[gentoo-announce] [ GLSA 200703-05 ] Mozilla Suite: Multiple vulnerabilities - gentoo-announce

From:	Raphael Marichez <falco@g.o>
To:	gentoo-announce@g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200703-05 ] Mozilla Suite: Multiple vulnerabilities
Date:	Sat, 03 Mar 2007 16:50:32
Message-Id:	`20070303163419.GB8439@falco.falcal.net`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200703-05

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Mozilla Suite: Multiple vulnerabilities

9

      Date: March 03, 2007

10

      Bugs: #135257

11

        ID: 200703-05

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Several vulnerabilities exist in the Mozilla Suite, which is no longer

19

supported by the Mozilla project.

20

21

Background

22

==========

23

24

The Mozilla Suite is a popular all-in-one web browser that includes a

25

mail and news reader.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package                 /  Vulnerable  /               Unaffected

32

    -------------------------------------------------------------------

33

  1  www-client/mozilla          <= 1.7.13                 Vulnerable!

34

  2  www-client/mozilla-bin      <= 1.7.13                 Vulnerable!

35

    -------------------------------------------------------------------

36

     NOTE: Certain packages are still vulnerable. Users should migrate

37

           to another package if one is available or wait for the

38

           existing packages to be marked stable by their

39

           architecture maintainers.

40

    -------------------------------------------------------------------

41

     2 affected packages on all of their supported architectures.

42

    -------------------------------------------------------------------

43

44

Description

45

===========

46

47

Several vulnerabilities ranging from code execution with elevated

48

privileges to information leaks affect the Mozilla Suite.

49

50

Impact

51

======

52

53

A remote attacker could entice a user to browse to a specially crafted

54

website or open a specially crafted mail that could trigger some of the

55

vulnerabilities, potentially allowing execution of arbitrary code,

56

denials of service, information leaks, or cross-site scripting attacks

57

leading to the robbery of cookies of authentication credentials.

58

59

Workaround

60

==========

61

62

Most of the issues, but not all of them, can be prevented by disabling

63

the HTML rendering in the mail client and JavaScript on every

64

application.

65

66

Resolution

67

==========

68

69

The Mozilla Suite is no longer supported and has been masked after some

70

necessary changes on all the other ebuilds which used to depend on it.

71

Mozilla Suite users should unmerge www-client/mozilla or

72

www-client/mozilla-bin, and switch to a supported product, like

73

SeaMonkey, Thunderbird or Firefox.

74

75

76

    # emerge --unmerge "www-client/mozilla"

77

78

    # emerge --unmerge "www-client/mozilla-bin"

79

80

References

81

==========

82

83

  [ 1 ] Official Advisory

84

        http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla

85

86

Availability

87

============

88

89

This GLSA and any updates to it are available for viewing at

90

the Gentoo Security Website:

91

92

  http://security.gentoo.org/glsa/glsa-200703-05.xml

93

94

Concerns?

95

=========

96

97

Security is a primary focus of Gentoo Linux and ensuring the

98

confidentiality and security of our users machines is of utmost

99

importance to us. Any security concerns should be addressed to

100

security@g.o or alternatively, you may file a bug at

101

http://bugs.gentoo.org.

102

103

License

104

=======

105

106

Copyright 2007 Gentoo Foundation, Inc; referenced text

107

belongs to its owner(s).

108

109

The contents of this document are licensed under the

110

Creative Commons - Attribution / Share Alike license.

111

112

http://creativecommons.org/licenses/by-sa/2.5

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200703-05
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Mozilla Suite: Multiple vulnerabilities
9	Date: March 03, 2007
10	Bugs: #135257
11	ID: 200703-05
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Several vulnerabilities exist in the Mozilla Suite, which is no longer
19	supported by the Mozilla project.
20
21	Background
22	==========
23
24	The Mozilla Suite is a popular all-in-one web browser that includes a
25	mail and news reader.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 www-client/mozilla <= 1.7.13 Vulnerable!
34	2 www-client/mozilla-bin <= 1.7.13 Vulnerable!
35	-------------------------------------------------------------------
36	NOTE: Certain packages are still vulnerable. Users should migrate
37	to another package if one is available or wait for the
38	existing packages to be marked stable by their
39	architecture maintainers.
40	-------------------------------------------------------------------
41	2 affected packages on all of their supported architectures.
42	-------------------------------------------------------------------
43
44	Description
45	===========
46
47	Several vulnerabilities ranging from code execution with elevated
48	privileges to information leaks affect the Mozilla Suite.
49
50	Impact
51	======
52
53	A remote attacker could entice a user to browse to a specially crafted
54	website or open a specially crafted mail that could trigger some of the
55	vulnerabilities, potentially allowing execution of arbitrary code,
56	denials of service, information leaks, or cross-site scripting attacks
57	leading to the robbery of cookies of authentication credentials.
58
59	Workaround
60	==========
61
62	Most of the issues, but not all of them, can be prevented by disabling
63	the HTML rendering in the mail client and JavaScript on every
64	application.
65
66	Resolution
67	==========
68
69	The Mozilla Suite is no longer supported and has been masked after some
70	necessary changes on all the other ebuilds which used to depend on it.
71	Mozilla Suite users should unmerge www-client/mozilla or
72	www-client/mozilla-bin, and switch to a supported product, like
73	SeaMonkey, Thunderbird or Firefox.
74
75
76	# emerge --unmerge "www-client/mozilla"
77
78	# emerge --unmerge "www-client/mozilla-bin"
79
80	References
81	==========
82
83	[ 1 ] Official Advisory
84	http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
85
86	Availability
87	============
88
89	This GLSA and any updates to it are available for viewing at
90	the Gentoo Security Website:
91
92	http://security.gentoo.org/glsa/glsa-200703-05.xml
93
94	Concerns?
95	=========
96
97	Security is a primary focus of Gentoo Linux and ensuring the
98	confidentiality and security of our users machines is of utmost
99	importance to us. Any security concerns should be addressed to
100	security@g.o or alternatively, you may file a bug at
101	http://bugs.gentoo.org.
102
103	License
104	=======
105
106	Copyright 2007 Gentoo Foundation, Inc; referenced text
107	belongs to its owner(s).
108
109	The contents of this document are licensed under the
110	Creative Commons - Attribution / Share Alike license.
111
112	http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce