It is Mozilla patch-day!

Posted by Anonymous on Thu 3 Aug 2006 at 17:22

... I have backported security fixes recently announced by Mozilla for Firefox and Thunderbird to the old branch which we have in Debian Sarge (stable). Now these packages need more testing.

You can grab the patchset I produced from http://people.debian.org/~asac/patchset_109b.tar.gz.

In it you find patches that fix:

The good news is that a bunch of critical flaws have been identified to not affect Debian stable, namely:

+ CVE-2006-3801, MFSA 2006-44
+ CVE-2006-3677, MFSA 2006-45
+ CVE-2006-3113, MFSA 2006-46
+ CVE-2006-3802, MFSA 2006-47
+ CVE-2006-3803, MFSA 2006-48
+ CVE-2006-3804, MFSA 2006-49
+ CVE-2006-3810, MFSA 2006-54
+ CVE-2006-3812, MFSA 2006-56

More good news is that MFSA 2006-45, which was recently /.ed with a working exploit, is in that list too. So Debian stable users are not affected by that issue.

In order to get feedback and testing I am now preparing packages. Testing this is critical, because upstream has abandoned 1.0.x development. So please help to test and report regressions - otherwise those might go unseen and finally slip through to our users. I will announce new packages available for testing on my site and on the pkg-mozilla-maintainers mailing-list.

Thanks for your support!


This article can be found online at the Debian Administration website at the following bookmarkable URL:

This article is copyright 2006 Anonymous - please ask for permission to republish or translate.