Your message dated Fri, 14 Aug 2015 19:30:17 +0900
with message-id <20150814103017.ga25...@glandium.org>
and subject line Re: Bug#795450: iceweasel: major exploits against current
firefox in the wild
has caused the Debian Bug report #795450,
regarding iceweasel: major exploits against current firefox in the wild
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
795450: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795450
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iceweasel
Version: 38.1.0esr-3
Severity: grave
Tags: upstream security
Justification: user security hole
There are recent reports as of last week on the Wired magazine homepage under
"technology" and "recent hacks while away at defcon" that exploit Firefox in
major ways. Both Windows and Linux users were targeted and information was
retrieved that should not have been able to be retrieved. Running any less than
the experimental build leaves people vulnerable to this issue. More details are
on the Wired website. Recommend immediate update to the experimental build version
to fix this. I can't see why depends would break, but this needs some testing to
see if anything would break with the update.
In the meanwhile users can always install the latest Firefox in a non-root location
(home folder) and run it from there. This should in theory work, as the Debian
depends for the experimental version are a non-issue. I believe the file is a
pre-compiled binary as released. Anything designed for Ubuntu Werewolf or less
should run just dandy on stretch.
As we are open source, we need to patch/update and disseminate (backport) things
like this (to the mainstream Linux community [Fedora/RHEL/Ubuntu/project
maintainers]) as they are discovered. We don't have time for major exploits to
hit Linux and go unreported.
I believe this is an upstream bug. As the exploit has already leaked, private
BTS reporting is a moot point. I only discovered the issue as an already "in the
wild" bug. I did not discover the exploit myself.
-- Package-specific info:
-- Extensions information
Name: Advanced Cookie Manager
Location: ${PROFILE_EXTENSIONS}/cookie...@jayapal.com
Status: user-disabled
Name: BugMeNot Plugin
Location: ${PROFILE_EXTENSIONS}/{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Disable Anti-Adblock
Location: ${PROFILE_EXTENSIONS}/{d49a148e-817e-4025-bee3-5d541376de3b}.xpi
Status: enabled
Name: Disable DHE
Location: ${PROFILE_EXTENSIONS}/5aa55fd5-6e61-4896-b186-fdc6f298e...@mozilla.xpi
Status: enabled
Name: Disconnect Search
Location: ${PROFILE_EXTENSIONS}/sea...@disconnect.me.xpi
Status: enabled
Name: Easy Youtube Video Downloader Express
Location: ${PROFILE_EXTENSIONS}/{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
Status: enabled
Name: Foobar
Location: ${PROFILE_EXTENSIONS}/foo...@unnecessarilylongurl.com.xpi
Status: enabled
Name: Greasemonkey
Location: ${PROFILE_EXTENSIONS}/{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
Status: enabled
Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywh...@eff.org
Status: enabled
Name: Long URL Please
Location: ${PROFILE_EXTENSIONS}/longurlple...@darragh.curran.xpi
Status: enabled
Name: NoSquint
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/nosqu...@urandom.ca
Package: xul-ext-nosquint
Status: enabled
Name: PassIFox
Location: ${PROFILE_EXTENSIONS}/passi...@hanhuy.com.xpi
Status: enabled
Name: Perspectives
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/perspecti...@cmu.edu
Package: xul-ext-perspectives
Status: enabled
Name: Readability
Location: ${PROFILE_EXTENSIONS}/readabil...@readability.com.xpi
Status: enabled
Name: Report Pedophile
Location: ${PROFILE_EXTENSIONS}/reportpedoph...@internetpredatortracker.com
Status: enabled
Name: uBlock
Location: ${PROFILE_EXTENSIONS}/{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}.xpi
Status: enabled
Name: URL Fixer
Location: ${PROFILE_EXTENSIONS}/{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi
Status: enabled
Name: User Agent Overrider
Location: ${PROFILE_EXTENSIONS}/useragentoverri...@qixinglu.com.xpi
Status: enabled
Name: WOT
Location: ${PROFILE_EXTENSIONS}/{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
Status: enabled
Name: YouTube High Definition
Location: ${PROFILE_EXTENSIONS}/{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: disabled
Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled
-- Addons package information
ii gnome-shell 3.16.3-1 amd64 graphical shell for the GNOME des
ii iceweasel 38.1.0esr-3 amd64 Web browser based on Firefox
ii kopete 4:4.14.1-2 amd64 instant messaging and chat applic
ii xul-ext-nosqui 2.1.9-3 all control the size of text of websi
ii xul-ext-perspe 4.6.2-1 all verify HTTPS sites through notary
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.5.1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.29-1
ii libatk1.0-0 2.16.0-2
ii libc6 2.19-19
ii libcairo2 1.14.2-2
ii libdbus-1-3 1.8.20-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.2.1-3
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-14
ii libgdk-pixbuf2.0-0 2.31.5-1
ii libglib2.0-0 2.44.1-1.1
ii libgtk2.0-0 2.24.28-1
ii libhunspell-1.3-0 1.3.3-3
ii libnspr4 2:4.10.8-2
ii libnss3 2:3.19.2-1
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.11.1-1
ii libstartup-notification0 0.12-4
ii libstdc++6 5.1.1-14
ii libvpx2 1.4.0-4
ii libx11-6 2:1.6.3-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.10-2
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1:1.4.5-dmo1
ii gstreamer1.0-plugins-good 1.4.5-2+b1
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
pn fonts-stix | otf-stix <none>
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.13.2+dfsg-2
pn mozplugger <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
On Thu, Aug 13, 2015 at 10:55:07PM -0500, Richard Jasmin wrote:
> Package: iceweasel
> Version: 38.1.0esr-3
> Severity: grave
> Tags: upstream security
> Justification: user security hole
>
> There are recent reports as of last week on the Wired magazine homepage under
> "technology" and "recent hacks while away at defcon" that exploit Firefox in
> major ways. Both Windows and Linux users were targeted and information was
> retrieved that should not have been able to be retrieved. Running any less than
> the experimental build leaves people vulnerable to this issue. More details are
> on the Wired website. Recommend immediate update to the experimental build version
> to fix this. I can't see why depends would break, but this needs some testing to
> see if anything would break with the update.
Can't find what you're pointing at on the wired magazine homepage, but
from your description, this looks like CVE-2015-4495, which:
- did not directly affect version 31.8.0esr in stable
- was fixed in version 38.1.1esr in unstable and testing
- stable, unstable and testing now all have 38.2.0esr which has the fix
for that and other things.
Mike
--- End Message ---
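The reply settles the question by version: 38.1.0esr-3 is affected, 38.1.1esr carries the fix, and the 31.8.0esr branch in stable was not directly affected. The following is an added example (not code from the bug report or from Debian) that triages dpkg "ii" status lines against those versions using a dpkg-style version comparison; treating every 38-series build below 38.1.1esr as affected is an assumption made here, as are the two extra sample hosts.

```python
import re

# Versions named in Mike's reply; the 38-series floor is an assumption.
FIXED_VERSION = "38.1.1esr"
AFFECTED_FLOOR = "38"


def _order(c):
    """dpkg character ordering: '~' < end of string < letters < other chars."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one version component (upstream or revision) like dpkg."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form epoch:upstream-revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_affected(version):
    """True for 38-series iceweasel builds older than the fixed 38.1.1esr."""
    return (compare_versions(version, AFFECTED_FLOOR) >= 0
            and compare_versions(version, FIXED_VERSION) < 0)


def triage_dpkg_lines(lines):
    """Return [(version, affected)] for every 'ii iceweasel ...' status line."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1] == "iceweasel":
            out.append((f[2], is_affected(f[2])))
    return out


# Constructed sample: the reporter's line plus two hypothetical hosts.
SAMPLE = [
    "ii iceweasel 38.1.0esr-3 amd64 Web browser based on Firefox",
    "ii iceweasel 38.2.0esr-1 amd64 Web browser based on Firefox",
    "ii iceweasel 31.8.0esr-1 amd64 Web browser based on Firefox",
]
```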