lp://staging/ubuntu/hardy-updates/xulrunner

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/hardy-updates/xulrunner

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

22. By Alexander Sack

* New security upstream release - backports for ffox 3.0.8
  + Fixed on Firefox EOL branch
    - MFSA 2009-13 Arbitrary code execution through XUL <tree> element
    - MFSA 2009-12 XSL Transformation vulnerability
    - MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
    - MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
    - MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
    - MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies
    - MFSA 2009-03 Local file stealing with SessionStore
    - MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)
  + Fixed in Firefox 2.0.0.20
    - MFSA 2008-65 Cross-domain data theft via script redirect error message (Windows)
  + Fixed in Firefox 2.0.0.19
    - MFSA 2008-69 XSS vulnerabilities in SessionStore
    - MFSA 2008-68 XSS and JavaScript privilege escalation
    - MFSA 2008-67 Escaped null characters ignored by CSS parser
    - MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
    - MFSA 2008-65 Cross-domain data theft via script redirect error message
    - MFSA 2008-64 XMLHttpRequest 302 response disclosure
    - MFSA 2008-62 Additional XSS attack vectors in feed preview
    - MFSA 2008-61 Information stealing via loadBindingDocument
    - MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
  + Fixed in Firefox 2.0.0.18
    - MFSA 2008-58 Parsing error in E4X default namespace
    - MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
    - MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
    - MFSA 2008-55 Crash and remote code execution in nsFrameManager
    - MFSA 2008-54 Buffer overflow in http-index-format parser
    - MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
    - MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
    - MFSA 2008-50 Crash and remote code execution via __proto__ tampering
    - MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
    - MFSA 2008-48 Image stealing via canvas and HTTP redirect
    - MFSA 2008-47 Information stealing via local shortcut files
  + Fixed in Firefox 2.0.0.17
    - MFSA 2008-45 XBM image uninitialized memory reading
    - MFSA 2008-44 resource: traversal vulnerabilities
    - MFSA 2008-43 BOM characters stripped from JavaScript before execution
    - MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
    - MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
    - MFSA 2008-40 Forced mouse drag
    - MFSA 2008-39 Privilege escalation using feed preview page and XSS flaw
    - MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
    - MFSA 2008-37 UTF-8 URL stack buffer overflow
  + Fixed in Firefox 2.0.0.16
    - MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
    - MFSA 2008-34 Remote code execution by overflowing CSS reference counter
  + Fixed in Firefox 2.0.0.15
    - MFSA 2008-33 Crash and remote code execution in block reflow
    - MFSA 2008-32 Remote site run as local file via Windows URL shortcut
    - MFSA 2008-31 Peer-trusted certs can use alt names to spoof
    - MFSA 2008-30 File location URL in directory listings not escaped properly
    - MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
    - MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
    - MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
    - MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    - MFSA 2008-24 Chrome script loading from fastload file
    - MFSA 2008-23 Signed JAR tampering
    - MFSA 2008-22 XSS through JavaScript same-origin violation
    - MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
  + Fixed in Firefox 2.0.0.14
    - MFSA 2008-20 Crash in JavaScript garbage collector

21. By Fabien Tassin

* New security upstream release: 1.8.1.13 (LP: #207171)
* Security fixes:
  - MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
  - MFSA 2008-18 Java socket connection to any local port via LiveConnect
  - MFSA 2008-17 Privacy issue with SSL Client Authentication
  - MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
  - MFSA 2008-15 Crashes with evidence of memory corruption
  - MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
* Merge from debian unstable (1.8.1.12-5). Remaining ubuntu changes:
  - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
  - xulrunner alternative in /usr/bin
* Drop patches applied upstream:
  - drop debian/patches/10_SECAlgorithmIDTemplate.dpatch
  - update debian/patches/00list
* Update diverged patches:
  - update debian/patches/99_configure.dpatch

20. By Fabien Tassin

* Merge from debian unstable (LP: #174219), remaining changes:
   - 88_bz384304_lp117575_linkrecursion_fix_in_startscript.dpatch
   - 88_bz399589_fix_missing_symbol_with_new_nss.dpatch
   - 88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
   - xulrunner alternative in /usr/bin
     - debian/xulrunner.install
     - debian/xulrunner.{postinst,prerm}
* Update debian/patches/99_configure.dpatch

