Bugzilla – Bug 88509
VUL-0: CVE-2005-2270: upcoming security release of mozilla 1.7.9 and Firefox 1.0.5
Last modified: 2021-11-10 14:47:52 UTC
there will be mozilla and firefox security releases with fixes for (at least)
mozilla 1.7.9 and firefox 1.0.5 is near.
(as well as Thunderbird 1.0.5 it seems)
Is it OK to do the same procedure as every month? :-(
- patch mozilla
- version upgrade for Firefox
(all changes between 1.0.4 and 1.0.5 are security ones)
Please stay with the previous version.
mozilla.org will ship new versions today (planned)
At the moment I have no information which security information will be provided.
I will prepare update packages ASAP.
Created attachment 41640
Created attachment 41641
Created attachment 41642
Created attachment 41643
Created attachment 41644
Created attachment 41645
Created attachment 41646
Created attachment 41647
Created attachment 41648
Created attachment 41649
Created attachment 41650
Created attachment 41651
Those announcements are not published yet and therefore the naming could be
changed again. I will tell you as soon as it is final.
Firefox packages are submitted for 9.0, 9.1, 9.2 and 9.3.
actually swampid: 1783
Firefox 1.0.5 is released by mozilla.org now.
Security announcements are public here:
Mozilla and Thunderbird are not released yet but will follow soon.
Firefox updates based on 1.0.6 are now submitted to /work/src/done.
mozilla is waiting for upstream approval for another day.
I have some questions
Will the following packages magically work with the new mozilla?
Did the list of subpackages change in any release? sles9 for example doesn't
include the spellchecker.
(In reply to comment #22)
> Will the following packages magically work with the new mozilla?
> - galeon
> - epiphany
> - mozilla-cs,mozilla-deat,mozilla-hu,mozilla-ja,mozilla-ko
I guess you speak about SLES8, 8.2, 9.0 which will go from 1.6 to 1.7.8(11)?
No, not all of those will work with new mozilla.
We made an evaluation for SLES8:
# whatdependson -D sles8-slec-i386 mozilla       Status
- evolution (email@example.com)                  rebuild works
- galeon (firstname.lastname@example.org)        1.2.13 incompatible
- gnome-pilot (email@example.com)                don't see how it depends
                                                 (but it builds anyway)
- kdebindings3 (firstname.lastname@example.org)  rebuild works
- mozilla-deat (email@example.com)               must be updated to SLES9
# whatdependson -D sles8-i386 mozilla
- POS_Image (firstname.lastname@example.org)     just included in the image
- POS_Image-Desktop (email@example.com)          "
- POS_Image-Desktop2                             "
- POS_Image2 (firstname.lastname@example.org)    "
- saint (email@example.com)                      only need a web browser
                                                 (no build deps)
This was discussed on prjmgr and the only problem is galeon on SLEC. If we can't
get it to work easily it will be obsoleted.
I've discussed with Marcus to get mozilla checked in and check the missing
details before the update is published IIRC. mozilla-deat is already there for
checkin to SLEC.
For SLES9 we have no problem. We've already made sure that all packages work
with mozilla 1.7.8 as SP2 arrived.
I'm not sure if we care much about 8.2 and 9.0. We haven't much choice here.
> Did the list of subpackages change in any release? sles9 for example doesn't
> include the spellchecker.
The package already included it IMHO. It's just not in the packagelist of the
distribution and it needn't be now. It's completely optional. We don't have
to add any package anywhere.
According to check_patchinfo we need to update the following packages on 9.1
as they depend on mozilla 1.6:
On 9.0 the following packages depend on 1.4:
On 8.2 it's:
If any of those breaks we don't need to care I guess as 8.2 is end of life
On NLD the following packages depend on 1.6:
and on SLES9:
That's odd as there is a mozilla 1.7.8 release already, maybe it's not merged
back or something.
On SLEC the following packages depend on 1.4:
CVE-2005-2270: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)