#14548 closed enhancement (fixed)
seamonkey-2.53.6
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | highest | Milestone: | 10.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version
Contains security fixes from Firefox-78.6 and Thunderbird-78.6
Change History (5)
comment:1 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
follow-up: 5 comment:2 by , 5 years ago
| Priority: | high → highest |
|---|
comment:3 by , 5 years ago
A couple build system changes:
--with-pthreads is no longer recognized
--enable-application=suite needs to become --enable-application=comm/suite
comment:5 by , 5 years ago
Replying to renodr:
Ken, it's worth noting that this should be compatible with rust-1.48.0 should we need to upgrade anytime soon
I've just looked at firefox-86.0beta1, and that still requires rust >= 1.47.0. ff87 (beta due after 23rd Feb) will want 1.48. But until we move to the next firefox esr series (91, due 13th July) or until librsvg forces us, for the moment no reason to change.
My (unmeasured) impression is that each newer version of rust takes longer to build firefox.
Note:
See TracTickets
for help on using tickets.
What's New in SeaMonkey 2.53.6 SeaMonkey 2.53.6 contains (among other changes) the following major changes relative to SeaMonkey 2.53.5.1: Improve usability of multiple mailboxes/folders selectionbug 1600103. Add Greek localisation (el). Remove more RDF from mailnews code. Switch to mozilla as topsrcdir and component for building is comm/suite now. Rust support is now up to 1.48 and official build is now using 1.47.0 Various security and general platform fixes. SeaMonkey 2.53.6 contains (among other changes) the following major changes relative to SeaMonkey 2.49.5: The Bookmarks Manager has switched its name to Library, and now also includes the History list. When invoking History, the Library will be shown with the History list selected. The extensive modifications were needed because of Mozilla Gecko platform API changes. Download Manager has been migrated to a new API. Although it looks pretty much the same as before, the search option is missing and some other minor details work differently. The previous downloads history is removed during the upgrade. The layout panel was added to the CSS Grid tools. TLS 1.3 is the default SSL version now. The only NPAPI plugin which will work with SeaMonkey 2.53.6 is Flash. Support for other NPAPI plugins like Java and Silverlight has been removed. For displaying pdf files in the browser you can use pdf.js-seamonkey from Isaac Schemm. SeaMonkey now uses a new api for formatting regional data like time and date. Default is to use the application locale of the current SeaMonkey build. If you use a language pack or a different OS formatting this is usually not desired. You can change the formatting from the application locale to the regional settings locale (OS) in the preferences dialog under "Appearance". SeaMonkey 2.53.6 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes. SeaMonkey 2.53.6 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release. Additional important security fixes up to Current Firefox 78.6 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.Ken, it's worth noting that this should be compatible with rust-1.48.0 should we need to upgrade anytime soon
On that note, it's time for some security fixes. The previous version of seamonkey, 2.53.5.1, included fixes from Firefox and Thunderbird 78.4.0esr.
Security fixes from Firefox-78.4.1esr:
CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for Reporter 360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity Contest Impact critical Description In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. References Bug 1675905Security fixes from Firefox-78.5.0esr:
#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code Reporter Irvan Kurniawan (@sourc7) Impact high Description A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. References Bug 1667113 #CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls Reporter Aleksejs Popovs Impact moderate Description When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks. References Bug 1642028 #CVE-2020-26953: Fullscreen could be enabled without displaying the security UI Reporter Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research Impact moderate Description It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. References Bug 1656741 #CVE-2020-26956: XSS through paste (manual and clipboard API) Reporter Irvan Kurniawan (@sourc7) Impact moderate Description In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. References Bug 1666300 #CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions Reporter Moti Harmats Impact moderate Description Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. References Bug 1669355 #CVE-2020-26959: Use-after-free in WebRequestService Reporter Bharadwaj Machiraju Impact moderate Description During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. References Bug 1669466 #CVE-2020-26960: Potential use-after-free in uses of nsTArray Reporter Zijie Zhao Impact moderate Description If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. References Bug 1670358 #CVE-2020-15999: Heap buffer overflow in freetype Reporter Sergei Glazunov of Google Project Zero Impact moderate Description In Freetype, if PNG images were embedded into fonts, the Load_SBit_Png function contained an integer overflow that led to a heap buffer overflow, memory corruption, and an exploitable crash. Note: While Project Zero did discover instances of this vulnerability being exploited in the wild against Chrome, in Firefox this vulnerability is only triggerable if a rarely-used, hidden preference is toggled, and only affected Linux and Android operating systems. Other operating systems are unaffected; and Linux and Android are unaffected in the default configuration. References Bug 1672223 #CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses Reporter Gabriel Corona Impact moderate Description When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. References Bug 1672528 #CVE-2020-26965: Software keyboards may have remembered typed passwords Reporter Makoto Kato Impact low Description Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. References Bug 1661617 #CVE-2020-26966: Single-word search queries were also broadcast to local network Reporter tiebuchen Impact low Description Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. References Bug 1663571 #CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5 Reporter Mozilla developers and community Impact high Description Mozilla developers Steve Fink, Jason Kratzer, Randell Jesup, Christian Holler, and Byron Campen reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5Security fixes from Firefox-78.6.0esr (NOTE: 78.6.1esr SCTP fix doesn't seem to be included :-( ):
#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed Reporter André Bargull Impact critical Description When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read. References Bug 1679003 #CVE-2020-26971: Heap buffer overflow in WebGL Reporter Omair, Abraruddin Khan Impact high Description Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. References Bug 1663466 #CVE-2020-26973: CSS Sanitizer performed incorrect sanitization Reporter Kai Engert Impact high Description Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass. References Bug 1680084 #CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free Reporter Pham Bao of VinCSS (Member of Vingroup) Impact high Description When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. References Bug 1681022 #CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage Reporter Samy Kamkar, Ben Seri, and Gregory Vishnepolsky Impact moderate Description Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. References Bug 1677047 #CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs Reporter Yassine Tioual Impact low Description When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address. References Bug 1657916 #CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead Reporter Samuel Attard via the Chrome Security Team Impact low Description If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. References Bug 1661365 #CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 Reporter Christian Holler Impact high Description Mozilla developer Christian Holler reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6Thunderbird's SMTP 0day has been included in this as well:
#CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes Reporter Chiaki Ishikawa Impact high Description When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable. References Bug 1677338