icedove (2.0.0.24-0lenny1) stable-security; urgency=low
* New upstream security/stability update (v2.0.0.23/v2.0.0.24)
* MFSA 2009-42 aka CVE-2009-2408: Compromise of SSL-protected communication
* MFSA 2009-43 aka CVE-2009-2404: Heap overflow in certificate regexp parsing
* MFSA 2009-49 aka CVE-2009-3077: TreeColumns dangling pointer vulnerability
* MFSA 2009-59 aka CVE-2009-0689: Heap buffer overflow in string to number conversion
* MFSA 2009-62 aka CVE-2009-3376: Download filename spoofing with RTL override
* MFSA 2009-68 aka CVE-2009-3983: NTLM reflection vulnerability
* MFSA 2010-07 aka
- CVE-2009-2463: Integer overflow in a base64 decoding function
- CVE-2009-3072: Crash in the BinHex decoder
- CVE-2009-3075: Crash in the JavaScript engine
- CVE-2010-0163: Crash indexing some messages with attachments
* adjust patches for new upstream
- update debian/patches/18_kbsd_nspr.dpatch
- update debian/patches/autoconf2.13-rerun
- update debian/patches/ubuntu-mail-app-xre-name
-- Christoph Goehre <email address hidden> Sat, 27 Mar 2010 12:06:44 +0100
-
icedove (2.0.0.22-0lenny1) stable-security; urgency=low
* New upstream security/stability update (v2.0.0.21/v2.0.0.22) (Closes: 535124)
* MFSA 2009-33: Crash viewing multipart/alternative message with text/enhanced part
* MFSA 2009-32 aka CVE-2009-1841: JavaScript chrome privilege escalation
* MFSA 2009-29 aka CVE-2009-1838: Arbitrary code execution using event listeners
attached to an element whose owner document is null
* MFSA 2009-27 aka CVE-2009-1836: SSL tampering via non-200 responses to proxy
CONNECT requests
* MFSA 2009-24 aka CVE-2009-1832+CVE-2009-1831: Crashes with evidence of memory
corruption (rv:1.9.0.11)
* MFSA 2009-17 aka CVE-2009-1307: Same-origin violations when Adobe Flash loaded
via view-source: scheme
* MFSA 2009-14 aka CVE-2009-1303+CVE-2009-1302: Crashes with evidence of memory
corruption (rv:1.9.0.9)
* MFSA 2009-15 aka CVE-2009-0652: URL spoofing with box drawing character
* MFSA 2009-10 aka CVE-2009-0040: Upgrade PNG library to fix memory safety hazards
* MFSA 2009-09 aka CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain
redirect
* MFSA 2009-07 aka CVE-2009-0771,-0772,-0773,-0774: Crashes with evidence of memory
corruption (rv:1.9.0.7)
* MFSA 2009-01 aka CVE-2009-0352,CVE-2009-0353: Crashes with evidence of memory
corruption (rv:1.9.0.6)
* adjust patches to changed codebase
- update debian/patches/ubuntu-mail-app-xre-name
* take back Maintainer: field in debian/control
-- Alexander Sack <email address hidden> Sun, 05 Jul 2009 13:49:04 +0200
-
icedove (2.0.0.19-1) unstable; urgency=medium
* New upstream security/stability update (v.2.0.0.18/2.0.0.19) Closes: 505563
2.0.0.18:
* MFSA 2008-48 aka CVE-2008-5012 - Image stealing via canvas and HTTP
redirect
* MFSA 2008-50 aka CVE-2008-5014 - Crash and remote code execution via
__proto__ tampering
* MFSA 2008-52 aka CVE-2008-5017 - Crashes with evidence of memory
corruption (rv:1.9.0.4/1.8.1.18); Browser engine crash in "Firefox 2
and 3"
* MFSA 2008-52 aka CVE-2008-5018 - Crashes with evidence of memory
corruption (rv:1.9.0.4/1.8.1.18); JavaScript engine crash - "Firefox 2
and 3"
* MFSA 2008-55 aka CVE-2008-5021 - Crash and remote code execution in
nsFrameManager
* MFSA 2008-56 aka CVE-2008-5022 - nsXMLHttpRequest::NotifyEventListeners()
same-origin violation
* MFSA 2008-58 aka CVE-2008-5024 - Parsing error in E4X default namespace
* MFSA 2008-59 aka CVE-2008-4582 - Script access to .documentURI and
.textContent in mail
2.0.0.19:
* MFSA 2008-60 aka CVE-2008-5500 - Crashes with evidence of memory
corruption (rv:1.9.0.5/1.8.1.19); Layout engine crashes - Firefox 2 and 3
* MFSA 2008-61 aka CVE-2008-5503 - Information stealing via
loadBindingDocument
