| 1 |
Just received this CERT announce concerning firefox vulnerabilities. I |
| 2 |
checked portage and there is no ebuild for 1.5.0.5. Anyone have an idea |
| 3 |
when we can expect an ebuild for this version? |
| 4 |
|
| 5 |
- Rod |
| 6 |
|
| 7 |
-- |
| 8 |
___ ____ ___ _ ___ |
| 9 |
Rod Moffitt / _ \/ __ \/ _ \ (_)__ / _/__ |
| 10 |
http://rod.info / , _/ /_/ / // / / / _ \/ _/ _ \ |
| 11 |
rodANTISPAM@×××.info /_/|_|\____/____(*)_/_//_/_/ \___/ |
| 12 |
======================================================= |
| 13 |
~ Where loved ones are remembered http://memoriam.org ~ |
| 14 |
|
| 15 |
---------- Forwarded message ---------- |
| 16 |
Date: Thu, 27 Jul 2006 16:38:31 -0400 |
| 17 |
From: CERT Advisory <cert-advisory@××××.org> |
| 18 |
To: cert-advisory@××××.org |
| 19 |
Subject: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products |
| 20 |
Contain Multiple Vulnerabilities |
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 25 |
Hash: SHA1 |
| 26 |
|
| 27 |
National Cyber Alert System |
| 28 |
|
| 29 |
Technical Cyber Security Alert TA06-208A |
| 30 |
|
| 31 |
|
| 32 |
Mozilla Products Contain Multiple Vulnerabilities |
| 33 |
|
| 34 |
Original release date: July 27, 2006 |
| 35 |
Last revised: -- |
| 36 |
Source: US-CERT |
| 37 |
|
| 38 |
|
| 39 |
Systems Affected |
| 40 |
|
| 41 |
* Mozilla SeaMonkey |
| 42 |
* Mozilla Firefox |
| 43 |
* Mozilla Thunderbird |
| 44 |
|
| 45 |
Any products based on Mozilla components, specifically Gecko, may also |
| 46 |
be affected. |
| 47 |
|
| 48 |
|
| 49 |
Overview |
| 50 |
|
| 51 |
The Mozilla web browser and derived products contain several |
| 52 |
vulnerabilities, the most serious of which could allow a remote |
| 53 |
attacker to execute arbitrary code on an affected system. |
| 54 |
|
| 55 |
|
| 56 |
I. Description |
| 57 |
|
| 58 |
Several vulnerabilities have been reported in the Mozilla web browser |
| 59 |
and derived products. More detailed information is available in the |
| 60 |
individual vulnerability notes, including the following: |
| 61 |
|
| 62 |
|
| 63 |
VU#476724 - Mozilla products fail to properly handle frame references |
| 64 |
|
| 65 |
Mozilla products fail to properly handle frame or window references. |
| 66 |
This may allow a remote attacker to execute arbitrary code on a |
| 67 |
vulnerable system. |
| 68 |
(CVE-2006-3801) |
| 69 |
|
| 70 |
|
| 71 |
VU#670060 - Mozilla fails to properly release JavaScript references |
| 72 |
|
| 73 |
Mozilla products fail to properly release memory. This vulnerability |
| 74 |
may allow a remote attacker to execute code on a vulnerable system. |
| 75 |
(CVE-2006-3677) |
| 76 |
|
| 77 |
|
| 78 |
VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events |
| 79 |
|
| 80 |
Mozilla products are vulnerable to memory corruption via simultaneous |
| 81 |
XPCOM events. This may allow a remote attacker to execute arbitrary |
| 82 |
code on a vulnerable system. |
| 83 |
(CVE-2006-3113) |
| 84 |
|
| 85 |
|
| 86 |
VU#265964 - Mozilla products contain a race condition |
| 87 |
|
| 88 |
Mozilla products contain a race condition. This vulnerability may |
| 89 |
allow a remote attacker to execute code on a vulnerable system. |
| 90 |
(CVE-2006-3803) |
| 91 |
|
| 92 |
|
| 93 |
VU#897540 - Mozilla products VCard attachment buffer overflow |
| 94 |
|
| 95 |
Mozilla products fail to properly handle malformed VCard attachments, |
| 96 |
allowing a buffer overflow to occur. This vulnerability may allow a |
| 97 |
remote attacker to execute arbitrary code on a vulnerable system. |
| 98 |
(CVE-2006-3804) |
| 99 |
|
| 100 |
|
| 101 |
VU#876420 - Mozilla fails to properly handle garbage collection |
| 102 |
|
| 103 |
The Mozilla JavaScript engine fails to properly perform garbage |
| 104 |
collection, which may allow a remote attacker to execute arbitrary |
| 105 |
code on a vulnerable system. |
| 106 |
(CVE-2006-3805) |
| 107 |
|
| 108 |
|
| 109 |
VU#655892 - Mozilla JavaScript engine contains multiple integer |
| 110 |
overflows |
| 111 |
|
| 112 |
The Mozilla JavaScript engine contains multiple integer overflows. |
| 113 |
This vulnerability may allow a remote attacker to execute arbitrary |
| 114 |
code on a vulnerable system. |
| 115 |
(CVE-2006-3806) |
| 116 |
|
| 117 |
|
| 118 |
VU#687396 - Mozilla products fail to properly validate JavaScript |
| 119 |
constructors |
| 120 |
|
| 121 |
Mozilla products fail to properly validate references returned by |
| 122 |
JavaScript constructors. This vulnerability may allow a remote |
