From nobody@FreeBSD.org  Fri Feb 22 07:45:35 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B642516A402
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 22 Feb 2008 07:45:35 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A9A6D13C448
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 22 Feb 2008 07:45:35 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m1M7gxDj081546
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 22 Feb 2008 07:42:59 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m1M7gx5r081545;
	Fri, 22 Feb 2008 07:42:59 GMT
	(envelope-from nobody)
Message-Id: <200802220742.m1M7gx5r081545@www.freebsd.org>
Date: Fri, 22 Feb 2008 07:42:59 GMT
From: Jordan Gordeev <jgordeev@dir.bg>
To: freebsd-gnats-submit@FreeBSD.org
Subject: www/seamonkey needs updating to address security issues
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         120962
>Category:       ports
>Synopsis:       www/seamonkey needs updating to address security issues
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    gnome
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 22 07:50:00 UTC 2008
>Closed-Date:    Thu Feb 28 06:34:20 UTC 2008
>Last-Modified:  Thu Feb 28 06:40:02 UTC 2008
>Originator:     Jordan Gordeev
>Release:        FreeBSD 6.3
>Organization:
>Environment:
>Description:
Seamonkey should be updated to version 1.1.8 to address the following security issues:
MFSA 2008-10  URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-07 Possible information disclosure in BMP decoder
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
Three of these are considered to have critical impact, one - high, two - moderate and two - low.

>How-To-Repeat:

>Fix:
Update the port to version 1.1.8.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->gnome 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Feb 22 07:50:06 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120962 
State-Changed-From-To: open->closed 
State-Changed-By: mezz 
State-Changed-When: Thu Feb 28 06:33:53 UTC 2008 
State-Changed-Why:  
Committed, thanks for remind. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120962 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/120962: commit references a PR
Date: Thu, 28 Feb 2008 06:33:35 +0000 (UTC)

 mezz        2008-02-28 06:33:30 UTC
 
   FreeBSD ports repository
 
   Modified files:
     www/seamonkey        Makefile distinfo 
   Log:
   - Update to 1.1.8. [1]
   - Add "--with-default-mozilla-five-home=${PREFIX}/lib/${MOZILLA}" to fix other
     applications in the runtime. Some applications required to have set
     MOZILLA_FIVE_HOME or/and LD_LIBRARY_PATH to make it works in the runtime. Now,
     it's no longer need to set these variables, which this flag takes care of it.
     The MOZILLA_FIVE_HOME still works with this flag if someone need to use
     different one. I have learned about this flag from RPM, Debian, Gentoo ebuild
     and other packages. Have been tested in MC CVS since Dec.
   
   PR:             ports/120962 [1]
   Reminded by:    Jordan Gordeev <jgordeev@dir.bg> [1]
   Security:       - MFSA 2007-08 onUnload + document.write() memory corruption
                   - MFSA 2007-07 Embedded nulls in location.hostname confuse
                     same-domain checks
                   - MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2
                     buffer overflow
                   - MFSA 2007-05 XSS and local file access by opening blocked
                     popups
                   - MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
                   - MFSA 2007-03 Information disclosure through cache collisions
                   - MFSA 2007-02 Improvements to help protect against Cross-Site
                     Scripting attacks
                   - MFSA 2007-01 Crashes with evidence of memory corruption
                     (rv:1.8.0.10/1.8.1.2)
   
   Revision  Changes    Path
   1.274     +7 -5      ports/www/seamonkey/Makefile
   1.101     +3 -3      ports/www/seamonkey/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
