From unknown Sun Jun 15 08:40:00 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#39766 <39766@debbugs.gnu.org>
To: bug#39766 <39766@debbugs.gnu.org>
Subject: Status: Security-Problems, probably known
Reply-To: bug#39766 <39766@debbugs.gnu.org>
Date: Sun, 15 Jun 2025 15:40:00 +0000

retitle 39766 Security-Problems, probably known
reassign 39766 gnuzilla
submitter 39766 Arne Wichmann <aw@old-forest.org>
severity 39766 normal

thanks


From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 24 10:27:42 2020
Received: (at submit) by debbugs.gnu.org; 24 Feb 2020 15:27:42 +0000
Received: from localhost ([127.0.0.1]:53940 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1j6Fe2-0005Q4-49
	for submit@debbugs.gnu.org; Mon, 24 Feb 2020 10:27:42 -0500
Received: from lists.gnu.org ([209.51.188.17]:48199)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <aw@old-forest.org>) id 1j6Bc5-0002IV-VL
 for submit@debbugs.gnu.org; Mon, 24 Feb 2020 06:09:27 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:49812)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <aw@old-forest.org>) id 1j6Bc5-0006X3-0c
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 06:09:25 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,KHOP_HELO_FCRDNS,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <aw@old-forest.org>) id 1j6Bc3-0002OP-9l
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 06:09:24 -0500
Received: from penta.old-forest.org ([217.197.86.38]:47386 helo=old-forest.org)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <aw@old-forest.org>) id 1j6Bc3-0002Jy-2u
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 06:09:23 -0500
Received: from [192.168.3.5] (helo=chao)
 by old-forest.org with esmtp (Exim 4.92.2)
 (envelope-from <aw@old-forest.org>) id 1j6Bby-0005aK-Vb
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 11:09:19 +0000
Received: from [192.168.10.23] (helo=anhrefn.saar.de)
 by chao with esmtps (Exim 4.89) (envelope-from <aw@old-forest.org>)
 id 1j6BXE-00006M-Ie
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 12:04:24 +0100
Received: from aw by anhrefn.saar.de with local (Exim 4.92)
 (envelope-from <aw@old-forest.org>) id 1j6Bbp-00081b-1u
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 12:09:09 +0100
Date: Mon, 24 Feb 2020 12:09:08 +0100
From: Arne Wichmann <aw@old-forest.org>
To: bug-gnuzilla@gnu.org
Subject: Security-Problems, probably known
Message-ID: <20200224110908.GA30626@anhrefn.saar.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga"
Content-Disposition: inline
X-message-flag: Outluck ist kaputt :-)
User-Agent: Mutt/1.10.1 (2018-07-13)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 217.197.86.38
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Mon, 24 Feb 2020 10:27:41 -0500
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)


--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Good day tou you!

I see here some security problems referenced for Firefox, which are
probably applicable to Icecat, too:

CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
  FallibleStoreElement
CVE-2019-17017 - Type Confusion in XPCVariant.cpp

More less critical ones are referenced, too.

Are there plans to adress these?

cu

AW
--=20
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@saar.de)

--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEtFUkbndwdIn81UX3EIremXYA/4kFAl5TrtQACgkQEIremXYA
/4mt9BAAnafOMCxCYfvcCPH6qd5XtbcR4kurhmjwEaoSkr4LUbnNyGK0OfxJaIL3
ENIzUKTjukEMz0rY+sLc7O36927LcQy7G6qVeZLPdAs57IKpBIJHC3TyYhJqB8gN
gjCy7KR/dta9BaF7dUnNR7tg8JD9KqyWWT4ZVr2bZMS/cNQRsmp0fY87d4gFIwI8
GJDS+qevIkB/6L3EucR/5tTOZDGYW/r9q7AuosoVhiVu4qW1i8IYBlbjGwmmwyfG
ct65sO8rBfP+jzF6t6SplHtnDEsRwJecaLskubs8rr0wff2HUMInBVrMwnyCRIHU
R4SQ84fAomK7l3K8jCAyK5HftwW78maKrqeFmECLnAB+2rblCl44+Nn5w0I5pAXH
OwioDyYjnGV1uQ/zaKIqig3xdNhcwUEZziaVwVrusxF2rGAR0KZVXHfGfYRzlR7w
nPxjlg8YJTRxjLyydOguF1HXWTr/GWaIv3fyKmmpbkYrcikPcyEvy+y8D3A/B1vR
BC9+d4aoVIz5DB7VOhlaQhdmEb8ohGhDfgO3NCVFCZtQonqgiF0npwcNuYoHqNBx
8tOLFR8LH8Ml7YBMiFvuEjI/aeh28Ce0iV/a+a+f3Gkcv+U0+30gHgxIUHEy41YD
S6pcDdq1K/RVgGBSpoc+BvdQXpltqXtMPIp5EwccIF9XXOcLb4Y=
=/ZiZ
-----END PGP SIGNATURE-----