* MFSA 2008-64 aka CVE-2008-5506 - XMLHttpRequest 302 response disclosure
* MFSA 2008-65 aka CVE-2008-5507 - Cross-domain data theft via script
redirect error message
* MFSA 2008-66 aka CVE-2008-5508 - Errors parsing URLs with leading
whitespace and control characters
* MFSA 2008-67 aka CVE-2008-5510 - Escaped null characters ignored by CSS
parser
* apply Maintainers, Uploaders changes done in 2.0.0.17 upload to
debian/control
- update debian/control
* adjust/refresh patches to changed upstream code
- update debian/patches/moz-app-name-as-mail-binary-name
- update debian/patches/autoconf2.13-rerun
-- Alexander Sack <email address hidden> Sat, 03 Jan 2009 16:27:42 +0100
-
icedove (2.0.0.17-1) unstable; urgency=low
* New upstream security/stability update (v.2.0.0.17), Closes: #500721
* MFSA 2008-37 aka CVE-2008-0016 - UTF-8 URL stack buffer overflow
* MFSA 2008-38 aka CVE-2008-3835 - nsXMLDocument::OnChannelRedirect()
same-origin violation
* MFSA 2008-41 aka CVE-2008-4058, CVE-2008-4059, CVE-2008-4060 - Privilege
escalation via XPCnativeWrapper pollution
* MFSA 2008-42 aka CVE-2008-4061, CVE-2008-4062, CVE-2008-4063,
CVE-2008-4064 - Crashes with evidence of memory corruption
(rv:1.9.0.2/1.8.1.17)
* MFSA 2008-43 aka CVE-2008-4065, CVE-2008-4066 - BOM characters, low
surrogates stripped from JavaScript before execution
* MFSA 2008-44 aka CVE-2008-4067, CVE-2008-4068 - resource: traversal
vulnerabilities
* MFSA 2008-46 aka CVE-2008-4070 - Heap overflow when canceling newsgroup
message
[ Michael Casadevall <email address hidden> ]
* debian/control:
- Changed maintainer to Ubuntu Mozillateam
- Added Uploaders to the team
- Set DM-Upload-Allowed
- Bumped standards version to 3.8.0
[ Alexander Sack <email address hidden> ]
* Closes: #497491 - Icedove inappropriately sets file-/MIME-type
associations in .desktop database; we drop the Mime-Type= entry
from debian/icedove.desktop
- update debian/icedove.desktop
-- Michael Casadevall <email address hidden> Sat, 18 Oct 2008 09:07:20 -0400
-
icedove (2.0.0.16-1) unstable; urgency=low
* New upstream security/stability update (v2.0.0.16) fixes:
* MFSA 2008-21 aka CVE-2008-2798 - Crashes with evidence of memory
corruption
* MFSA 2008-21 aka CVE-2008-2799 - Crashes with evidence of memory
corruption
* MFSA 2008-24 aka CVE-2008-2802 - Chrome script loading from fastload file
* MFSA 2008-25 aka CVE-2008-2803 - Arbitrary code execution in
mozIJSSubScriptLoader.loadSubScript()
* MFSA 2008-26 aka CVE-2008-0304 - (followup) Buffer length checks in MIME
processing
* MFSA 2008-29 aka CVE-2008-2807 - Faulty .properties file results in
uninitialized memory being used
* MFSA 2008-31 aka CVE-2008-2809 - Peer-trusted certs can use alt names to
spoof
* MFSA 2008-33 aka CVE-2008-2811 - Crash and remote code execution in block
reflow
* MFSA 2008-34 aka CVE-2008-2785 - Remote code execution by overflowing CSS
reference counter
* Closes: #483938 - add .desktop file translations (contributed by Timo
Jyrinki <email address hidden>)
- update debian/icedove.desktop
(cherry pick rev77 from lp:~mozillateam/thunderbird/thunderbird.dev branch)
* drop patches applied upstream
- drop debian/patches/bz419350_attachment_306066.patch
- update debian/patches/series
(cherry pick rev78 from lp:~mozillateam/thunderbird/thunderbird.dev branch)
* adjust patches diverged upstream
- update debian/patches/ubuntu-look-and-feel-report-a-bug-menuitem
(cherry pick rev80 from lp:~mozillateam/thunderbird/thunderbird.dev branch)
* Closes: #489093 - add explicit -lfontconfig to linker flags used for gfx/ps
module to fix ftbfs in intrepid
- add debian/patches/bzXXX_ftbfs_fontconfig.patch
- update debian/patches/series
-- Alexander Sack <email address hidden> Thu, 24 Jul 2008 17:38:51 +0200