Age | Commit message (Collapse) | Author | Files | Lines |
|
security update for firefox
Revisions pulled up:
- pkgsrc/www/firefox/Makefile-firefox.common 1.49
- pkgsrc/www/firefox/distinfo 1.70
- pkgsrc/www/firefox/patches/patch-ac 1.10
- pkgsrc/www/firefox-bin/Makefile 1.35
- pkgsrc/www/firefox-bin/distinfo 1.33, 1.34, 1.35
Module Name: pkgsrc
Committed By: ghen
Date: Fri Oct 19 08:59:56 UTC 2007
Modified Files:
pkgsrc/www/firefox: Makefile-firefox.common distinfo
pkgsrc/www/firefox-bin: Makefile distinfo
pkgsrc/www/firefox/patches: patch-ac
Log Message:
Update firefox, firefox-bin and firefox-gtk1 to 2.0.0.8.
Security fixes in this version:
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.8/releasenotes/
---
Module Name: pkgsrc
Committed By: ghen
Date: Fri Oct 19 19:47:43 UTC 2007
Modified Files:
pkgsrc/www/firefox-bin: distinfo
Log Message:
Add distinfo entries for Solaris {8,10}/{i386,sparc} as well.
Noted by dmcmahill.
---
Module Name: pkgsrc
Committed By: ghen
Date: Sat Oct 20 10:42:37 UTC 2007
Modified Files:
pkgsrc/www/firefox-bin: distinfo
Log Message:
Remove empty lines to get rid of warnings in weekly pkgsrc checks on babylon5.
Suggested by veego.
|
|
This version only fixes a Windows-specific security issue, but update
nevertheless so we start the freeze with the latest available version.
(People will start asking about this update anyway?)
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.7/releasenotes/
|
|
|
|
|
|
Security fixes in this version:
MFSA 2007-27 Unescaped URIs passed to external programs
MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/
|
|
Security fixes in this version:
MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.5/releasenotes/
|
|
PR/31481.
|
|
|
|
mozilla browsers. This is now useful again to those of use who require
multiple profiles.
|
|
|
|
|
|
Security fixes in this version:
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.4/releasenotes/
|
|
and change notes). Firefox 1.5.0.x will be maintained in www/firefox15*,
as discussed on tech-pkg.
|
|
|
|
firefox and seamonkey to make user profiles writable. Bump PKGREVISION for
firefox2(-gtk1) and seamonkey(-gtk1). Fixes PR#35596.
|
|
* Security update: MFSA 2007-11 (FTP PASV port-scanning) has been fixed.
* Website Compatibility: Fixed various web compatibility regressions.
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.11.html
|
|
|
|
the exact names of the freebl libraries depends on the platform and they
have a habit of changing even on minor releases. This causes these mozilla
packages to be broken quite a lot on platforms other than NetBSD/i386.
Hopefully this fix will last longer than previous ones. pkgrevision bumps
all around.
|
|
Fixed in Firefox 1.5.0.10
MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
MFSA 2007-05 XSS and local file access by opening blocked popups
MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
MFSA 2007-03 Information disclosure through cache collisions
MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.10.html
|
|
|
|
firefox2.
|
|
two issues. The PLIST was incorrect and since the PLIST is used by
the "moz-install" script, anything missing from the PLIST is never
installed even when building from source. When libfreebl* were not
installed it caused the clients to fail to load the security component
and fail with "The browser failed to load its security component".
