Your message dated Fri, 13 May 2005 01:03:15 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#308620: fixed in mozilla-firefox 1.0.4-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 May 2005 13:49:35 +0000
Date: Wed, 11 May 2005 09:51:18 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: pair of security holes
Message-ID: <[EMAIL PROTECTED]>
X-Reportbug-Version: 3.11
User-Agent: Mutt/1.5.9i
Package: mozilla-firefox
Version: 1.0.3-2
Severity: grave
Tags: security

I'm sure you already know of these, but for the record, firefox is
vulnerable to a pair of new security holes:

CAN-2005-1477
  The install function in Firefox 1.0.3 allows remote web sites on the
  browser's whitelist, such as update.mozilla.org or addon.mozilla.org,
  to execute arbitrary Javascript with chrome privileges, leading to
  arbitrary code execution on the system when combined with
  vulnerabilities such as CAN-2005-1476, as demonstrated using a
  javascript: URL as the package icon and a cross-site scripting (XSS)
  attack on a vulnerable whitelist site.

CAN-2005-1476
  Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript
  in other domains by using an IFRAME and causing the browser to
  navigate to a previous javascript: URL, which can lead to arbitrary
  code execution when combined with CAN-2005-1477.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mozilla-firefox depends on:
ii  debianutils     2.13.2               Miscellaneous utilities specific t
ii  fontconfig      2.3.2-1              generic font configuration library
ii  libatk1.0-0     1.8.0-4              The ATK accessibility toolkit
ii  libc6           2.3.2.ds1-21         GNU C Library: Shared libraries an
ii  libfontconfig1  2.3.2-1              generic font configuration library
ii  libfreetype6    2.1.7-2.4            FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-13           GCC support library
ii  libglib2.0-0    2.6.4-1              The GLib library of C routines
ii  libgtk2.0-0     2.6.4-1              The GTK+ graphical user interface
ii  libidl0         0.8.5-1              library for parsing CORBA IDL file
ii  libjpeg62       6b-10                The Independent JPEG Group's JPEG
ii  libkrb53        1.3.6-3              MIT Kerberos runtime libraries
ii  libpango1.0-0   1.8.1-1              Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1           PNG library - runtime
ii  libstdc++5      1:3.3.6-3.0.1        The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-12.0.1  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-12.0.1  X Window System miscellaneous exte
ii  libxft2         2.1.7-1              FreeType-based font drawing librar
ii  libxp6          4.3.0.dfsg.1-12.0.1  X Window System printing extension
ii  libxt6          4.3.0.dfsg.1-12.0.1  X Toolkit Intrinsics
ii  psmisc          21.6-1               Utilities that use the proc filesy
ii  xlibs           4.3.0.dfsg.1-12      X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4            compression library - runtime

-- no debconf information

-- 
see shy jo

---------------------------------------
Received: (at 308620-close) by bugs.debian.org; 13 May 2005 05:12:58 +0000
From: Eric Dorland <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#308620: fixed in mozilla-firefox 1.0.4-1
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 13 May 2005 01:03:15 -0400
Source: mozilla-firefox
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
mozilla-firefox, which is due to be installed in the Debian FTP archive:

mozilla-firefox-dom-inspector_1.0.4-1_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-1_i386.deb
mozilla-firefox-gnome-support_1.0.4-1_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-1_i386.deb
mozilla-firefox_1.0.4-1.diff.gz
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0.4-1.diff.gz
mozilla-firefox_1.0.4-1.dsc
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0.4-1.dsc
mozilla-firefox_1.0.4-1_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0.4-1_i386.deb
mozilla-firefox_1.0.4.orig.tar.gz
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <[EMAIL PROTECTED]> (supplier of updated mozilla-firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Thu, 12 May 2005 22:59:47 -0400
Source: mozilla-firefox
Binary: mozilla-firefox mozilla-firefox-gnome-support mozilla-firefox-dom-inspector
Architecture: source i386
Version: 1.0.4-1
Distribution: unstable
Urgency: critical
Maintainer: Eric Dorland <[EMAIL PROTECTED]>
Changed-By: Eric Dorland <[EMAIL PROTECTED]>
Description: 
 mozilla-firefox - lightweight web browser based on Mozilla
 mozilla-firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 mozilla-firefox-gnome-support - Support for Gnome in Mozilla Firefox
Closes: 305968 305983 308620
Changes: 
 mozilla-firefox (1.0.4-1) unstable; urgency=critical
 .
   * New upstream release. Fixes CAN-2005-1477 and CAN-2005-1476.
     (Closes: #308620)
   * debian/update-mozilla-firefox-chrome.8: Patch from A Costa to fix the
     spelling of maintenace. (Closes: #305968)
   * debian/mozilla-firefox.desktop: Patch from Steinar H. Gunderson to add a
     Norwegian translation. (Closes: #305983)
Files: 
 650a404501f4173b084e998ff871e6a4 990 web optional mozilla-firefox_1.0.4-1.dsc
 8e4ba81ad02c7986446d4e54e978409d 40212297 web optional mozilla-firefox_1.0.4.orig.tar.gz
 5a64be4562e17834e80dd1142a44d025 224592 web optional mozilla-firefox_1.0.4-1.diff.gz
 4bb901130e349dfc291cc825b1b7e2e7 8880550 web optional mozilla-firefox_1.0.4-1_i386.deb
 093d75447c1d3e4b75d0e2707733cf09 154736 web optional mozilla-firefox-dom-inspector_1.0.4-1_i386.deb
 710ad8d9162fe3194e1d3000ed63e9cf 52026 web optional mozilla-firefox-gnome-support_1.0.4-1_i386.deb