Opened 3 years ago
Closed 3 years ago
#15753 closed enhancement (fixed)
seamonkey-2.53.10.1
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (6)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
comment:3 by , 3 years ago
Priority: | normal → elevated |
---|
Looking at the release notes for these last night, it's obvious these two contain some pretty significant security fixes. I may promote them to High after more research (which will happen after Java).
comment:4 by , 3 years ago
Summary: | seamonkey-2.53.10 → seamonkey-2.53.10.1 |
---|
2.53.10
What's New in SeaMonkey 2.53.10

SeaMonkey 2.53.10 contains (among other changes) the following major changes relative to SeaMonkey 2.53.9.1:

- Minor fixes for testdisplay command in ChatZilla bug 1727976.
- Show CTCP requests (excluding ACTION and DCC) bug 1722156.
- IRCv3: Add support for server-time bug 1724586.
- Add localization note for network editor dialog width in ChatZilla bug 1727977.
- IRCv3: Add support for extended-join and account-notify bug 1722159.
- Add ability to collapse message groups in ChatZilla bug 1724588.
- Fix JS strict warnings in unescapeTagValue in ChatZilla bug 1727989.
- IRCv3: Add support for invite-notify bug 1722161.
- IRCv3: Add support for batch bug 1724589.
- Fix JS strict warning in addHistory in cZ static.js bug 1727992.
- IRCv3: Add support for cap-notify bug 1722162.
- Stop using canonical name as collection keys in ChatZilla bug 1728025.
- IRCv3: Add support for TLS and STS bug 1722166.
- Helper function for renaming irc server properties in ChatZilla bug 1728027.
- IRCv3: Add support for MONITOR bug 1722174.
- Remove use of msg.commasp in ChatZilla bug 1726965.
- Allow shiftKey to modify behaviour of link clicking in cZ bug 1713458.
- IRCv3: Add support for echo-message bug 1722211.
- In ChatZilla make /commands return all matches starting with pattern bug 1726966.
- Use SeaMonkey prefs to determine how links behave in cZ bug 1713467.
- Allow parameters to be localised in ChatZilla bug 1724105.
- Add identify command to cZ and hook into password management bug 1713470.
- IRCv3.1: Implement SASL with PLAIN mechanism bug 1717545.
- IRCv3: Add support for message tags bug 1724584.
- Add last read message divider to ChatZilla bug 1729159.
- IRCv3: Add support for account-tag bug 1724585.
- Missing option "text encoding Unicode/UTF-8" in preferences - Mailnews bug 1679260.
- Detect Crashreporter using AppConstants in SeaMonkey bug 1735236.
- Link about LEGACY extensions in Add-ons Manager is broken bug 1656797.
- Update help for clear private data preferences and dialog bug 1728911.
- Fix typo in cs_nav_prefs_appearance bug 1737473.
- Drop leftover "Edit Menu" comment from messageWindow.xul and addressbook.xul bug 1725121.
- Add dummy tab routines to SeaMonkey mailnews tab browser bug 1735243.
- Folder pane and tab/window title not updated correctly when opening in new tab bug 1726940.
- Allow mail tab bar to be controlled separately to browser tab bar bug 1724515.
- Copy any user set values for new mail.tabs prefs bug 1729165.
- Merge Master Passwords and Passwords pref panes into a single pref pane bug 1728099.
- Move warning about redirection pref from Content to Privacy & Security pane bug 1728185.
- Move website icons prefs from content pref pane to browser pref pane bug 1727425.
- Move browser / mailnews system integration prefs into advanced pane bug 1727659.
- Have separate opentabfor.middleclick for mailnews bug 1727948.
- Add removeBrowser helper for tabbrowser bug 1730391.
- Put <browser> in a <stack> so it's easy to overlay bug 1730392.
- Allow browser focus to be avoided bug 1720003.
- SeaMonkey 32x32 default icon has light stripe at the bottom bug 1729153.
- Support <input type=time> and <input type=date> in SeaMonkey bug 1730408.
- Middleclick on browser tab handled twice (closes tab and loads URL from primary or clipboard) bug 1734407.
- Unable to create a new "Saved Search Folder" using "Save View as a Folder..." bug 1738669.

