seamonkey-2.53.19

[Bruce Dubbs]

New point version.

[Bruce Dubbs]

This seems to be a beta: 2.53.19b1

[Xi Ruoyao]

The beta still needs our patch and sed. And it still does not build with Python 3.12.

No improvement from a book maintenance viewpoint.

[Bruce Dubbs]

Now a stable version 2.53.19.

Release notes are at ​https://www.seamonkey-project.org/releases/seamonkey2.53.19/

I do not see any reference to Python in the release notes. I don't know if python-3.11 is still required or not.

[Douglas R. Reno]

Moving to highest priority due to the 0.0.0.0 day vulnerability fix (more information can be found at ​https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser ) - we'll start to see fixes for this 18 year old security flaw in other browsers as well.

In addition, this includes fixes from Firefox 115.14.0 and Thunderbird 115.14.0

[Xi Ruoyao]

It looks like we need to add MACH_USE_SYSTEM_PYTHON=1 for ./mach build.

[Xi Ruoyao]

Replying to Xi Ruoyao:

It looks like we need to add MACH_USE_SYSTEM_PYTHON=1 for ./mach build.

And also ./mach install.

[Douglas R. Reno]

Release notes:

What's New in SeaMonkey 2.53.19

SeaMonkey 2.53.19 contains (among other changes) the following changes relative to SeaMonkey 2.53.18.2:

• Cancel button in SeaMonkey bookmarking star ui not working
• Remove OfflineAppCacheHelper.jsm copy from SeaMonkey and use the one in toolkit
• Remove obsolete registerFactoryLocation calls from cZ
• Remove needless implements='nsIDOMEventListener' and QI
• Replace use of nsIStandardURL::Init
• Switch SeaMonkey website from hg.mozilla.org to heptapod.
• Allow view-image to open a data: URI by setting a flag on the loadinfo
• Save-link-as feature should use the loading principal and context menu using nsIContentPolicy.TYPE_SAVE_AS_DOWNLOAD
• Use punycode in SeaMonkey JS
• Font lists in preferences are no longer grouped by font type, port asynchronous handling like Bug 1399206
• SeaMonkey broken tab after undo closed tab with invalid protocol
• SeaMonkey session restore is missing the checkboxes in the Classic theme
• Implement about:credits on seamonkey-project.org website

The following bugs were fixed in our branch of the Gecko source code only:

• Fix for the 0.0.0.0 day vulnerability
• Link in update notification does not open Browser
• Update ReadExtensionPrefs in Preferences.cpp
• Add about:seamonkey page to SeaMonkey

[Douglas R. Reno]

Fixed at ce066d28e810524a2a3a5bfe8cb83349e7f929da

Security advisory to come after I get Thunderbird running

[Douglas R. Reno]

Security Fixes:

• CVE-2024-29944: Privileged JavaScript Execution via Event Handlers (Critical)
• CVE-2024-3852: GetBoundName in the JIT returned the wrong object (High)
• CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement (High)
• CVE-2024-3857: Incorrect JITting of arguments led to use-after-free during garbage collection (High)
• CVE-2024-2609: Permission prompt input delay could expire when not in focus (Moderate)
• CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the OpenType sanitizer (Moderate)
• CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move (Moderate)
• CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames (Low)
• CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 (High)
• CVE-2024-4367: Arbitrary JavaScript execution in PDF.js (High)
• CVE-2024-4767: IndexedDB files retained in private browsing mode (Moderate)
• CVE-2024-4768: Potential permissions request bypass via clickjacking (Moderate)
• CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types (Moderate)
• CVE-2024-4770: Use-after-free could occur when printing to PDF (Moderate)
• CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11 (Moderate)
• CVE-2024-5702: Use-after-free in networking (High)
• CVE-2024-5688: Use-after-free in JavaScript object transplant (High)
• CVE-2024-5690: External protocol handlers leaked by timing attack (Moderate)
• CVE-2024-5691: Sandboxed iframes were able to bypass sandbox restrictions to open a new window (Moderate)
• CVE-2024-5693: Cross-Origin Image leak via Offscreen Canvas (Moderate)
• CVE-2024-5696: Memory Corruption in Text Fragments (Moderate)
• CVE-2024-5700: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (High)
• CVE-2024-7652: Type Confusion in Async Generators in Javascript Engine (High)
• CVE-2024-6601: Race condition in permission assignment (Moderate)
• CVE-2024-6602: Memory corruption in NSS (Moderate)
• CVE-2024-6603: Memory corruption in thread creation (Moderate)
• CVE-2024-6604: Memory safety bugs fixed in Firefox 128, Firefox ESR 115.13, Thunderbird 128, and Thunderbird 115.13 (High)
• CVE-2024-7519: Out of bounds memory access in graphics shared memory handling (High)
• CVE-2024-7521: Incomplete WebAssembly exception handing (High)
• CVE-2024-7522: Out of bounds read in editor component (High)
• CVE-2024-7524: CSP strict-dynamic bypass using web-compatibility shims (High)
• CVE-2024-7525: Missing permission check when creating a StreamFilter (High)
• CVE-2024-7526: Uninitialized memory used by WebGL (High)
• CVE-2024-7527: Use-after-free in JavaScript garbage collection (High)
• CVE-2024-7529: Document content could partially obscure security prompts (Moderate)
• CVE-2024-7531: PK11_Encrypt using CKM_CHACHA20 can reveal plaintext on Intel Sandy Bridge machines (Moderate)
• The 0.0.0.0 Day Vulnerability (​https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser)

[Douglas R. Reno]

SA-12.2-011 issued