mozilla: multiple vulnerabilities [LWN.net]

Package(s):

firefox, thunderbird, seamonkey

CVE #(s):

CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713 CVE-2013-1714 CVE-2013-1717

Created:

August 7, 2013

Updated:

August 30, 2013

Description:

From the CVE entries:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2013-1701)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. (CVE-2013-1709)

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. (CVE-2013-1710)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site. (CVE-2013-1713)

The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors. (CVE-2013-1714)

Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname. (CVE-2013-1717)

Alerts:

Red Hat	RHSA-2013:1140-01	2013-08-07
CentOS	CESA-2013:1140	2013-08-07
CentOS	CESA-2013:1140	2013-08-07
Debian	DSA-2735-1	2013-08-07
Mandriva	MDVSA-2013:210	2013-08-07
Scientific Linux	SL-fire-20130807	2013-08-07
Ubuntu	USN-1924-1	2013-08-06
Ubuntu	USN-1925-1	2013-08-07
Ubuntu	USN-1924-2	2013-08-06
Red Hat	RHSA-2013:1142-01	2013-08-07
CentOS	CESA-2013:1142	2013-08-07
Oracle	ELSA-2013-1140	2013-08-07
Oracle	ELSA-2013-1140	2013-08-07
Oracle	ELSA-2013-1142	2013-08-07
Scientific Linux	SL-thun-20130807	2013-08-07
Slackware	SSA:2013-219-02	2013-08-07
Slackware	SSA:2013-219-01	2013-08-07
Slackware	SSA:2013-219-03	2013-08-07
CentOS	CESA-2013:1142	2013-08-09
Fedora	FEDORA-2013-14412	2013-08-09
Fedora	FEDORA-2013-14412	2013-08-09
Fedora	FEDORA-2013-14412	2013-08-09
Mageia	MGASA-2013-0248	2013-08-12
openSUSE	openSUSE-SU-2013:1334-1	2013-08-14
SUSE	SUSE-SU-2013:1325-1	2013-08-14
Fedora	FEDORA-2013-14419	2013-08-15
Fedora	FEDORA-2013-14419	2013-08-15
Fedora	FEDORA-2013-14419	2013-08-15
openSUSE	openSUSE-SU-2013:1348-1	2013-08-16
SUSE	SUSE-SU-2013:1325-2	2013-08-23
SUSE	SUSE-SU-2013:1382-1	2013-08-27
Debian	DSA-2746-1	2013-08-29
Gentoo	201309-23	2013-09-27

(Log in to post comments)