Your message dated Fri, 16 Dec 2005 21:34:54 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#329664: fixed in mozilla-thunderbird 1.0.2-2.sarge1.0.7
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Florian Weimer <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mozilla-thunderbird --compose executes shell commands
Date: Thu, 22 Sep 2005 17:27:23 +0200

Package: mozilla-thunderbird
Version: 1.0.6-3
Severity: grave
Tags: security

The --compose option executes shell commands:

  mozilla-thunderbird --compose 'mailto:`df`'

The df output appears in the To: line of the message.

(This is related to the recently disclosed Firefox bug, which does not
seem to affect Debian thanks to a different wrapper script.)

---------------------------------------
From: Alexander Sack <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#329664: fixed in mozilla-thunderbird 1.0.2-2.sarge1.0.7
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 16 Dec 2005 21:34:54 -0800

Source: mozilla-thunderbird
Source-Version: 1.0.2-2.sarge1.0.7

We believe that the bug you reported is fixed in the latest version of
mozilla-thunderbird, which is due to be installed in the Debian FTP archive:

mozilla-thunderbird-dev_1.0.2-2.sarge1.0.7_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.7_i386.deb
mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.7_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.2-2.sarge1.0.7_i386.deb
mozilla-thunderbird-offline_1.0.2-2.sarge1.0.7_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.2-2.sarge1.0.7_i386.deb
mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.7_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.2-2.sarge1.0.7_i386.deb
mozilla-thunderbird_1.0.2-2.sarge1.0.7.diff.gz
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.7.diff.gz
mozilla-thunderbird_1.0.2-2.sarge1.0.7.dsc
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.7.dsc
mozilla-thunderbird_1.0.2-2.sarge1.0.7_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.2-2.sarge1.0.7_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Sack <[EMAIL PROTECTED]> (supplier of updated mozilla-thunderbird package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 1 Oct 2005 11:00:00 +0100
Source: mozilla-thunderbird
Binary: mozilla-thunderbird-dev mozilla-thunderbird-inspector mozilla-thunderbird mozilla-thunderbird-typeaheadfind mozilla-thunderbird-offline
Architecture: source i386
Version: 1.0.2-2.sarge1.0.7
Distribution: stable-security
Urgency: critical
Maintainer: Alexander Sack <[EMAIL PROTECTED]>
Changed-By: Alexander Sack <[EMAIL PROTECTED]>
Description:
 mozilla-thunderbird - Mozilla Thunderbird standalone mail client
 mozilla-thunderbird-dev - mozilla thunderbird development files
 mozilla-thunderbird-inspector - mozilla thunderbird dom inspector extension
 mozilla-thunderbird-offline - mozilla thunderbird offline extension
 mozilla-thunderbird-typeaheadfind - mozilla thunderbird typeaheadfind extension
Closes: 329664 329664
Changes:
 mozilla-thunderbird (1.0.2-2.sarge1.0.7) stable-security; urgency=critical
 .
   * following issues are addressed with patches in
     debian/patches/tbird.1.0.6-1.0.7-1/. MFSA_2005-59 has a debian
     specific patch: debian/mfsa_2005-59.debian.patch.
 .
   * MFSA-2005-57: IDN heap overrun
     Summary: Tom Ferris reported a Firefox crash when processing a
       domain name consisting solely of soft-hyphen characters.
     Closes: -
     CVE-Ids: CAN-2005-2871
     Bugzilla: 307259
     Issues addressed:
       + CAN-2005-2871 - IDN heap overrun
   * MFSA-2005-58: Accumulated vendor advisory for multiple vulnerabilities
     Summary: Fixes for multiple vulnerabilities with an overall severity
       of "critical" have been released in Mozilla Firefox/Thunderbird
       1.0.7 and the Mozilla Suite 1.7.12
     Closes: -
     CVE-Ids: CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
       CAN-2005-2705 CAN-2005-2706 CAN-2005-2707
     Bugzilla: 300936 296134 297078 302263 299518 303213 304754 306261
       306804 291178 300853 301180 302100
     Issues addressed:
       + CAN-2005-2701 - Heap overrun in XBM image processing,
         tbird is not affected applied anyway to keep source in sync.
       + CAN-2005-2702 - Crash on "zero-width non-joiner" sequence
       + CAN-2005-2703 - XMLHttpRequest header spoofing
       + CAN-2005-2704 - Object spoofing using XBL <implements>
       + CAN-2005-2705 - JavaScript integer overflow
       + CAN-2005-2706 - Privilege escalation using about: scheme
       + CAN-2005-2707 - Chrome window spoofing
       + Regression fixes
   * MFSA-2005-59: Command-line handling on Linux allows shell execution
     Summary: URLs passed to Linux versions of Firefox on the command-line
       are not correctly protected against interpretation by the shell.
       As a result a malicious URL can result in the execution of shell
       commands with the privileges of the user. If Firefox is set as the
       default handler for web URLs then opening a URL in another program
       (for example, links in a mail or chat client) can result in shell
       command execution.
     Closes: 329664,329664
     CVE-Ids: CAN-2005-2968
     Bugzilla: 307185
     Issues addressed:
       + CAN-2005-2968 - Command-line handling on Linux allows shell execution
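
The bug class named in MFSA-2005-59 and in the report above, shown as an added example that is not code from the bug report, the Debian package or the upstream wrapper script. It assumes the wrapper re-parses its arguments through the shell (the page does not show the wrapper's code); fake_client, launch_unsafe, launch_safe and passes_verbatim are hypothetical names, and the inputs are constructed.

```sh
#!/bin/sh
# Constructed example; none of these functions come from the Debian package.

# Stand-in for the mail client binary: prints the argument after --compose.
fake_client() {
    printf '%s\n' "$2"
}

# Unsafe pattern: the arguments are flattened into one string and parsed
# by the shell a second time, so `...` and $(...) in the URL are executed.
launch_unsafe() {
    cmd="fake_client $*"
    eval "$cmd"
}

# Hardened pattern: "$@" forwards every argument as-is, with no re-parsing.
launch_safe() {
    fake_client "$@"
}

# Regression check for a wrapper: succeeds only if the client receives the
# URL byte-for-byte, i.e. the shell never interpreted any part of it.
passes_verbatim() {
    launcher=$1
    url=$2
    [ "$("$launcher" --compose "$url")" = "$url" ]
}

# Constructed inputs; "echo INJECTED" is a harmless marker command.
for u in 'mailto:`echo INJECTED`' 'mailto:$(echo INJECTED)' \
         'mailto:user@example.org'; do
    for l in launch_unsafe launch_safe; do
        if passes_verbatim "$l" "$u"; then r=verbatim; else r=REINTERPRETED; fi
        printf '%-14s %-26s %s\n' "$l" "$u" "$r"
    done
done
```

The plain address passes through both launchers unchanged, which is why ordinary use does not reveal the unsafe pattern; only a check with shell metacharacters in the URL does.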