--opJtzjQTFsWo+cga--




From debbugs-submit-bounces@debbugs.gnu.org Mon Feb 24 13:15:01 2020
Received: (at submit) by debbugs.gnu.org; 24 Feb 2020 18:15:01 +0000
Received: from localhost ([127.0.0.1]:54050 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1j6IFw-0001Zl-Ew
	for submit@debbugs.gnu.org; Mon, 24 Feb 2020 13:15:01 -0500
Received: from lists.gnu.org ([209.51.188.17]:56394)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <info@dantalion.nl>) id 1j6I7B-0001MX-EI
 for submit@debbugs.gnu.org; Mon, 24 Feb 2020 13:05:58 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:55409)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <info@dantalion.nl>) id 1j6I7A-0003nZ-Ab
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 13:05:57 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_NONE
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <info@dantalion.nl>) id 1j6I79-0001Ss-0U
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 13:05:55 -0500
Received: from s02.spamexperts.axc.nl ([185.182.56.112]:41703)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <info@dantalion.nl>) id 1j6I78-0001PM-Pt
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 13:05:54 -0500
Received: from vserver22.axc.nl ([185.182.56.82])
 by s02.spamexperts.axc.nl with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92)
 (envelope-from <info@dantalion.nl>) id 1j6I73-00084v-7u
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 19:05:51 +0100
Received: from mail.axc.nl ([185.182.56.42])
 by vserver22.axc.nl with esmtp (Exim 4.92)
 (envelope-from <info@dantalion.nl>) id 1j6I6s-001xer-M2
 for bug-gnuzilla@gnu.org; Mon, 24 Feb 2020 19:05:38 +0100
Subject: Re: bug#39766: Security-Problems, probably known
To: bug-gnuzilla@gnu.org
References: <20200224110908.GA30626@anhrefn.saar.de>
From: "info@dantalion.nl" <info@dantalion.nl>
Autocrypt: addr=info@dantalion.nl; prefer-encrypt=mutual; keydata=
 xsFNBFhJEIkBEADOo1uqQuwqWyjCd8iXWxVaGfmcaHtY/bjG8Rx5s/cB5jTwgXveG4hvEhAG
 9KajjQw9exDLcuwvMjlBY1pM0utNC3I8gK9uHwiQ5MHknL76JhvTOzVot98+pZXVIMmc0IqX
 uG53NJoxxdYNgVgcdwMJEwPdBVbUVQvHdml6HtZdJULttn0D/RDgKFrgYKrx17g0flaIU/at
 G8eR9mG0ZRWxWZcubi2je7JAVQ6Myix0alu0Dod9xR10sm4A/Hja04NAKtquj/AUa14C247q
 WpS/cvkhRTEERbkAwdCDP8zWWk/VpPWBULmlCNWuzHncMyBod82mmWDtniOKIWrUWD+7YAu2
 oN/6lffBFvQoOYwr4Fg2tTl5sXvr0++SFNOTOWgxM1dH5eGr+ge8YDibGWj4LzamfJI1bXT3
 FREM5a6/zlPVkbjuHfZ0fUl/T/9VSOhDtc6mjKRQTBOqXsMXYk3RyUyXA0y2Z9KtGRaPHjM9
 sEutKHkdZ46Fghj+K4cEau2Cru2VvJmWZtCIa0A7U8PdkLjBSlt+ZJ+9jrOKmRTODZQAf/fd
 3mbgWnn9oU+oY3t/slZQpyFE1kj2MRmVwejUEUywbMRARToPY3UhkzhtEQ8opeYcl1SHwGxq
 FM8Ip06gG9n5LewU8WOCvhnguvoDNNFkPUgG39nVzSLE2IZzKwARAQABzR1EYW50YWxpMG4g
 PGluZm9AZGFudGFsaW9uLm5sPsLBfgQTAQIAKAUCWEkQiQIbAwUJCWYBgAYLCQgHAwIGFQgC
 CQoLBBYCAwECHgECF4AACgkQU4wQwpJuFRbosA//dd8DAU6B/Y9opPOzoCz1Y0lsQXBp+FK+
 cb+dlDLNisvfsJWUgoEiaK33lOryy/eUo6DLVzIr46i9MkG9mH7Nv0Qb7GEwPpL0T5dx+cE6
 GcgyV7hEauH0Dp4elfFAfeIgjL8o2dhyrtKjMKGIAeWptcpA1C42CIk4OclvMxW6UZLYXuTd
 JFYmXtCvKkn8UBxAuwI8wORKFVmIyWwFvRYOIdMbVuxkMHbd/aCEUdDkufsZfuVkHz5F6ECI
 bCLC2bmI+25E9HZcDMtylf9BLuen2WLlQpWyN4UkiJjyHqfRBNS2r39QvXul+YXFHSigH2me
 hTKEUZ+9ZYNkler83oUb0azGPKwP0ePSgObhHv2pPIZZSFz/GXohJYEhB2QZkJV4AIOnMtlL
 4kCjwjEeulfWixtLx7k1DSmRwgvwP6v/N/yDS2O4Qv50UprOhS5OWe06+FeS5j6CMB/IhS79
 ZcCiLU3IK84FRuE3hUzw3gNMG44wzZqQ1Zps8+EKu0a9XLHhmBR+LfY/dkcrpxMnqLBgIDqu
 45o1uVYP9RjuZdtBxeOqD9Z4J5wjFK72Qfn2n620oeLGhBa/zh298fdHlAP6Pv78DmDEIWR2
 1+qbE9k0FTO43GKg+7HFyHkMN/qiperjqJ1DXXOBoqAbMcHRAr3ArrVasZHzMTe6XkNmXqSB
 FurOwU0EWEkQiQEQAJTxfbluFXZO4pxCxetZASmZ6hVmRbwWUGmnXPcgcJl/Gb+PKhPotXU2
 KgJDpvukYzMIyTc4Lb5Y9Zl50eCkqEdrdQbbCYpttOV1Nulm7gpdbzJalqZu7+WD8KFBRpSg
 9lmNvZoQluiZ2VMlYd0NhLjiOgGVL1cCuhE5730HHLc0/7zeccGL2HmVqQ5BxA46M4nha+uZ
 pydfZeEXLaZjsxHwV1j6WnH+a/DsxcCgZn5p19w+AdrGbDxCT77dLTM6kWR8abFimkooett6
 lV7sFUCoEas+6pX7UQSRTZZk7AroR5yYkRxaRz323kgcj49ePciCyM4rdVg4VopN8UzstB9s
 luIma8gKCWIdajvSGAwhdV/rRJE7bGXSKc6WhPNPR+gkRr3a2yYy/qiGJXHyTXqhecGcZqu/
 6hfphcUho01BlP9IQjnmmW+gV1wCEPiXRND7CEvV5XKq+16/jC2IkVSSN/PetF4oP5sc0GZ/
 qWCiDwShFPoX3Fcpo6n/rYL7VZG5ZmIMitYKHNTrYhfRcthR7Yxz0gse460GwpsWPl3w1TRJ
 Z0Sp4FsNYlI0M2Lf7u68ULS6T1MwjIuG2EKoF4mQzcRXAmP1OfD9HHBLcqyWZOcEz9+XmANw
 Xa532Ofwrpy+9mWiOC9iZaG/z7TORyBRBFaMHhPuEAyb3hRLNGNlABEBAAHCwWUEGAECAA8F
 AlhJEIkCGwwFCQlmAYAACgkQU4wQwpJuFRbC4Q/+J0HaQ6bEUQL5LUf6DNEzkUDAZy2q+Yiy
 npRIghU2nGbvc/Huo/uOVO8So6kxbASjEICv/dZgSsAtFCl+rLpgq1zUruYigTxml30O9EjJ
 iopRbUWMZ/9gGLkZ0Lxx02KrMP0kk8xyasnJWMarMhqZGm7WDOqRsHja8B6+K9V20yokBPZ8
 YCKMZ8jhBvn2ogVExSCbhaoezFIZRjKonok8Ra43NX3Ps0aQ5/G2rfpDEEfXE43lYe9RUnaT
 n/CKIYrvPCykkWZVHQRdxQ5mMHaIVrTwXFRpEuUyuy3CN8qtTOlfz1w1QR/AKzdyqHgA18Un
 +f1XCX0YJNJBPFhoIVfyMa2OEOL7EXN0/G0qy+Lj5KVCbDdc2frtnIF0aqd1cHvYkp+F34Ra
 enUFhAoDVrEdo8LanIaJVOqlexifE2JSBW4KSWCgKlT3aKQKazoXrkaHWo5kv7Rgx2WTJCwD
 C3Klo0pHwSXuAoDcEq9hOv2Q+4buzi4tKTzpEWL6TGtrjcYiB0xqfIZMKs2bSPxfo7GyxeAq
 Bc4Si7HRzsg4Rv4As6sdyb6E8jWskWe0gt7gtP0PQB9xZRkP2dIyA6AI7IeLSYfAgmEDLW/t
 MVl6UJcU6I2YOJ9H8sWLy6Rhd6Y+rOKKr59dP9UKxGh+Z5mY8cGR3uVoRTFrfU8yw/BCHkcO 4W8=
Message-ID: <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
Date: Mon, 24 Feb 2020 19:05:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <20200224110908.GA30626@anhrefn.saar.de>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
PrimaryMX: Accepted email from trusted host. Hint: This skips spam scanning so
 make sure other host is not vulnerable
SPFCheck: Server passes SPF test, -30 Spam score
X-Relay-Host: 185.182.56.42
SpamTally: Final spam score: -30
X-AuthUser: 
X-Originating-IP: 185.182.56.82
X-SpamExperts-Domain: vserver22.axc.nl
X-SpamExperts-Username: 185.182.56.82
Authentication-Results: spamexperts.axc.nl;
 auth=pass smtp.auth=185.182.56.82@vserver22.axc.nl
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.39)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0eYBE/I2+wvb5IJ3WTuccampSDasLI4SayDByyq9LIhVdnb6eh2Mad9a
 6RimvoHbC0TNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDQGbTc3ZGTZa+rTPXxdGs0FKC
 ZuDzeM/QymeO8B9NFMmoGdZc/C9BM3Zwm6KQcdC/QVFPFt+4EqMnp4CTDhVg0lKlzDUUdXZXKiJE
 9FAeBYpBbCpe79Kozx0nomzoHNuE3M5vj1mDOPKpdpCGjirSghKXEGJ0Tua96W0W3xbHbuwNjS91
 xLLHjz8tOnVewUzjK7zD8+2VdbSTJCSyYgZzt99gQK3D3eDvx0S6Eeo7KsUpk7cjbWy91pm/jG4G
 U42zKLTFpngmCzMfOMV6XuhaofZKWD9oWdUil6qsNtvy2jQf7lN25FLvYrmmV4cTlBHfdCZm6kTr
 qH+fmxyzQoG+NtezYqxGMqsKjARq8PBC4qjD+4dJhUym39SjYnQVEUVBkxwuudjecZtFeqTLBVNZ
 aJ9TrjYo22Tif+7yfJXbGyN6EipRzMVZ5LqwTx7Vvn9SP+LiFhV9TEgXGI3XmDfDnNTJRxEGU2Da
 RttYwn1TGi12IXMmVAQPt11XkEwxOYwNZPcytf1kxCJwvehZcCCrC5G9nwrglhrrfuarY2+8I92c
 dXV7LSoYz5iFheogXHzf5L7jRXQ1s5g5AllOOECxDZq7xqDoiTjjGpNS1XGXbXIqJ+ZN4bITaKN5
 n7YEltBiuJoevVTmoeXfaVS7ga0qElPrUoH2tvxl37FSEzkqC/3RCwXTJopjKJhdgGe0IyFDIbtf
 63VNbf0lrvssY+k7ALKRmTa5VFvlmwmdHh2582BhskTn1DOWgs8ZFF04wLkfoF7v+ap0oBiqDUek
 XtdxPDnCpc370COEMoySnnDCdTC4brFV2mGtSlhA75FqrK3cBZ6++DfkTVlBWsR5QGklueMZzqho
 KSP8IceFEZcohuLhYJZfEc4CpfbHSlMZ/VUqT4cG8eHoZAvkGaGh2Q6N6A==
X-Report-Abuse-To: spam@s01.spamexperts.axc.nl
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 185.182.56.112
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Mon, 24 Feb 2020 13:14:59 -0500
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Hello,

I was also really wondering about this as the current version of IceCat
is a version of Firefox that was affected.

