lp:ubuntu/hardy-security/seamonkey

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/seamonkey

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

14. By Chris Coulson

* New upstream release v2.0.11 (SEAMONKEY_2_0_11_BUILD1)
* SECURITY UPDATE:
  - http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html#seamonkey2.0.11
* Fixes LP: #575160 - seamonkey 2.0 crashes with 'RenderBadPicture'

13. By Chris Coulson

* New upstream release v2.0.10 (SEAMONKEY_2_0_10_BUILD1)
* SECURITY UPDATE:
  - http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html#seamonkey2.0.10

12. By Chris Coulson

* New upstream release v2.0.9 (SEAMONKEY_2_0_9_BUILD1)
* SECURITY UPDATE:
  - http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html#seamonkey2.0.9

* Bump minimum system NSS to 3.12.8 after landing of (bmo: 600104) aka
  Bump minimum required version for system NSS to 3.12.8
  - update debian/rules
* Bump minimum system NSPR to 4.8.6 after landing of (bmo: 567620) aka
  Bump minimum required version for system NSPR to 4.8.6
  - update debian/rules
* Fix LP: #646632 - No dictionaries present in Seamonkey. Ship a
  symlink to the system dictionaries
  - update debian/rules
  - update debian/seamonkey-browser.install
* Fix LP: #643047 - Don't touch $LIBDIR/.autoreg from the seamonkey
  postinst script. The seamonkey package is just a meta-package, and
  the file is shipped by seamonkey-browser. Changing this ensures that
  seamonkey doesn't fail to configure if there is version skew during
  upgrades, and avoids the need for having tight dependencies
  - update debian/rules
  - remove debian/seamonkey.postinst.in
  - remove debian/seamonkey.prerm.in

11. By Chris Coulson

* New upstream release v2.0.8 (SEAMONKEY_2_0_8_BUILD1)

* SECURITY UPDATES:
* MFSA 2010-49: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
  - CVE-2010-3169
* MFSA 2010-50: Frameset integer overflow vulnerability
  - CVE-2010-2765
* MFSA 2010-51: Dangling pointer vulnerability using DOM plugin array
  - CVE-2010-2767
* MFSA 2010-52: Windows XP DLL loading vulnerability
  - CVE-2010-3131
* MFSA 2010-53: Heap buffer overflow in nsTextFrameUtils::TransformText
  - CVE-2010-3166
* MFSA 2010-54: Dangling pointer vulnerability in nsTreeSelection
  - CVE-2010-2760
* MFSA 2010-55: XUL tree removal crash and remote code execution
  - CVE-2010-3168
* MFSA 2010-56: Dangling pointer vulnerability in nsTreeContentView
  - CVE-2010-3167
* MFSA 2010-57: Crash and remote code execution in normalizeDocument
  - CVE-2010-2766
* MFSA 2010-58: Crash on Mac using fuzzed font in data: URL
  - CVE-2010-2770
* MFSA 2010-60: XSS using SJOW scripted function
  - CVE-2010-2763
* MFSA 2010-61: UTF-7 XSS by overriding document charset using <object>
  type attribute
  - CVE-2010-2768
* MFSA 2010-62: Copy-and-paste or drag-and-drop into designMode document
  allows XSS
  - CVE-2010-62
* MFSA 2010-63: Information leak via XMLHttpRequest statusText
  - CVE-2010-63

* Refresh patches for new upstream version
  - update debian/patches/seamonkey-fsh.patch
* Fix LP: #593571 - searching for am-newsblog.xul in the wrong chrome package
  Install the newsblog.js XPCOM component
  - update debian/seamonkey-mailnews.install

10. By Micah Gersten

* New upstream release v2.0.5 (SEAMONKEY_2_0_5_BUILD1)

[ Fabien Tassin ]
* Add conditional support for system Cairo, NSS, NSPR
  - update debian/rules
* Update icons from xpm to png
  - update debian/seamonkey-*.{install,links,menu}
* We no longer need dynamic -lsoftokn, disable NSS_DYNAMIC_SOFTOKN
  - add debian/patches/no_dynamic_nss_softokn.patch
  - update debian/patches/series

[ Micah Gersten ]
* Use versioned install directory
  - update debian/rules
* Bump minimum versions of system libs; cairo to 1.8.8; NSPR to 4.8;
  NSS to 3.12.6
  - update debian/rules
* Update .install files for latest release
  - update debian/seamonkey-browser.install
  - update debian/seamonkey-mailnews.install
* Refresh patches
  - update debian/patches/cleaner_dist_clean.patch
  - update debian/patches/fix_installer.patch
  - update debian/patches/seamonkey-fsh.patch
* Drop cairo FTBFS patch after upstream landing
  - drop debian/patches/fix_ftbfs_with_cairo_fb.patch
  - update debian/series
* Install gnome components in -browser package so that it works out of the box
  - update debian/seamonkey-browser.install
  - update debian/control
  - update debian/rules
* Move mozclient to be in source
  - add debian/mozclient/compare.mk
  - add debian/mozclient/seamonkey-remove.binonly.sh
  - add debian/mozclient/seamonkey.conf
  - add debian/mozclient/seamonkey.mk
  - update debian/rules
* Fix FTBFS on Sparc by disabling jit (LP: #523627)
  - update debian/rules