| 123 |
attacker to execute arbitrary code on a vulnerable system. |
| 124 |
(CVE-2006-3807) |
| 125 |
|
| 126 |
|
| 127 |
VU#527676 - Mozilla contains multiple memory corruption |
| 128 |
vulnerabilities |
| 129 |
|
| 130 |
Mozilla products contain multiple vulnerabilities that can cause |
| 131 |
memory corruption. This may allow a remote attacker to execute |
| 132 |
arbitrary code on a vulnerable system. |
| 133 |
(CVE-2006-3811) |
| 134 |
|
| 135 |
|
| 136 |
II. Impact |
| 137 |
|
| 138 |
A remote, unauthenticated attacker could execute arbitrary code on a |
| 139 |
vulnerable system. An attacker may also be able to cause the |
| 140 |
vulnerable application to crash. |
| 141 |
|
| 142 |
|
| 143 |
III. Solution |
| 144 |
|
| 145 |
Upgrade |
| 146 |
|
| 147 |
Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or |
| 148 |
SeaMonkey 1.0.3. |
| 149 |
|
| 150 |
Disable JavaScript and Java |
| 151 |
|
| 152 |
These vulnerabilities can be mitigated by disabling JavaScript and |
| 153 |
Java in all affected products. Instructions for disabling Java in |
| 154 |
Firefox can be found in the "Securing Your Web Browser" document. |
| 155 |
|
| 156 |
|
| 157 |
Appendix A. References |
| 158 |
|
| 159 |
* US-CERT Vulnerability Notes Related to July Mozilla Security |
| 160 |
Advisories - |
| 161 |
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505> |
| 162 |
|
| 163 |
* CVE-2006-3081 - |
| 164 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801> |
| 165 |
|
| 166 |
* CVE-2006-3677 - |
| 167 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677> |
| 168 |
|
| 169 |
* CVE-2006-3113 - |
| 170 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113> |
| 171 |
|
| 172 |
* CVE-2006-3803 - |
| 173 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803> |
| 174 |
|
| 175 |
* CVE-2006-3804 - |
| 176 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804> |
| 177 |
|
| 178 |
* CVE-2006-3805 - |
| 179 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805> |
| 180 |
|
| 181 |
* CVE-2006-3806 - |
| 182 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806> |
| 183 |
|
| 184 |
* CVE-2006-3807 - |
| 185 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807> |
| 186 |
|
| 187 |
* CVE-2006-3811 - |
| 188 |
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811> |
| 189 |
|
| 190 |
* Mozilla Foundation Security Advisories - |
| 191 |
<http://www.mozilla.org/security/announce/> |
| 192 |
|
| 193 |
* Known Vulnerabilities in Mozilla Products - |
| 194 |
<http://www.mozilla.org/projects/security/known-vulnerabilities.html> |
| 195 |
|
| 196 |
* Securing Your Web Browser - |
| 197 |
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox> |
| 198 |
|
| 199 |
|
| 200 |
____________________________________________________________________ |
| 201 |
|
| 202 |
The most recent version of this document can be found at: |
| 203 |
|
| 204 |
<http://www.us-cert.gov/cas/techalerts/TA06-208A.html> |
| 205 |
____________________________________________________________________ |
| 206 |
|
| 207 |
Feedback can be directed to US-CERT Technical Staff. Please send |
| 208 |
email to <cert@××××.org> with "TA06-208A Feedback VU#239124" in the |
| 209 |
subject. |
| 210 |
____________________________________________________________________ |
| 211 |
|
| 212 |
For instructions on subscribing to or unsubscribing from this |
| 213 |
mailing list, visit <http://www.us-cert.gov/cas/signup.html>. |
| 214 |
____________________________________________________________________ |
| 215 |
|
| 216 |
Produced 2006 by US-CERT, a government organization. |
| 217 |
|
| 218 |
Terms of use: |
| 219 |
|
| 220 |
<http://www.us-cert.gov/legal.html> |
| 221 |
____________________________________________________________________ |
| 222 |
|
| 223 |
|
| 224 |
Revision History |
| 225 |
|
| 226 |
Jul 27, 2006: Initial release |
| 227 |
|
| 228 |
|
| 229 |
|
| 230 |
|
| 231 |
|
| 232 |
-----BEGIN PGP SIGNATURE----- |
| 233 |
Version: GnuPG v1.2.1 (GNU/Linux) |
| 234 |
|
| 235 |
iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa |
| 236 |
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0 |
| 237 |
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri |
| 238 |
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX |
| 239 |
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA |
| 240 |
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA== |
| 241 |
=HwuK |
| 242 |
-----END PGP SIGNATURE----- |
| 243 |
-- |
| 244 |
gentoo-security@g.o mailing list |
Archives