On 24-02-2020 12:09, Arne Wichmann wrote:
> Good day tou you!
> 
> I see here some security problems referenced for Firefox, which are
> probably applicable to Icecat, too:
> 
> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>   FallibleStoreElement
> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
> 
> More less critical ones are referenced, too.
> 
> Are there plans to adress these?
> 
> cu
> 
> AW
> 




From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 10 10:28:43 2020
Received: (at submit) by debbugs.gnu.org; 10 Mar 2020 14:28:43 +0000
Received: from localhost ([127.0.0.1]:53026 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jBfsA-0007aK-SW
	for submit@debbugs.gnu.org; Tue, 10 Mar 2020 10:28:43 -0400
Received: from lists.gnu.org ([209.51.188.17]:44496)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <info@dantalion.nl>) id 1jBb8k-0003Wz-Ji
 for submit@debbugs.gnu.org; Tue, 10 Mar 2020 05:25:31 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48092)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <info@dantalion.nl>) id 1jBb8j-0003Aw-EL
 for bug-gnuzilla@gnu.org; Tue, 10 Mar 2020 05:25:30 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_NONE,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <info@dantalion.nl>) id 1jBb8i-00079o-5T
 for bug-gnuzilla@gnu.org; Tue, 10 Mar 2020 05:25:29 -0400
Received: from s02.spamexperts.axc.nl ([185.182.56.112]:41493)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <info@dantalion.nl>)
 id 1jBb8f-0006x2-Cl; Tue, 10 Mar 2020 05:25:25 -0400
Received: from vserver22.axc.nl ([185.182.56.82])
 by s02.spamexperts.axc.nl with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92)
 (envelope-from <info@dantalion.nl>)
 id 1jBb8W-0003vu-1j; Tue, 10 Mar 2020 10:25:21 +0100
Received: from mail.axc.nl ([185.182.56.42])
 by vserver22.axc.nl with esmtp (Exim 4.92)
 (envelope-from <info@dantalion.nl>)
 id 1jBb8L-006yeh-79; Tue, 10 Mar 2020 10:25:05 +0100
Subject: Re: bug#39766: Security-Problems, probably known
To: bug-gnuzilla@gnu.org
References: <20200224110908.GA30626@anhrefn.saar.de>
 <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
From: "info@dantalion.nl" <info@dantalion.nl>
Message-ID: <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
Date: Tue, 10 Mar 2020 10:29:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 8bit
PrimaryMX: Accepted email from trusted host. Hint: This skips spam scanning so
 make sure other host is not vulnerable
SPFCheck: Server passes SPF test, -30 Spam score
X-Relay-Host: 185.182.56.42
SpamTally: Final spam score: -60
X-AuthUser: 
X-Originating-IP: 185.182.56.82
X-SpamExperts-Domain: vserver22.axc.nl
X-SpamExperts-Username: 185.182.56.82
Authentication-Results: spamexperts.axc.nl;
 auth=pass smtp.auth=185.182.56.82@vserver22.axc.nl
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.37)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0c21/ZGerkmA2qMAhBYlqympSDasLI4SayDByyq9LIhVeAA4E8d7j74C
 HouF4CpeQUTNWdUk1Ol2OGx3IfrIJKyP9eGNFz9TW9u+Jt8z2T3KePJuGUY65Cj4Uh2i3OwwYuIB
 FIzMWo6hpoEMRIgL+9sn0zGVpG0c6zkK2erhX3IBQEJ7CzvDpS++3d23c94qhq8uYoOybhvnnFLf
 wJrV7qYxOEnX8zgzl/R7TYEOW+/nF3ec9p+LIJZNn+ZU1p8L27r+KYLTTm/GWD/uBn6U0gY04npx
 Wlq2P0Wj4LKWBk7zwmsL1QouhwwuwaEg6acCMy2UzZMb4kuX6D5eETmGUuUcqbdy+7WYS7ujrPXH
 qhox0HpT3S2SFmqVvJUoDpLg153GLC8mUuZ69ZuJHxVoTX+2hjnXmPuZpD5ALRwGiv0ZChNE2HVO
 gSnsCR/VCR1em3TaVz/7pRFegyFAy3NGHeok5WBPmXJ/Kdaz6RuuD9cuo6y2shoCA2iF+tBt75gH
 +amHZ7x6u9Brd8pYitTyb+KBE9EEBMUUr/EeHfiqlF+7YOaeuiH/yEdZH8S1+TgcJBOjh0vPxcQO
 jKKOrYIQYpwamUdylUIKhf3z2GAHxH7ItK/fbC3fJgkL7hvQ995X8KTY4Zbeyl3eNW4IAoy5+BdB
 Xz790yMtq6d2IMRosM1Lz4gcUBegcV7vZJaIiEo2SD9VKXB7fqUmI5FNjfBO/A7g7tbTiKU7sa8y
 wZQEu33tERWeKKG4PAQYNyavp7c49EN7brS9MRCben9MugshJqaLGcWW448WoxHX6ojCPCMQFRFM
 a/vW1Fx3U8kCRfDyui3LCmcldLypr1tqR1P42GAHvzL7egntIuzWc454Pn0ilnL0+YNBRaTiw1qA
 w0rTAH6m+UeFXprlCOm3BAEbJtCtRwosParqTl7hy89HQrA8BIExPWPgIB62PjgcP/Vy4jfV62kT
 ht0+bD/yaxKQmg6tP1GMDhHqwwIEZ7GVleVYMG1QP35nsYfP84c+RFK3KqN3P9gfVJTm3zezSOvX
 iuQZrqpC1wjAV/qK1pG17sL3
X-Report-Abuse-To: spam@s01.spamexperts.axc.nl
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 185.182.56.112
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: submit
X-Mailman-Approved-At: Tue, 10 Mar 2020 10:28:40 -0400
Cc: help-gnuzilla@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Hello,

It seems no one has replied to this. I think IceCat should no longer be
recommended to users until this issue is resolved especially since
IceCat is advertised as a browser with "Privacy protection features".
Suffice to say such protection features are no good if the browser
itself is vulnerable to the types of vulnerabilities as eluded to before.

I understand that there aren't sufficient developers to maintain IceCat
but that does not mean the GNU website should offer the browser without
at least clearly addressing it's potential vulnerabilities on the
appropriate webpages.

As of now, users might download, install and subsequently use IceCat
with the understanding that they have downloaded a browser with enhanced
privacy protection features while not being aware that it is potentially
susceptible to recently discovered vulnerabilities.

This is precisely the sort of situation that free software, and free and
open information should prevent.

I hope we can resolve this quickly.

Kind regards,
Corne

On 2/24/20 7:05 PM, info@dantalion.nl wrote:
> Hello,
> 
> I was also really wondering about this as the current version of IceCat
> is a version of Firefox that was affected.
> 
> On 24-02-2020 12:09, Arne Wichmann wrote:
>> Good day tou you!
>>
>> I see here some security problems referenced for Firefox, which are
>> probably applicable to Icecat, too:
>>
>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>   FallibleStoreElement
>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>
>> More less critical ones are referenced, too.
>>
>> Are there plans to adress these?
>>
>> cu
>>
>> AW
>>
> 
> 
> 




