Bug 152883 - Multiple Mozilla vulnerabilities
Summary: Multiple Mozilla vulnerabilities
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: mozilla
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: 1, LEGACY, rh73, rh90, 2
Depends On:
Reported: 2005-01-13 10:43 UTC by rob
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-18 20:50:45 UTC


Description David Lawrence 2005-03-30 23:30:53 UTC
see also:

------- Additional Comments From 2005-01-13 18:22:20 ----

Hey Rob - do you think we can tack this on to the end of Bug 2214 instead of
creating a new Bugzilla entry?        -David

------- Additional Comments From 2005-01-13 21:15:18 ----

I suggested previously that we tack this bug onto bug 2214, but it might make
more sense to keep this bug and forward 2214 to here.  I think we can do
something with this bug with the sources from RHEL, plus a couple of the
bugs mentioned in 2214.

For example, we can't do anything about these right now, because there are
no upstream patches available:
  * Bug 2214#0 or 
  * Bug 2214#4 (CAN-2004-1156) 
  * or the second half of Bug 2214#5 (CAN-2004-1200) 

But we likely *can* do something about

  * Bug 2214#3 (by grabbing code from Mozilla's bugzilla #272381,
    Ref:, and

  * the first half of Bug 2214#5 (CAN-2004-0909) (by grabbing code from
    Mozilla's bugzilla #253942,


(ps:  Hope you all don't mind my adding your names to the CC: list, since
you're already on the list for bug 2214.)

------- Additional Comments From 2005-01-14 02:14:44 ----

oops.  i didn't notice 2214 when i created this one.  we could move the info
there and mark this one as a duplicate if you want.  anyone have a preference?

i guess it doesn't matter where we track it as long as the bugs get fixed.  

------- Additional Comments From 2005-01-14 03:03:07 ----

The fewer bug #'s, the better.

------- Additional Comments From 2005-01-24 10:43:35 ----

Source rpm for mozilla-1.4.3-2.1.5, as given in RHSA-2005-038 for RHEL2.1,
recompile on RH7.3 without any changes (beyond a release string and a changelog
entry in specs).  Yes, you would need a matching galeon but galeon-1.2.13-5.2.1
from 2004-Sep-29 is still fine.

------- Additional Comments From 2005-02-26 21:06:25 ----

The key question at this point is -- do we want to create an interim mozilla
update by re-spinning the RHEL packages from January 12 or so? (our last version
is from October -- this only includes the fix for the NNTP issue).

My hunch is that we don't.  If not, we're probably going to have to wait (quite)
a while.  There's a growing pile of Mozilla CAN numbers at least... (there were
a couple of earlier ones listed in the bug #2214).  At least most of these are
already tracked by RHEL, so we'll probably want to follow their lead unless we'd
want to update to 1.7.5..

CAN-2004-1380  Firefox before 1.0 and Mozilla before 1.7.5 allows inactive
(background) tabs to launch dialog boxes, which can allow remote attackers to
spoof the dialog boxes from web sites in other windows and facilitate phishing
attacks, aka the "Dialog Box Spoofing Vulnerability."  

CAN-2004-1381  Firefox before 1.0 and Mozilla before 1.7.5 allow inactive
(background) tabs to focus on input being entered in the active tab, as
originally reported using form fields, which allows remote attackers to steal
sensitive data that is intended for other sites, which could facilitate phishing

CAN-2004-1449  Mozilla before 1.7, Firefox before 0.9, and Thunderbird before
0.7 allows remote attackers to determine the location of files on a user's hard
drive by obscuring a file upload control and tricking the user into dragging
text into that control.  

CAN-2004-1450  Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows
remote attackers to read arbitrary files in known locations.  

CAN-2004-1451  Mozilla before 1.6 does not display the entire URL in the status
bar when a link contains %00, which could allow remote attackers to trick users
into clicking on unknown or untrusted sites and facilitate phishing attacks.  

CAN-2004-1613  Mozilla allows remote attackers to cause a denial of service
(application crash from null dereference or infinite loop) via a web page that
contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a
null character and some trailing characters, as demonstrated by mangleme.  

CAN-2004-1614  Mozilla allows remote attackers to cause a denial of service
(application crash from invalid memory access) via an "unusual combination of
visual elements," including several large MARQUEE tags with large height
parameters, as demonstrated by mangleme.  

CAN-2004-1639  Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913
allows remote attackers to cause a denial of service (application crash or
memory consumption) via a large binary file with a .html extension.  

CAN-2005-0141  Firefox before 1.0 and Mozilla before 1.7.5 allow remote
attackers to load local files via links "with a custom getter and toString
method" that are middle-clicked by the user to be opened in a new tab.  

CAN-2005-0142  [Mozilla 1.7 before 1.7.5]

CAN-2005-0143  Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock
icon when an insecure page loads a binary file from a trusted site, which could
facilitate phishing attacks.  

CAN-2005-0144  Firefox before 1.0 and Mozilla before 1.7.5 display the secure
site lock icon when a view-source: URL references a secure SSL site while an
insecure page is being loaded, which could facilitate phishing attacks.  

CAN-2005-0146  Firefox before 1.0 and Mozilla before 1.7.5 allow remote
attackers to obtain sensitive data from the clipboard via Javascript that
generates a middle-click event on systems for which a middle-click performs a
paste operation.  

CAN-2005-0147  Firefox before 1.0 and Mozilla before 1.7.5, when configured to
use a proxy, respond to 407 proxy auth requests from arbitrary servers, which
allows remote attackers to steal NTLM or SPNEGO credentials.  

CAN-2005-0149  [Mozilla 1.7 through 1.7.3]

CAN-2005-0215  Mozilla 1.6 and possibly other versions allows remote attackers
to cause a denial of service (application crash) via a XBM (X BitMap) file with
a large (1) height or (2) width value.  

CAN-2005-0233  The International Domain Name (IDN) support in Firefox 1.0,
Camino .8.5, and Mozilla 1.6 allows remote attackers to spoof domain names using
punycode encoded domain names that are decoded in URLs and SSL certificates in a
way that uses homograph characters from other character sets, which facilitates
phishing attacks.  

------- Additional Comments From 2005-03-01 06:01:57 ----

*** Bug 2214 has been marked as a duplicate of this bug. ***

------- Additional Comments From 2005-03-04 06:43:46 ----

I would vote on just respinning the RHEL 2.1 packages for rh7.3. They compile
and run just fine. We were actually looking at doing this for vulnerabilities
last October. But, I think someone then backported the packages, so that was not

I'm rebuilding the rhel2.1 packages for us, here. And, I can post them if folk
would like (altho, some more CANs have just come out, so, I would expect more
packages from redhat, soon).

Mozilla, like the kernel, may be a constant moving target.

------- Additional Comments From 2005-03-04 08:13:26 ----

Sure.. but RHEL's current update only covers _one_ issue, with NNTP urls.  There
are many more on the way.  They already pushed out a firefox update for RHEL4;
I'd guess we could expect a new Mozilla update within a week or two.  That
update could be much more extensive than one rebuilt now.

------- Additional Comments From 2005-03-05 10:34:24 ----

 Daniel de Wildt discovered a memory handling flaw in Mozilla string classes
that could overwrite memory at a fixed location if reallocation fails during
string growth. This could theoretically lead to arbitrary code execution.
Creating the exact conditions for exploitation--including running out of memory
at just the right moment--is unlikely.

------- Additional Comments From 2005-03-11 03:53:21 ----

05.10.25 CVE: CAN-2005-0584
Platform: Cross Platform
Title: Mozilla Suite/Firefox HTTP Authentication Dialogs Tab Focus
Description: Mozilla Suite and Mozilla Firefox are affected by a
vulnerability that may result in the loss of authentication
credentials. Firefox versions 1.0.1 and earlier and Mozilla Suite
versions 1.7.6 and earlier are known to be vulnerable.

------- Additional Comments From 2005-03-11 18:22:51 ----

FYI- On March 4th, Red Hat has issued RHSA-2005:277-10  : (for RHEL 4)
<>, also

It presents  mozilla-1.7.3-19.EL4.src.rpm.

"Critical: mozilla security update
CVEs: CAN-2005-0255

"Updated mozilla packages that fix a buffer overflow issue are now available.

"This update has been rated as having critical security impact by the Red
Hat Security Response Team. ...

"A bug was found in the Mozilla string handling functions. If a malicious
website is able to exhaust a system's memory, it becomes possible to
execute arbitrary code. The Common Vulnerabilities and Exposures project
( has assigned the name CAN-2005-0255 to this issue.

"Please note that other security issues have been found that affect Mozilla.
These other issues have a lower severity, and are therefore planned to be
released as additional security updates in the future.

"Users of Mozilla should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to these issues."

Red Hat Bugzilla:
150124 - CAN-2005-0255 Memory overwrite in string library

------- Additional Comments From 2005-03-18 05:15:07 ----

05.11.12 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Status Bar Spoofing
Description: Mozilla is vulnerable to a URI spoofing weakness due to a
"Save Link As.." function working with nested anchor tags in a table
tag. Mozilla versions 1.7.x are vulnerable.

------- Additional Comments From 2005-03-23 13:23:38 ----

Red Hat's new updated mozilla we can use:

------- Bug moved to this database by 2005-03-30 18:30 -------

This bug previously known as bug 2380 at
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-03-31 01:49:52 UTC

Here are new mozilla, galeon and epiphany packages to QA:

Changelog 7.3:
* Wed Mar 23 2005 Marc Deslauriers <>
- Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- Fix missing icons in desktop files

* Fri Mar 18 2005 Christopher Aillon <> 37:1.4.4-1.2.3
- Rebuild to fix lock icon not working

Changelog 9:
* Thu Mar 24 2005 Marc Deslauriers <>
- Update to security release 1.4.4 based on RHEL3 update 37:1.4.4-1.3.5
- Fix for fireflash issue (CAN-2005-0232)
- Fix for GIF overflow issue

* Sun Oct 03 2004 Marc Deslauriers <>
- Added backported security fixes from mozilla 1.7.3

Changelog fc1:
* Wed Mar 23 2005 Marc Deslauriers <>
- Rebuilt as Fedora Legacy update for Fedora Core 1
- Changed useragent vendor tag to Fedora

* Fri Mar 18 2005 Christopher Aillon <> 37:1.4.4-1.3.5
- Rebuild to fix lock icon not working

Source Packages (binaries are in same directory):

Comment 2 John Dalbec 2005-04-25 19:09:42 UTC
05.16.29 CVE: CAN-2005-0752
Platform: Cross Platform
Title: Mozilla Code Execution, Cross-Site Scripting and Policy Bypass
Description: Multiple vulnerabilities have been reported in Mozilla
Suite, which can be exploited by attackers to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system. Please check the link below for details on
all the issues.

05.16.33 CVE: CAN-2005-1156, CAN-2005-1157
Platform: Cross Platform
Title: Mozilla Firefox Search Plug-In Remote Script Code Execution
Description: Mozilla Suite and Firefox are reported to be vulnerable
to a remote script code execution issue due to failure of the
application to provide secure access validation prior to implementing
search plug-ins. Mozilla Browser 1.7.6 and earlier as well as Firefox
1.0.2 and earlier are reported to be vulnerable.

05.16.34 CVE: CAN-2005-1155
Platform: Cross Platform
Title: Mozilla Favicon Link Tag Remote Script Code Execution
Description: Mozilla Suite and Mozilla Firefox are vulnerable to a
remote script code execution. The application will execute arbitrary
javascript with a "<LINK rel="icon">" tag due to failing to deny
remote unauthorized access to trusted local interfaces. Firefox
versions 1.0.3 and Mozilla Suite versions 1.7.7 are not vulnerable.

05.16.38 CVE: CAN-2005-1153
Platform: Cross Platform
Title: Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code
Description: Mozilla Suite is affected by a remote script code
execution vulnerability. Mozilla Browser versions 1.7.6 and earlier,
Firefox versions 1.0.2 and earlier and Netscape versions 7.2 and
earlier are known to be vulnerable.

05.16.39 CVE: CAN-2005-1154
Platform: Cross Platform
Title: Mozilla Suite And Firefox Global Scope Pollution Cross-Site
Description: A remote cross-site scripting vulnerability affects
Mozilla Suite and Mozilla Firefox. An attacker may exploit this issue
to execute arbitrary script code in the context of a page that is
currently being viewed. This may facilitate the theft of cookie based
authentication credentials as well as other attacks.

05.16.41 CVE: CAN-2005-1160
Platform: Cross Platform
Title: Mozilla Suite DOM Code Execution
Description: Both the Mozilla Suite and Firefox are vulnerable to a code
execution issue due to the application neglecting to properly verify
Document Object Model property values. Firefox version 1.0.3 and
Mozilla Suite version 1.7.7 are not vulnerable.

Comment 3 Marc Deslauriers 2005-05-01 05:49:00 UTC

Here are updated mozilla packages to QA for rh73, rh9, fc1 and fc2:

rh7.3 Changelog:
* Thu Apr 28 2005 Marc Deslauriers <>
- Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- Fix missing icons in desktop files

* Fri Apr 15 2005 Christopher Aillon <> 37:1.7.7-
- Update to upstream 1.7.7 security release

rh9 Changelog:
* Fri Apr 29 2005 Marc Deslauriers <>
- Rebuilt as a Fedora Legacy update for Red Hat Linux 9
- Disabled desktop-file-utils
- Disabled gtk2
- Added missing BuildRequires
- Force build with gcc296 to remain compatible with plugins
- Added xft font preferences and patch back in
- Removed mozilla-compose.desktop

* Wed Apr 27 2005 Christopher Aillon <> 37:1.7.7-
- Fix issues with segfaulting on s390x

fc1 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <>
- Rebuilt as Fedora Legacy update for Fedora Core 1
- Changed useragent vendor tag to Fedora
- Removed Network category from mozilla.desktop

* Wed Apr 27 2005 Christopher Aillon <> 37:1.7.7-
- Fix issues with segfaulting on s390x

fc2 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <>
- Rebuilt as a Fedora Legacy update to Fedora Core 2
- Reverted to desktop-file-utils 0.4
- Removed desktop-update-database
- Disabled pango support

* Sat Apr 16 2005 Christopher Aillon <> 37:1.7.7-1.3.1
- Update to 1.7.7
- Add nspr-config 64 bit patch from
- Fix for some more cursor issues in textareas (149991, 150002, 152089)
- Spec file cleanup


Comment 4 Pekka Savola 2005-05-01 15:20:59 UTC

QA w/

Issues noted:
 - mozilla-source-1.7.7.tar.bz2 in FC1 package has wrong SHA1 checksum, it
   appears that this file has been corrupted. OK if replaced with
   checksum c660db518add97ed54e30a901c1e4e60dbafab3a; otherwise source
   integrity OK.

 - Spec file changes are major, and something is probably going to break. 
   But regardless of this, I think this is the only way to go forward -- make
   the packages as uniform with RHEL as possible, because we don't have
   resources to do otherwise. OK.  "If it's good enough for RHEL, it should
   be good enough for us."

 - Changes and patches are mainly OK.  Two issues:

  * in previous version of RHL9 and in RHEL3 there is
    mozilla-compose.desktop, but it's removed from here.  This has been done on
    purpose but I can't see why? 

  * I couldn't figure out how to verify the mozilla-1.7.7 patch in epiphany
    1.0.8.  How was it created/where does it come from?  Would updating to
    epiphany 1.2.10 be feasible?

 - Naming has one forgotten legacy tag and non-incremental numbering (if we
   want to care about FC<->RHEL or RHL<->RHEL updates; I don't know if that's
   the case):

RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
RHL9  mozilla-1.7.7-0.90.1.src.rpm        <== note, missing ".legacy" !!
FC1   mozilla-1.7.7-1.1.1.legacy.src.rpm
RHEL2 mozilla-1.7.7-
RHEL3 mozilla-1.7.7-
FC2   mozilla-1.7.7-1.2.1.legacy.src.rpm
FC3   mozilla-1.7.7-1.3.1.src.rpm

All in all, I'd give +PUBLISH for all the mozilla, galeon and devhelp
packages (provided that FC1 mozilla .tar.bz2 file is changed to match the
abovementioned checksum), but I'd have to understand the epiphany patch more
to give publishing it a go..



Comment 5 Marc Deslauriers 2005-05-01 16:05:21 UTC
Could your download have been corrupted? I re-downloaded the src rpm from the
ftp site where I put it and the sha1sum of the mozilla tarball is
c660db518add97ed54e30a901c1e4e60dbafab3a. Could you double-check please?

mozilla-compose.desktop was removed as the mozilla tarball itself had a "compose
mail" desktop file in it. The icon to create a new mail was appearing twice in
the menus.

I made the epiphany 1.0.8 patch. It was made by looking at the mozilla API,
galeon source code, and newer epiphany source code. AFAICT, no other distro has
made a patch for epiphany to make it compatible with mozilla-1.7.7, so there's
no way to verify it besides try and use epiphany. I quickly tested epiphany
after making the patch, and it looks ok...but someone who actually uses epiphany
will have to check it out thoroughly as I may have screwed something up. (This
can be done once it's built for updates-testing though)

Whoops...we'll add the missing legacy tag to the packages when we build them in
mach. We usually don't look at the Fedora-RHEL upgrade path as even RH doesn't
respect it most of the time. So the actual releases would be:

RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
RHL9  mozilla-1.7.7-0.90.1.src.rpm        <== note, missing ".legacy" !!
FC1   mozilla-1.7.7-1.1.1.legacy.src.rpm
FC2   mozilla-1.7.7-1.2.1.legacy.src.rpm
FC3   mozilla-1.7.7-1.3.1.src.rpm

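The two things Pekka's QA in comments 4 and 5 turns on, a SHA1 mismatch on a downloaded file and a release string missing the ".legacy" tag, as an added Python example; this is not code from the bug or from Fedora Legacy, and the file names, contents and hashes it builds are constructed for the demo.

```python
"""Checks a Fedora Legacy QA tester would run on a posted package set:
verify each file against a sha1sum-style manifest ("<sha1>  <file>" lines)
and flag rpm file names whose release string lacks the ".legacy" marker.
All files, contents and hashes below are constructed for the demo."""
import hashlib
import os
import re
import tempfile

# name-version-release.arch.rpm: the name may contain hyphens, but the
# version and release fields never do, so anchoring on the last two
# hyphens splits the fields unambiguously.
_RPM_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$"
)


def parse_rpm_filename(filename):
    """Split an rpm file name into name, version, release and arch."""
    m = _RPM_RE.match(filename)
    if not m:
        raise ValueError(f"not an rpm file name: {filename}")
    return m.groupdict()


def missing_legacy_tag(filename):
    """True when the release string carries no '.legacy' component
    (the RHL9 src.rpm in this bug is the example of that slip)."""
    return ".legacy" not in parse_rpm_filename(filename)["release"]


def verify_manifest(manifest_text, directory):
    """Compare every manifest entry with the file of that name in directory.
    Returns {filename: 'OK' | 'MISMATCH' | 'MISSING'}; a MISMATCH is what a
    corrupted download (or a tampered file) looks like."""
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line:
            continue
        expected, filename = line.split(None, 1)
        path = os.path.join(directory, filename)
        if not os.path.exists(path):
            results[filename] = "MISSING"
            continue
        digest = hashlib.sha1()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        results[filename] = "OK" if digest.hexdigest() == expected.lower() else "MISMATCH"
    return results


def run_demo():
    """Constructed package set: one intact file, one corrupted download,
    one listed but never fetched. Returns (hash_results, untagged_names)."""
    intact = b"constructed rh73 src.rpm payload"
    intended_rh9 = b"constructed rh9 src.rpm payload as published"
    files = {
        "mozilla-1.7.7-0.73.1.legacy.src.rpm": intact,
        # what actually landed on disk differs from what was published
        "mozilla-1.7.7-0.90.1.src.rpm": b"constructed rh9 payload, truncated download",
    }
    manifest = (
        f"{hashlib.sha1(intact).hexdigest()}  mozilla-1.7.7-0.73.1.legacy.src.rpm\n"
        f"{hashlib.sha1(intended_rh9).hexdigest()}  mozilla-1.7.7-0.90.1.src.rpm\n"
        f"{'0' * 40}  galeon-1.2.14-0.90.1.legacy.src.rpm\n"
    )
    with tempfile.TemporaryDirectory() as workdir:
        for name, data in files.items():
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(data)
        hash_results = verify_manifest(manifest, workdir)
    names = [line.split(None, 1)[1] for line in manifest.splitlines()]
    untagged = [n for n in names if missing_legacy_tag(n)]
    return hash_results, untagged


if __name__ == "__main__":
    hashes, untagged = run_demo()
    for name, status in hashes.items():
        print(f"{status:8} {name}")
    for name in untagged:
        print(f"no .legacy tag: {name}")
```
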
Comment 6 Pekka Savola 2005-05-01 17:43:09 UTC
You're correct; my download must have been bad because it verifies OK now.

I wonder about mozilla-compose, because I don't understand why RHEL3 ships it
then; maybe they have double icons then, but that's not our problem so it's OK.

I'd really like to find alternative solutions to the epiphany issue.  From a
quick look, epiphany 1.0.x was designed for gnome 2.4 while epiphany 1.2.x was
for gnome 2.6, but I haven't tested; would it be possible to rebuild newer
epiphany for FC1?

Packages like epiphany are certainly going to cause a lot of maintenance
headaches unless we have a better way of dealing with the issues. 
(Unfortunately this is a more generic issue, because we don't have RHEL versions
to use as guidance for FC1/FC2..)

That said, if there is no other option, I can give a PUBLISH for all RHL73,
RHL9, FC1, and FC2, but I'd really want to avoid having to write our own patches
(and hope they work).

Comment 7 Marc Deslauriers 2005-05-01 18:31:20 UTC
I removed mozilla-compose because there was an error in the spec file. They
removed the icon and the source file, but they forget to remove it from the list
of files that is under the conditional include when you don't use
desktop-file-utils (which is the case with rh9).

I tried rebuilding epiphany 1.2.x, but it uses a bunch of stuff from Gnome 2.6.
Unfortunately, the easiest solution was to hack epiphany 1.0.x. FC1 looks to be
the only distro that uses epiphany 1.0.x and an updated mozilla, so we can't
rely on anyone else to help with this.

I don't see any other option...unless someone comes up with something (besides
drop epiphany altogether...)

Comment 8 Pekka Savola 2005-05-01 18:35:36 UTC
OK, let's hope folks will give epiphany an extra try at VERIFY.


Comment 9 Marc Deslauriers 2005-05-06 02:09:58 UTC
Packages were pushed to updates-testing.

Comment 10 Pekka Savola 2005-05-06 16:03:46 UTC
QA on RHL9:
I upgraded mozilla, -mail, -nspr, and -nss; all the basic things appear
to be working OK.  The GPG signature is also good.

Comment 11 David Curry 2005-05-08 05:52:39 UTC
I haven't figured out how to sign one of these reports with a pgp signature
(that I have created), so that signature is not presented here.

All Mozilla test updates for FC2 were downloaded, signatures checked, and
installed on my system without any problems.  Composer was opened and closed. 
Mail and Browser have been used for two days with no apparent problems. 
(Neither plugins nor Java are installed.) A mix of more than 40 retail outlet,
opensource, and Commercial computer support provider sites were visited without
observing any behaviors that differed from the previous version of Mozilla
installed on this FC2 system.

FC2 + verify

Comment 12 Pekka Savola 2005-05-08 06:09:52 UTC
The wiki is down, unfortunately, it'd have told you to sign using 'gpg
--clearsign'.  Please also send a "self-introduction" on the list if you
haven't already.  There are a couple of examples of this in the list archives.

Comment 13 mschout 2005-05-10 20:54:13 UTC

7.3 Verify:

mozilla-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
galeon-1.2.14-0.73.2.legacy.i386.rpm: md5 gpg OK

"yum update mozilla\* galeon" completes without errors or warnings.

Mozilla appears to be functioning normally.  I opened it up and used it to look
at several sites to test.


Comment 14 mschout 2005-05-11 03:31:12 UTC

FC1 verify


packages install without any errors or warnings.

opened mozilla, browsed a few sites.  Everything seems normal.

Opened mozilla -mail, read some messages in my IMAP account, verified that I
can send and delete messages.  Everything seems fine.


Comment 15 Michal Jaegermann 2005-05-17 02:51:45 UTC
There are three vulnerabilities fixed by 1.7.8 mozilla release.  Namely

MFSA 2005-44  Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

The first two are marked on
as "critical" and the third "high".

It does not look like a big step-up from 1.7.7, with the note that the
source rpm for mozilla-1.7.8-1.3.1 from FC3 has more spec cleanups
than its predecessor.

To enable pango there one needs pango >= 1.5, and this is not satisfied
below FC3, so it should not be enabled.

Comment 16 Marc Deslauriers 2005-05-18 20:50:45 UTC
These packages were officially released.

Please open a new bug for the new issues.