The following bugs were fixed in our branch of the Gecko source code only:

- Enable compression for standard http connections bug 1728996.
- Support VS2022 for compiling under Windows bug 1728988.
"But wait, there's more!" - the version is now 2.53.10.1
This one also includes the fixes from Firefox-78.15 ESR:
Security Vulnerabilities fixed in Firefox ESR 78.15

- Announced: October 5, 2021
- Impact: high
- Products: Firefox ESR
- Fixed in: Firefox ESR 78.15

CVE-2021-38496: Use-after-free in MessageTask

- Reporter: Yangkang of 360 ATA Team
- Impact: high
- Description: During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.
- References: Bug 1725335

CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2

- Reporter: Mozilla developers
- Impact: high
- Description: Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
comment:5 by , 3 years ago
2.53.10.1
SeaMonkey 2.53.10.1 contains (among other changes) the following major changes relative to SeaMonkey 2.53.10:

- Security fix for NSS code bug 1737470.
- Only use networks and servers in lower case in ChatZilla bug 1742502.
- Change classic form icon in SeaMonkey composer bug 1710915.
- Additional fixes for SeaMonkey 32x32 default icons on Windows and macOS bug 1729153.
Also includes fixes up to 91.4esr, so that would be:
Security Vulnerabilities fixed in Firefox ESR 91.3

- Announced: November 2, 2021
- Impact: high
- Products: Firefox ESR
- Fixed in: Firefox ESR 91.3

CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets

- Reporter: Armin Ebert
- Impact: high
- Description: The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
- References: Bug 1729517

CVE-2021-38504: Use-after-free in file picker dialog

- Reporter: Irvan Kurniawan
- Impact: high
- Description: When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
- References: Bug 1730156

CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data

- Reporter: Sergey Galich
- Impact: high
- Description: Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
- References: Bug 1730194

CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning

- Reporter: Irvan Kurniawan
- Impact: high
- Description: Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
- References: Bug 1730750

CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports

- Reporter: Takeshi Terada
- Impact: high
- Description: The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
- References: Bug 1730935

CVE-2021-43535: Use-after-free in HTTP2 Session object

- Reporter: Julien Cristau
- Impact: high
- Description: A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
- References: Bug 1667102

CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing

- Reporter: Raphael
- Impact: moderate
- Description: By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
- References: Bug 1366818

CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain

- Reporter: Ademar Nowasky Junior
- Impact: moderate
- Description: Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.
- References: Bug 1718571

CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS

- Reporter: Hou JingYi
- Impact: moderate
- Description: The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer. Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
- References: Bug 1731779

CVE-2021-43534: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3

- Reporter: Mozilla developers
- Impact: high
- Description: Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Firefox 93 and Firefox ESR 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
and
Security Vulnerabilities fixed in Firefox ESR 91.4.0

- Announced: December 7, 2021
- Impact: high
- Products: Firefox ESR
- Fixed in: Firefox ESR 91.4

CVE-2021-43536: URL leakage when navigating while executing asynchronous function

- Reporter: Sunwoo Kim and Youngmin Kim of SNU CompSec Lab
- Impact: high
- Description: Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.
- References: Bug 1730120

CVE-2021-43537: Heap buffer overflow when using structured clone

- Reporter: bo13oy of Cyber Kunlun Lab
- Impact: high
- Description: An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.
- References: Bug 1738237

CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both

- Reporter: Irvan Kurniawan (@sourc7)
- Impact: high
- Description: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
- References: Bug 1739091

CVE-2021-43539: GC rooting failure when calling wasm instance methods

- Reporter: Asumu Takikawa and Ioanna Dimitriou
- Impact: high
- Description: Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.
- References: Bug 1739683

CVE-2021-43541: External protocol handler parameters were unescaped

- Reporter: chriscla
- Impact: moderate
- Description: When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.
- References: Bug 1696685

CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler

- Reporter: Raphael Smolik
- Impact: moderate
- Description: Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.
- References: Bug 1723281

CVE-2021-43543: Bypass of CSP sandbox directive when embedding

- Reporter: Armin Ebert
- Impact: moderate
- Description: Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.
- References: Bug 1738418

CVE-2021-43545: Denial of Service when using the Location API in a loop

- Reporter: Paul Zühlcke
- Impact: low
- Description: Using the Location API in a loop could have caused severe application hangs and crashes.
- References: Bug 1720926

CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed

- Reporter: Daniel Veditz
- Impact: low
- Description: It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
- References: Bug 1737751

CVE-2021-4129: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4

- Reporter: Mozilla developers and community
- Impact: high
- Description: Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Firefox 94 and Firefox ESR 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
comment:6 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
I see that Fedora have a patch for building with rustc>=1.56.0, https://src.fedoraproject.org/rpms/seamonkey/raw/rawhide/f/seamonkey-2.53.10-rust156.patch