Seamonkey 1.1.14 security upgrade

Bug #309655 reported by markor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
seamonkey (Ubuntu) | Fix Released | Critical | John Vivirito |
Hardy | Fix Released | Critical | John Vivirito |
Intrepid | Fix Released | Critical | John Vivirito |

Bug Description

Binary package hint: seamonkey

Seamonkey 1.1.13 security update 1.1.13 is available.

Security Advisories for Seamonkey 1.1.14:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html#seamonkey1.1.14
We need packaging for Ubuntu (Hardy, Intrepid, and Jaunty/Testing)

Package Seamonkey is on Hardy/LTS in version 1.1.12,
so, since in the meantime 1.1.13 is made available for Jaunty
(https://bugs.launchpad.net/ubuntu/hardy/+source/seamonkey/+bug/297789),
it would be a good moment to jump to 1.1.14 for LTS, 8.10 and 9.04.

markor (markoresko) wrote :

There is Iceape 1.1.14 available for Debian.

John Vivirito (gnomefreak) wrote :

I am working on the latest release for Jaunty at this time.

Changed in seamonkey:
assignee: nobody → gnomefreak
status: New → Triaged
John Vivirito (gnomefreak) wrote :

We don't get Mozilla-related packages from Debian; we use upstream.

John Vivirito (gnomefreak) wrote :
John Vivirito (gnomefreak) wrote :

Pushing Hardy's to my PPA at this time and will give you links sometime today.

I have to fix my Intrepid branch before that can be dealt with.

Alexander Sack (asac)
Changed in seamonkey:
importance: Undecided → Critical
status: New → Triaged
assignee: nobody → gnomefreak
assignee: nobody → gnomefreak
importance: Undecided → Critical
status: New → Triaged
importance: Undecided → Critical
John Vivirito (gnomefreak) wrote :
John Vivirito (gnomefreak) wrote :

Seems I ran out of room in my PPA, so I requested more room so I can finish uploading the packages. But all work and build fine.

John Vivirito (gnomefreak) wrote :

These are all done and pushed to PPA and branches are all fixed. Waiting for ack.

FrancisT (mas-gramondou) wrote :

Suggest upgrade to 1.1.15 in the next day or two as this is just being released to patch some other critical issues

John Vivirito (gnomefreak) wrote : Re: [Bug 309655] Re: Seamonkey 1.1.14 security upgrade

On 03/06/2009 03:47 AM, FrancisT wrote:
> Suggest upgrade to 1.1.15 in the next day or two as this is just being
> released to patch some other critical issues
>
I have already prepared to start this. I will get to it next week. To
file bugs against new versions of Mozilla apps really isn't needed but
they are fine. We are on top of Mozilla apps, however there are only 3
of us that are packaging the main Mozilla apps at this time. Seamonkey
1.1.15 will be in my PPA sometime next week barring any delay in
release. I am unable to work this weekend from what I know at this time
but that may change. I will keep track of when it is released as always. :)

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

John Vivirito (gnomefreak) wrote :

It seems final 1.1.15 has not yet been released. Once it is, I will know and start on it as soon as I can.

markor (markoresko) wrote :
John Vivirito (gnomefreak) wrote :

Sorry, yeah, I was working on it the other day. Here is the link to the PPA for testing:
https://launchpad.net/~gnomefreak/+archive/ppa

Alexander, can you push this? I have tested on Jaunty and it's ready. At this time I am unable to test with Intrepid or Hardy. Here are the branches:
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x-dev
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.hardy
https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.intrepid

The targets do not have -security in them yet
I already updated branches for version number

John Vivirito (gnomefreak) wrote :

On 03/21/2009 10:44 AM, John Vivirito wrote:
> Sorry yeah i was working on it the other day. Here are the link to PPA for testing:
> https://launchpad.net/~gnomefreak/+archive/ppa
>
> Alexander can you push this, i have tested on jaunty and its ready at this time i am unable to test with Intrepid or Hardy here are the branches:
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x-dev
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.hardy
> https://code.launchpad.net/~gnomefreak/seamonkey/seamonkey-1.1.x.intrepid
>
> The targets do not have -security in them yet
> I already updated branches for version number
>
I fixed branches and PPA packages to use *-security


Wolfgang Pietsch (wolfgang-pietsch) wrote :

There is a new round in the game... Critical Mozilla bug 485217 has just been fixed and is on the list for SeaMonkey 1.1.16 (Firefox 3.0.8 next week as well). Currently there is no release date for SeaMonkey 1.1.16 but maybe this comes soon? Worth waiting? - Regards Wolfgang

See...
https://bugzilla.mozilla.org/show_bug.cgi?id=485217
http://dev.seamonkey.at/ (Bug Radar)

Wolfgang Pietsch (wolfgang-pietsch) wrote :

> Critical Mozilla bug 485217 has...

Please don't get confused by this autolink put in by launchpad. This is an invalid link.

John Vivirito (gnomefreak) wrote :

On 2.1.16 there is nothing I can do with it at this time. I will know when the Mozilla packages are released, and in Seamonkey's case I get it done within a day or 2 unless there are problems with it. The problem I keep running into is getting them into archives, but that is something I plan on working on today.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu1

---------------
seamonkey (1.1.15+nobinonly-0ubuntu1) jaunty; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu1) jaunty; urgency=low

  [ Alexander Sack ]
  * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and control characters
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- John Vivirito <email address hidden> Sat, 21 Mar 2009 11:26:47 -0400

Changed in seamonkey:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu0.8.04.2

---------------
seamonkey (1.1.15+nobinonly-0ubuntu0.8.04.2) hardy-security; urgency=low

  * CVE-2009-1044: Arbitrary code execution via XUL tree element
    - add debian/patches/90_181_484320_attachment_368977.patch
    - update debian/patches/series
  * CVE-2009-1169: XSL Transformation vulnerability
    - add 90_181_485217_attachment_369357.patch
    - add debian/patches/90_181_485286_attachment_369457.patch

seamonkey (1.1.15+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and control ch$
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- Alexander Sack <email address hidden> Tue, 31 Mar 2009 13:21:19 +0200

Changed in seamonkey:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.15+nobinonly-0ubuntu0.8.10.2

---------------
seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.2) intrepid-security; urgency=low

  * CVE-2009-1044: Arbitrary code execution via XUL tree element
    - add debian/patches/90_181_484320_attachment_368977.patch
    - update debian/patches/series
  * CVE-2009-1169: XSL Transformation vulnerability
    - add 90_181_485217_attachment_369357.patch
    - add debian/patches/90_181_485286_attachment_369457.patch

seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low

  * New security upstream release: 1.1.15 (LP: #309655)
    - CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
    - CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
    - CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
    - CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
    - CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect

seamonkey (1.1.14+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low

  * * New security upstream release: 1.1.14 (LP: #309655)
    - CVE-2008-5511: XSS and JavaScript privilege escalation
    - CVE-2008-5510: Escaped null characters ignored by CSS parser
    - CVE-2008-5508: Errors parsing URLs with leading whitespace and control ch$
    - CVE-2008-5507: Cross-domain data theft via script redirect error message
    - CVE-2008-5506: XMLHttpRequest 302 response disclosure
    - CVE-2008-5503: Information stealing via loadBindingDocument
    - CVE-2008-5501..5500: Crashes with evidence of memory corruption
      (rv:1.9.0.5/1.8.1.19)
  * drop patches applied upstream
    - delete debian/patches/35_zip_cache.patch
    - update debian/patches/series

 -- Alexander Sack <email address hidden> Tue, 31 Mar 2009 13:21:19 +0200

Changed in seamonkey:
status: Triaged → Fix Released
John Vivirito (gnomefreak) wrote :

Marking as a duplicate of bug 356274

This report contains Public Security information  
Everyone can see this security related information.
