User: Password:
|
|
Subscribe / Log in / New account

Fedora-Legacy alert FLSA:152883 (mozilla)

From:  Marc Deslauriers <marcdeslauriers@videotron.ca>
To:  bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject:  [FLSA-2005:152883] Updated mozilla packages fix security issues
Date:  Wed, 18 May 2005 16:48:04 -0400

--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated mozilla packages fix security issues Advisory ID: FLSA:152883 Issue date: 2005-05-18 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2004-0906 CAN-2004-1156 CAN-2004-1316 CAN-2004-1380 CAN-2004-1613 CAN-2005-0141 CAN-2005-0142 CAN-2005-0578 CAN-2005-0143 CAN-2005-0593 CAN-2005-0144 CAN-2005-0146 CAN-2005-0147 CAN-2005-0149 CAN-2005-0231 CAN-2005-0232 CAN-2005-0527 CAN-2005-0233 CAN-2005-0399 CAN-2005-0401 CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0590 CAN-2005-0591 CAN-2005-0588 CAN-2005-0989 CAN-2005-1153 CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160 CAN-2005-1156 CAN-2005-1157 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated mozilla packages that fix various bugs are now available. Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was found in the way Mozilla sets file permissions when installing XPI packages. It is possible for an XPI package to install some files world readable or writable, allowing a malicious local user to steal information or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to this issue. A bug was found in the way Mozilla handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156) iSEC Security Research has discovered a buffer overflow bug in the way Mozilla handles NNTP URLs. If a user visits a malicious web page or is convinced to click on a malicious link, it may be possible for an attacker to execute arbitrary code on the victim's machine. (CAN-2004-1316) A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. (CAN-2004-1380) A bug was found in the way Mozilla handles certain start tags followed by a NULL character. A malicious web page could cause Mozilla to crash when viewed by a victim. (CAN-2004-1613) A bug was found in the way Mozilla loads links in a new tab which are middle clicked. A malicious web page could read local files or modify privileged chrom settings. (CAN-2005-0141) Several bugs were found with the way Mozilla handles temporary files. A local user could view sensitive temporary information or delete arbitrary files. (CAN-2005-0142 CAN-2005-0578) Several bugs were found with the way Mozilla displays the secure site icon. It is possible that a malicious website could display the secure site icon along with incorrect certificate information. (CAN-2005-0143 CAN-2005-0593) A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targetted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. (CAN-2005-0144) A bug was found in the way Mozilla handles synthetic middle click events. It is possible for a malicious web page to steal the contents of a victims clipboard. (CAN-2005-0146) A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious webserver to steal credentials from a victims browser by issuing a 407 proxy authentication request. (CAN-2005-0147) A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. (CAN-2005-0149) A bug was found in the Mozilla javascript security manager. If a user drags a malicious link to a tab, the javascript security manager is bypassed, which could result in remote code execution or information disclosure. (CAN-2005-0231) A bug was found in the way Mozilla allows plug-ins to load privileged content into a frame. It is possible that a malicious webpage could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527) A flaw was found in the way Mozilla displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate webpage when they are not. (CAN-2005-0233) A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. (CAN-2005-0399) A bug was found in the way Mozilla processes XUL content. If a malicious web page can trick a user into dragging an object, it is possible to load malicious XUL content. (CAN-2005-0401) Several bugs were found in the way Mozilla displays alert dialogs. It is possible for a malicious webserver or website to trick a user into thinking the dialog window is being generated from a trusted site. (CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0590 CAN-2005-0591) A bug was found in the way Mozilla handles xsl:include and xsl:import directives. It is possible for a malicious website to import XSLT stylesheets from a domain behind a firewall, leaking information to an attacker. (CAN-2005-0588) A bug was