[Secure-testing-team] Some mozilla security bug updates

Micah Anderson micah at riseup.net
Fri Mar 23 23:33:39 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike,


Mike Hommey wrote:
> 
> I just discovered http://security-tracker.debian.net/tracker/ (shame on
> me not to have known it earlier) and have some comments for some bugs
> affecting mozilla-based packages.
> 
> CVE-2006-6506 doesn't apply to iceape
> CVE-2007-1116 also applies to xulrunner, and is reported as Debian bugs
> #415919, #415944 and #415945.
> CVE-2006-6507 applies neither to iceape nor to xulrunner
> CVE-2006-0496 also affects iceape and xulrunner

I made these changes, thanks.

> CVE-2007-0801 also affects iceape and xulrunner, but, according to
> https://bugzilla.mozilla.org/show_bug.cgi?id=369428, is fixed since
> iceweasel 2.0.0.2, iceape 1.0.8 and xulrunner 1.8.0.10.

In this case, I put:

        - iceweasel 2.0.0.2+dfsg-1 (low)
        - iceape 1.0.8-1 (low)
        - xulrunner 1.8.0.10-1 (low)

Meaning those were the Debian packages this was fixed in; please correct
me if I am wrong.

> I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on
> xulrunner.
> CVE-2007-1084 may affect iceape and browsers based on xulrunner.

Ok, I'll add iceape; let us know if you determine otherwise. Also, you
say that it may affect browsers based on xulrunner, so I guess I am noting
that xulrunner is affected then? What other browsers use xulrunner embedded?

> 
> I can't reproduce CVE-2006-4561 with xulrunner. Neither in 1.8.0.10-3
> nor in earlier (I tried 1.8.0.5-4) version... Anyways, if firefox indeed
> got fixed in 1.5.0.7, then it means xulrunner was fixed in 1.8.0.7-1.
> And if the fix was really done in mozilla code base 1.8.0.7, then iceape
> was never exposed.

Noted xulrunner as fixed in 1.8.0.7-1.

Thanks for the updates!
Micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGBFXC9n4qXRzy1ioRAuSvAJ4um+e4+CaXCOmN5l0vudadxBL91wCgkMBI
nVPAD4M5eKfQe+br6620qQM=
=1g8Q
-----END PGP SIGNATURE-----


