Branches for Hoary

Author: Tollef Fog Heen
Revision Date: 2005-04-04 14:24:50 UTC

* New upstream release with security and stability fixes:
  - MFSA 2005-30 GIF heap overflow parsing Netscape extension 2
  - MFSA 2005-25 Image drag and drop executable spoofing
  - MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
  - MFSA 2005-18 Memory overwrite in string library
  - MFSA 2005-17 Install source spoofing with user:pass@host
  - MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion

Author: Martin Pitt
Revision Date: 2006-07-25 11:35:23 UTC

* This release backports several security issue fixed in thunderbird
  1.5.0.4. the patches listed below can be found in
  debian/patches/tbird.1.0.8-1.0.8a:

  + CVE-2006-2787 : 0001-mfsa2006-31-319263-336601-336313.patch
  + CVE-2006-2786 1/2 : 0002-mfsa2006-33-Part-1-2-329746.patch
  + CVE-2006-2786 1/2 : 0003-mfsa2006-33-Part-2-2-330214.patch
  + CVE-2006-2785 2/2 : 0004-mfsa2006-34-329521-329468.patch
  + CVE-2006-2775 : 0005-mfsa2006-35-329677.patch
                        0024-mfsa2006-35-335142-regression-1-2-for-329677.patch
                        0025-mfsa2006-35-337841-regression-part-2-2-for-329677.patch
  + CVE-2006-2784 : 0006-mfsa2006-36-330037.patch
  + CVE-2006-2776 : 0007-mfsa2006-37-330773-with-belt-and-braces.patch
  + CVE-2006-2778 : 0008-mfsa2006-38-330897.patch
  + CVE-2006-1942 : 0009-mfsa2006-39-CVE-2006-1942-334341.patch
  + CVE-2006-2781 : 0010-mfsa2006-40-334384-sea.patch
                        0010-mfsa2006-40-334384.patch
  + CVE-2006-2782 : 0011-mfsa2006-41-334977.patch
  + CVE-2006-2783 : 0012-mfsa2006-42-335816.patch
  + CVE-2006-2777 : 0013-mfsa2006-43-336830.patch
  + CVE-2006-2779 3/6 : 0014-mfsa2006-32-Part-3-7-326501.patch
  + CVE-2006-2779 4/6 : 0015-mfsa2006-32-Part-4a-7-326931.patch
  + CVE-2006-2779 4/6 : 0016-mfsa2006-32-Part-4b-7-329219.patch
  + CVE-2006-2779 4/6 : 0017-mfsa2006-32-Part-4c-7-330818-proper-aviary.patch
  + CVE-2006-2779 6/6 : 0018-content-html-document-src-nsHTMLContentSink.cpp-332971-mfsa2006-32-Part-6-7.patch
  + CVE-2006-2780 : 0019-js-src-jsstr.c-335535-mfsa2006-32-Part-7-7.patch
  + CVE-2006-2779 5/6 : 0021-mfsa2006-32-Part-5-7-327712.patch
* Note: CVE-2006-2779 (mfsa2006-32) is only partially fixed. Missing are
  tricky parts 1/6 and 2/6 from advisory:
  1/6: Removing nested <option>s from a select (Jesse Ruderman)
    https://bugzilla.mozilla.org/show_bug.cgi?id=324918
  2/6: 'Crashes during DOMNodeRemoved mutation event'
    https://bugzilla.mozilla.org/show_bug.cgi?id=325730
    https://bugzilla.mozilla.org/show_bug.cgi?id=329982
* Patches taken from Debian security update. Many thanks to Alexander Sack
  <asac@debian.org> for providing them!