found in the way Mozilla handles anonymous functions during regular expression string replacement. It is possible for a malicious web page to capture a random block of browser memory. (CAN-2005-0989) A bug was found in the way Mozilla displays pop-up windows. If a user choses to open a pop-up window whose URL is malicious javascript, the script will be executed with elevated privileges. (CAN-2005-1153) Several bugs were found in the Mozilla javascript engine. A malicious web page could leverage these issues to execute javascript with elevated privileges or steal sensitive information. (CAN-2005-1154 CAN-2005-1155 CAN-2005-1159 CAN-2005-1160) A bug was found in the way Mozilla installed search plugins. If a user chooses to install a search plugin from a malicious site, the new plugin could silently overwrite an existing plugin. This could allow the malicious plugin to execute arbitrary code and stealm sensitive information. (CAN-2005-1156 CAN-2005-1157) Users of Mozilla are advised to upgrade to this updated package which contains Mozilla version 1.7.7 to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152883 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS... http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS... i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... http://download.fedoralegacy.org/redhat/7.3/updates/i386/... Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/m... http://download.fedoralegacy.org/redhat/9/updates/SRPMS/g... i386: http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/mo... http://download.fedoralegacy.org/redhat/9/updates/i386/ga... Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/m... http://download.fedoralegacy.org/fedora/1/updates/SRPMS/e... i386: http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/mo... http://download.fedoralegacy.org/fedora/1/updates/i386/ep... Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/m... http://download.fedoralegacy.org/fedora/2/updates/SRPMS/e... http://download.fedoralegacy.org/fedora/2/updates/SRPMS/d... i386: http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/mo... http://download.fedoralegacy.org/fedora/2/updates/i386/ep... http://download.fedoralegacy.org/fedora/2/updates/i386/de... http://download.fedoralegacy.org/fedora/2/updates/i386/de... 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 9acd3892e1ec3b272274ed250f630e316e72334c redhat/7.3/updates/i386/mozilla-1.7.7-0.73.2.legacy.i386.rpm bdf6c767bd8d8a1dc74138e8da7c1672b1934764 redhat/7.3/updates/i386/mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm 7168b5bfcd5a090b62464f8b7d82d20bff365ba5 redhat/7.3/updates/i386/mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm 6baa66d77ecbaf4aefcd99e42dbc81dee8b5533b redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm c8fd69f3e6e3a63554382ec412208f74a48ba8fe redhat/7.3/updates/i386/mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm 83a181ed9ecade3c9cb3cd3f64ac7cdd5add9057 redhat/7.3/updates/i386/mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm 904dd59f1b4d5e4426232549848b83a9e407e2ba redhat/7.3/updates/i386/mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm 3513150062f0d54dfa14f3d4fc320114b72a95ad redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm f56ac87aae05c1530cfc49844f59410ac3db82d9 redhat/7.3/updates/i386/mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm d4a42d185260a6778133dc51beb0098b637306c5 redhat/7.3/updates/i386/mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm 8f731240e4c04d12861836a20ebd51faac33db54 redhat/7.3/updates/SRPMS/mozilla-1.7.7-0.73.2.legacy.src.rpm 265ca0a31dd9a66b3de6364b1a8e0bab108ebedc redhat/7.3/updates/i386/galeon-1.2.14-0.73.2.legacy.i386.rpm 591f6a2ab89ae9b5995cc172017bc8d5b39f0236 redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.2.legacy.src.rpm 3d70328b95b7af8ebb4a808ed2c6d58f8d8d3f32 redhat/9/updates/i386/mozilla-1.7.7-0.90.1.legacy.i386.rpm f0602f47ebb9e66a600749832bf68b63787bde35 redhat/9/updates/i386/mozilla-chat-1.7.7-0.90.1.legacy.i386.rpm 005590efef49bb5d39f665d61b335496ca18798d redhat/9/updates/i386/mozilla-devel-1.7.7-0.90.1.legacy.i386.rpm 5a54884ce7108215746ac96668018bdbe2e70494 redhat/9/updates/i386/mozilla-dom-inspector-1.7.7-0.90.1.legacy.i386.rpm 5fd7e6f7145787da6926807ad22a8cddaa14b927 redhat/9/updates/i386/mozilla-js-debugger-1.7.7-0.90.1.legacy.i386.rpm 0ea4683b6d02b6605e7c515ee6c4717ee443eee3 redhat/9/updates/i386/mozilla-mail-1.7.7-0.90.1.legacy.i386.rpm cd8c01029571274c79dc3b0b083a68f61f8276b4 redhat/9/updates/i386/mozilla-nspr-1.7.7-0.90.1.legacy.i386.rpm c043f95965b668bc18adb9a58b8e0f332f295285 