seamonkey (1.1.17+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low
* New upstream security release: 1.1.17 (LP: #356274)
- CVE-2009-1841: JavaScript chrome privilege escalation
- CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null
- CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests
- CVE-2009-1835: Arbitrary domain cookie access by local file: resources
- CVE-2009-1392, CVE-2009-1832, CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11)
- CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame
- CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme
- MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
* removed debian/patches/90_181_484320_attachment_368977.patch
* removed debian/patches/90_181_485217_attachment_369357.patch
* removed debian/patches/90_181_485286_attachment_369457.patch
- update debian/patches/series
-- John Vivirito <email address hidden> Mon, 06 Jul 2009 13:20:53 -0400
-
seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.2) intrepid-security; urgency=low
* CVE-2009-1044: Arbitrary code execution via XUL tree element
- add debian/patches/90_181_484320_attachment_368977.patch
- update debian/patches/series
* CVE-2009-1169: XSL Transformation vulnerability
- add 90_181_485217_attachment_369357.patch
- add debian/patches/90_181_485286_attachment_369457.patch
seamonkey (1.1.15+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low
* New security upstream release: 1.1.15 (LP: #309655)
- CVE-2009-0040: Upgrade PNG library to fix memory safety hazard
- CVE-2009-0352: Crashes with evidence of memory corruption (rv:1.9.0.6)
- CVE-2009-0357: XMLHttpRequest allows reading HTTPOnly cookies
- CVE-2009-0771: Crashes with evidence of memory corruption (rv:1.9.0.7)
- CVE-2009-0776: XML data theft via RDFXMLDataSource and cross-domain redirect
seamonkey (1.1.14+nobinonly-0ubuntu0.8.10.1) intrepid-security; urgency=low
* New security upstream release: 1.1.14 (LP: #309655)
- CVE-2008-5511: XSS and JavaScript privilege escalation
- CVE-2008-5510: Escaped null characters ignored by CSS parser
- CVE-2008-5508: Errors parsing URLs with leading whitespace and control ch$
- CVE-2008-5507: Cross-domain data theft via script redirect error message
- CVE-2008-5506: XMLHttpRequest 302 response disclosure
- CVE-2008-5503: Information stealing via loadBindingDocument
- CVE-2008-5501..5500: Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
* drop patches applied upstream
- delete debian/patches/35_zip_cache.patch
- update debian/patches/series
-- Alexander Sack <email address hidden> Tue, 31 Mar 2009 13:21:19 +0200
-
seamonkey (1.1.12+nobinonly-0ubuntu1) intrepid; urgency=low
* New security upstream release: 1.1.12 (LP: #276437)
- CVE-2008-4070: Heap overflow when canceling newsgroup message
- CVE-2008-4069: XBM image uninitialized memory reading
- CVE-2008-4067..4068: resource: traversal vulnerabilities
- CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
- CVE-2008-4061..4064: Crashes with evidence of memory corruption
- CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
- CVE-2008-3837: Forced mouse drag
- CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
- CVE-2008-0016: UTF-8 URL stack buffer overflow
-- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 00:41:24 +0200
-
seamonkey (1.1.11+nobinonly-0ubuntu1) intrepid; urgency=low
* New security upstream release: 1.1.11 (LP: #218534)
Fixes USN-602-1, USN-619-1, USN-623-1 and USN-629-1
* Refresh diverged patch:
- update debian/patches/80_security_build.patch
* Fix FTBFS with missing -lfontconfig
- add debian/patches/11_fix_ftbfs_with_fontconfig.patch
- update debian/patches/series
* Build with default gcc (hardy: 4.2, intrepid: 4.3)
- update debian/rules
- update debian/control
-- Fabien Tassin <email address hidden> Tue, 29 Jul 2008 21:29:02 +0200
-
seamonkey (1.1.9+nobinonly-0ubuntu1) hardy; urgency=low
* New security upstream release: 1.1.9 (LP: #207461)
* Security fixes:
- MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
- MFSA 2008-18 Java socket connection to any local port via LiveConnect
- MFSA 2008-17 Privacy issue with SSL Client Authentication
- MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
- MFSA 2008-15 Crashes with evidence of memory corruption
- MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
* Drop patches applied upstream:
- drop debian/patches/11_bz399589_fix_missing_symbol_with_new_nss.patch
- update debian/patches/series
* Add missing Ubuntu-specific menu items (LP: #190845)
- add debian/patches/85_ubuntu_menu.patch
- update debian/patches/series
Contributed by Andrea Colangelo <email address hidden>
-- Fabien Tassin <email address hidden> Thu, 27 Mar 2008 00:31:02 +0100