[gentoo-announce] [ GLSA 200712-21 ] Mozilla Firefox, SeaMonkey: Multiple vulnerabilities - gentoo-announce

From:	Robert Buchholz <rbu@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200712-21 ] Mozilla Firefox, SeaMonkey: Multiple vulnerabilities
Date:	Sat, 29 Dec 2007 17:01:15
Message-Id:	`200712291725.03511.rbu@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200712-21

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Mozilla Firefox, SeaMonkey: Multiple vulnerabilities

9

      Date: December 29, 2007

10

      Bugs: #198965, #200909

11

        ID: 200712-21

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been discovered in Mozilla Firefox and

19

Mozilla Seamonkey.

20

21

Background

22

==========

23

24

Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey

25

is a free, cross-platform Internet suite.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package                         /  Vulnerable  /       Unaffected

32

    -------------------------------------------------------------------

33

  1  www-client/mozilla-firefox         < 2.0.0.11         >= 2.0.0.11

34

  2  www-client/mozilla-firefox-bin     < 2.0.0.11         >= 2.0.0.11

35

  3  www-client/seamonkey                 < 1.1.7             >= 1.1.7

36

  4  www-client/seamonkey-bin             < 1.1.7             >= 1.1.7

37

    -------------------------------------------------------------------

38

     4 affected packages on all of their supported architectures.

39

    -------------------------------------------------------------------

40

41

Description

42

===========

43

44

Jesse Ruderman and Petko D. Petkov reported that the jar protocol

45

handler in Mozilla Firefox and Seamonkey does not properly check MIME

46

types (CVE-2007-5947). Gregory Fleischer reported that the

47

window.location property can be used to generate a fake HTTP Referer

48

(CVE-2007-5960). Multiple memory errors have also been reported

49

(CVE-2007-5959).

50

51

Impact

52

======

53

54

A remote attacker could possibly exploit these vulnerabilities to

55

execute arbitrary code in the context of the browser and conduct

56

Cross-Site-Scripting or Cross-Site Request Forgery attacks.

57

58

Workaround

59

==========

60

61

There is no known workaround at this time.

62

63

Resolution

64

==========

65

66

All Mozilla Firefox users should upgrade to the latest version:

67

68

    # emerge --sync

69

    # emerge --ask --oneshot -v ">=www-client/mozilla-firefox-2.0.0.11"

70

71

All Mozilla Firefox binary users should upgrade to the latest version:

72

73

    # emerge --sync

74

    # emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.11"

75

76

All SeaMonkey users should upgrade to the latest version:

77

78

    # emerge --sync

79

    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.7"

80

81

All SeaMonkey binary users should upgrade to the latest version:

82

83

    # emerge --sync

84

    # emerge --ask --oneshot -v ">=www-client/seamonkey-bin-1.1.7"

85

86

References

87

==========

88

89

  [ 1 ] CVE-2007-5947

90

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947

91

  [ 2 ] CVE-2007-5959

92

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959

93

  [ 3 ] CVE-2007-5960

94

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960

95

96

Availability

97

============

98

99

This GLSA and any updates to it are available for viewing at

100

the Gentoo Security Website:

101

102

  http://security.gentoo.org/glsa/glsa-200712-21.xml

103

104

Concerns?

105

=========

106

107

Security is a primary focus of Gentoo Linux and ensuring the

108

confidentiality and security of our users machines is of utmost

109

importance to us. Any security concerns should be addressed to

110

security@g.o or alternatively, you may file a bug at

111

http://bugs.gentoo.org.

112

113

License

114

=======

115

116

Copyright 2007 Gentoo Foundation, Inc; referenced text

117

belongs to its owner(s).

118

119

The contents of this document are licensed under the

120

Creative Commons - Attribution / Share Alike license.

121

122

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200712-21
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Mozilla Firefox, SeaMonkey: Multiple vulnerabilities
9	Date: December 29, 2007
10	Bugs: #198965, #200909
11	ID: 200712-21
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been discovered in Mozilla Firefox and
19	Mozilla Seamonkey.
20
21	Background
22	==========
23
24	Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey
25	is a free, cross-platform Internet suite.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 www-client/mozilla-firefox < 2.0.0.11 >= 2.0.0.11
34	2 www-client/mozilla-firefox-bin < 2.0.0.11 >= 2.0.0.11
35	3 www-client/seamonkey < 1.1.7 >= 1.1.7
36	4 www-client/seamonkey-bin < 1.1.7 >= 1.1.7
37	-------------------------------------------------------------------
38	4 affected packages on all of their supported architectures.
39	-------------------------------------------------------------------
40
41	Description
42	===========
43
44	Jesse Ruderman and Petko D. Petkov reported that the jar protocol
45	handler in Mozilla Firefox and Seamonkey does not properly check MIME
46	types (CVE-2007-5947). Gregory Fleischer reported that the
47	window.location property can be used to generate a fake HTTP Referer
48	(CVE-2007-5960). Multiple memory errors have also been reported
49	(CVE-2007-5959).
50
51	Impact
52	======
53
54	A remote attacker could possibly exploit these vulnerabilities to
55	execute arbitrary code in the context of the browser and conduct
56	Cross-Site-Scripting or Cross-Site Request Forgery attacks.
57
58	Workaround
59	==========
60
61	There is no known workaround at this time.
62
63	Resolution
64	==========
65
66	All Mozilla Firefox users should upgrade to the latest version:
67
68	# emerge --sync
69	# emerge --ask --oneshot -v ">=www-client/mozilla-firefox-2.0.0.11"
70
71	All Mozilla Firefox binary users should upgrade to the latest version:
72
73	# emerge --sync
74	# emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.11"
75
76	All SeaMonkey users should upgrade to the latest version:
77
78	# emerge --sync
79	# emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.7"
80
81	All SeaMonkey binary users should upgrade to the latest version:
82
83	# emerge --sync
84	# emerge --ask --oneshot -v ">=www-client/seamonkey-bin-1.1.7"
85
86	References
87	==========
88
89	[ 1 ] CVE-2007-5947
90	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
91	[ 2 ] CVE-2007-5959
92	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
93	[ 3 ] CVE-2007-5960
94	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
95
96	Availability
97	============
98
99	This GLSA and any updates to it are available for viewing at
100	the Gentoo Security Website:
101
102	http://security.gentoo.org/glsa/glsa-200712-21.xml
103
104	Concerns?
105	=========
106
107	Security is a primary focus of Gentoo Linux and ensuring the
108	confidentiality and security of our users machines is of utmost
109	importance to us. Any security concerns should be addressed to
110	security@g.o or alternatively, you may file a bug at
111	http://bugs.gentoo.org.
112
113	License
114	=======
115
116	Copyright 2007 Gentoo Foundation, Inc; referenced text
117	belongs to its owner(s).
118
119	The contents of this document are licensed under the
120	Creative Commons - Attribution / Share Alike license.
121
122	http://creativecommons.org/licenses/by-sa/2.5