redhat/9/updates/i386/mozilla-nspr-devel-1.7.7-0.90.1.legacy.i386.rpm 1b9952e1ae88be813398d47c56ccdb1c6297defb redhat/9/updates/i386/mozilla-nss-1.7.7-0.90.1.legacy.i386.rpm 0048ddbfbccca48c2e3a20d436a8eeaeaa5e7d27 redhat/9/updates/i386/mozilla-nss-devel-1.7.7-0.90.1.legacy.i386.rpm 3ef84161c6d31a0a022e30dccfa38c3e48bfc826 redhat/9/updates/SRPMS/mozilla-1.7.7-0.90.1.legacy.src.rpm f34febaaa2e03ffc62097a8abf977cfa98bce03a redhat/9/updates/i386/galeon-1.2.14-0.90.2.legacy.i386.rpm 72ddc204978e74630ef9cab1e17a80a6a2e06658 redhat/9/updates/SRPMS/galeon-1.2.14-0.90.2.legacy.src.rpm 57100cb971334d7af508b63786aa08605515ca1c fedora/1/updates/i386/mozilla-1.7.7-1.1.2.legacy.i386.rpm d46f3963c22c7dd5460e5dcb54fe48001b9f2bf0 fedora/1/updates/i386/mozilla-chat-1.7.7-1.1.2.legacy.i386.rpm c1fb6304d59a2b40afb0f897068d4790f7188d58 fedora/1/updates/i386/mozilla-devel-1.7.7-1.1.2.legacy.i386.rpm 2e6e6c51cc5f2ec33ed9da3f3cba5b8894cc41c6 fedora/1/updates/i386/mozilla-dom-inspector-1.7.7-1.1.2.legacy.i386.rpm c341b4c436e57743b14fb535117fd22b0cbec5d9 fedora/1/updates/i386/mozilla-js-debugger-1.7.7-1.1.2.legacy.i386.rpm 7132f5a85829789980a6d3e99dcb8b693c2ca2f5 fedora/1/updates/i386/mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm 97fc2ebf5fac4a9db7515d6ce040f69800d4b76f fedora/1/updates/i386/mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm 4fc55c563a2dab1acea189205a74a55a3193fd90 fedora/1/updates/i386/mozilla-nspr-devel-1.7.7-1.1.2.legacy.i386.rpm 013b70581b5719c09d31a3cd642c9508326ee785 fedora/1/updates/i386/mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm 0b166a9b048615bed8963512f3c14d0fe2b55df3 fedora/1/updates/i386/mozilla-nss-devel-1.7.7-1.1.2.legacy.i386.rpm 78028c39bd74519585f30c5e9fb1811c17174ae6 fedora/1/updates/SRPMS/mozilla-1.7.7-1.1.2.legacy.src.rpm 288dc1525d58a9bfb547dae233217f8560f793da fedora/1/updates/i386/epiphany-1.0.8-1.fc1.2.legacy.i386.rpm 6d7fc5695a4dc5dfda8061d6f15f5f49d9e0ca25 fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.2.legacy.src.rpm e30cf25bc4833e0b19464b80edc6a40a022d84ec fedora/2/updates/i386/mozilla-1.7.7-1.2.2.legacy.i386.rpm f6272d64f623060b3e3c312a51d9c4cf79517dbf fedora/2/updates/i386/mozilla-chat-1.7.7-1.2.2.legacy.i386.rpm 3de604792b03c9be05094f93dfab05dc4025bf28 fedora/2/updates/i386/mozilla-devel-1.7.7-1.2.2.legacy.i386.rpm be68ea6a7694e26583788619fd2983d79e7de2a0 fedora/2/updates/i386/mozilla-dom-inspector-1.7.7-1.2.2.legacy.i386.rpm 5fb0ec03a8477716720fa5717096f51b947b3fc7 fedora/2/updates/i386/mozilla-js-debugger-1.7.7-1.2.2.legacy.i386.rpm eaad0dd9b651f50a95645a483874e388c8e8d6ff fedora/2/updates/i386/mozilla-mail-1.7.7-1.2.2.legacy.i386.rpm eab0bd24445c45116bb438c3ab039549aeaf9fff fedora/2/updates/i386/mozilla-nspr-1.7.7-1.2.2.legacy.i386.rpm 230443db97ade4cd419149aac9be2647b9d8e1a9 fedora/2/updates/i386/mozilla-nspr-devel-1.7.7-1.2.2.legacy.i386.rpm 93d1521088d28943d1bb8a3f95b9fe33afbb6cce fedora/2/updates/i386/mozilla-nss-1.7.7-1.2.2.legacy.i386.rpm 69f0872295fcc76410236cbdcfa68ad714fd1019 fedora/2/updates/i386/mozilla-nss-devel-1.7.7-1.2.2.legacy.i386.rpm 9ee87c561862efad6914604117ca1b77347ddce2 fedora/2/updates/SRPMS/mozilla-1.7.7-1.2.2.legacy.src.rpm 2a2d210670d354d8640266735d2ce15ca3a6c637 fedora/2/updates/i386/epiphany-1.2.10-0.2.3.legacy.i386.rpm 0b8dcb95ee3ac871fac5adda63cbe1ec62340540 fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.3.legacy.src.rpm 50bab23717bd9e8f80c1f037d89fea75c240404a fedora/2/updates/i386/devhelp-0.9.1-0.2.6.legacy.i386.rpm 19dd014eda39deb1bafdfa34c47a4e81bf9cf880 fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.6.legacy.i386.rpm 1fa21cf570fa5a210594820c17eacfe764df8a52 fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.6.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0906 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1316 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1380 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1613 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0141 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0147 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0149 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0586 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0989 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1154 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1155 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1159 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1156 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1157 9. Contact: The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds