
Security advisories for Monday

Fedora has updated epiphany (F8, F9: multiple Mozilla vulnerabilities), chmsee (F8, F9: multiple Mozilla vulnerabilities), firefox (F8, F9: multiple Mozilla vulnerabilities), blam (F8, F9: multiple Mozilla vulnerabilities), cairo-dock (F8, F9: multiple Mozilla vulnerabilities), kazehakase (F8, F9: multiple Mozilla vulnerabilities), gnome-python2-extras (F8, F9: multiple Mozilla vulnerabilities), gnome-web-photo (F8, F9: multiple Mozilla vulnerabilities), galeon (F8, F9: multiple Mozilla vulnerabilities), evolution-rss (F8, F9: multiple Mozilla vulnerabilities), epiphany-extensions (F8, F9: multiple Mozilla vulnerabilities), devhelp (F8, F9: multiple Mozilla vulnerabilities), gtkmozembedmm (F8, F9: multiple Mozilla vulnerabilities), liferea (F8: multiple Mozilla vulnerabilities), ruby-gnome2 (F8, F9: multiple Mozilla vulnerabilities), Miro (F8, F9: multiple Mozilla vulnerabilities), yelp (F8, F9: multiple Mozilla vulnerabilities), openvrml (F8: multiple Mozilla vulnerabilities), seamonkey (F8, F9: multiple vulnerabilities), google-gadgets (F9: multiple Mozilla vulnerabilities), mugshot (F9: multiple Mozilla vulnerabilities), mozvoikko (F9: multiple Mozilla vulnerabilities), xulrunner (F9: multiple Mozilla vulnerabilities), totem (F9: multiple Mozilla vulnerabilities), rubygem-rails (F9: SQL injection), rubygem-activesupport (F9: SQL injection), rubygem-activerecord (F9: SQL injection), rubygem-activeresource (F9: SQL injection), rubygem-actionmailer (F9: SQL injection), rubygem-actionpack (F9: SQL injection), rubygems (F9: SQL injection).

Mandriva has updated thunderbird (update to 2.0.0.17 for multiple vulnerabilities).

Slackware has updated thunderbird (update to 2.0.0.17 for multiple vulnerabilities).



Security advisories for Monday

Posted Sep 29, 2008 19:09 UTC (Mon) by kragil (guest, #34373)

Wow! Getting hacked sure makes for some impressive security advisories.

Security advisories for Monday

Posted Sep 29, 2008 22:39 UTC (Mon) by jspaleta (subscriber, #50639)

For the record, the number of packages updated has nothing to do with a backlog or the previous system downtime. The listed packages are from one of two issues: a mozilla firefox/xulrunner security update or a ruby-rails security update. Neither of these was old enough to be affected by the previous Fedora infrastructure outage.

The list of packages associated with mozilla vulnerabilities is quite long because it represents pretty much all the applications which depend on gecko-libs. They are being rebuilt as updates against the new versioned gecko-libs dependency as shipped in the updated xulrunner package. The xulrunner package itself is part of the multiple vulnerability fix as announced by Mozilla in the past week.

If you look back, the same sort of situation occurred when firefox and xulrunner were updated on July 18, prior to the infrastructure outage.

The xulrunner situation is more complicated than most library situations, since Mozilla admits that xulrunner is not a stable API... yet. Even Mozilla encourages application writers to make explicit requirements on the exact version of xulrunner needed. Having multiple applications target unstable library APIs is a bit tricky.

When Fedora introduced xulrunner for F9, applications which previously required firefox's copy of gecko-libs or their own internal copy were transitioned to require a common system xulrunner using a versioned gecko-libs requirement as expressed in the packaging system.

What does this mean? Let's take the devhelp package as an example.

The devhelp package which shipped in F9 required gecko-libs = 1.9

The new updated xulrunner package provides gecko-libs = 1.9.0.2

To make sure updates worked as expected, devhelp was rebuilt against the updated gecko-libs to match the xulrunner update and the new package was made available at the same time as the xulrunner update.

Other apps which use gecko-libs were similarly rebuilt as part of the xulrunner update process in an effort to ensure applications continue to operate as the libraries in xulrunner slide forward.

-jef
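The devhelp/gecko-libs walkthrough in the comment above comes down to how RPM compares versioned capabilities: a package pinned to `gecko-libs = 1.9` is not satisfied once xulrunner provides `gecko-libs = 1.9.0.2`, so it has to be rebuilt. The following is an added example, not code from LWN, Fedora or the commenter: it reimplements RPM's version-segment comparison in Python (simplified, with no handling of the `~`/`^` ordering markers that newer rpm understands) and runs it over a constructed Provides/Requires table using the versions the comment mentions. The package table, including the `hypothetical-app` entry with a `>=` requirement, is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# A version string is split into alternating numeric and alphabetic
# segments; separators such as '.', '-' and '_' are skipped.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings the way RPM's rpmvercmp() does.

    Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal.
    Assumption/simplification: no support for the '~' and '^' markers.
    """
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)  # "1.9.0.2" -> ["1", "9", "0", "2"]
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # numeric segments compare as integers, so leading zeros are ignored
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            # a numeric segment is considered newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:
            # two alphabetic segments compare as plain strings
            return 1 if x > y else -1
    # every shared segment matched: the version with segments left over is newer
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def requirement_satisfied(op: str, required: str, provided: str) -> bool:
    """True if 'Provides: cap = provided' meets 'Requires: cap <op> required'."""
    c = rpmvercmp(provided, required)
    return {
        "=": c == 0,
        ">=": c >= 0,
        "<=": c <= 0,
        ">": c > 0,
        "<": c < 0,
    }[op]


# Constructed dependency table modelling the situation in the comment:
# the updated xulrunner bumps the gecko-libs version it provides, and any
# package still pinned to the old exact version is left unsatisfied.
Requirement = Tuple[str, str, str]  # (capability, operator, version)

PROVIDES: Dict[str, List[Tuple[str, str]]] = {
    "xulrunner-1.9.0.2": [("gecko-libs", "1.9.0.2")],
}

REQUIRES: Dict[str, List[Requirement]] = {
    "devhelp (F9 GA build)": [("gecko-libs", "=", "1.9")],
    "devhelp (rebuilt)": [("gecko-libs", "=", "1.9.0.2")],
    "hypothetical-app": [("gecko-libs", ">=", "1.9")],  # constructed entry
}


def unsatisfied_packages(requires: Dict[str, List[Requirement]],
                         provides: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the packages whose versioned requirements no Provides entry meets."""
    offered: Dict[str, List[str]] = {}
    for caps in provides.values():
        for cap, ver in caps:
            offered.setdefault(cap, []).append(ver)
    broken: List[str] = []
    for pkg, reqs in requires.items():
        for cap, op, ver in reqs:
            if not any(requirement_satisfied(op, ver, v) for v in offered.get(cap, [])):
                broken.append(pkg)
                break
    return broken


if __name__ == "__main__":
    for pkg in unsatisfied_packages(REQUIRES, PROVIDES):
        print(f"{pkg}: requirement not met, needs a rebuild against the updated gecko-libs")
```

Running it reports only the original F9 `devhelp` build: the exact-version pin `gecko-libs = 1.9` fails against `1.9.0.2` because `rpmvercmp` treats the extra `.0.2` segments as a newer version, while the rebuilt package and a `>=` requirement are both satisfied. That is the whole reason a single xulrunner security fix turns into the long list of rebuilt dependents above.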

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds