Bugzilla – Bug 88509
VUL-0: CVE-2005-2270: upcoming security release of mozilla 1.7.9 and Firefox 1.0.5
Last modified: 2021-11-10 14:47:52 UTC
There will be mozilla and firefox security releases with fixes for (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=292589
https://bugzilla.mozilla.org/show_bug.cgi?id=292591
https://bugzilla.mozilla.org/show_bug.cgi?id=295457
https://bugzilla.mozilla.org/show_bug.cgi?id=296850
mozilla 1.7.9 and firefox 1.0.5 are near (as well as Thunderbird 1.0.5, it seems). Is it OK to do the same procedure as every month? :-(
Means:
- patch mozilla
- version upgrade for Firefox (all changes between 1.0.4 and 1.0.5 are security ones)
Please stay with the previous version.
mozilla.org will ship new versions today (planned):
Mozilla 1.7.9
Firefox 1.0.5
Thunderbird 1.0.5
At the moment I have no information which security information will be provided. I will prepare update packages ASAP.
Created attachment 41640 mfsa2005-45
Created attachment 41641 mfsa2005-46
Created attachment 41642 mfsa2005-47
Created attachment 41643 mfsa2005-48
Created attachment 41644 mfsa2005-49
Created attachment 41645 mfsa2005-50
Created attachment 41646 mfsa2005-51
Created attachment 41647 mfsa2005-52
Created attachment 41648 mfsa2005-53
Created attachment 41649 mfsa2005-54
Created attachment 41650 mfsa2005-55
Created attachment 41651 mfsa2005-56
Those announcements are not published yet and therefore the naming could be changed again. I will tell you as soon as it is final. Firefox packages are submitted for 9.0, 9.1, 9.2 and 9.3.
swampid: 1773
actually swampid: 1783
Firefox 1.0.5 is released by mozilla.org now. Security announcements are public here: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox Mozilla and Thunderbird are not released yet but will follow soon.
Firefox updates based on 1.0.6 are now submitted to /work/src/done. mozilla is waiting for upstream approval for another day.
firefox released
I have some questions.
Will the following packages magically work with the new mozilla?
- galeon
- epiphany
- mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko
Did the list of subpackages change in any release? sles9 for example doesn't include the spellchecker.
(In reply to comment #22)
> Will the following packages magically work with the new mozilla?
> - galeon
> - epiphany
> - mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko
I guess you speak about SLES8, 8.2, 9.0 which will go from 1.6 to 1.7.8(11)? No, not all of those will work with new mozilla. We made an evaluation for SLES8:
# whatdependson -D sles8-slec-i386 mozilla    Status
- evolution (gnome-maintainers@suse.de) rebuild works
- galeon (gnome-maintainers@suse.de) 1.2.13 incompatible
- gnome-pilot (gnome-maintainers@suse.de) don't see how it depends on mozilla (but it builds anyway against 1.7.8)
- kdebindings3 (kde-maintainers@suse.de) rebuild works
- mozilla-deat (stark@suse.de) must be updated to SLES9 version
# whatdependson -D sles8-i386 mozilla
- POS_Image (jhargadon@novell.com) just included in the image
- POS_Image-Desktop (jhargadon@novell.com) "
- POS_Image-Desktop2 "
- POS_Image2 (jhargadon@novell.com) "
- saint (mjancar@suse.cz) only need a web browser (no build deps)
This was discussed on prjmgr and the only problem is galeon on SLEC. If we can't get it to work easily it will be obsoleted. I've discussed with Marcus to get mozilla checked in and check the missing details before the update is published IIRC. mozilla-deat is already there for checkin to SLEC. For SLES9 we have no problem. We've made already sure that all packages work with mozilla 1.7.8 as SP2 arrived. I'm not sure if we care much about 8.2 and 9.0. We haven't much choice here.
> Did the list of subpackages change in any release? sles9 for example doesn't
> include the spellchecker.
The package already included it IMHO. It's just not in the packagelist of the distribution and it needn't to be now. It's completely optional. We don't have to add any package anywhere.
According to check_patchinfo we need to update the following packages on 9.1 as they depend on mozilla 1.6:
mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko,epiphany,epiphany-plugins,galeon
On 9.0 the following packages depend on 1.4:
mozilla-cs,mozilla-deat,mozilla-hu,epiphany,epiphany-plugins,galeon
On 8.2 it's:
mozilla-cs,mozilla-deat,mozilla-hu,galeon
If any of those breaks we don't need to care I guess as 8.2 is end of life anyways.
On NLD the following packages depend on 1.6:
mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko,epiphany
and on SLES9:
mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko
That's odd as there is a mozilla 1.7.8 release already, maybe it's not merged back or something.
On SLEC the following packages depend on 1.4:
galeon,mozilla-deat
released.
CVE-2005-2270 CVE-2005-2269 CVE-2005-2268 CVE-2005-2267 CVE-2005-2266 CVE-2005-1937 CVE-2005-2265 CVE-2005-2264 CVE-2005-2263 CVE-2005-2262 CVE-2005-2261 CVE-2005-2260
CVE-2005-2270: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)