From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 10 13:27:21 2020
Received: (at 39766) by debbugs.gnu.org; 10 Mar 2020 17:27:21 +0000
Received: from localhost ([127.0.0.1]:53238 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jBif0-0005YT-OM
	for submit@debbugs.gnu.org; Tue, 10 Mar 2020 13:27:19 -0400
Received: from s02.spamexperts.axc.nl ([185.182.56.112]:53047)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <info@dantalion.nl>) id 1jBiew-0005YE-E9
 for 39766@debbugs.gnu.org; Tue, 10 Mar 2020 13:27:15 -0400
Received: from vserver22.axc.nl ([185.182.56.82])
 by s02.spamexperts.axc.nl with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92)
 (envelope-from <info@dantalion.nl>)
 id 1jBieh-0005NE-Au; Tue, 10 Mar 2020 18:27:07 +0100
Received: from mail.axc.nl ([185.182.56.42])
 by vserver22.axc.nl with esmtp (Exim 4.92)
 (envelope-from <info@dantalion.nl>)
 id 1jBieM-008lcG-8j; Tue, 10 Mar 2020 18:26:38 +0100
Subject: Re: bug#39766: Security-Problems, probably known
To: Antonio Trande <anto.trande@gmail.com>, 39766@debbugs.gnu.org
References: <20200224110908.GA30626@anhrefn.saar.de>
 <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
 <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
From: "info@dantalion.nl" <info@dantalion.nl>
Message-ID: <447714f2-3d8f-14bc-b298-51d99e00c333@dantalion.nl>
Date: Tue, 10 Mar 2020 18:31:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
PrimaryMX: Accepted email from trusted host. Hint: This skips spam scanning so
 make sure other host is not vulnerable
SPFCheck: Server passes SPF test, -30 Spam score
X-Relay-Host: 185.182.56.42
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software,
 running on the system "vserver22.axc.nl", 
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: Current binary release is 60.7.0 which is vulnerable and that
 is the problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D On 3/10/20
 6:24 PM, Antonio Trande wrote: > These issues have been fixed with Firefox
 ESR 68.4.1; current IceCat > release on 68 branch is the 68.6.0. So, what's
 the problem? > > On 10/03/20 10:29, in [...] 
 Content analysis details:   (0.0 points, 5.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
 blocked.  See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [URIs: gnu.org]
SpamTally: Final spam score: -90
X-AuthUser: 
X-Originating-IP: 185.182.56.82
X-SpamExperts-Domain: vserver22.axc.nl
X-SpamExperts-Username: 185.182.56.82
Authentication-Results: spamexperts.axc.nl;
 auth=pass smtp.auth=185.182.56.82@vserver22.axc.nl
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.38)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0c21/ZGerkmA2qMAhBYlqympSDasLI4SayDByyq9LIhVV3P7+zsTsdAW
 TjhbpwStAkTNWdUk1Ol2OGx3IfrIJKyP9eGNFz9TW9u+Jt8z2T3KePJuGUY65Cj4Uh2i3OwwYkYA
 pUp/khQ8H7I+V6VJNBdi8wWc+4yCPv0u8PqCFiEnIYC5b43V6PyRGXLrVQdw5PqSjx73F0p/XGxX
 8YQS/6K/q5f5MtjuoCH585QksFvpWmuNA8WTybi1JN85FSnfKQQaH2wjyOen9n43sb5/bwtpw2IT
 CGzTa8j2UYVqjPqMPx7YKSc64FgIFBfuASKVtwbG1HJMGGaR7kqafQye7jY7YxJrtChiZZEdCQqr
 ceoTbmvTNWWAwO5ZPceCdI3FV4H8dkRkFi5XTKWKzjwdbpCb662/rVKGbaZ5TUU0LhsTBQUpxGu6
 0ep3MKn/Zxd12697IdvSIUBO8mbZ+L0zAAGo2nDJJ7etIbmtBL4g5Nq7vvE/X9f4ikS6v/cnqp1T
 bBmSvC6qJad8oDRDO7zv2HyUKXBN5egnPhpSCzBGhpXdr4g47/dXqNFGfPUjdI4X5Q2QEetkvH00
 /xmn6oF5z8skuB4fLNdsm49znGEOwW1RyaT+fhnmPmZ+OUuV5BM6eyy5Vo6xOiF9lxkCbdmQZuSv
 ViZm4XpHa4HCbA5RwXWosUtN6Zd4kJhNnLO7YVLjnuJrRiSq8ksEBlGWXxXc8TirIo0LA+KZk1ak
 xG4AJe2OzhRC7isOoIq7T/qV3mBwXVMwvu8lQhYAhscMiq2v7oKxgvqz+DMwHjW2kjiNWALMUyQ5
 +BVz8/sZB2WQ295Xe/5HTkpQ5VFDq5iH+oIzk3hP2ts4KzDEMQk6HpPAIpm9XPWlFdaGOH191uXj
 gjQN/cAhfvkuvQuvUgfMQyJsPqpCLx99Idn15jlF1y/kvN+ftz0IZNnK945Xfgrb1AV15ncehzMV
 YKlZeUETYXlVkozvpZLSAr3jBzAtGBhZHAsUVOtEHDFKmZKcB0WKucuGpzKuauQo9YUZtcE0zacu
 y9Bgicwe2ic7PfN3cCzD4rmaMJM04c3rsnK5BEzcM+hsjg==
X-Report-Abuse-To: spam@s01.spamexperts.axc.nl
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 39766
Cc: help-gnuzilla@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Current binary release is 60.7.0 which is vulnerable and that is the
problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D

On 3/10/20 6:24 PM, Antonio Trande wrote:
> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
> release on 68 branch is the 68.6.0. So, what's the problem?
> 
> On 10/03/20 10:29, info@dantalion.nl wrote:
>> Hello,
>>
>> It seems no one has replied to this. I think IceCat should no longer be
>> recommended to users until this issue is resolved especially since
>> IceCat is advertised as a browser with "Privacy protection features".
>> Suffice to say such protection features are no good if the browser
>> itself is vulnerable to the types of vulnerabilities as eluded to before.
>>
>> I understand that there aren't sufficient developers to maintain IceCat
>> but that does not mean the GNU website should offer the browser without
>> at least clearly addressing it's potential vulnerabilities on the
>> appropriate webpages.
>>
>> As of now, users might download, install and subsequently use IceCat
>> with the understanding that they have downloaded a browser with enhanced
>> privacy protection features while not being aware that it is potentially
>> susceptible to recently discovered vulnerabilities.
>>
>> This is precisely the sort of situation that free software, and free and
>> open information should prevent.
>>
>> I hope we can resolve this quickly.
>>
>> Kind regards,
>> Corne
>>
>> On 2/24/20 7:05 PM, info@dantalion.nl wrote:
>>> Hello,
>>>
>>> I was also really wondering about this as the current version of IceCat
>>> is a version of Firefox that was affected.
>>>
>>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>>> Good day tou you!
>>>>
>>>> I see here some security problems referenced for Firefox, which are
>>>> probably applicable to Icecat, too:
>>>>
>>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>>>   FallibleStoreElement
>>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>>
>>>> More less critical ones are referenced, too.
>>>>
>>>> Are there plans to adress these?
>>>>
>>>> cu
>>>>
>>>> AW
>>>>
> 
> 




