[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[RHSA-2007:0097-02] Critical: firefox security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2007:0097-02
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0097.html
Issue date:        2007-03-14
Updated on:        2007-03-14
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-6077 CVE-2007-0008 CVE-2007-0009 
                   CVE-2007-0775 CVE-2007-0777 CVE-2007-0778 
                   CVE-2007-0779 CVE-2007-0780 CVE-2007-0800 
                   CVE-2007-0981 CVE-2007-0994 CVE-2007-0995 
                   CVE-2007-0996 
- ---------------------------------------------------------------------

1. Summary:

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

Flaws were found in the way Firefox executed malformed JavaScript code. A
malicious web page could cause Firefox to crash or allow arbitrary code 
to be executed as the user running Firefox. (CVE-2007-0775, CVE-2007-0777)

Cross-site scripting (XSS) flaws were found in Firefox.  A malicious web
page could display misleading information, allowing a user to unknowingly
divulge sensitive information, such as a password. (CVE-2006-6077, 
CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way Firefox processed JavaScript contained in
certain tags.  A malicious web page could cause Firefox to execute
JavaScript code with the privileges of the user running Firefox.
(CVE-2007-0994)

A flaw was found in the way Firefox cached web pages on the local disk. A
malicious web page may have been able to inject arbitrary HTML into a
browsing session if the user reloaded a targeted site. (CVE-2007-0778)

Certain web content could overlay Firefox user interface elements such as
the hostname and security indicators.  A malicious web page could trick a
user into thinking they were visiting a different site. (CVE-2007-0779)

Two flaws were found in Firefox's displaying of blocked popup windows. If a
user could be convinced to open a blocked popup, it was possible to read
arbitrary local files, or conduct a cross-site scripting attack against the
user.
(CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
Firefox. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Firefox handled the "location.hostname" value.
 A malicious web page could set domain cookies for an arbitrary site, or
possibly perform a cross-site scripting attack. (CVE-2007-0981)
	
Users of Firefox are advised to upgrade to this erratum package, containing
Firefox version 1.5.0.10 which is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

230050 - CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0994, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981)

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-10.0.1.el5.src.rpm
ecc6ccfcf4c2c08e941f72f5cfeaa55c  devhelp-0.12-10.0.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.10-2.el5.src.rpm
60cf3411d9e9b68bf0f25ac3541cf23a  firefox-1.5.0.10-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/yelp-2.16.0-14.0.1.el5.src.rpm
56ce5fe3b3776b01fc7886f65ef1404b  yelp-2.16.0-14.0.1.el5.src.rpm

i386:
0774d6e92c98fd2507952d9ce59ce891  devhelp-0.12-10.0.1.el5.i386.rpm
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
39b98bd5460439dbdd1f0c495028fd33  firefox-1.5.0.10-2.el5.i386.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
7ac3f70e9c5ba8e68a068946a66a3163  yelp-2.16.0-14.0.1.el5.i386.rpm
210a17a4c674ef1863bd30498fe91a38  yelp-debuginfo-2.16.0-14.0.1.el5.i386.rpm

x86_64:
0774d6e92c98fd2507952d9ce59ce891  devhelp-0.12-10.0.1.el5.i386.rpm
2c7791aad7d6e18b322f4834088f8708  devhelp-0.12-10.0.1.el5.x86_64.rpm
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
b3bf53bcbd8f5e4bc254196496831e74  devhelp-debuginfo-0.12-10.0.1.el5.x86_64.rpm
39b98bd5460439dbdd1f0c495028fd33  firefox-1.5.0.10-2.el5.i386.rpm
a0ffe472bf6a3c517d41f0dc8900af86  firefox-1.5.0.10-2.el5.x86_64.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
1ae549e2cab746aa1e2615a6b73c5e20  firefox-debuginfo-1.5.0.10-2.el5.x86_64.rpm
502e2b4dd68c59593652bf8f44d7dee4  yelp-2.16.0-14.0.1.el5.x86_64.rpm
0974ac1fd3c19e02765a750427efae46  yelp-debuginfo-2.16.0-14.0.1.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-10.0.1.el5.src.rpm
ecc6ccfcf4c2c08e941f72f5cfeaa55c  devhelp-0.12-10.0.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.10-2.el5.src.rpm
60cf3411d9e9b68bf0f25ac3541cf23a  firefox-1.5.0.10-2.el5.src.rpm

