GNU bug report logs - #39766
Security-Problems, probably known


Package: gnuzilla; Reported by: Arne Wichmann <aw@HIDDEN>; dated Mon, 24 Feb 2020 15:28:02 UTC; Maintainer for gnuzilla is bug-gnuzilla@HIDDEN.

Message received at 39766 <at> debbugs.gnu.org:


From: Antonio Trande <anto.trande@HIDDEN>
X-Google-Original-From: Antonio Trande <sagitter@HIDDEN>
Subject: Re: bug#39766: Security-Problems, probably known
To: "info@HIDDEN" <info@HIDDEN>, 39766 <at> debbugs.gnu.org
References: <20200224110908.GA30626@HIDDEN>
 <368582f2-a547-5585-e995-ca343ab1927c@HIDDEN>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@HIDDEN>
Message-ID: <68eba345-dd0b-39a7-bb7e-190d6265a159@HIDDEN>
Date: Tue, 10 Mar 2020 18:24:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@HIDDEN>
Cc: help-gnuzilla@HIDDEN

These issues have been fixed with Firefox ESR 68.4.1; current IceCat
release on 68 branch is the 68.6.0. So, what's the problem?

On 10/03/20 10:29, info@HIDDEN wrote:
> Hello,
>
> It seems no one has replied to this. I think IceCat should no longer be
> recommended to users until this issue is resolved especially since
> IceCat is advertised as a browser with "Privacy protection features".
> Suffice to say such protection features are no good if the browser
> itself is vulnerable to the types of vulnerabilities as alluded to before.
>
> I understand that there aren't sufficient developers to maintain IceCat
> but that does not mean the GNU website should offer the browser without
> at least clearly addressing its potential vulnerabilities on the
> appropriate webpages.
>
> As of now, users might download, install and subsequently use IceCat
> with the understanding that they have downloaded a browser with enhanced
> privacy protection features while not being aware that it is potentially
> susceptible to recently discovered vulnerabilities.
>
> This is precisely the sort of situation that free software, and free and
> open information should prevent.
>
> I hope we can resolve this quickly.
>
> Kind regards,
> Corne
>
> On 2/24/20 7:05 PM, info@HIDDEN wrote:
>> Hello,
>>
>> I was also really wondering about this as the current version of IceCat
>> is a version of Firefox that was affected.
>>
>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>> Good day to you!
>>>
>>> I see here some security problems referenced for Firefox, which are
>>> probably applicable to Icecat, too:
>>>
>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>>   FallibleStoreElement
>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>
>>> More less critical ones are referenced, too.
>>>
>>> Are there plans to address these?
>>>
>>> cu
>>>
>>> AW
>>>


-- 
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x7B30EE04E576AA84
GPG key server: https://keys.openpgp.org/






Information forwarded to bug-gnuzilla@HIDDEN:
bug#39766; Package gnuzilla. Full text available.

Message received at 39766 <at> debbugs.gnu.org:


Subject: Re: bug#39766: Security-Problems, probably known
To: Antonio Trande <anto.trande@HIDDEN>, 39766 <at> debbugs.gnu.org
References: <20200224110908.GA30626@HIDDEN>
 <368582f2-a547-5585-e995-ca343ab1927c@HIDDEN>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@HIDDEN>
 <68eba345-dd0b-39a7-bb7e-190d6265a159@HIDDEN>
From: "info@HIDDEN" <info@HIDDEN>
Message-ID: <447714f2-3d8f-14bc-b298-51d99e00c333@HIDDEN>
Date: Tue, 10 Mar 2020 18:31:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <68eba345-dd0b-39a7-bb7e-190d6265a159@HIDDEN>
Cc: help-gnuzilla@HIDDEN

Current binary release is 60.7.0 which is vulnerable and that is the
problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D

On 3/10/20 6:24 PM, Antonio Trande wrote:
> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
> release on 68 branch is the 68.6.0. So, what's the problem?
> 
> On 10/03/20 10:29, info@HIDDEN wrote:
>> Hello,
>>
>> It seems no one has replied to this. I think IceCat should no longer be
>> recommended to users until this issue is resolved especially since
>> IceCat is advertised as a browser with "Privacy protection features".
>> Suffice to say such protection features are no good if the browser
>> itself is vulnerable to the types of vulnerabilities as alluded to before.
>>
>> I understand that there aren't sufficient developers to maintain IceCat
>> but that does not mean the GNU website should offer the browser without
>> at least clearly addressing its potential vulnerabilities on the
>> appropriate webpages.
>>
>> As of now, users might download, install and subsequently use IceCat
>> with the understanding that they have downloaded a browser with enhanced
>> privacy protection features while not being aware that it is potentially
>> susceptible to recently discovered vulnerabilities.
>>
>> This is precisely the sort of situation that free software, and free and
>> open information should prevent.
>>
>> I hope we can resolve this quickly.
>>
>> Kind regards,
>> Corne
>>
>> On 2/24/20 7:05 PM, info@HIDDEN wrote:
>>> Hello,
>>>
>>> I was also really wondering about this as the current version of IceCat
>>> is a version of Firefox that was affected.
>>>
>>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>>> Good day to you!
>>>>
>>>> I see here some security problems referenced for Firefox, which are
>>>> probably applicable to Icecat, too:
>>>>
>>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>>>   FallibleStoreElement
>>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>>
>>>> More less critical ones are referenced, too.
>>>>
>>>> Are there plans to address these?
>>>>
>>>> cu
>>>>
>>>> AW
>>>>
> 
> 





Message received at submit <at> debbugs.gnu.org:


Subject: Re: bug#39766: Security-Problems, probably known
To: bug-gnuzilla@HIDDEN
References: <20200224110908.GA30626@HIDDEN>
 <368582f2-a547-5585-e995-ca343ab1927c@HIDDEN>
From: "info@HIDDEN" <info@HIDDEN>
Message-ID: <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@HIDDEN>
Date: Tue, 10 Mar 2020 10:29:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <368582f2-a547-5585-e995-ca343ab1927c@HIDDEN>
Cc: help-gnuzilla@HIDDEN

Hello,

It seems no one has replied to this. I think IceCat should no longer be
recommended to users until this issue is resolved especially since
IceCat is advertised as a browser with "Privacy protection features".
Suffice to say such protection features are no good if the browser
itself is vulnerable to the types of vulnerabilities as alluded to before.

I understand that there aren't sufficient developers to maintain IceCat
but that does not mean the GNU website should offer the browser without
at least clearly addressing its potential vulnerabilities on the
appropriate webpages.

As of now, users might download, install and subsequently use IceCat
with the understanding that they have downloaded a browser with enhanced
privacy protection features while not being aware that it is potentially
susceptible to recently discovered vulnerabilities.

This is precisely the sort of situation that free software, and free and
open information should prevent.

I hope we can resolve this quickly.

Kind regards,
Corne

On 2/24/20 7:05 PM, info@HIDDEN wrote:
> Hello,
> 
> I was also really wondering about this as the current version of IceCat
> is a version of Firefox that was affected.
> 
> On 24-02-2020 12:09, Arne Wichmann wrote:
>> Good day to you!
>>
>> I see here some security problems referenced for Firefox, which are
>> probably applicable to Icecat, too:
>>
>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>   FallibleStoreElement
>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>
>> More less critical ones are referenced, too.
>>
>> Are there plans to address these?
>>
>> cu
>>
>> AW
>>
> 
> 
> 





Message received at submit <at> debbugs.gnu.org:


Subject: Re: bug#39766: Security-Problems, probably known
To: bug-gnuzilla@HIDDEN
References: <20200224110908.GA30626@HIDDEN>
From: "info@HIDDEN" <info@HIDDEN>
Message-ID: <368582f2-a547-5585-e995-ca343ab1927c@HIDDEN>
Date: Mon, 24 Feb 2020 19:05:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <20200224110908.GA30626@HIDDEN>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
PrimaryMX: Accepted email from trusted host. Hint: This skips spam scanning so
 make sure other host is not vulnerable
SPFCheck: Server passes SPF test, -30 Spam score
X-Relay-Host: 185.182.56.42
SpamTally: Final spam score: -30
X-AuthUser: 
X-Originating-IP: 185.182.56.82
X-SpamExperts-Domain: vserver22.axc.nl
X-SpamExperts-Username: 185.182.56.82
Authentication-Results: spamexperts.axc.nl;
 auth=pass smtp.auth=185.182.56.82@HIDDEN
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.39)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@HIDDEN
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 185.182.56.112
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Mon, 24 Feb 2020 13:14:59 -0500
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Hello,

I was also really wondering about this as the current version of IceCat
is a version of Firefox that was affected.

On 24-02-2020 12:09, Arne Wichmann wrote:
> Good day to you!
> 
> I see here some security problems referenced for Firefox, which are
> probably applicable to Icecat, too:
> 
> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>   FallibleStoreElement
> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
> 
> More, less critical ones are referenced, too.
> 
> Are there plans to address these?
> 
> cu
> 
> AW
> 




Information forwarded to bug-gnuzilla@HIDDEN:
bug#39766; Package gnuzilla. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 24 Feb 2020 15:27:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Feb 24 10:27:42 2020
Received: from localhost ([127.0.0.1]:53940 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1j6Fe2-0005Q4-49
	for submit <at> debbugs.gnu.org; Mon, 24 Feb 2020 10:27:42 -0500
Received: from lists.gnu.org ([209.51.188.17]:48199)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <aw@HIDDEN>) id 1j6Bc5-0002IV-VL
 for submit <at> debbugs.gnu.org; Mon, 24 Feb 2020 06:09:27 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:49812)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <aw@HIDDEN>) id 1j6Bc5-0006X3-0c
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 06:09:25 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,KHOP_HELO_FCRDNS,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <aw@HIDDEN>) id 1j6Bc3-0002OP-9l
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 06:09:24 -0500
Received: from penta.old-forest.org ([217.197.86.38]:47386 helo=old-forest.org)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <aw@HIDDEN>) id 1j6Bc3-0002Jy-2u
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 06:09:23 -0500
Received: from [192.168.3.5] (helo=chao)
 by old-forest.org with esmtp (Exim 4.92.2)
 (envelope-from <aw@HIDDEN>) id 1j6Bby-0005aK-Vb
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 11:09:19 +0000
Received: from [192.168.10.23] (helo=anhrefn.saar.de)
 by chao with esmtps (Exim 4.89) (envelope-from <aw@HIDDEN>)
 id 1j6BXE-00006M-Ie
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 12:04:24 +0100
Received: from aw by anhrefn.saar.de with local (Exim 4.92)
 (envelope-from <aw@HIDDEN>) id 1j6Bbp-00081b-1u
 for bug-gnuzilla@HIDDEN; Mon, 24 Feb 2020 12:09:09 +0100
Date: Mon, 24 Feb 2020 12:09:08 +0100
From: Arne Wichmann <aw@HIDDEN>
To: bug-gnuzilla@HIDDEN
Subject: Security-Problems, probably known
Message-ID: <20200224110908.GA30626@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga"
Content-Disposition: inline
X-message-flag: Outluck ist kaputt :-)
User-Agent: Mutt/1.10.1 (2018-07-13)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 217.197.86.38
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Mon, 24 Feb 2020 10:27:41 -0500
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Good day to you!

I see here some security problems referenced for Firefox, which are
probably applicable to Icecat, too:

CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
  FallibleStoreElement
CVE-2019-17017 - Type Confusion in XPCVariant.cpp

More, less critical ones are referenced, too.

Are there plans to address these?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@HIDDEN)

--opJtzjQTFsWo+cga--




Acknowledgement sent to Arne Wichmann <aw@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnuzilla@HIDDEN. Full text available.
Report forwarded to bug-gnuzilla@HIDDEN:
bug#39766; Package gnuzilla. Full text available.
Last modified: Tue, 10 Mar 2020 17:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.