From joey at infodrom.org Thu Jun 1 06:56:27 2006 From: joey at infodrom.org (Martin Schulze) Date: Thu Jun 1 06:58:21 2006 Subject: [co296@aol.com: Fire fox dos exploit] Message-ID: <20060601065627.GA28400@finlandia.infodrom.north.de> Hi, not sure if you noticed this one. This is https://bugzilla.mozilla.org/show_bug.cgi?id=239840 It is also referenced CVE-2006-2723 Regards, Joey ----- Forwarded message from co296@aol.com ----- Date: 30 May 2006 12:03:36 -0000 From: co296@aol.com To: bugtraq@securityfocus.com Subject: Fire fox dos exploit X-Folder: bugtraq@lists.infodrom.org I have found a problem which causes denial of service on fire fox browser Creadit:to n00b for finding this bug.. the problem lie's in the html tag uses 100% cpu and crash's the browser.. Following proof of concept available Credit to n00b.. ----- End forwarded message ----- -- If you come from outside of Finland, you live in wrong country. -- motd of irc.funet.fi Please always Cc to me when replying to me on the lists. From mstone at debian.org Sat Jun 3 14:56:29 2006 From: mstone at debian.org (Michael Stone) Date: Sat Jun 3 14:56:46 2006 Subject: Latest firefox vulnerability Message-ID: <20060603145628.GO11420@mathom.us> Has anyone started looking into the latest set of vulnerabilities (the firefox 1.5.0.4 set)? Mike Stone From eric at debian.org Sat Jun 3 16:52:22 2006 From: eric at debian.org (Eric Dorland) Date: Sat Jun 3 16:52:54 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060603145628.GO11420@mathom.us> References: <20060603145628.GO11420@mathom.us> Message-ID: <20060603165222.GA4997@nightcrawler.kuroneko.ca> * Michael Stone (mstone@debian.org) wrote: > Has anyone started looking into the latest set of vulnerabilities (the > firefox 1.5.0.4 set)? I haven't, and I certainly won't have time this weekend. Alexander? 
-- Eric Dorland ICQ: #61138586, Jabber: hooty@jabber.com 1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+ ------END GEEK CODE BLOCK------ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20060603/7a22ac37/attachment.pgp From asac at debian.org Mon Jun 5 15:19:53 2006 From: asac at debian.org (Alexander Sack) Date: Mon Jun 5 15:20:29 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060603165222.GA4997@nightcrawler.kuroneko.ca> References: <20060603145628.GO11420@mathom.us> <20060603165222.GA4997@nightcrawler.kuroneko.ca> Message-ID: <20060605151953.GD7039@jwsdot.com> On Sat, Jun 03, 2006 at 12:52:22PM -0400, Eric Dorland wrote: > * Michael Stone (mstone@debian.org) wrote: > > Has anyone started looking into the latest set of vulnerabilities (the > > firefox 1.5.0.4 set)? > > I haven't, and I certainly won't have time this weekend. Alexander? > Yes ... I started to backport stuff, but it *will* take some time. I begin with the most critical ones and send patches for them in advance. I hope to come up with some of them til the end of this week. - Alexander -- GPG messages preferred. | .''`. ** Debian GNU/Linux ** Alexander Sack | : :' : The universal asac@debian.org | `. 
`' Operating System http://www.asoftsite.org/ | `- http://www.debian.org/ From jmm at inutil.org Tue Jun 6 21:45:56 2006 From: jmm at inutil.org (Moritz Muehlenhoff) Date: Tue Jun 6 21:45:44 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060603145628.GO11420@mathom.us> References: <20060603145628.GO11420@mathom.us> Message-ID: <20060606214556.GE5241@galadriel.inutil.org> Michael Stone wrote: > Has anyone started looking into the latest set of vulnerabilities (the > firefox 1.5.0.4 set)? Is it actually sanely backportable to Sarge? I remember having read about API incompatibilities for Firefox extensions. Support for 1.0.x has stopped with the last round of Firefox issues; they don't provide fixed packages and they don't give us access to the Bugzilla entries describing the problems to even research the status of 1.0.x. We will most definitely again reach the point, where the Woody packages of Mozilla were/are; full of unfixable security problems. Is there any sign that their security procedures will improve with xulrunner? Cheers, Moritz From asac at debian.org Tue Jun 6 22:10:58 2006 From: asac at debian.org (Alexander Sack) Date: Tue Jun 6 22:11:19 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060606214556.GE5241@galadriel.inutil.org> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> Message-ID: <20060606221058.GA4808@jwsdot.com> On Tue, Jun 06, 2006 at 11:45:56PM +0200, Moritz Muehlenhoff wrote: > Michael Stone wrote: > > Has anyone started looking into the latest set of vulnerabilities (the > > firefox 1.5.0.4 set)? > > Is it actually sanely backportable to Sarge? I remember having read about > API incompatibilities for Firefox extensions. Uploading 1.5.x should be the last option to consider. IMO, its not an option at all for debian stable. Backporting to 1.0.x branch looks doable for most issues, but definitely will take some time. - Alexander -- GPG messages preferred. | .''`. 
** Debian GNU/Linux ** Alexander Sack | : :' : The universal asac@debian.org | `. `' Operating System http://www.asoftsite.org/ | `- http://www.debian.org/ From jmm at inutil.org Tue Jun 6 22:28:09 2006 From: jmm at inutil.org (Moritz Muehlenhoff) Date: Tue Jun 6 22:27:52 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060606221058.GA4808@jwsdot.com> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> Message-ID: <20060606222809.GC7518@galadriel.inutil.org> Alexander Sack wrote: > On Tue, Jun 06, 2006 at 11:45:56PM +0200, Moritz Muehlenhoff wrote: > > Michael Stone wrote: > > > Has anyone started looking into the latest set of vulnerabilities (the > > > firefox 1.5.0.4 set)? > > > > Is it actually sanely backportable to Sarge? I remember having read about > > API incompatibilities for Firefox extensions. > > Uploading 1.5.x should be the last option to consider. IMO, its not an option > at all for debian stable. Backporting to 1.0.x branch looks doable for most > issues, but definitely will take some time. Do you have access to all Bugzilla entries or are you extracting this from the interdiff? Cheers, Moritz From eric at debian.org Wed Jun 7 00:03:59 2006 From: eric at debian.org (Eric Dorland) Date: Wed Jun 7 00:06:37 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060606222809.GC7518@galadriel.inutil.org> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060606222809.GC7518@galadriel.inutil.org> Message-ID: <20060607000359.GA23179@nightcrawler.kuroneko.ca> * Moritz Muehlenhoff (jmm@inutil.org) wrote: > Alexander Sack wrote: > > On Tue, Jun 06, 2006 at 11:45:56PM +0200, Moritz Muehlenhoff wrote: > > > Michael Stone wrote: > > > > Has anyone started looking into the latest set of vulnerabilities (the > > > > firefox 1.5.0.4 set)? > > > > > > Is it actually sanely backportable to Sarge? 
I remember having read about > > > API incompatibilities for Firefox extensions. > > > > Uploading 1.5.x should be the last option to consider. IMO, its not an option > > at all for debian stable. Backporting to 1.0.x branch looks doable for most > > issues, but definitely will take some time. > > Do you have access to all Bugzilla entries or are you extracting this from > the interdiff? He's likely looking at the cvs commits, which give a bit more granularity than interdiff. Didn't someone on the stable security team tell me they had access to the secured bugs in the mozilla bugzilla? Has any distro released a security fix for this? We definitely shouldn't be above borrowing their work. -- Eric Dorland ICQ: #61138586, Jabber: hooty@jabber.com 1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+ ------END GEEK CODE BLOCK------ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20060606/7c59f79d/attachment.pgp From joey at infodrom.org Wed Jun 7 06:05:40 2006 From: joey at infodrom.org (Martin Schulze) Date: Wed Jun 7 06:08:01 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607000359.GA23179@nightcrawler.kuroneko.ca> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060606222809.GC7518@galadriel.inutil.org> <20060607000359.GA23179@nightcrawler.kuroneko.ca> Message-ID: <20060607060540.GA2598@finlandia.infodrom.north.de> Eric Dorland wrote: > Didn't someone on the stable security team tell me they had access to > the secured bugs in the mozilla bugzilla? 
Has any distro released a > security fix for this? We definitely shouldn't be above borrowing > their work. Mdz was once listed as security contact. However, we tried to move this to either Alexander or a mail alias that goes to him - but that hasn't happened yet iirc. Dunno why. Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists. From joey at infodrom.org Wed Jun 7 06:03:29 2006 From: joey at infodrom.org (Martin Schulze) Date: Wed Jun 7 06:09:15 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060605151953.GD7039@jwsdot.com> References: <20060603145628.GO11420@mathom.us> <20060603165222.GA4997@nightcrawler.kuroneko.ca> <20060605151953.GD7039@jwsdot.com> Message-ID: <20060607060329.GZ2598@finlandia.infodrom.north.de> Alexander Sack wrote: > Yes ... I started to backport stuff, but it *will* take some time. > > I begin with the most critical ones and send patches for them in advance. > > I hope to come up with some of them til the end of this week. Wow. That would be great! Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists. From joey at infodrom.org Wed Jun 7 06:00:29 2006 From: joey at infodrom.org (Martin Schulze) Date: Wed Jun 7 06:09:18 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060606214556.GE5241@galadriel.inutil.org> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> Message-ID: <20060607060029.GY2598@finlandia.infodrom.north.de> Moritz Muehlenhoff wrote: > Michael Stone wrote: > > Has anyone started looking into the latest set of vulnerabilities (the > > firefox 1.5.0.4 set)? > > Is it actually sanely backportable to Sarge? I remember having read about > API incompatibilities for Firefox extensions. 
> > Support for 1.0.x has stopped with the last round of Firefox issues; they > don't provide fixed packages and they don't give us access to the Bugzilla > entries describing the problems to even research the status of 1.0.x. > > We will most definitely again reach the point, where the Woody packages > of Mozilla were/are; full of unfixable security problems. s/Woody/Sarge/? Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists. From asac at debian.org Wed Jun 7 06:39:15 2006 From: asac at debian.org (Alexander Sack) Date: Wed Jun 7 06:40:58 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607000359.GA23179@nightcrawler.kuroneko.ca> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060606222809.GC7518@galadriel.inutil.org> <20060607000359.GA23179@nightcrawler.kuroneko.ca> Message-ID: <20060607063915.GA8277@jwsdot.com> On Tue, Jun 06, 2006 at 08:03:59PM -0400, Eric Dorland wrote: > * Moritz Muehlenhoff (jmm@inutil.org) wrote: > > Alexander Sack wrote: > > > On Tue, Jun 06, 2006 at 11:45:56PM +0200, Moritz Muehlenhoff wrote: > > > > Michael Stone wrote: > > > > > Has anyone started looking into the latest set of vulnerabilities (the > > > > > firefox 1.5.0.4 set)? > > > > > > > > Is it actually sanely backportable to Sarge? I remember having read about > > > > API incompatibilities for Firefox extensions. > > > > > > Uploading 1.5.x should be the last option to consider. IMO, its not an option > > > at all for debian stable. Backporting to 1.0.x branch looks doable for most > > > issues, but definitely will take some time. > > > > Do you have access to all Bugzilla entries or are you extracting this from > > the interdiff? > > He's likely looking at the cvs commits, which give a bit more > granularity than interdiff. 
> > Didn't someone on the stable security team tell me they had access to > the secured bugs in the mozilla bugzilla? Has any distro released a > security fix for this? We definitely shouldn't be above borrowing > their work. I am looking at *bugs* and I am working with other distributors (redhat, suse) to get those fixes backported. - Alexander -- GPG messages preferred. | .''`. ** Debian GNU/Linux ** Alexander Sack | : :' : The universal asac@debian.org | `. `' Operating System http://www.asoftsite.org/ | `- http://www.debian.org/ From jmm at inutil.org Wed Jun 7 07:02:43 2006 From: jmm at inutil.org (Moritz Muehlenhoff) Date: Wed Jun 7 07:04:56 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607060029.GY2598@finlandia.infodrom.north.de> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060607060029.GY2598@finlandia.infodrom.north.de> Message-ID: <20060607070243.GA24404@inutil.org> Martin Schulze wrote: > Moritz Muehlenhoff wrote: > > Michael Stone wrote: > > > Has anyone started looking into the latest set of vulnerabilities (the > > > firefox 1.5.0.4 set)? > > > > Is it actually sanely backportable to Sarge? I remember having read about > > API incompatibilities for Firefox extensions. > > > > Support for 1.0.x has stopped with the last round of Firefox issues; they > > don't provide fixed packages and they don't give us access to the Bugzilla > > entries describing the problems to even research the status of 1.0.x. > > > > We will most definitely again reach the point, where the Woody packages > > of Mozilla were/are; full of unfixable security problems. > > s/Woody/Sarge/? The Sarge Mozilla packages should still be okay (sans the current issues), but Woody hasn't seen a Mozilla update for years, because it's impossible to backport all this to Mozilla 1.0. 
Cheers, Moritz From eric at debian.org Wed Jun 7 13:31:25 2006 From: eric at debian.org (Eric Dorland) Date: Wed Jun 7 13:32:11 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607063915.GA8277@jwsdot.com> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060606222809.GC7518@galadriel.inutil.org> <20060607000359.GA23179@nightcrawler.kuroneko.ca> <20060607063915.GA8277@jwsdot.com> Message-ID: <20060607133124.GM4997@nightcrawler.kuroneko.ca> * Alexander Sack (asac@debian.org) wrote: > On Tue, Jun 06, 2006 at 08:03:59PM -0400, Eric Dorland wrote: > > * Moritz Muehlenhoff (jmm@inutil.org) wrote: > > > Alexander Sack wrote: > > > > On Tue, Jun 06, 2006 at 11:45:56PM +0200, Moritz Muehlenhoff wrote: > > > > > Michael Stone wrote: > > > > > > Has anyone started looking into the latest set of vulnerabilities (the > > > > > > firefox 1.5.0.4 set)? > > > > > > > > > > Is it actually sanely backportable to Sarge? I remember having read about > > > > > API incompatibilities for Firefox extensions. > > > > > > > > Uploading 1.5.x should be the last option to consider. IMO, its not an option > > > > at all for debian stable. Backporting to 1.0.x branch looks doable for most > > > > issues, but definitely will take some time. > > > > > > Do you have access to all Bugzilla entries or are you extracting this from > > > the interdiff? > > > > He's likely looking at the cvs commits, which give a bit more > > granularity than interdiff. > > > > Didn't someone on the stable security team tell me they had access to > > the secured bugs in the mozilla bugzilla? Has any distro released a > > security fix for this? We definitely shouldn't be above borrowing > > their work. > > I am looking at *bugs* and I am working with other distributors (redhat, suse) > to get those fixes backported. So you have access to the restricted bugs? That's good to know. 
-- Eric Dorland ICQ: #61138586, Jabber: hooty@jabber.com 1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+ ------END GEEK CODE BLOCK------ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20060607/6102f350/attachment.pgp From joey at infodrom.org Wed Jun 7 14:14:29 2006 From: joey at infodrom.org (Martin Schulze) Date: Wed Jun 7 14:17:57 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607070243.GA24404@inutil.org> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060607060029.GY2598@finlandia.infodrom.north.de> <20060607070243.GA24404@inutil.org> Message-ID: <20060607141429.GD2598@finlandia.infodrom.north.de> Moritz Muehlenhoff wrote: > Martin Schulze wrote: > > Moritz Muehlenhoff wrote: > > > Michael Stone wrote: > > > > Has anyone started looking into the latest set of vulnerabilities (the > > > > firefox 1.5.0.4 set)? > > > > > > Is it actually sanely backportable to Sarge? I remember having read about > > > API incompatibilities for Firefox extensions. > > > > > > Support for 1.0.x has stopped with the last round of Firefox issues; they > > > don't provide fixed packages and they don't give us access to the Bugzilla > > > entries describing the problems to even research the status of 1.0.x. > > > > > > We will most definitely again reach the point, where the Woody packages > > > of Mozilla were/are; full of unfixable security problems. > > > > s/Woody/Sarge/? 
> > The Sarge Mozilla packages should still be okay (sans the current issues), > but Woody hasn't seen a Mozilla update for years, because it's impossible > to backport all this to Mozilla 1.0. Umh, then why will we reach this state *again*? We've already reached it. I just can't parse the above paragraph. Regards, Joey -- This is GNU/Linux Country. On a quiet night, you can hear Windows reboot. Please always Cc to me when replying to me on the lists. From jmm at inutil.org Wed Jun 7 21:11:08 2006 From: jmm at inutil.org (Moritz Muehlenhoff) Date: Wed Jun 7 21:11:07 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060607141429.GD2598@finlandia.infodrom.north.de> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060607060029.GY2598@finlandia.infodrom.north.de> <20060607070243.GA24404@inutil.org> <20060607141429.GD2598@finlandia.infodrom.north.de> Message-ID: <20060607211108.GB5818@galadriel.inutil.org> Martin Schulze wrote: > Moritz Muehlenhoff wrote: > > Martin Schulze wrote: > > > Moritz Muehlenhoff wrote: > > > > Michael Stone wrote: > > > > > Has anyone started looking into the latest set of vulnerabilities (the > > > > > firefox 1.5.0.4 set)? > > > > > > > > Is it actually sanely backportable to Sarge? I remember having read about > > > > API incompatibilities for Firefox extensions. > > > > > > > > Support for 1.0.x has stopped with the last round of Firefox issues; they > > > > don't provide fixed packages and they don't give us access to the Bugzilla > > > > entries describing the problems to even research the status of 1.0.x. > > > > > > > > We will most definitely again reach the point, where the Woody packages > > > > of Mozilla were/are; full of unfixable security problems. > > > > > > s/Woody/Sarge/? > > > > The Sarge Mozilla packages should still be okay (sans the current issues), > > but Woody hasn't seen a Mozilla update for years, because it's impossible > > to backport all this to Mozilla 1.0. 
> > Umh, then why will we reach this state *again*? We've already reached it. > I just can't parse the above paragraph. I'm not sure if we have already reached it, at least Alexander seems optimistic. But I don't think Firefox and Mozilla will be supportable over the full Sarge support time frame and we should brainstorm about the ramifications for Sarge (e.g. publicly announcing the EOL of security support) and Etch (e.g. contacting Mozilla Foundation about our concerns or adding a note to the release notes, that security support is unpredictable and that alternatives exist (Konqueror has had a better security track record and is professionally managed)). Cheers, Moritz From mstone at debian.org Thu Jun 8 13:50:15 2006 From: mstone at debian.org (Michael Stone) Date: Thu Jun 8 13:50:39 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060606221058.GA4808@jwsdot.com> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> Message-ID: <20060608135013.GK11420@mathom.us> On Wed, Jun 07, 2006 at 12:10:58AM +0200, Alexander Sack wrote: >Uploading 1.5.x should be the last option to consider. IMO, its not an option >at all for debian stable. Why? I've heard through various sources that people are targeting the vulnerabities in the latest mozilla advisory. The bottom line is that we need to get them patched. If patches can be backported, fine--but it looks as though the mozilla foundation isn't interested in facilitating that. If we can't get backports in a reasonable timeframe, I think we have to consider backporting a supported version before we let the sarge packages get into the state the woody packages reached. 
Mike Stone From skx at debian.org Thu Jun 8 13:53:07 2006 From: skx at debian.org (Steve Kemp) Date: Thu Jun 8 13:53:05 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608135013.GK11420@mathom.us> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> Message-ID: <20060608135307.GA14494@steve.org.uk> On Thu, Jun 08, 2006 at 09:50:15AM -0400, Michael Stone wrote: > If we can't get backports in a reasonable timeframe, I think we > have to consider backporting a supported version before we let the sarge > packages get into the state the woody packages reached. Wouldn't this be an ideal use for the Volatile repository? Steve -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20060608/20e251ce/attachment.pgp From mstone at debian.org Thu Jun 8 13:57:22 2006 From: mstone at debian.org (Michael Stone) Date: Thu Jun 8 13:57:40 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608135307.GA14494@steve.org.uk> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> <20060608135307.GA14494@steve.org.uk> Message-ID: <20060608135720.GL11420@mathom.us> On Thu, Jun 08, 2006 at 02:53:07PM +0100, Steve Kemp wrote: >On Thu, Jun 08, 2006 at 09:50:15AM -0400, Michael Stone wrote: >> If we can't get backports in a reasonable timeframe, I think we >> have to consider backporting a supported version before we let the sarge >> packages get into the state the woody packages reached. > > Wouldn't this be an ideal use for the Volatile repository? No. 
We can't just distribute a version with security problems and tell people to use some other archive if they need security. If we dropped mozilla from the main archive and *only* distributed it from volatile, then it would be ok. But we've given our users an expectation that if they install main & get security updates form security.d.o, they'll be taken care of. We can't just stop doing that. (Although we did it for woody, I'd like to think that's an anomoly rather than our new policy.) Mike Stone From asac at jwsdot.com Thu Jun 8 13:57:58 2006 From: asac at jwsdot.com (Alexander Sack) Date: Thu Jun 8 13:58:15 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608135013.GK11420@mathom.us> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> Message-ID: <20060608135758.GD14255@jwsdot.com> On Thu, Jun 08, 2006 at 09:50:15AM -0400, Michael Stone wrote: > On Wed, Jun 07, 2006 at 12:10:58AM +0200, Alexander Sack wrote: > >Uploading 1.5.x should be the last option to consider. IMO, its not an > >option > >at all for debian stable. > > Why? > > I've heard through various sources that people are targeting the > vulnerabities in the latest mozilla advisory. The bottom line is that we If you name the specific mozilla advisories currently exploited in the wild, I will see if I can release patches for those asap. - Alexander -- GPG messages preferred. | .''`. ** Debian GNU/Linux ** Alexander Sack | : :' : The universal asac@jwsdot.com | `. 
`' Operating System http://www.asoftsite.org | `- http://www.debian.org From jmm at inutil.org Thu Jun 8 14:00:57 2006 From: jmm at inutil.org (Moritz Muehlenhoff) Date: Thu Jun 8 14:01:23 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608135720.GL11420@mathom.us> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> <20060608135307.GA14494@steve.org.uk> <20060608135720.GL11420@mathom.us> Message-ID: <20060608140057.GA19221@inutil.org> Michael Stone wrote: > On Thu, Jun 08, 2006 at 02:53:07PM +0100, Steve Kemp wrote: > >On Thu, Jun 08, 2006 at 09:50:15AM -0400, Michael Stone wrote: > >>If we can't get backports in a reasonable timeframe, I think we > >>have to consider backporting a supported version before we let the sarge > >>packages get into the state the woody packages reached. > > > > Wouldn't this be an ideal use for the Volatile repository? > > No. We can't just distribute a version with security problems and tell > people to use some other archive if they need security. If we dropped > mozilla from the main archive and *only* distributed it from volatile, > then it would be ok. But we've given our users an expectation that if > they install main & get security updates form security.d.o, they'll be > taken care of. We can't just stop doing that. (Although we did it for > woody, I'd like to think that's an anomoly rather than our new policy.) I agree it's not an option for Sarge, can we could very well do it for Etch. 
Cheers, Moritz From joey at infodrom.org Thu Jun 8 14:02:18 2006 From: joey at infodrom.org (Martin Schulze) Date: Thu Jun 8 14:07:20 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608135307.GA14494@steve.org.uk> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> <20060608135307.GA14494@steve.org.uk> Message-ID: <20060608140217.GF2598@finlandia.infodrom.north.de> Steve Kemp wrote: > On Thu, Jun 08, 2006 at 09:50:15AM -0400, Michael Stone wrote: > > > If we can't get backports in a reasonable timeframe, I think we > > have to consider backporting a supported version before we let the sarge > > packages get into the state the woody packages reached. > > Wouldn't this be an ideal use for the Volatile repository? Not ideal I'd say, but probably worth considering. Regards, Joey -- All language designers are arrogant. Goes with the territory... -- Larry Wall Please always Cc to me when replying to me on the lists. From mstone at debian.org Fri Jun 9 10:57:17 2006 From: mstone at debian.org (Michael Stone) Date: Fri Jun 9 10:57:57 2006 Subject: Latest firefox vulnerability In-Reply-To: <20060608140057.GA19221@inutil.org> References: <20060603145628.GO11420@mathom.us> <20060606214556.GE5241@galadriel.inutil.org> <20060606221058.GA4808@jwsdot.com> <20060608135013.GK11420@mathom.us> <20060608135307.GA14494@steve.org.uk> <20060608135720.GL11420@mathom.us> <20060608140057.GA19221@inutil.org> Message-ID: <20060609105715.GM11420@mathom.us> On Thu, Jun 08, 2006 at 04:00:57PM +0200, Moritz Muehlenhoff wrote: >I agree it's not an option for Sarge, can we could very well do it >for Etch. I'd love to do it for etch. IIRC, I wanted to do it before the sarge release. :) The trick is making people understand just how impossible it is to support what the mozilla people are doing for an entire relase cycle--at this point they just hear "drop firefox" and freak out. 
Mike Stone

From mh at glandium.org  Fri Jun 9 20:08:26 2006
From: mh at glandium.org (Mike Hommey)
Date: Fri Jun 9 20:11:06 2006
Subject: Latest firefox vulnerability
In-Reply-To: <20060609105715.GM11420@mathom.us>
References: <20060603145628.GO11420@mathom.us>
	<20060606214556.GE5241@galadriel.inutil.org>
	<20060606221058.GA4808@jwsdot.com>
	<20060608135013.GK11420@mathom.us>
	<20060608135307.GA14494@steve.org.uk>
	<20060608135720.GL11420@mathom.us>
	<20060608140057.GA19221@inutil.org>
	<20060609105715.GM11420@mathom.us>
Message-ID: <20060609200825.GA10184@glandium.org>

On Fri, Jun 09, 2006 at 06:57:17AM -0400, Michael Stone wrote:
> On Thu, Jun 08, 2006 at 04:00:57PM +0200, Moritz Muehlenhoff wrote:
> >I agree it's not an option for Sarge, can we could very well do it
> >for Etch.
> 
> I'd love to do it for etch. IIRC, I wanted to do it before the sarge
> release. :) The trick is making people understand just how impossible it
> is to support what the mozilla people are doing for an entire release
> cycle--at this point they just hear "drop firefox" and freak out.

It would not only be "drop firefox", it would be drop: firefox,
thunderbird, mozilla, seamonkey, sunbird, yelp, devhelp, epiphany,
kazehakase, galeon, xulrunner, liferea...

Mike

From jmm at inutil.org  Sun Jun 11 20:32:07 2006
From: jmm at inutil.org (Moritz Muehlenhoff)
Date: Sun Jun 11 20:31:50 2006
Subject: Latest firefox vulnerability
In-Reply-To: <20060609200825.GA10184@glandium.org>
References: <20060603145628.GO11420@mathom.us>
	<20060606214556.GE5241@galadriel.inutil.org>
	<20060606221058.GA4808@jwsdot.com>
	<20060608135013.GK11420@mathom.us>
	<20060608135307.GA14494@steve.org.uk>
	<20060608135720.GL11420@mathom.us>
	<20060608140057.GA19221@inutil.org>
	<20060609105715.GM11420@mathom.us>
	<20060609200825.GA10184@glandium.org>
Message-ID: <20060611203207.GA5701@galadriel.inutil.org>

Mike Hommey wrote:
> On Fri, Jun 09, 2006 at 06:57:17AM -0400, Michael Stone wrote:
> > On Thu, Jun 08, 2006 at 04:00:57PM +0200, Moritz Muehlenhoff wrote:
> > >I agree it's not an option for Sarge, can we could very well do it
> > >for Etch.
> > 
> > I'd love to do it for etch. IIRC, I wanted to do it before the sarge
> > release. :) The trick is making people understand just how impossible it
> > is to support what the mozilla people are doing for an entire release
> > cycle--at this point they just hear "drop firefox" and freak out.
> 
> It would not only be "drop firefox", it would be drop: firefox,
> thunderbird, mozilla, seamonkey, sunbird, yelp, devhelp, epiphany,
> kazehakase, galeon, xulrunner, liferea...

This illustrates the infeasibility of stable security support for Mozilla
rather well: When backporting new incompatible upstream versions we would
need to upgrade all these packages en bloc.

Cheers,
        Moritz

From mh at glandium.org  Sun Jun 11 20:50:41 2006
From: mh at glandium.org (Mike Hommey)
Date: Sun Jun 11 21:11:37 2006
Subject: Latest firefox vulnerability
In-Reply-To: <20060611203207.GA5701@galadriel.inutil.org>
References: <20060603145628.GO11420@mathom.us>
	<20060606214556.GE5241@galadriel.inutil.org>
	<20060606221058.GA4808@jwsdot.com>
	<20060608135013.GK11420@mathom.us>
	<20060608135307.GA14494@steve.org.uk>
	<20060608135720.GL11420@mathom.us>
	<20060608140057.GA19221@inutil.org>
	<20060609105715.GM11420@mathom.us>
	<20060609200825.GA10184@glandium.org>
	<20060611203207.GA5701@galadriel.inutil.org>
Message-ID: <20060611205041.GA9557@glandium.org>

On Sun, Jun 11, 2006 at 10:32:07PM +0200, Moritz Muehlenhoff wrote:
> Mike Hommey wrote:
> > On Fri, Jun 09, 2006 at 06:57:17AM -0400, Michael Stone wrote:
> > > On Thu, Jun 08, 2006 at 04:00:57PM +0200, Moritz Muehlenhoff wrote:
> > > >I agree it's not an option for Sarge, can we could very well do it
> > > >for Etch.
> > > 
> > > I'd love to do it for etch. IIRC, I wanted to do it before the sarge
> > > release. :) The trick is making people understand just how impossible it
> > > is to support what the mozilla people are doing for an entire release
> > > cycle--at this point they just hear "drop firefox" and freak out.
> > 
> > It would not only be "drop firefox", it would be drop: firefox,
> > thunderbird, mozilla, seamonkey, sunbird, yelp, devhelp, epiphany,
> > kazehakase, galeon, xulrunner, liferea...
> 
> This illustrates the infeasibility of stable security support for Mozilla
> rather well: When backporting new incompatible upstream versions we would
> need to upgrade all these packages en bloc.

Actually, it's less and less true.
Mike

From asac at jwsdot.com  Wed Jun 14 07:00:19 2006
From: asac at jwsdot.com (Alexander Sack)
Date: Wed Jun 14 07:01:46 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
Message-ID: <20060614070019.GB7717@jwsdot.com>

Attached you can find patches for almost all issues (ffox and tbird).

Just some mfsa2006-32 issues (only 4 bugs) are missing:

mfsa2006-32 (Part 1/7) bz#324918
mfsa2006-32 (Part 2/7) bz#325730, bz#329982
mfsa2006-32 (Part 5/7) bz#327712.

Please extensively *test* patches on ffox (and tbird) and report back.

I will release mozilla suite specific patches as soon as I have them.

 - Alexander

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The universal
 asac@jwsdot.com           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mfsa-2006-31_32parts_33-43.tar.gz
Type: application/octet-stream
Size: 23817 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20060614/dbfecb3c/mfsa-2006-31_32parts_33-43.tar-0001.obj

From eric at kuroneko.ca  Wed Jun 14 23:53:19 2006
From: eric at kuroneko.ca (Eric Dorland)
Date: Wed Jun 14 23:53:52 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060614070019.GB7717@jwsdot.com>
References: <20060614070019.GB7717@jwsdot.com>
Message-ID: <20060614235319.GR24534@nightcrawler.kuroneko.ca>

* Alexander Sack (asac@jwsdot.com) wrote:
> 
> Attached you can find patches for almost all issues (ffox and tbird).
> 
> Just some mfsa2006-32 issues (only 4 bugs) are missing:
> 
> mfsa2006-32 (Part 1/7) bz#324918
> mfsa2006-32 (Part 2/7) bz#325730, bz#329982
> mfsa2006-32 (Part 5/7) bz#327712.
> 
> Please extensively *test* patches on ffox (and tbird) and report back.
> 
> I will release mozilla suite specific patches as soon as I have
> them.

Perhaps a silly question, but is there a trick to applying your
patches? My patch command doesn't seem to like the ---, +++ lines.

-- 
Eric Dorland
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

From asac at debian.org  Thu Jun 15 07:23:14 2006
From: asac at debian.org (Alexander Sack)
Date: Thu Jun 15 07:47:10 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060614235319.GR24534@nightcrawler.kuroneko.ca>
References: <20060614070019.GB7717@jwsdot.com>
	<20060614235319.GR24534@nightcrawler.kuroneko.ca>
Message-ID: <20060615072314.GA19277@personalfree.com>

On Wed, Jun 14, 2006 at 07:53:19PM -0400, Eric Dorland wrote:
> * Alexander Sack (asac@jwsdot.com) wrote:
> > 
> > Attached you can find patches for almost all issues (ffox and tbird).
> > 
> > Just some mfsa2006-32 issues (only 4 bugs) are missing:
> > 
> > mfsa2006-32 (Part 1/7) bz#324918
> > mfsa2006-32 (Part 2/7) bz#325730, bz#329982
> > mfsa2006-32 (Part 5/7) bz#327712.
> > 
> > Please extensively *test* patches on ffox (and tbird) and report back.
> > 
> > I will release mozilla suite specific patches as soon as I have
> > them.
> 
> Perhaps a silly question, but is there a trick to applying your
> patches? My patch command doesn't seem to like the ---, +++ lines.
> 

Maybe try something like

  cat 0015-mfsa2006-32-Part-4a-7-326931.txt | filterdiff

... this filters the patch only for me

 - Alexander

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The universal
 asac@debian.org           | `. `'      Operating System
 http://www.asoftsite.org/ |   `-    http://www.debian.org/

From mh at glandium.org  Thu Jun 15 08:22:13 2006
From: mh at glandium.org (Mike Hommey)
Date: Thu Jun 15 08:46:09 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060615072314.GA19277@personalfree.com>
References: <20060614070019.GB7717@jwsdot.com>
	<20060614235319.GR24534@nightcrawler.kuroneko.ca>
	<20060615072314.GA19277@personalfree.com>
Message-ID: <20060615082213.GA21911@glandium.org>

On Thu, Jun 15, 2006 at 09:23:14AM +0200, Alexander Sack wrote:
> Maybe try something like
> 
> cat 0015-mfsa2006-32-Part-4a-7-326931.txt | filterdiff

Oh a useless use of cat ! ;)

Mike

From asac at debian.org  Thu Jun 15 10:18:38 2006
From: asac at debian.org (Alexander Sack)
Date: Thu Jun 15 10:19:13 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060615072314.GA19277@personalfree.com>
References: <20060614070019.GB7717@jwsdot.com>
	<20060614235319.GR24534@nightcrawler.kuroneko.ca>
	<20060615072314.GA19277@personalfree.com>
Message-ID: <20060615101838.GA24544@jwsdot.com>

On Thu, Jun 15, 2006 at 09:23:14AM +0200, Alexander Sack wrote:
> 
> Maybe try something like
> 
> cat 0015-mfsa2006-32-Part-4a-7-326931.txt | filterdiff
> 
> ... this filters the patch only for me

But anyway, I had no problems dropping those mailbox files in the mozilla
debian/patches dir without transforming them first. So I guess plain patch
is able to deal with it.

 - Alexander

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The universal
 asac@debian.org           | `. `'      Operating System
 http://www.asoftsite.org/ |   `-    http://www.debian.org/

From eric at debian.org  Fri Jun 16 05:12:14 2006
From: eric at debian.org (Eric Dorland)
Date: Fri Jun 16 05:18:46 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060615101838.GA24544@jwsdot.com>
References: <20060614070019.GB7717@jwsdot.com>
	<20060614235319.GR24534@nightcrawler.kuroneko.ca>
	<20060615072314.GA19277@personalfree.com>
	<20060615101838.GA24544@jwsdot.com>
Message-ID: <20060616051214.GV24534@nightcrawler.kuroneko.ca>

* Alexander Sack (asac@debian.org) wrote:
> On Thu, Jun 15, 2006 at 09:23:14AM +0200, Alexander Sack wrote:
> > 
> > Maybe try something like
> > 
> > cat 0015-mfsa2006-32-Part-4a-7-326931.txt | filterdiff
> > 
> > ... this filters the patch only for me
> 
> But anyway, I had no problems dropping those mailbox files in the mozilla
> debian/patches dir without transforming them first. So I guess plain patch
> is able to deal with it.

Very strange. filterdiff did it but patch doesn't like the raw mailbox
files.

-- 
Eric Dorland
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6
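An added example, not code from this thread or from the Debian packaging: a POSIX shell helper that does what filterdiff did for Eric here, keeping only the unified diff of a mailbox-style patch file so that it can be piped into patch. The awk filter standing in for filterdiff and the sample mail file are assumptions made here so the example runs without patchutils installed.

```sh
#!/bin/sh
# Added example (not the thread's or the project's code). The per-bug
# patches discussed above were mailbox-style files: mail headers, a
# description, then the unified diff. filterdiff keeps only the diff;
# this awk filter is an assumed stand-in so the example runs without
# patchutils. All sample data below is constructed.

# Print the diff portion of a mail-formatted patch: everything from the
# first "diff ", "Index: " or "--- <file>" line onwards. A bare "---"
# separator (git format-patch style) and a "-- " signature delimiter
# deliberately do not match. Caveat: a description line that itself
# starts with "--- x" would be taken as the start of the diff.
extract_diff() {
    awk '
        !in_diff && (/^diff / || /^Index: / || /^--- [^ ]/) { in_diff = 1 }
        in_diff { print }
    ' "$1"
}

# Apply a mail-formatted patch from the source tree root without first
# transforming the file on disk; extra arguments (e.g. --dry-run) go to
# patch. Not exercised by the test below, since it needs patch(1).
apply_mail_patch() {
    file=$1
    shift
    extract_diff "$file" | patch -p1 "$@"
}

# Write a constructed sample in the shape of one of the mailed patches.
make_sample_mbox() {
    cat > "$1" <<'EOF'
From author@example.invalid Wed Jun 14 07:00:19 2006
From: Patch Author <author@example.invalid>
Subject: [PATCH] constructed sample patch

Constructed description of the backport.
---
 js/src/jsstr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/js/src/jsstr.c
+++ b/js/src/jsstr.c
@@ -1,3 +1,3 @@
 /* constructed sample, not the real file */
-old line
+new line
EOF
}
```

With patchutils installed, `filterdiff < file | patch -p1` does the same job and avoids the cat.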
From eric at kuroneko.ca  Fri Jun 16 05:08:28 2006
From: eric at kuroneko.ca (Eric Dorland)
Date: Fri Jun 16 05:18:50 2006
Subject: please test aviary patches: mfsa2006-31 and mfsa2006-33 TO mfsa2006-43; mfsa2006-32 partially (3 out of 7 parts missing)
In-Reply-To: <20060615082213.GA21911@glandium.org>
References: <20060614070019.GB7717@jwsdot.com>
	<20060614235319.GR24534@nightcrawler.kuroneko.ca>
	<20060615072314.GA19277@personalfree.com>
	<20060615082213.GA21911@glandium.org>
Message-ID: <20060616050828.GU24534@nightcrawler.kuroneko.ca>

* Mike Hommey (mh@glandium.org) wrote:
> On Thu, Jun 15, 2006 at 09:23:14AM +0200, Alexander Sack wrote:
> > Maybe try something like
> > 
> > cat 0015-mfsa2006-32-Part-4a-7-326931.txt | filterdiff
> 
> Oh a useless use of cat ! ;)

Cats aren't useless, they're cute, fluffy critters.

-- 
Eric Dorland
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

From mh at glandium.org  Fri Jun 16 19:50:00 2006
From: mh at glandium.org (Mike Hommey)
Date: Fri Jun 16 21:15:24 2006
Subject: mozilla security bugs, NMU?
In-Reply-To: <1150397896.6625.4.camel@gcs.lsc.hu>
References: <1150397896.6625.4.camel@gcs.lsc.hu>
Message-ID: <20060616195000.GD27187@glandium.org>

On Thu, Jun 15, 2006 at 08:58:15PM +0200, Laszlo Boszormenyi wrote:
> Hi,
> 
> This bug is open for almost two months. As Mozilla version 1.7.13 fixes
> several security bugs, please package it. If you don't have time, can I
> NMU it?

Please do.
Nobody cares enough for mozilla anymore. It's dead upstream and we're
moving away from it. It may even be *not* shipped in etch. See this
thread:
http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/2006-April/000279.html

Mike

From asac at debian.org  Sat Jun 17 12:16:34 2006
From: asac at debian.org (Alexander Sack)
Date: Sat Jun 17 12:17:23 2006
Subject: mozilla security update (proposed) needs testing.
Message-ID: <20060617121634.GA25819@jwsdot.com>

Please, test the mozilla suite I just uploaded (2:1.7.8-1sarge7). Keep
your eyes open for regressions and especially if it breaks any dependents
or extensions.

You can grab it from here:

  http://people.debian.org/~asac/security/

The changes are:

mozilla (2:1.7.8-1sarge7) stable-security; urgency=critical

  - added mozilla 1.7.14 patches in debian/patches that fix various
    security issues:
    + CVE-2006-2787     : 1_0001-mfsa2006-31-319263-336601-336313.txt
    + CVE-2006-2786 1/2 : 1_0002-mfsa2006-33-Part-1-2-329746.txt
    + CVE-2006-2786 2/2 : 1_0003-mfsa2006-33-Part-2-2-330214.txt
    + CVE-2006-2785 2/2 : 1_0004-mfsa2006-34-Part2-2-329521-suite.txt
    + CVE-2006-2775     : 1_0005-mfsa2006-35-329677.txt
    + CVE-2006-2784     : 1_0006-mfsa2006-36-330037.txt
    + CVE-2006-2776     : 1_0007-mfsa2006-37-330773-with-belt-and-braces.txt
    + CVE-2006-2778     : 1_0008-mfsa2006-38-330897.txt
    + CVE-2006-1942     : 1_0009-mfsa2006-39-CVE-2006-1942-334341-suite.txt
    + CVE-2006-2781     : 1_0010-mfsa2006-40-334384.txt
    + CVE-2006-2782     : 1_0011-mfsa2006-41-334977.txt
    + CVE-2006-2783     : 1_0012-mfsa2006-42-335816.txt
    + CVE-2006-2777     : 1_0013-mfsa2006-43-336830.txt
    + CVE-2006-2779 3/6 : 1_0014-mfsa2006-32-Part-3-7-326501.txt
    + CVE-2006-2779 4/6 : 1_0015-mfsa2006-32-Part-4a-7-326931.txt
    + CVE-2006-2785 2/2 : 1_0015-mfsa2006-34-Part-1-2-xpfe-329468-suite.txt
    + CVE-2006-2779 4/6 : 1_0016-mfsa2006-32-Part-4b-7-329219.txt
    + CVE-2006-2779 4/6 : 1_0017-mfsa2006-32-Part-4c-7-330818-proper-aviary.txt
    + CVE-2006-2779 6/6 : 1_0018-mfsa2006-32-Part-6-7-332971.txt
    + CVE-2006-2780     :
                          1_0019-js-src-jsstr.c-335535-mfsa2006-32-Part-7-7.txt
    + CVE-2006-2779 5/6 : 1_0021-mfsa2006-32-Part-5-7-327712.txt
  - Note: CVE-2006-2779 (mfsa2006-32) is only partially fixed. Missing are
    tricky parts 1/6 and 2/6 from advisory:
    1/6: Removing nested