i386:
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
ede028c4f35108e54ded794f91d4f82e  devhelp-devel-0.12-10.0.1.el5.i386.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
c334841929aae1eb36a71772f51d89da  firefox-devel-1.5.0.10-2.el5.i386.rpm

x86_64:
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
b3bf53bcbd8f5e4bc254196496831e74  devhelp-debuginfo-0.12-10.0.1.el5.x86_64.rpm
ede028c4f35108e54ded794f91d4f82e  devhelp-devel-0.12-10.0.1.el5.i386.rpm
44f47bf9e6a7ecb39f7c907ca4a381d9  devhelp-devel-0.12-10.0.1.el5.x86_64.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
1ae549e2cab746aa1e2615a6b73c5e20  firefox-debuginfo-1.5.0.10-2.el5.x86_64.rpm
c334841929aae1eb36a71772f51d89da  firefox-devel-1.5.0.10-2.el5.i386.rpm
5ba38c9a8e94ed9bb254e8b2010bdbbb  firefox-devel-1.5.0.10-2.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/devhelp-0.12-10.0.1.el5.src.rpm
ecc6ccfcf4c2c08e941f72f5cfeaa55c  devhelp-0.12-10.0.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-1.5.0.10-2.el5.src.rpm
60cf3411d9e9b68bf0f25ac3541cf23a  firefox-1.5.0.10-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/yelp-2.16.0-14.0.1.el5.src.rpm
56ce5fe3b3776b01fc7886f65ef1404b  yelp-2.16.0-14.0.1.el5.src.rpm

i386:
0774d6e92c98fd2507952d9ce59ce891  devhelp-0.12-10.0.1.el5.i386.rpm
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
ede028c4f35108e54ded794f91d4f82e  devhelp-devel-0.12-10.0.1.el5.i386.rpm
39b98bd5460439dbdd1f0c495028fd33  firefox-1.5.0.10-2.el5.i386.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
c334841929aae1eb36a71772f51d89da  firefox-devel-1.5.0.10-2.el5.i386.rpm
7ac3f70e9c5ba8e68a068946a66a3163  yelp-2.16.0-14.0.1.el5.i386.rpm
210a17a4c674ef1863bd30498fe91a38  yelp-debuginfo-2.16.0-14.0.1.el5.i386.rpm

ia64:
0543d59be616203f72d6b46b33051ac2  devhelp-0.12-10.0.1.el5.ia64.rpm
acab03e92aa6c9cf472218bd698859de  devhelp-debuginfo-0.12-10.0.1.el5.ia64.rpm
f40918a968dd3425e534e589cda9b81b  devhelp-devel-0.12-10.0.1.el5.ia64.rpm
f22781eca58556113552b288dd7fe76b  firefox-1.5.0.10-2.el5.ia64.rpm
a6aaba32c9b8522a18526640c0f8d396  firefox-debuginfo-1.5.0.10-2.el5.ia64.rpm
56ea2d1debbf5c4d7a0f1ae3ebb3e741  firefox-devel-1.5.0.10-2.el5.ia64.rpm
250095927ac38854ab4b42a473a785f7  yelp-2.16.0-14.0.1.el5.ia64.rpm
5df4b3ff6b5cb315a97b7e7f7095cda8  yelp-debuginfo-2.16.0-14.0.1.el5.ia64.rpm

ppc:
576bd9205f61c07a8328ac3309c3cccd  devhelp-0.12-10.0.1.el5.ppc.rpm
dcaf49587708080277a2f10b346babd5  devhelp-debuginfo-0.12-10.0.1.el5.ppc.rpm
57b04a6c88b63d1227129f1509ecf8ae  devhelp-devel-0.12-10.0.1.el5.ppc.rpm
266c896a44c5818506058d3f43fb510a  firefox-1.5.0.10-2.el5.ppc.rpm
6dd9e1c3f0743ec8fb388f601badebcf  firefox-debuginfo-1.5.0.10-2.el5.ppc.rpm
81d6fd77e467137a6383ebd75aac7c38  firefox-devel-1.5.0.10-2.el5.ppc.rpm
cdd89632e1d496fdc00db638bbb85297  yelp-2.16.0-14.0.1.el5.ppc.rpm
9a033f9605570160561823425b547720  yelp-debuginfo-2.16.0-14.0.1.el5.ppc.rpm