The second issue is that many installations of solaris-2.9 include
various glib/gtk/gnome libraries in /usr/lib. This causes failures
because the pkgsrc ones were used at link time and the /usr/lib ones
at run time. Work around this by setting a LD_LIBRARY_PATH that includes
the pkgsrc lib directory first.
pkgrevision bumps all around.
|
|
in single quoted strings compared to version 3.80 and older
|
|
and PR/33583. See also https://bugzilla.mozilla.org/show_bug.cgi?id=77788
for a discussion of this.
|
|
|
|
or USE_X11BASE set, but don't include mk/x11.buildlink3.mk directly or
via buildlink3.mks
- introduce BUILDLINK_PREFIX.libXpm as alias for BUILDLINK_PREFIX.xpm
in the !modular case
- fix some cases where the check for libX11 couldn't work at all by using
C++ for compilation without including the proper headers
Verified using a full X11_TYPE=xorg bulk build without additional
breakage. Discussed with salo@, wiz@ and send to packages@ for feedback.
|
|
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.9.html
|
|
packages with the modular Xorg equivalent. Those are falling back
to the old location by default, so this commmit doesn't change
dependencies.
graphics/xpm ==> x11/libXpm
fonts/Xft2 ==> x11/libXft
x11/Xfixes ==> x11/libXfixes
x11/xcursor ==> x11/libXcursor
x11/Xrender ==> x11/libXrender
x11/Xrandr ==> libXrandr
|
|
MFSA 2006-67 Running Script can be recompiled
MFSA 2006-66 RSA signature forgery (variant)
MFSA 2006-65 Crashes with evidence of memory corruption (rv:1.8.0.8)
For more info, see http://www.mozilla.com/en-US/firefox/releases/1.5.0.8.html
|
|
|
|
talking to ipv4 addresses using ipv6 addresses isn't allowed, which is
the default on NetBSD. Patch to use a v4 socket when talking to an ipv4
ldap server. Fixes my PR 33511.
seamonkey/firefox/sunbird have the same code so make the same patch.
OKed ghen. Bump PKGREVISION.
|
|
structure multiple times. Bump PKGREVISION.
|
|
|
|
|
|
MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
MFSA 2006-61 Frame spoofing using document.open()
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
MFSA 2006-57 JavaScript Regular Expression Heap Corruption
For more info, see http://www.mozilla.com/firefox/releases/1.5.0.7.html
|
|
|
|
Just one change:
- Fixed an issue with playing Windows Media content
|
|
(Don't bump because this must have never been built since 1.5.0.5 update.)
|
|
security problems with 1.5.0.4. No functional changes at all in the
package -- this is purely a security update.
See CERT advisory TA06-208A (last revised July 27) for details.
|
|
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
|
|
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
|
|
the pkglint warning:
As {INSTALL,DEINSTALL}_TEMPLATE is modified using "+=", its name
should indicate plural.
This does make the variables a bit more suggestive of the fact that they
hold lists of values.
|
|
bumping PKGREVISION for.
|
|
mail/thunderbird-gtk1 to 1.5.0.4, and www/seamonkey, www/seamonkey-gtk1
and www/seamonkey-bin to 1.0.2 (salo has already updated www/firefox-bin).
Note that thunderbird skipped one release number (again) to stay on par
with firefox.
These updates provide:
* improvements to product stability,
* several important security fixes (see below).
Fixed in Firefox 1.5.0.4:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in Thunderbird 1.5.0.4:
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Fixed in SeaMonkey 1.0.2:
MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-39 "View Image" local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
|
|
|
|
MESSAGE_SUBST properly. No package should be setting MESSAGE anyway.
|
|
advertized version), so there's no reason to upgrade. :-)
Fixes a denial of service vulnerability (MFSA 2006-30).
|
|
possible code injection, affecting nested iframes.
See https://bugzilla.mozilla.org/show_bug.cgi?id=334515 and
http://www.securident.com/vuln/ff.txt
bump PKGREVISION
|
|
|
|
Firefox 1.5.0.2 offers improved stability, and several security fixes:
MFSA 2006-29 Spoofing with translucent windows (pkgsrc vulnid. 1818)
MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented (vulnid. 1819)
MFSA 2006-25 Privilege escalation through Print Preview (vulnid. 1820)
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest (vulnid. 1821)
MFSA 2006-23 File stealing by changing input type (vulnid. 1822)
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability (vulnid. 1823)
MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2) (vulnid. 1824)
For a detailed ChangeLog, see:
http://www.squarefree.com/burningedge/releases/1.5.0.2.html
|