Bug 23809

Summary: Обновить firefox
Product: Branch p5 Reporter: AEN <aen>
Component: cross-componentAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED FIXED QA Contact: QA p5 <qa-p5>
Severity: critical    
Priority: P3 CC: cas, dkoryavov, oddity
Version: unspecified   
Hardware: all   
OS: Linux   
Bug Depends on: 24053    
Bug Blocks:    

Description AEN 2010-07-25 01:18:01 MSD 
Собрать 3.5.11
Comment 1 Ilya Mashkin 2010-09-01 02:45:17 MSD 
Текущая версия 3.5.9 содержит 20 уязвимостей, более десятка из них  - критические.
Comment 2 Ilya Mashkin 2010-09-01 02:51:26 MSD 
Кроме того, на сколько я понимаю, текущая версия 3.5.9 собрана неправильно, со старой версией xulrunner (1.9.1.8) и, соответственно все ещё содержит ошибки исправленные в 3.5.9 (+ ещё 5 критических уязвимостей).   Посему нужно не забыть собрать xulrunner 1.9.1.11
Comment 3 Andrey Cherepanov 2010-09-01 16:31:04 MSD 
Соберу 3.6.x
Comment 4 Repository Robot 2010-09-09 11:02:33 MSD 
firefox-3.6-3.6.9-alt0.20100725.M50P.1 -> p5:

* Mon Sep 06 2010 Andrey Cherepanov <cas@altlinux> 3.6.9-alt0.20100725.M50P.1
- backport to p5 branch (new version with security fixes) (closes: #23809)

* Thu Jul 29 2010 Alexey Gladkov <legion@altlinux> 3.6.9-alt1.20100725
- New release (3.6.8).
- Fixed:
  + MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix
  + MFSA 2010-47 Cross-origin data leakage from script filename in error messages
  + MFSA 2010-46 Cross-domain data theft using CSS
  + MFSA 2010-45 Multiple location bar spoofing vulnerabilities
  + MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
  + MFSA 2010-43 Same-origin bypass using canvas context
  + MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
  + MFSA 2010-41 Remote code execution using malformed PNG image
  + MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
  + MFSA 2010-39 nsCSSValue::Array index integer overflow
  + MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
  + MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
  + MFSA 2010-36 Use-after-free error in NodeIterator
  + MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
  + MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)

* Sun Jun 27 2010 Alexey Gladkov <legion@altlinux> 3.6.6-alt1.20100626
- New release (3.6.6).
- Fixed:
  + MFSA 2010-33 User tracking across sites using Math.random()
  + MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
  + MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
  + MFSA 2010-30 Integer Overflow in XSLT Node Sorting
  + MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
  + MFSA 2010-28 Freed object reuse across plugin instances
  + MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
Comment 5 Ilya Mashkin 2010-09-10 00:04:58 MSD 
По иронии судьбы вышла уже 3.6.9 версия с новыми критическими исправлениями :)
Comment 6 Денис Корявов 2010-09-10 14:08:42 MSD 
Так же, у 3.6 проблемы - после некоторого времени использования на p5, почему-то перестает реагировать главное меню (вернее реагирует но с задержкой 5-10 секунд и сам firefox ооочень тормозит). 
Иногда, проявляется сразу, иногда, через неделю использования.
Comment 7 Repository Robot 2010-09-16 15:26:37 MSD 
firefox-3.6-3.6.9-alt0.20100725.M50P.1 -> 5.1:

* Mon Sep 06 2010 Andrey Cherepanov <cas@altlinux> 3.6.9-alt0.20100725.M50P.1
- backport to p5 branch (new version with security fixes) (closes: #23809)

* Thu Jul 29 2010 Alexey Gladkov <legion@altlinux> 3.6.9-alt1.20100725
- New release (3.6.8).
- Fixed:
  + MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix
  + MFSA 2010-47 Cross-origin data leakage from script filename in error messages
  + MFSA 2010-46 Cross-domain data theft using CSS
  + MFSA 2010-45 Multiple location bar spoofing vulnerabilities
  + MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
  + MFSA 2010-43 Same-origin bypass using canvas context
  + MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
  + MFSA 2010-41 Remote code execution using malformed PNG image
  + MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
  + MFSA 2010-39 nsCSSValue::Array index integer overflow
  + MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
  + MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
  + MFSA 2010-36 Use-after-free error in NodeIterator
  + MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
  + MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)

* Sun Jun 27 2010 Alexey Gladkov <legion@altlinux> 3.6.6-alt1.20100626
- New release (3.6.6).
- Fixed:
  + MFSA 2010-33 User tracking across sites using Math.random()
  + MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
  + MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
  + MFSA 2010-30 Integer Overflow in XSLT Node Sorting
  + MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
  + MFSA 2010-28 Freed object reuse across plugin instances
  + MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)