Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200604-12 ] Mozilla Firefox: Multiple vulnerabilities
Date: Sun, 23 Apr 2006 19:59:25
Message-Id: 444BD875.5020803@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200604-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Multiple vulnerabilities
      Date: April 23, 2006
      Bugs: #129924
        ID: 200604-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities in Mozilla Firefox allow attacks ranging from
execution of script code with elevated privileges to information
leaks.

Background
==========

Mozilla Firefox is the next-generation web browser from the Mozilla
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox           < 1.0.8             >= 1.0.8
  2  www-client/mozilla-firefox-bin       < 1.0.8             >= 1.0.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities were found in Mozilla Firefox. Versions 1.0.8
and 1.5.0.2 were released to fix them.

Impact
======

A remote attacker could craft malicious web pages that would leverage
these issues to inject and execute arbitrary script code with elevated
privileges, steal local files, cookies or other information from web
pages, and spoof content. Some of these vulnerabilities might even be
exploited to execute arbitrary code with the rights of the browser
user.

Workaround
==========

There are no known workarounds for all the issues at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.8"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.8"

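A post-upgrade check against the ranges in the Affected packages table, as an added example that is not part of the GLSA: it classifies installed versions of both packages against the 1.0.8 threshold. The function names are hypothetical, `/var/db/pkg` is Portage's installed-package database, and the comparison is simplified (an assumption) to dotted numeric versions with suffixes such as `-r2` ignored.

```shell
#!/bin/sh
# Added example, not part of the advisory.
FIXED="1.0.8"   # first unaffected version, from the "Unaffected" column

# ver_lt A B: succeed if dotted-numeric version A is strictly lower than B.
# Assumption: anything from the first '-' or '_' on (e.g. -r2, _rc1) is
# stripped, and every remaining component is a plain decimal number.
ver_lt() {
    a=${1%%[-_]*}; b=${2%%[-_]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # A missing component counts as 0, so 1.0 sorts below 1.0.8.
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# glsa_status VERSION: print "vulnerable" or "unaffected" for this GLSA.
glsa_status() {
    if ver_lt "$1" "$FIXED"; then echo vulnerable; else echo unaffected; fi
}

# scan_vdb ROOT: report every installed version of the two affected packages
# found under ROOT/www-client/<package>-<version>.
scan_vdb() {
    for pkg in mozilla-firefox mozilla-firefox-bin; do
        # [0-9]* keeps "mozilla-firefox" from matching "mozilla-firefox-bin-*".
        for d in "$1"/www-client/"$pkg"-[0-9]*; do
            [ -d "$d" ] || continue
            v=${d##*/"$pkg"-}
            echo "www-client/$pkg $v $(glsa_status "$v")"
        done
    done
}

# On a Gentoo host, report the real installed-package database.
if [ -d /var/db/pkg/www-client ]; then
    scan_vdb /var/db/pkg
fi
```

Any line ending in `vulnerable` means the corresponding upgrade command above still needs to be run.
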
References
==========

  [ 1 ] CVE-2005-4134
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
  [ 2 ] CVE-2006-0292
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
  [ 3 ] CVE-2006-0296
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296
  [ 4 ] CVE-2006-0748
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748
  [ 5 ] CVE-2006-0749
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749
  [ 6 ] CVE-2006-1727
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727
  [ 7 ] CVE-2006-1728
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728
  [ 8 ] CVE-2006-1729
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1729
  [ 9 ] CVE-2006-1730
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730
  [ 10 ] CVE-2006-1731
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731
  [ 11 ] CVE-2006-1732
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732
  [ 12 ] CVE-2006-1733
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733
  [ 13 ] CVE-2006-1734
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734
  [ 14 ] CVE-2006-1735
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735
  [ 15 ] CVE-2006-1736
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1736
  [ 16 ] CVE-2006-1737
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737
  [ 17 ] CVE-2006-1738
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738
  [ 18 ] CVE-2006-1739
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739
  [ 19 ] CVE-2006-1740
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740
  [ 20 ] CVE-2006-1741
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741
  [ 21 ] CVE-2006-1742
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742
  [ 22 ] CVE-2006-1790
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790
  [ 23 ] Mozilla Foundation Security Advisories
         http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200604-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
