnss3_1.7.6-1_i386.deb
 3093fc70ca1754bf1506cc7c000b5106 184920 libdevel optional libnss-dev_1.7.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQbO+U+WZW1FVMwoRAnxyAJ92vH1aYBcYDcyKE3UaKjHUGTT7fACfaXuH
hsFMT2ZhkOqrng0p3NOEBu0=
=zlfK
-----END PGP SIGNATURE-----

