On March 18th the RHSA-2004:112-01 advisory showed up about multiple security vulnerabilities in Mozilla. The new release fixes the following:

CAN-2003-0564 ASN.1 troubles with S/MIME
CAN-2003-0594 cookie mishandling with a possibility of execution of malicious code on a browsing machine
CAN-2004-0191 cross-site scripting issues

More details about these bugs can be found on http://cve.mitre.org/.

As for fixes, I found some patch for the last problem trawling through bugzilla.mozilla.org, but the other two were fixed by switching to a version of Mozilla with these bugs fixed, and mozilla-1.4.2-0.9.0.src.rpm does not include _any_ explicit patches. I tried to look around if somewhere else there is something I could adapt to mozilla-1.0.2-2.7.3, but I drew a blank. One would have to be intimately familiar with mozilla sources to risk backporting security fixes to older versions, and the time expenditure for something of that sort would likely be enormous without any guarantees that things are indeed correct. Look at this source size.

Instead I decided that recompiling mozilla-1.4.2 would be more productive. I modified mozilla.spec for the latter to be similar to what was used with mozilla-1.0.2-2.7.3 and it worked on the first try. :-) As galeon is tied to mozilla (libraries) I did the same thing with the latter. So far things seem to work just fine.

I attach diffs, minus '%changelog' entries, for spec files used to recompile RH9 updates on RH7.3. There is no bugzilla entry for now (but if somebody feels like doing that... :-)

Despite a general policy of not changing versions, this seems to me a correct thing to do here. Comments?

Michal
--- SPECS/mozilla.spec~ Mon Mar 8 12:45:27 2004 +++ SPECS/mozilla.spec Fri Mar 19 17:14:12 2004 @@ -2,13 +2,14 @@ %define desktop_file_utils_version 0.2.93 %define _unpackaged_files_terminate_build 0 -%define toolkit_options --disable-freetype2 --enable-xft +# %define toolkit_options --disable-freetype2 --enable-xft +%define toolkit_options --disable-freetype2 --enable-old-abi-compat-wrappers %define builddir %{_builddir}/mozilla Name: mozilla Summary: Web browser and mail reader Version: 1.4.2 -Release: 0.9.0 +Release: 0.7x.legacy Epoch: 37 License: MPL/NPL/GPL/LGPL Source0: mozilla-source-1.4.2.tar.bz2 @@ -54,7 +55,7 @@ Buildroot: %{_tmppath}/%{name}-root Prefix: /usr Group: Applications/Internet Provides: webclient -BuildPrereq: libpng-devel, libjpeg-devel, zlib-devel, zip, perl, indexhtml, libIDL-devel, glib2-devel, gtk2-devel, autoconf213 +BuildPrereq: libpng-devel, libjpeg-devel, zlib-devel, zip, perl, indexhtml, ORBit-devel, glib2-devel, gtk2-devel, autoconf Prereq: fileutils perl Prereq: /usr/bin/killall Requires: mozilla-nspr = %{epoch}:%{version}-%{release} @@ -247,7 +248,7 @@ if test "x$CPUS" = "x" -o "x$CPUS" = "x0 fi %ifarch i386 -CC=gcc296 CXX=g++296 \ +CC=gcc CXX=g++ \ CFLAGS=-g CXXFLAGS=-g XCFLAGS=-g \ %endif BUILD_OFFICIAL=1 MOZILLA_OFFICIAL=1 \
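Review bot: in the first hunk the old `%define toolkit_options --disable-freetype2 --enable-xft` is left commented out next to the new `--enable-old-abi-compat-wrappers` line, and neither line records why Xft is dropped and the ABI compatibility wrappers are turned on for the 7.3 rebuild; a one-line comment above the new `%define` stating the reason would stop the next maintainer from re-enabling Xft. The Release change to 0.7x.legacy with Epoch 37 left untouched looks right.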
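Review bot: in the BuildPrereq hunk, replacing autoconf213 with plain autoconf drops the version constraint that the original spec encoded in the package name, and libIDL-devel becomes ORBit-devel without a note on why; record in a comment (or a versioned BuildPrereq) which autoconf version the 7.3 `autoconf` package supplies, since Mozilla's configure expects the 2.13 series, and that the IDL compiler headers come from ORBit on 7.3, so the substitution is documented rather than implicit.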
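Review bot: in the %ifarch i386 block, `CC=gcc296 CXX=g++296` becomes `CC=gcc CXX=g++`, which just names the default compiler, so the override no longer selects anything; either drop the two assignments and keep only the `CFLAGS=-g CXXFLAGS=-g XCFLAGS=-g` line, or comment out the old values the way the galeon.spec patch does, so both specs record the change the same way.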
--- SPECS/galeon.spec~ Tue Mar 9 09:49:28 2004 +++ SPECS/galeon.spec Sat Mar 20 11:17:07 2004 @@ -1,7 +1,7 @@ # Note that this is NOT a relocatable package # DON'T FORGET TO UPDATE THE MOZILLA DEPENDENCY %define ver 1.2.13 -%define rel 0.9.0 +%define rel 0.7x.legacy %define prefix /usr %define sysconfdir /etc %define moz_required 1.4.2 @@ -63,8 +63,8 @@ Galeon was written to do just one thing #autoconf export DONT_BUILD_NAUTILUS_VIEW=1 -export CC=gcc296 -export CXX=g++296 +# export CC=gcc296 +# export CXX=g++296 # if you set the DONT_BUILD_NAUTILUS_VIEW environment variable to something # else than "" the view won't be built. Otherwise, it will e built if
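Review bot: the first hunk sits right under the comment DON'T FORGET TO UPDATE THE MOZILLA DEPENDENCY yet only `%define rel` changes while `%define moz_required 1.4.2` stays; that matches the rebuilt mozilla version, but since the mozilla Release became 0.7x.legacy in the other patch, check whether any Requires: line built from moz_required also pins a release and, if so, update it in the same patch.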
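Review bot: commenting out `export CC=gcc296` and `export CXX=g++296` works, but the mozilla.spec patch handles the same compiler change by replacing the values; pick one style for both specs. While in this block, the unchanged comment line "it will e built if" has a typo (be) that could be fixed in the same pass.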
--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list