19. By Fabien Tassin

* Merge from debian unstable (LP: #163271), remaining changes:
  - remaining Ubuntu patches in debian/patches:
    - 88_force-no-pragma-visibility-for-gcc-4.2_4.3
    - 88_bz384304_lp117575_linkrecursion_fix_in_startscript
  - xulrunner diversion (xulrunner.{postinst,prerm,install})
  - Maintainer set to Ubuntu MOTU Developers
* Drop debian/patches/{68_python25_api_breakage.dpatch,
  88_ubuntu_pyginputstream.dpatch,88_ubuntu_pyiinputstream.dpatch}
  merged by Debian into debian/patches/35_python_2.5.dpatch
  - update debian/patches/00list
* Drop debian/patches/61_python_py_ssize_t_detect now useless
  - update debian/patches/00list
* Fix FTBFS with cairo lib needing Xrender:
  - add patch 88_bz344818_missing_library_check
  - update debian/patches/00list
* Fix FTBFS with newer nss allowing to build with either old nss 3.11
  or upcoming 3.12.
  - add patch 88_bz399589_fix_missing_symbol_with_new_nss
  - update debian/patches/00list
* Update debian/patches/99_configure.dpatch

18. By Alexander Sack

debian/control: build depend on ecj instead of ecj-bootstrap, that doesn't
exist anymore.

17. By Alexander Sack

Prepare xul 1.8 to play nicely with forthcoming xulrunner 1.9 upload:

* debian/xulrunner.install: install startup script as
  /usr/lib/xulrunner/xulrunner instead of /usr/bin/xulrunner
* debian/xulrunner.{postinst,prerm}: introduce xulrunner alternative
  to allow multiple xulrunner versions to be installed on the same
  system.
* debian/patches/88_bz384304_lp117575_linkrecursion_fix_in_startscript.dpatch:
  adapt patch from bugzilla 384304 to allow deep link recursions of xulrunner
  start script.

16. By Alexander Sack

* debian/patches/88_ubuntu_pyginputstream.dpatch,
  debian/patches/88_ubuntu_pyiinputstream.dpatch: drop patches because they
  are not applied anyway.
* debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch,
  debian/patches/00list: add anti ftbfs-on-gcc-4.2_4.3 patch to force use of
  -fvisibility=hidden instead of pragma push (hidden) even if gcc bugs are not
  detected.
* debian/patches/99_configure.dpatch: refresh configure accordingly.

15. By Alexander Sack

* replacing bogus patches that can cause access to uninitialized
  memory and that should have never ended up in here:
    - Dropped 88_ubuntu_pyginputstream.dpatch
    - Dropped 88_ubuntu_pyiinputstream.dpatch
    - Adding 61_python_py_ssize_t_detect.dpatch
    - Adding 68_python25_api_breakage.dpatch
    - Update 99_configure.dpatch because 61_python_py_ssize_t_detect.dpatch
      touches configure.in.
  New patches that do boundary checks are submitted to bugzilla
  bug 386610 and debian bug 431483.
    - update 00list accordingly

  Remaining Ubuntu Changes:
    - Adding 61_python_py_ssize_t_detect.dpatch
    - Adding 68_python25_api_breakage.dpatch
    - update 00list accordingly
    - Update 99_configure.dpatch like:
       1. dpatch-edit-patch 99_configure.dpatch
       2. autoconf2.13
       3. exit 0
    - debian/control: Change Maintainer/XSBC-Original-Maintainer field.

14. By Michele Angrisano

* Merge from Debian unstable. Remaining Ubuntu changes:
  + Fixing __x86_64__ and __ia64__ FTBFS
    - Added 88_ubuntu_pyginputstream.dpatch
    - Added 88_ubuntu_pyiinputstream.dpatch
    - update debian/patches/00list
  + debian/control: Change Maintainer/XSBC-Original-Maintainer field.

13. By Michael Bienia

Apply the fix for AMD64 also to IA64
(this should hopefully fix the FTBFS on IA64).

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/karmic/xulrunner