s390x:
92415d0cd192d89b829d5cea4957ffd3  devhelp-0.12-10.0.1.el5.s390.rpm
249086f31984ef20db1edcc668769c64  devhelp-0.12-10.0.1.el5.s390x.rpm
dc724a4361cb4dd66381b4d82059c8d1  devhelp-debuginfo-0.12-10.0.1.el5.s390.rpm
97a65832a3dd2f76723e0d5d9b6a6d1f  devhelp-debuginfo-0.12-10.0.1.el5.s390x.rpm
3c659c50b265f059367e3572d5dc908c  devhelp-devel-0.12-10.0.1.el5.s390.rpm
8821c3e5f96844a0563ba7a773925ea4  devhelp-devel-0.12-10.0.1.el5.s390x.rpm
0c8ef9a9f6246dd277247fedcf65e2ef  firefox-1.5.0.10-2.el5.s390.rpm
1f2fc90bc59dc42e3068fb358aec67bd  firefox-1.5.0.10-2.el5.s390x.rpm
108ef308488056b3df8feb04fc535cee  firefox-debuginfo-1.5.0.10-2.el5.s390.rpm
539070e0ca79c624a07230ee7058aff7  firefox-debuginfo-1.5.0.10-2.el5.s390x.rpm
1364113945647fd64b1d2b2b42a40d52  firefox-devel-1.5.0.10-2.el5.s390.rpm
eda1b9d310aeeb22821a0c807794349c  firefox-devel-1.5.0.10-2.el5.s390x.rpm
73bb10b49cc143dce64fafea46b74081  yelp-2.16.0-14.0.1.el5.s390x.rpm
00255312f531140dee6d191dcffbce34  yelp-debuginfo-2.16.0-14.0.1.el5.s390x.rpm

x86_64:
0774d6e92c98fd2507952d9ce59ce891  devhelp-0.12-10.0.1.el5.i386.rpm
2c7791aad7d6e18b322f4834088f8708  devhelp-0.12-10.0.1.el5.x86_64.rpm
3acf940cc0301234390c98632c69da11  devhelp-debuginfo-0.12-10.0.1.el5.i386.rpm
b3bf53bcbd8f5e4bc254196496831e74  devhelp-debuginfo-0.12-10.0.1.el5.x86_64.rpm
ede028c4f35108e54ded794f91d4f82e  devhelp-devel-0.12-10.0.1.el5.i386.rpm
44f47bf9e6a7ecb39f7c907ca4a381d9  devhelp-devel-0.12-10.0.1.el5.x86_64.rpm
39b98bd5460439dbdd1f0c495028fd33  firefox-1.5.0.10-2.el5.i386.rpm
a0ffe472bf6a3c517d41f0dc8900af86  firefox-1.5.0.10-2.el5.x86_64.rpm
4b0e34c319d80574f720840a04be6716  firefox-debuginfo-1.5.0.10-2.el5.i386.rpm
1ae549e2cab746aa1e2615a6b73c5e20  firefox-debuginfo-1.5.0.10-2.el5.x86_64.rpm
c334841929aae1eb36a71772f51d89da  firefox-devel-1.5.0.10-2.el5.i386.rpm
5ba38c9a8e94ed9bb254e8b2010bdbbb  firefox-devel-1.5.0.10-2.el5.x86_64.rpm
502e2b4dd68c59593652bf8f44d7dee4  yelp-2.16.0-14.0.1.el5.x86_64.rpm
0974ac1fd3c19e02765a750427efae46  yelp-debuginfo-2.16.0-14.0.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0996
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert redhat com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFF+BaiXlSAg2UNWIIRAokoAKCzszdtoga3C9d8uXtAegi72gD44QCgvMdN
uRs95KjG0jL0EmzKD2qQ1Kg=
=SSdn
-----END PGP SIGNATURE-----




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]