From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 10 13:27:39 2020
Received: (at 39766) by debbugs.gnu.org; 10 Mar 2020 17:27:39 +0000
Received: from localhost ([127.0.0.1]:53240 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jBifL-0005Yz-C2
	for submit@debbugs.gnu.org; Tue, 10 Mar 2020 13:27:39 -0400
Received: from mail-wm1-f50.google.com ([209.85.128.50]:54324)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <anto.trande@gmail.com>) id 1jBicV-0005Tb-Sm
 for 39766@debbugs.gnu.org; Tue, 10 Mar 2020 13:24:44 -0400
Received: by mail-wm1-f50.google.com with SMTP id n8so2322832wmc.4
 for <39766@debbugs.gnu.org>; Tue, 10 Mar 2020 10:24:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:subject:to:cc:references:autocrypt:message-id:date:user-agent
 :mime-version:in-reply-to;
 bh=UVhxcfsgE9nKeNQJV1shWLC8HlEZtQWA274STPss2UI=;
 b=vEEfx/f252ZyhEoMbNJosjUsadcmuIgfZyrPWbeyd0KZYfPUem1H4pnmA99l5jwflB
 90ONfWztIQQX6ZqsTLdah9O/uVhDZvN8S7qEGThnCdsN1AdEoEBfSUPiFr/kN4KL/sD7
 3XBR9gWmH1+Ze3mTSM16ImdR8Ey+zWQKLU087aibGSFJwz4XJWxbQpjhPdlacAHIAHmy
 YlrK5NaTIF3lXIjo0KTH1arue5cguF8VVnRdGnllHZnXmvUdEADfUHHqeVwytZNYYauv
 XPA1x42K6cwxAagyRe/O6g9tp8xwiRiYoPgFt7hss+4lBbNvnZIjaKggBkKfBEfGNkq2
 lfPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:subject:to:cc:references:autocrypt
 :message-id:date:user-agent:mime-version:in-reply-to;
 bh=UVhxcfsgE9nKeNQJV1shWLC8HlEZtQWA274STPss2UI=;
 b=TFmsS7jL6glACINVUTY4y58DhUt0TInr4HBKC/Ed/zTa2nAQp9up46pq15wVjg2O1t
 7k87HnV4EB3k3yRcca1YlMHRkLhfKr4esSH28HzXwbzDBmgM2dS/CnRg0GfdEd026Osw
 WqhPzljtknEF5lx/hte6jZIzkWY74Ml2WF/zKhOy3W6yPJx6rWm83Zqmj+ziLu9KN/XS
 4bLHmskfS/z1CdFYalHtEdpLoKhVzG76Zoda/DFS5aLGy5m6vqPod8ymh9rGXdb6qRzV
 Im1hIqquPvWDqtxq2l/sHtyDN+v0ffxqnnYlFff0LlkctYg1bzzHyrD+q5t8zwzudWd2
 aAhA==
X-Gm-Message-State: ANhLgQ0IlZLuxqPtwWOH58eaPQx6VzUbyjJvp/2JsJ/6pZLq86i7OWE3
 x2FVDpUCtZaoZk0JyzDzVAE=
X-Google-Smtp-Source: ADFU+vsEb8s3VHfniplGiJ/tp2/GJOaxF4yTUYNaoP6cSilwus7eC7ptH1XPsnQ+TaHPwfSmxcSc0A==
X-Received: by 2002:a1c:9d09:: with SMTP id g9mr3224051wme.68.1583861077878;
 Tue, 10 Mar 2020 10:24:37 -0700 (PDT)
Received: from localhost.localdomain ([37.77.122.222])
 by smtp.gmail.com with ESMTPSA id c3sm16389595wrw.95.2020.03.10.10.24.33
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 10 Mar 2020 10:24:37 -0700 (PDT)
From: Antonio Trande <anto.trande@gmail.com>
X-Google-Original-From: Antonio Trande <sagitter@fedoraproject.org>
Subject: Re: bug#39766: Security-Problems, probably known
To: "info@dantalion.nl" <info@dantalion.nl>, 39766@debbugs.gnu.org
References: <20200224110908.GA30626@anhrefn.saar.de>
 <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
Autocrypt: addr=sagitter@fedoraproject.org; prefer-encrypt=mutual; keydata=
 mQSuBF2y7VURDAD3VN0+cpPnzexleHqLyrd/nbOygmhJVbITCnLU0cHdfMov0Qup1cyU5wYO
 s7YG1PJBvwI6bRQkpTpaNS9ECSn6PNraZzPI8dvpZwTlFWNXhV5iFL9sYVRZRKsMKXDwi+mu
 IqgawSEqAeZ4aW1TfNItSFq0lX6xgxczxDJgibelquHfV5Nhpe7WUEDSld3WpVIgMFyUk/vG
 d/vw1nHZyE7jmQURaeWbAtjbGjMDNMQLf9wTnXPGU5OlS+Wx5J3Pom5Qk97aFAUQPogFmuxM
 qgNqSNxRLkckfbVNMwbhePXDnyKeQUTTGFel+P5NYlM4vZ+3SmJqC/Cw8+o7F/jNLKR5ZUxH
 3YOFYHC6GX3aA9eA47u+nNhOCMhjYM6fuM6cce9p37C4EC4FBwvjZHZm3m+QhH0zyJdP1uE6
 xdUeMNe6Z+x9x8qx1wChp87MRhQ92xscpOloi/1d6Yu20tYST+XzHbRhPYkjD721qmhXwaL2
 WYsZ29i2O7zqimgTOxMHdl8BANewKKtyFEBRsImMbkdF9CG5rLXJhKOoiY6MOZUL7+0vC/oC
 57Q1p5GN/gZs2pPhXP1ycE5S6bqxglyS2qabIAHeMqi2eKGphkVHkqmH7OH3dvbFwqi1/kKs
 lTzBD1KbFfBdZrEdyG9/zsiiDHwXTVrESD7BosXaa4DHN+LxCMeSBYp3CY55d8o1Bsl7TCQz
 NdalVpwtBI1q2nzgOM0aXZyRom022BeuJpyOX+lyiw3LefdsDD9bHP1nOQ/Y/8HzWWmdVcjJ
 U4bi44bBYhTps5rzR+m2R0u4BEBm1hIE/FyaeMsO/HMzY/LU9cF8nc+rTYRywgmWp8/XNXEY
 vBOQ/ZlM/QTlcu97NQQWI9Q/7jdHQAKvgC5O7wT/NN6Kr7zpt+fyPOVv27hnI3SEx1S1Ko5u
 6RE32whkBlF7ortd1UDCkHA/PDhAkim2x38XD+yJ50FFwiOs5eCTXYKSPMtnLJYe0M0W5Se3
 8Nr9jzxMxuw+87XhxAtybey2heNun2n71gOZtdS5Ll0QaL7o2OqQiWv4+vZ5Mx4AbWlQUJ3M
 qCtGTF8L/0lvwFU7C4rDlLnlzWppJGuwTZiutWdPNq1PHtrplEapOw9V/gpwtFefxgh7810l
 uDDYA6T2jreV6gCEhn85zdjwJSUH5tyFIHVWxWxAjvL8DtW7MFXKGm8Mb98lK4cmT4Iq5aHy
 c5+IoZYuE8WJ3x9zgXCRe/ob3bGMU6LTuazS13VcoeytrmzdH88UkUVMkIFUSlFcYMpdgyv7
 LBb0QXaHLdttJeY3YNfCpcEOrfffzm/UJ9tTrb5ZW6pLQz0oebTNchbpPzebnckfjrwDReqL
 +OXGiOa4jzR2Gg6vijgpVGgwrGGoh0kPcx3Qj1CQzpk5h7e5D7/5tF/kcf2grxNuZmms0qH5
 xBCDZUtSqt4Ta+rVfKRk+70Orez5uYf+BbpLmVy2Em5eFNyKD9+eW/uYRaRn5tg8mDjlVDNn
 CZm1CU6lQP+VQ9STg04OL+KZeXfim1XH3dC85Bd83I7ncdcWwm2oBAoWK/RqxFnHC38TvxNy
 ZI9arD49aphfHWPuN7RBQW50b25pbyBUcmFuZGUgKEZlZG9yYSBQcm9qZWN0IDIwMjApIDxz
 YWdpdHRlckBmZWRvcmFwcm9qZWN0Lm9yZz6IlgQTEQgAPhYhBMp8RITaal0/cG930nsw7gTl
 dqqEBQJdsu1VAhsDBQkB66fbBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHsw7gTldqqE
 z+EA/2iKoToDux82nIGdGxuukwZHM2fv/zed76yhJp0pBnLyAP9b0ufjfzM2J8sKGgsTRbDq
 GEw3INc9iNQKWolgjEd4q7kEDQRdsu1VEBAAybID/xTY53ajol+tm2eQze1K/E9OEFtuXfQK
 0QLyf/ZGYzWK0d92HDjj7u/K2BRPh4oQSC3M6pXsWMdEAslcGGFFsn2qZmpbt6/wujCrNc3X
 9AMsoBSHi5cPEZ9EGRz2FVS3gSPIF7oHg3i8tuhAg/rvCX4r5cs5/AXxXdycuIqMJDH/JyBE
 zarxAIa433b3KKu4GhYbAFFbgeUJAdGUMGjtPozOqY+fY43eyhFG4nYTM31nwD6KxK67V7Ts
 WKTOAu8XeOpz2Wov09H42Buq+FkStk0xLGV8lYXCvhx0O0zxSSXoS6ve0XyLFKIgff8k/GTN
 HVMq6v3syMEJqI8PNm5MAIyQBJdRJyKHkgjiSfctd15i1qYQF+4UWQvWcZGjPwD22PI71bge
 mOrkxMzUezngV9dMJoIhPakXzl5X2+1yNl0QlviaVxrgvvEN0kgi60x/wH6B1lo/MPiiE9zi
 xF8b0YjO0Gte59LDLU0HMEOZhXH6oXfJy73i1VLzZuExpfO4MYsxYQYKhxkT+9R8B7JxgUSu
 YQiJL4eNXXeIWdthIRwM1+YU5s3CHuQ+AV1Y+0zIWQSC7Npx0o1ClI8BZELdgAZxRHroUjEN
 Q0pP3isfkCocth6eoVd6E2MHpRRS3b6xZQUMr3GSBUhEmIH1iomB6OijiYueznh0ALSmLj8A
 BA0QAJwyo2EX6HVDHBWHiGzE/Yh4nrsu9Z5Z2G0h0INuKC81TQtaL/Em6cHu23aO7jNIm7jJ
 yi4Jv2oFVtOVFWcCdRSDOjJwfiVG6BgX6X0oer4/kJzKLecS4fkSHcmtHluKBZUsgslvyEAJ
 +CncPYIuo+YyjfJy/uQfSF1CJl7dWTzm6mKEiusENZu579bQ8H+nVlNYEbqXLHEICdT7i13s
 QHIDacpiuycPVcofVUqV9XRVgEZ7Kk4GgkVNuIsossr0JoFVcOP0JZHzJQkPcl8SVlqSoeO3
 YrSp3LfQacJAw6ku0XOIepQNh+iw4SCEJ6IUwm2E1TDVEMuWqWNOXUpmFU4BtHH14l4D7Rzr
 zdlZ+a5NK+PRzIHcFm/MGplEeMjopQG95sd3hqrka5CLpIViwt9es/4KMb5au+odo/f7p1xS
 PoZ2MxfkMTiLOHMBkitcA4t8fVWX+ztNWOl8mvdZATZQnKm+A61Wxq2dEXOoCbCe+enD2kGL
 NtLc+h5fOVdTnQrtU1CJ5QcmUNQqXn4LFtRS+vo1DW6klrHWE3fVdWZYlebOMUdbTXgaOhl+
 l/fnAAUIdMEvf+Z+9Kf+VkdzfDJhXRry8kkAqVMT12BUwJK/C50wEpk8fo+J1pmOuUv/tqMd
 W2Cr/4ZNJ/ugKjyvi5BZnDe3JQDeJzlkp5qH6fejiH4EGBEIACYWIQTKfESE2mpdP3Bvd9J7
 MO4E5XaqhAUCXbLtVQIbDAUJAeun2wAKCRB7MO4E5XaqhJ/IAQDDGUy4hWJi6lPiSwB3KUi/
 PY0O+1dDM4d5xaPdkIk2RAEA1Dtll06A/WX/f6JxgxxUcaTE+jXrEzb4uy60ywJusyM=
Message-ID: <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
Date: Tue, 10 Mar 2020 18:24:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="U8KAxmgVweIEn5CWnY2cNaxvZ7UmjCWHY"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 39766
X-Mailman-Approved-At: Tue, 10 Mar 2020 13:27:37 -0400
Cc: help-gnuzilla@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--U8KAxmgVweIEn5CWnY2cNaxvZ7UmjCWHY
Content-Type: multipart/mixed; boundary="Vo92cqJLCZGHtumAmHAZxjCcqrHIAUVTW"

--Vo92cqJLCZGHtumAmHAZxjCcqrHIAUVTW
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

These issues have been fixed with Firefox ESR 68.4.1; current IceCat
release on 68 branch is the 68.6.0. So, what's the problem?

On 10/03/20 10:29, info@dantalion.nl wrote:
> Hello,
>=20
> It seems no one has replied to this. I think IceCat should no longer be=

> recommended to users until this issue is resolved especially since
> IceCat is advertised as a browser with "Privacy protection features".
> Suffice to say such protection features are no good if the browser
> itself is vulnerable to the types of vulnerabilities as eluded to befor=
e.
>=20
> I understand that there aren't sufficient developers to maintain IceCat=

> but that does not mean the GNU website should offer the browser without=

> at least clearly addressing it's potential vulnerabilities on the
> appropriate webpages.
>=20
> As of now, users might download, install and subsequently use IceCat
> with the understanding that they have downloaded a browser with enhance=
d
> privacy protection features while not being aware that it is potentiall=
y
> susceptible to recently discovered vulnerabilities.
>=20
> This is precisely the sort of situation that free software, and free an=
d
> open information should prevent.
>=20
> I hope we can resolve this quickly.
>=20
> Kind regards,
> Corne
>=20
> On 2/24/20 7:05 PM, info@dantalion.nl wrote:
>> Hello,
>>
>> I was also really wondering about this as the current version of IceCa=
t
>> is a version of Firefox that was affected.
>>
>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>> Good day tou you!
>>>
>>> I see here some security problems referenced for Firefox, which are
>>> probably applicable to Icecat, too:
>>>
>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
>>>   FallibleStoreElement
>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>
>>> More less critical ones are referenced, too.
>>>
>>> Are there plans to adress these?
>>>
>>> cu
>>>
>>> AW
>>>


--=20
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x7B30EE04E576AA84
GPG key server: https://keys.openpgp.org/


--Vo92cqJLCZGHtumAmHAZxjCcqrHIAUVTW--

--U8KAxmgVweIEn5CWnY2cNaxvZ7UmjCWHY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iHUEAREIAB0WIQTKfESE2mpdP3Bvd9J7MO4E5XaqhAUCXmfNSwAKCRB7MO4E5Xaq
hDjzAQDQuwUovMKltVpj3W2vfQ7UGm891t3+Npk7PONv6dglaAEAg7luqDiCewIO
cOpkWi8i3pyy2fbCAoM7KnCGh6yAasc=
=gJDW
-----END PGP SIGNATURE-----

--U8KAxmgVweIEn5CWnY2cNaxvZ7UmjCWHY--




From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 10 14:03:36 2020
Received: (at 39766) by debbugs.gnu.org; 10 Mar 2020 18:03:36 +0000
Received: from localhost ([127.0.0.1]:53275 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jBjE7-0008Sp-GE
	for submit@debbugs.gnu.org; Tue, 10 Mar 2020 14:03:36 -0400
Received: from mail-wm1-f45.google.com ([209.85.128.45]:35223)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <anto.trande@gmail.com>) id 1jBip4-0007pv-QM
 for 39766@debbugs.gnu.org; Tue, 10 Mar 2020 13:37:43 -0400
Received: by mail-wm1-f45.google.com with SMTP id m3so2355283wmi.0
 for <39766@debbugs.gnu.org>; Tue, 10 Mar 2020 10:37:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:subject:to:cc:references:autocrypt:message-id:date:user-agent
 :mime-version:in-reply-to;
 bh=BgCI12hnj3NhIYJV31Vw/eOoSvk/wDDe1ptXftT/Nfw=;
 b=QrV4fIQs0Tkqhal7oSkS9NaTUVwQQCUft93vNmzhEXy7xr9lLGRWqf64TYJNePzqNf
 KT77uXUwhfMEhE6d6CtzXtO0pTNU8DHw1fUiQ7XzWFRkdO5I/Z2sKdI6VPbC0q3jAl4R
 wHHpsUhsX8nHbEKzyNR/0x+rBeA9Jph5jIPjnyon5kInvloVrzKont75kjxRT2YPRaZ0
 R6jXq8/swH43NTmFC5XKOFlCT0MQK8sidw4ex+KcoH3GqzVDJjrkcxZvWvNWc3n3RQjH
 C7X9NkXkiwQPdj8upKVOBfBi9ZzljqRFnLAaZXvuxAyKQAUleM+QO18UGzW69aIASZ1c
 SyPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:subject:to:cc:references:autocrypt
 :message-id:date:user-agent:mime-version:in-reply-to;
 bh=BgCI12hnj3NhIYJV31Vw/eOoSvk/wDDe1ptXftT/Nfw=;
 b=gQe4XVIXhSFEtXz8B0E0rq4gztZtVEpvsuG2/l8Hh/qpebiR6c04uUl7lPzCvYf1oI
 LkmTLw9olL51QTI2o+b5O7FVPvCiULxUHOheJyL8lfunwti5LpfiRQI1f+KUtM7Yeegv
 HrIFthFGVlKnLZoi4aFPEHUwIIPySFP6+WNAZN0aTJtCGLdl15EaW5SY6tiUI9Exyu81
 RSY6lXNJHnS7manDYjyq/PGlKXQLHgD5Tcr5JByYPCu57aJ1nrrIenSLLtyw17Ms4L7o
 48rBLo22vI3mW3Z53o+l0kyS5aitypHsjvCEM4/ZWBMoxb6IUOsFEOjqvKFOLpwBK/40
 tJZw==
X-Gm-Message-State: ANhLgQ1WIX6XmLYrygwdzo3Yw7BHMhMJxs3oMjMWp99x81+I+EdEsgv0
 8SQB017TlXNxduw03d+TUN4=
X-Google-Smtp-Source: ADFU+vuzqOrJAWHIwrPcMEYgsx25mT6ucz12kb3vVHRTepg0dTg6NKZLf/mhNUEVYUz8OwpSz71dBg==
X-Received: by 2002:a1c:2c03:: with SMTP id s3mr59776wms.177.1583861855912;
 Tue, 10 Mar 2020 10:37:35 -0700 (PDT)
Received: from localhost.localdomain ([37.77.122.222])
 by smtp.gmail.com with ESMTPSA id y200sm2478222wmc.20.2020.03.10.10.37.34
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 10 Mar 2020 10:37:35 -0700 (PDT)
From: Antonio Trande <anto.trande@gmail.com>
X-Google-Original-From: Antonio Trande <sagitter@fedoraproject.org>
Subject: Re: bug#39766: Security-Problems, probably known
To: 39766@debbugs.gnu.org, help-gnuzilla@gnu.org
References: <20200224110908.GA30626@anhrefn.saar.de>
 <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
 <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
 <447714f2-3d8f-14bc-b298-51d99e00c333@dantalion.nl>
Autocrypt: addr=sagitter@fedoraproject.org; prefer-encrypt=mutual; keydata=
 mQSuBF2y7VURDAD3VN0+cpPnzexleHqLyrd/nbOygmhJVbITCnLU0cHdfMov0Qup1cyU5wYO
 s7YG1PJBvwI6bRQkpTpaNS9ECSn6PNraZzPI8dvpZwTlFWNXhV5iFL9sYVRZRKsMKXDwi+mu
 IqgawSEqAeZ4aW1TfNItSFq0lX6xgxczxDJgibelquHfV5Nhpe7WUEDSld3WpVIgMFyUk/vG
 d/vw1nHZyE7jmQURaeWbAtjbGjMDNMQLf9wTnXPGU5OlS+Wx5J3Pom5Qk97aFAUQPogFmuxM
 qgNqSNxRLkckfbVNMwbhePXDnyKeQUTTGFel+P5NYlM4vZ+3SmJqC/Cw8+o7F/jNLKR5ZUxH
 3YOFYHC6GX3aA9eA47u+nNhOCMhjYM6fuM6cce9p37C4EC4FBwvjZHZm3m+QhH0zyJdP1uE6
 xdUeMNe6Z+x9x8qx1wChp87MRhQ92xscpOloi/1d6Yu20tYST+XzHbRhPYkjD721qmhXwaL2
 WYsZ29i2O7zqimgTOxMHdl8BANewKKtyFEBRsImMbkdF9CG5rLXJhKOoiY6MOZUL7+0vC/oC
 57Q1p5GN/gZs2pPhXP1ycE5S6bqxglyS2qabIAHeMqi2eKGphkVHkqmH7OH3dvbFwqi1/kKs
 lTzBD1KbFfBdZrEdyG9/zsiiDHwXTVrESD7BosXaa4DHN+LxCMeSBYp3CY55d8o1Bsl7TCQz
 NdalVpwtBI1q2nzgOM0aXZyRom022BeuJpyOX+lyiw3LefdsDD9bHP1nOQ/Y/8HzWWmdVcjJ
 U4bi44bBYhTps5rzR+m2R0u4BEBm1hIE/FyaeMsO/HMzY/LU9cF8nc+rTYRywgmWp8/XNXEY
 vBOQ/ZlM/QTlcu97NQQWI9Q/7jdHQAKvgC5O7wT/NN6Kr7zpt+fyPOVv27hnI3SEx1S1Ko5u
 6RE32whkBlF7ortd1UDCkHA/PDhAkim2x38XD+yJ50FFwiOs5eCTXYKSPMtnLJYe0M0W5Se3
 8Nr9jzxMxuw+87XhxAtybey2heNun2n71gOZtdS5Ll0QaL7o2OqQiWv4+vZ5Mx4AbWlQUJ3M
 qCtGTF8L/0lvwFU7C4rDlLnlzWppJGuwTZiutWdPNq1PHtrplEapOw9V/gpwtFefxgh7810l
 uDDYA6T2jreV6gCEhn85zdjwJSUH5tyFIHVWxWxAjvL8DtW7MFXKGm8Mb98lK4cmT4Iq5aHy
 c5+IoZYuE8WJ3x9zgXCRe/ob3bGMU6LTuazS13VcoeytrmzdH88UkUVMkIFUSlFcYMpdgyv7
 LBb0QXaHLdttJeY3YNfCpcEOrfffzm/UJ9tTrb5ZW6pLQz0oebTNchbpPzebnckfjrwDReqL
 +OXGiOa4jzR2Gg6vijgpVGgwrGGoh0kPcx3Qj1CQzpk5h7e5D7/5tF/kcf2grxNuZmms0qH5
 xBCDZUtSqt4Ta+rVfKRk+70Orez5uYf+BbpLmVy2Em5eFNyKD9+eW/uYRaRn5tg8mDjlVDNn
 CZm1CU6lQP+VQ9STg04OL+KZeXfim1XH3dC85Bd83I7ncdcWwm2oBAoWK/RqxFnHC38TvxNy
 ZI9arD49aphfHWPuN7RBQW50b25pbyBUcmFuZGUgKEZlZG9yYSBQcm9qZWN0IDIwMjApIDxz
 YWdpdHRlckBmZWRvcmFwcm9qZWN0Lm9yZz6IlgQTEQgAPhYhBMp8RITaal0/cG930nsw7gTl
 dqqEBQJdsu1VAhsDBQkB66fbBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHsw7gTldqqE
 z+EA/2iKoToDux82nIGdGxuukwZHM2fv/zed76yhJp0pBnLyAP9b0ufjfzM2J8sKGgsTRbDq
 GEw3INc9iNQKWolgjEd4q7kEDQRdsu1VEBAAybID/xTY53ajol+tm2eQze1K/E9OEFtuXfQK
 0QLyf/ZGYzWK0d92HDjj7u/K2BRPh4oQSC3M6pXsWMdEAslcGGFFsn2qZmpbt6/wujCrNc3X
 9AMsoBSHi5cPEZ9EGRz2FVS3gSPIF7oHg3i8tuhAg/rvCX4r5cs5/AXxXdycuIqMJDH/JyBE
 zarxAIa433b3KKu4GhYbAFFbgeUJAdGUMGjtPozOqY+fY43eyhFG4nYTM31nwD6KxK67V7Ts
 WKTOAu8XeOpz2Wov09H42Buq+FkStk0xLGV8lYXCvhx0O0zxSSXoS6ve0XyLFKIgff8k/GTN
 HVMq6v3syMEJqI8PNm5MAIyQBJdRJyKHkgjiSfctd15i1qYQF+4UWQvWcZGjPwD22PI71bge
 mOrkxMzUezngV9dMJoIhPakXzl5X2+1yNl0QlviaVxrgvvEN0kgi60x/wH6B1lo/MPiiE9zi
 xF8b0YjO0Gte59LDLU0HMEOZhXH6oXfJy73i1VLzZuExpfO4MYsxYQYKhxkT+9R8B7JxgUSu
 YQiJL4eNXXeIWdthIRwM1+YU5s3CHuQ+AV1Y+0zIWQSC7Npx0o1ClI8BZELdgAZxRHroUjEN
 Q0pP3isfkCocth6eoVd6E2MHpRRS3b6xZQUMr3GSBUhEmIH1iomB6OijiYueznh0ALSmLj8A
 BA0QAJwyo2EX6HVDHBWHiGzE/Yh4nrsu9Z5Z2G0h0INuKC81TQtaL/Em6cHu23aO7jNIm7jJ
 yi4Jv2oFVtOVFWcCdRSDOjJwfiVG6BgX6X0oer4/kJzKLecS4fkSHcmtHluKBZUsgslvyEAJ
 +CncPYIuo+YyjfJy/uQfSF1CJl7dWTzm6mKEiusENZu579bQ8H+nVlNYEbqXLHEICdT7i13s
 QHIDacpiuycPVcofVUqV9XRVgEZ7Kk4GgkVNuIsossr0JoFVcOP0JZHzJQkPcl8SVlqSoeO3
 YrSp3LfQacJAw6ku0XOIepQNh+iw4SCEJ6IUwm2E1TDVEMuWqWNOXUpmFU4BtHH14l4D7Rzr
 zdlZ+a5NK+PRzIHcFm/MGplEeMjopQG95sd3hqrka5CLpIViwt9es/4KMb5au+odo/f7p1xS
 PoZ2MxfkMTiLOHMBkitcA4t8fVWX+ztNWOl8mvdZATZQnKm+A61Wxq2dEXOoCbCe+enD2kGL
 NtLc+h5fOVdTnQrtU1CJ5QcmUNQqXn4LFtRS+vo1DW6klrHWE3fVdWZYlebOMUdbTXgaOhl+
 l/fnAAUIdMEvf+Z+9Kf+VkdzfDJhXRry8kkAqVMT12BUwJK/C50wEpk8fo+J1pmOuUv/tqMd
 W2Cr/4ZNJ/ugKjyvi5BZnDe3JQDeJzlkp5qH6fejiH4EGBEIACYWIQTKfESE2mpdP3Bvd9J7
 MO4E5XaqhAUCXbLtVQIbDAUJAeun2wAKCRB7MO4E5XaqhJ/IAQDDGUy4hWJi6lPiSwB3KUi/
 PY0O+1dDM4d5xaPdkIk2RAEA1Dtll06A/WX/f6JxgxxUcaTE+jXrEzb4uy60ywJusyM=
Message-ID: <7b96ebda-cedb-1eec-42ea-134482c0a22e@fedoraproject.org>
Date: Tue, 10 Mar 2020 18:37:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <447714f2-3d8f-14bc-b298-51d99e00c333@dantalion.nl>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="GvsTpLYdy6fT2w4JA7vPFwr86VmWOhJdS"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 39766
X-Mailman-Approved-At: Tue, 10 Mar 2020 14:03:33 -0400
Cc: Mark H Weaver <mhw@netris.org>, "info@dantalion.nl" <info@dantalion.nl>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--GvsTpLYdy6fT2w4JA7vPFwr86VmWOhJdS
Content-Type: multipart/mixed; boundary="hUzBv8oj6jX4Kp4VmSBbZ16z8Ckz041J0"

--hUzBv8oj6jX4Kp4VmSBbZ16z8Ckz041J0
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

@Mark,

do you why the binary releases are not spread?

On 10/03/20 18:31, info@dantalion.nl wrote:
> Current binary release is 60.7.0 which is vulnerable and that is the
> problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=3DM;O=3DD
>=20
> On 3/10/20 6:24 PM, Antonio Trande wrote:
>> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
>> release on 68 branch is the 68.6.0. So, what's the problem?
>>
>> On 10/03/20 10:29, info@dantalion.nl wrote:
>>> Hello,
>>>
>>> It seems no one has replied to this. I think IceCat should no longer =
be
>>> recommended to users until this issue is resolved especially since
>>> IceCat is advertised as a browser with "Privacy protection features".=

>>> Suffice to say such protection features are no good if the browser
>>> itself is vulnerable to the types of vulnerabilities as eluded to bef=
ore.
>>>
>>> I understand that there aren't sufficient developers to maintain IceC=
at
>>> but that does not mean the GNU website should offer the browser witho=
ut
>>> at least clearly addressing it's potential vulnerabilities on the
>>> appropriate webpages.
>>>
>>> As of now, users might download, install and subsequently use IceCat
>>> with the understanding that they have downloaded a browser with enhan=
ced
>>> privacy protection features while not being aware that it is potentia=
lly
>>> susceptible to recently discovered vulnerabilities.
>>>
>>> This is precisely the sort of situation that free software, and free =
and
>>> open information should prevent.
>>>
>>> I hope we can resolve this quickly.
>>>
>>> Kind regards,
>>> Corne
>>>
>>> On 2/24/20 7:05 PM, info@dantalion.nl wrote:
>>>> Hello,
>>>>
>>>> I was also really wondering about this as the current version of Ice=
Cat
>>>> is a version of Firefox that was affected.
>>>>
>>>> On 24-02-2020 12:09, Arne Wichmann wrote:
>>>>> Good day tou you!
>>>>>
>>>>> I see here some security problems referenced for Firefox, which are=

>>>>> probably applicable to Icecat, too:
>>>>>
>>>>> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and=

>>>>>   FallibleStoreElement
>>>>> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>>>>>
>>>>> More less critical ones are referenced, too.
>>>>>
>>>>> Are there plans to adress these?
>>>>>
>>>>> cu
>>>>>
>>>>> AW
>>>>>
>>
>>

--=20
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x7B30EE04E576AA84
GPG key server: https://keys.openpgp.org/


--hUzBv8oj6jX4Kp4VmSBbZ16z8Ckz041J0--

--GvsTpLYdy6fT2w4JA7vPFwr86VmWOhJdS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iHUEAREIAB0WIQTKfESE2mpdP3Bvd9J7MO4E5XaqhAUCXmfQWAAKCRB7MO4E5Xaq
hIzMAP0fnv/61KYxsmpWg3NpwlexhnP0VFP5v1+oGv5g2W/9qgD/acNXuP7q53ab
XB7jlwrxaYQQmohi86ZoJUD6l6aFmyw=
=qsmf
-----END PGP SIGNATURE-----

--GvsTpLYdy6fT2w4JA7vPFwr86VmWOhJdS--




From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 11 17:07:13 2020
Received: (at 39766) by debbugs.gnu.org; 11 Mar 2020 21:07:13 +0000
Received: from localhost ([127.0.0.1]:55647 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1jC8ZN-0003wg-Bd
	for submit@debbugs.gnu.org; Wed, 11 Mar 2020 17:07:13 -0400
Received: from penta.old-forest.org ([217.197.86.38]:33294 helo=old-forest.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <aw@old-forest.org>) id 1jC7i7-0000ZR-Jr
 for 39766@debbugs.gnu.org; Wed, 11 Mar 2020 16:12:12 -0400
Received: from [192.168.3.5] (helo=chao)
 by old-forest.org with esmtp (Exim 4.92.2)
 (envelope-from <aw@old-forest.org>)
 id 1jC7hx-0004pS-IV; Wed, 11 Mar 2020 20:12:01 +0000
Received: from [192.168.10.23] (helo=anhrefn.saar.de)
 by chao with esmtps (Exim 4.89) (envelope-from <aw@old-forest.org>)
 id 1jC7cg-0007MQ-IT; Wed, 11 Mar 2020 21:06:34 +0100
Received: from aw by anhrefn.saar.de with local (Exim 4.92)
 (envelope-from <aw@old-forest.org>)
 id 1jC7he-0005RX-Hu; Wed, 11 Mar 2020 21:11:42 +0100
Date: Wed, 11 Mar 2020 21:11:42 +0100
From: Arne Wichmann <aw@old-forest.org>
To: Antonio Trande <anto.trande@gmail.com>
Subject: Success report (was Re: bug#39766: Security-Problems, probably known)
Message-ID: <20200311201142.GA20882@anhrefn.saar.de>
References: <20200224110908.GA30626@anhrefn.saar.de>
 <368582f2-a547-5585-e995-ca343ab1927c@dantalion.nl>
 <1d0e372c-1427-ae8d-8fde-4cf6385bd6ff@dantalion.nl>
 <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="k1lZvvs/B4yU6o8G"
Content-Disposition: inline
In-Reply-To: <68eba345-dd0b-39a7-bb7e-190d6265a159@fedoraproject.org>
X-message-flag: Outluck ist kaputt :-)
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 39766
X-Mailman-Approved-At: Wed, 11 Mar 2020 17:07:12 -0400
Cc: 39766@debbugs.gnu.org, help-gnuzilla@gnu.org,
 "info@dantalion.nl" <info@dantalion.nl>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Good day!

begin  quotation  from Antonio Trande (in <68eba345-dd0b-39a7-bb7e-190d6265=
a159@fedoraproject.org>):
> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
> release on 68 branch is the 68.6.0. So, what's the problem?

So, first a success report - I was able to compile Icecat using the version
=66rom the 68 branch. And it seems to work.

Second: what are the reasons why this is not yet merged back into master
and released? Can I possibly help with that?

cu

AW
--=20
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@saar.de)

--k1lZvvs/B4yU6o8G
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEtFUkbndwdIn81UX3EIremXYA/4kFAl5pRf4ACgkQEIremXYA
/4m11xAAkInJLmpM+oACXFzXihg88VQS1gTGIFA8gP/hczOsxW45PEe4uI32p3Rr
sTmPi4EeY76sseQP2CILgGaGJKU28KEQKvF2XXzjfvQ4oFWCz+zzzCYH1OMjQoh1
mX1e6MgdBR/prGSsTBQfHNqKgdxqcoujatGdKy0eCYik8yIwdzMZqDMRgLXCmF+G
0LbgYEly+Xs9YSzGYQBqftomzK87A/le+p8iJGugDEVBaRh0NndlnJUqZrL8j75W
IJkbDCmt/N/1ou8SN3uhxYAeFo6I+QG7z8dZ5M4/N3bJjZ4Z7hcsK84E/uvvu0vC
CPxfKTVDWXqy0IIfR9a/p6uS+HEqLxg5WsrSFYrjnyINpGeFXRFnuZ5UruVZVgB5
xtzMnI8YjvmKuccdEzA5vuYt+toJ8TDOrGZVQJuz7QgBrG0DemW0cr8+0asN77oh
hmnUc8tL2Ol7ppFRxzNUXioc2zPmCslG+C5pMrbXQrLp28ncuGLWhBf6ki92uS4C
bgLdOug8qFJ3xBMF02HLuxtiVEgGio9yknvr3JE3ydl/5gN3RMiYl0N0oulj2gJD
2zy2MqOE68MUteuV1oTdH8/OhgIAkYZI6fQillb6ya6Mha4R3d0+5Ls1El5+LI6e
mjzhqRDuB03L6cJmSzmV1t8rZ1e3Bp3yiAj9aHanLik0QVSsqm0=
=YFCs
-----END PGP SIGNATURE-----

--k1lZvvs/B4yU6o8G--