Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15227 closed enhancement (fixed)

seamonkey-2.53.8

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 11.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: changed from new to assigned

comment:2 by Douglas R. Reno, 3 years ago

As is common with the Seamonkey developers, there are some changes required:

"make -f client.mk" no longer works; you must use 'mach build' and 'mach install'.

However, system NSS now works again, and the RUSTC_BOOTSTRAP variable is no longer necessary as well.

comment:3 by Douglas R. Reno, 3 years ago

There is an IRC Client, Calendar, and DOM Inspector that we've been missing. I'll add the requisite options to the mozconfig for that to be built, with instructions on how to disable it for those who don't want it.

comment:4 by Douglas R. Reno, 3 years ago

Priority: changed from normal to high

SeaMonkey 2.53.8 contains (among other changes) the following major changes relative to SeaMonkey 2.53.7.1:

    Serious performance improvements and bug fixes tracked in bug 1633339 and bug 1711050.
    Language attributes with country codes not recognized when building the Website Navigation Bar link toolbar (bug 134436 and bug 1709443).
    Optimize SeaMonkey icons for speed and optional higher quality for branding (bug 1362210 and bug 1699322).
    Support from= option when opening email compose window from the command line (bug 1628671).
    Update subject handling and GenericSendMessage function in compose window (bug 1693994).
    All message windows should update when view preferences are changed (bug 1694765).
    Improve marking of multiple messages as read / unread (bug 1700530).
    Show version numbers again in the add-on manager by the partial backout of bug 1161183.
    Update available networks in chatZilla (including adding libera.chat) (bug 1704392 and bug 1712505).
    Change default port for IRC via TLS/SSL to 6697 (bug 1704280).
    Remove chatZilla and Lightning extension language packs and incorporate localisations within the main language pack (bug 1604663).
    Fix address drag and drop handling in compose window (bug 1712002 and bug 1712227).
    Further fixes for legacy generators and the deprecated for each statement in add-ons and the Add-on SDK (bug 1702903).
    For developers, fork DOMi repo into main SeaMonkey one which means no need to separately checkout the extension (bug 1700003).

Security fixes go up to 78.11.0ESR, and started at 78.8.0. That'll be:

Security Vulnerabilities fixed in Firefox ESR 78.9

Announced
    March 23, 2021
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 78.9

Note: This advisory was updated June 8, 2021 to include CVE-2021-29955 which was also fixed in this release.
#CVE-2021-29955: Transient Execution Vulnerability allowed leaking arbitrary memory address

Reporter
    Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam
Impact
    high

Description

A transient execution vulnerability, named Floating Point Value Injection (FPVI) allowed an attacker to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. (A related vulnerability, Speculative Code Store Bypass (SCSB), did not affect Firefox.)
References

    Bug 1692972

#CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read

Reporter
    Abraruddin Khan and Omair
Impact
    high

Description

A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash.
References

    Bug 1692832

#MOZ-2021-0002: Angle graphics library out of date

Reporter
    Mozilla Developers, Abraruddin Khan and Omair
Impact
    high

Description

An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited.
References

    Bug 1691547

#CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage

Reporter
    Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact
    moderate

Description

Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections.
References

    Bug 1677046

#CVE-2021-23984: Malicious extensions could have spoofed popup information

Reporter
    Rob Wu
Impact
    moderate

Description

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.
References

    Bug 1693664

#CVE-2021-23987: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers and community members Alexis Beingessner, Tyson Smith, Julien Wajsberg, and Matthew Gregan reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9

Mozilla Foundation Security Advisory 2021-15
Security Vulnerabilities fixed in Firefox ESR 78.10

Announced
    April 19, 2021
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 78.10

#CVE-2021-23994: Out of bound write due to lazy initialization

Reporter
    Abraruddin Khan and Omair
Impact
    high

Description

A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write.
References

    Bug 1699077

#CVE-2021-23995: Use-after-free in Responsive Design Mode

Reporter
    Irvan Kurniawan
Impact
    high

Description

When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code.
References

    Bug 1699835

#CVE-2021-23998: Secure Lock icon could have been spoofed

Reporter
    Jordi Chancel
Impact
    moderate

Description

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page.
References

    Bug 1667456

#CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage

Reporter
    Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact
    moderate

Description

Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine.
References

    Bug 1677940

#CVE-2021-23999: Blob URLs may have been granted additional privileges

Reporter
    Nika Layzell
Impact
    moderate

Description

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content.
References

    Bug 1691153

#CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL

Reporter
    Daniel Santos
Impact
    moderate

Description

When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server.
References

    Bug 1702374

#CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads

Reporter
    Christian Holler
Impact
    moderate

Description

The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are unaffected.
References

    Bug 1700690

#CVE-2021-29946: Port blocking could be bypassed

Reporter
    Frederik Braun
Impact
    low

Description

Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header.
References

    Bug 1698503

Mozilla Foundation Security Advisory 2021-18
Security Vulnerabilities fixed in Firefox ESR 78.10.1

Announced
    May 4, 2021
Impact
    moderate
Products
    Firefox ESR
Fixed in

        Firefox ESR 78.10.1

#CVE-2021-29951: Mozilla Maintenance Service could have been started or stopped by domain users

Reporter
    James Forshaw
Impact
    moderate

Description

The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent the browser update service from operating (if an attacker spammed the 'Stop' command); but also exposed attack surface in the maintenance service.
Note: This issue only affected Windows operating systems older than Win 10 build 1709. Other operating systems are unaffected.
References

    Bug 1690062

Mozilla Foundation Security Advisory 2021-24
Security Vulnerabilities fixed in Firefox ESR 78.11

Announced
    June 1, 2021
Impact
    moderate
Products
    Firefox ESR
Fixed in

        Firefox ESR 78.11

#CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message

Reporter
    Ronald Crane
Impact
    moderate

Description

A locally-installed hostile program could send WM_COPYDATA messages that Firefox would process incorrectly, leading to an out-of-bounds read.
This bug only affects Firefox on Windows. Other operating systems are unaffected.
References

    Bug 1706501

#CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis, Christian Holler reported memory safety bugs present in Firefox 88 and Firefox ESR 78.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11

That will include:

CVE-2021-29955 CVE-2021-23981 MOZ-2021-0002 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23961 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVE-2021-29951 CVE-2021-29964 CVE-2021-29967
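
The bug class behind CVE-2021-29946 above, as an added example (not Firefox or SeaMonkey code): a port blocklist that inspects the wide parsed value while the connection uses only its low 16 bits, next to a strict parser that range-checks first. The check-then-truncate mechanism, the function names and the sample blocklist are assumptions made for illustration; the advisory does not show the affected code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample blocklist (SMTP, POP3, IMAP, IRC); not Firefox's actual list. */
static const long blocked_ports[] = { 25, 110, 143, 6667 };

static bool is_blocked(long port) {
    for (size_t i = 0; i < sizeof blocked_ports / sizeof blocked_ports[0]; i++)
        if (port == blocked_ports[i]) return true;
    return false;
}

/* Flawed pattern: the blocklist sees the wide value, the connection uses only
 * its low 16 bits. Returns the port that would be dialed, or -1 if refused. */
long port_check_flawed(const char *text) {
    long wide = strtol(text, NULL, 10);
    if (is_blocked(wide)) return -1;
    return (long)(uint16_t)wide;
}

/* Hardened: digits only, range-checked to 1..65535 before the blocklist
 * lookup, so the value that is checked is the value that is used. */
long port_check_strict(const char *text) {
    char *end;
    if (text[0] < '0' || text[0] > '9') return -1;   /* no sign, no whitespace */
    errno = 0;
    long wide = strtol(text, &end, 10);
    if (errno != 0 || *end != '\0') return -1;       /* overflow or trailing junk */
    if (wide < 1 || wide > 65535) return -1;
    return is_blocked(wide) ? -1 : wide;
}

int main(void) {
    /* 65561 == 65536 + 25: out of range, but its low 16 bits are port 25. */
    const char *samples[] = { "443", "25", "65561", "443x" };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s flawed=%ld strict=%ld\n", samples[i],
               port_check_flawed(samples[i]), port_check_strict(samples[i]));
    return 0;
}
```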
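
The input check that CVE-2021-24002 above calls for, as an added example (not Firefox or SeaMonkey code): percent-decode an FTP URL path and refuse it if any decoded byte is a control character, so an encoded %0D or %0A never reaches the FTP command channel. The function name `ftp_decode_path` and the sample paths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode an FTP URL path into out. Returns false (and leaves out
 * unusable) for a malformed escape, a path that does not fit, or any decoded
 * control byte: CR, LF, NUL and the rest of 0x00-0x1F, plus DEL. */
bool ftp_decode_path(const char *enc, char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0) return false;
    for (size_t i = 0; enc[i] != '\0'; i++) {
        unsigned char b = (unsigned char)enc[i];
        if (b == '%') {
            int hi = hex_val(enc[i + 1]);
            int lo = hi < 0 ? -1 : hex_val(enc[i + 2]);
            if (lo < 0) return false;            /* truncated or non-hex escape */
            b = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        /* Test the decoded byte: this is what would be written to the server. */
        if (b < 0x20 || b == 0x7f) return false;
        if (n + 1 >= out_len) return false;
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return true;
}

int main(void) {
    /* Constructed sample paths; the third carries an encoded CR LF. */
    const char *samples[] = { "pub/readme.txt", "pub/file%20name.txt",
                              "pub/readme%0D%0ANOOP", "pub/%zz" };
    char buf[64];
    for (size_t i = 0; i < 4; i++)
        printf("%-24s %s\n", samples[i],
               ftp_decode_path(samples[i], buf, sizeof buf) ? "accepted" : "rejected");
    return 0;
}
```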

comment:5 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: changed from assigned to closed

comment:6 by Bruce Dubbs, 3 years ago

Milestone: changed from 10.2 to 11.0

Milestone renamed