[ Chris Coulson ]
* Ensure the symlinks are installed correctly. File name expansion
  doesn't work in the .links files, so call dh_link explicitly in
  debian/rules instead
  - drop debian/seamonkey-browser.links
  - drop debian/seamonkey-mailnews.links
  - update debian/rules
* Only the seamonkey-gnome-support package should have dependencies on GNOME
  libraries - ensure that seamonkey-browser doesn't have the GNOME components
  installed when dh_shlibdeps is run
  - update debian/rules
  - update debian/seamonkey-browser.install

9. By John Vivirito

* New upstream security release: 1.1.17 (LP: #356274)
  - CVE-2009-1841: JavaScript chrome privilege escalation
  - CVE-2009-1838: Arbitrary code execution using event listeners attached to an element whose owner document is null
  - CVE-2009-1836: SSL tampering via non-200 responses to proxy CONNECT requests
  - CVE-2009-1835: Arbitrary domain cookie access by local file: resources
  - CVE-2009-1392, CVE-2009-1832, CVE-2009-1833: Crashes with evidence of memory corruption (rv:1.9.0.11)
  - CVE-2009-1311: POST data sent to wrong site when saving web page with embedded frame
  - CVE-2009-1307: Same-origin violations when Adobe Flash loaded via view-source: scheme
  - MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
* removed debian/patches/90_181_484320_attachment_368977.patch
* removed debian/patches/90_181_485217_attachment_369357.patch
* removed debian/patches/90_181_485286_attachment_369457.patch
  - update debian/patches/series

8. By Alexander Sack

* CVE-2009-1044: Arbitrary code execution via XUL tree element
  - add debian/patches/90_181_484320_attachment_368977.patch
  - update debian/patches/series
* CVE-2009-1169: XSL Transformation vulnerability
  - add 90_181_485217_attachment_369357.patch
  - add debian/patches/90_181_485286_attachment_369457.patch

7. By Fabien Tassin

* New security upstream release: 1.1.12 (LP: #276437)
  - CVE-2008-4070: Heap overflow when canceling newsgroup message
  - CVE-2008-4069: XBM image uninitialized memory reading
  - CVE-2008-4067..4068: resource: traversal vulnerabilities
  - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
  - CVE-2008-4061..4064: Crashes with evidence of memory corruption
  - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
  - CVE-2008-3837: Forced mouse drag
  - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
  - CVE-2008-0016: UTF-8 URL stack buffer overflow
* Also includes security fixes from 1.1.11 and 1.1.10 (LP: #218534)
  - CVE-2008-2785: Remote code execution by overflowing CSS reference counter
  - CVE-2008-2811: Crash and remote code execution in block reflow
  - CVE-2008-2810: Remote site run as local file via Windows URL shortcut
  - CVE-2008-2809: Peer-trusted certs can use alt names to spoof
  - CVE-2008-2808: File location URL in directory listings not escaped properly
  - CVE-2008-2807: Faulty .properties file results in uninitialized memory being used
  - CVE-2008-2806: Arbitrary socket connections with Java LiveConnect on Mac OS X
  - CVE-2008-2805: Arbitrary file upload via originalTarget and DOM Range
  - MFSA 2008-26 (follow-up of CVE-2008-0304): Buffer length checks in MIME processing
  - CVE-2008-2803: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
  - CVE-2008-2802: Chrome script loading from fastload file
  - CVE-2008-2801: Signed JAR tampering
  - CVE-2008-2800: XSS through JavaScript same-origin violation
  - CVE-2008-2798..2799: Crashes with evidence of memory corruption
  - CVE-2008-1380: Crash in JavaScript garbage collector
* Refresh diverged patch:
  - update debian/patches/80_security_build.patch
* Fix FTBFS with missing -lfontconfig
  - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
  - update debian/patches/series

6. By Fabien Tassin

* New security upstream release: 1.1.9 (LP: #207461)
* Security fixes:
  - MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
  - MFSA 2008-18 Java socket connection to any local port via LiveConnect
  - MFSA 2008-17 Privacy issue with SSL Client Authentication
  - MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
  - MFSA 2008-15 Crashes with evidence of memory corruption
  - MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
* Drop patches applied upstream:
  - drop debian/patches/11_bz399589_fix_missing_symbol_with_new_nss.patch
  - update debian/patches/series
* Add missing Ubuntu-specific menu items (LP: #190845)
  - add debian/patches/85_ubuntu_menu.patch
  - update debian/patches/series
  Contributed by Andrea Colangelo

5. By Fabien Tassin

* New security upstream release: 1.1.8
* Security fixes:
  - MFSA 2008-10 URL token stealing via stylesheet redirect
  - MFSA 2008-09 Mishandling of locally-saved plain text files
  - MFSA 2008-06 Web browsing history and forward navigation stealing
  - MFSA 2008-05 Directory traversal via chrome: URI
  - MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
  - MFSA 2008-02 Multiple file input focus stealing vulnerabilities
  - MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
* Drop unwanted patches:
  - drop debian/patches/82_homepage.patch
  - drop debian/patches/85_about.patch
  - drop debian/patches/85_release_notes.patch
  - update debian/patches/series
* Update diverged patch:
  - update debian/patches/99_configure.patch

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/karmic/seamonkey