Opened 7 months ago

Closed 7 months ago

#18622 closed enhancement (fixed)

seamonkey-2.53.17.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New nano version.

Change History (5)

comment:1 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 7 months ago

SeaMonkey 2.53.17.1 contains (among other changes) the following changes relative to SeaMonkey 2.53.17:

    Upstream libwebp security fix bug 1852749.
    CVE-2023-4863: Heap buffer overflow in libwebp bug 1852649.
    Fix bad string encoded in ansi. l10n fr problem only bug 1847887.

We already have the two libwebp security problems fixed since we use system libwebp, but the other change is relevant to users who use French as their language.

comment:3 by Douglas R. Reno, 7 months ago

Priority: normal → high

Later in the release notes, it's mentioned that this has security fixes up to Firefox 115.3. Since the last version had fixes up to 102.11, that will mean we have the following CVEs fixed in this version (in addition to the bundled libwebp):

  • CVE-2023-34414: Click-jacking certificate exceptions through rendering lag (High)
  • CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12 (High)
  • CVE-2023-3482: Block all cookies bypass for localstorage (moderate)
  • CVE-2023-37201: Use-after-free in WebRTC certificate generation (High)
  • CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey (High)
  • CVE-2023-37203: Drag and Drop API may provide access to local system files (Moderate)
  • CVE-2023-37204: Fullscreen notification obscured via option element (Moderate)
  • CVE-2023-37205: URL spoofing in address bar using RTL characters (Moderate)
  • CVE-2023-37206: Insufficient validation of symlinks in the FileSystem API (Moderate)
  • CVE-2023-37207: Fullscreen notification obscured (Moderate)
  • CVE-2023-37208: Lack of warning when opening Diagcab files (Moderate)
  • CVE-2023-37209: Use-after-free in NotifyOnHistoryReload (Moderate)
  • CVE-2023-37210: Full-screen mode exit prevention (Low)
  • CVE-2023-37211: Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 (High)
  • CVE-2023-37212: Memory safety bugs fixed in Firefox 115 (High)
  • CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character (Moderate)
  • CVE-2023-3600: Use-after-free in workers (High)
  • CVE-2023-4045: Offscreen Canvas could have bypassed cross-origin restrictions (High)
  • CVE-2023-4046: Incorrect value used during WASM compilation (High)
  • CVE-2023-4047: Potential permissions request bypass via clickjacking (High)
  • CVE-2023-4048: Crash in DOMParser due to out-of-memory conditions (High)
  • CVE-2023-4049: Fix potential race conditions when releasing platform objects (High)
  • CVE-2023-4050: Stack buffer overflow in StorageManager (High)
  • CVE-2023-4055: Cookie jar overflow caused unexpected cookie jar state (Low)
  • CVE-2023-4056: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 (High)
  • CVE-2023-4057: Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1 (High)
  • CVE-2023-4573: Memory corruption in IPC CanvasTranslator (High)
  • CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback (High)
  • CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback (High)
  • CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation (High)
  • CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics (High)
  • CVE-2023-4051: Full screen notification obscured by file open dialog (Moderate)
  • CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception (Moderate)
  • CVE-2023-4053: Full screen notification obscured by external program (Moderate)
  • CVE-2023-4580: Push notifications saved to disk unencrypted (Moderate)
  • CVE-2023-4581: XLL file extensions were downloadable without warnings (Moderate)
  • CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window (Low)
  • CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 (High)
  • CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 (High)
  • CVE-2023-5169: Out-of-bounds write in PathOps (High)
  • CVE-2023-5171: Use-after-free in Ion Compiler (High)
  • CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (High)

Seamonkey is now completely caught up to date on security updates.

comment:4 by Douglas R. Reno, 7 months ago

The sed for the 'distro' python module is still needed

comment:5 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 1d817374e1e86e176145ec72849e28ef6843a7b6

SA-12.0-014 issued
