[gentoo-announce] [ GLSA 200612-07 ] Mozilla Firefox: Multiple vulnerabilities - gentoo-announce

From:	Raphael Marichez <falco@g.o>
To:	gentoo-announce@g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200612-07 ] Mozilla Firefox: Multiple vulnerabilities
Date:	Sun, 10 Dec 2006 19:30:24
Message-Id:	`20061210190223.GK16201@falco.falcal.net`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200612-07

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Mozilla Firefox: Multiple vulnerabilities

9

      Date: December 10, 2006

10

      Bugs: #154434

11

        ID: 200612-07

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been reported in Mozilla Firefox.

19

20

Background

21

==========

22

23

Mozilla Firefox is a popular open-source web browser from the Mozilla

24

Project.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package                         /  Vulnerable  /       Unaffected

31

    -------------------------------------------------------------------

32

  1  www-client/mozilla-firefox          < 1.5.0.8          >= 1.5.0.8

33

  2  www-client/mozilla-firefox-bin      < 1.5.0.8          >= 1.5.0.8

34

    -------------------------------------------------------------------

35

     2 affected packages on all of their supported architectures.

36

    -------------------------------------------------------------------

37

38

Description

39

===========

40

41

Mozilla Firefox improperly handles Script objects while they are being

42

executed. Mozilla Firefox has also been found to be vulnerable to

43

various possible buffer overflows. Lastly, the binary release of

44

Mozilla Firefox is vulnerable to a low exponent RSA signature forgery

45

issue because it is bundled with a vulnerable version of NSS.

46

47

Impact

48

======

49

50

An attacker could entice a user to view specially crafted JavaScript

51

and execute arbitrary code with the rights of the user running Mozilla

52

Firefox. An attacker could also entice a user to view a specially

53

crafted web page that causes a buffer overflow and again executes

54

arbitrary code. It is also possible for an attacker to make up SSL/TLS

55

certificates that would not be detected as invalid by the binary

56

release of Mozilla Firefox, raising the possibility for

57

Man-in-the-Middle attacks.

58

59

Workaround

60

==========

61

62

There is no known workaround at this time.

63

64

Resolution

65

==========

66

67

All Mozilla Firefox users should upgrade to the latest version:

68

69

    # emerge --sync

70

    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.8"

71

72

All Mozilla Firefox binary release users should upgrade to the latest

73

version:

74

75

    # emerge --sync

76

    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.8"

77

78

References

79

==========

80

81

  [ 1 ] CVE-2006-5462

82

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462

83

  [ 2 ] CVE-2006-5463

84

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5463

85

  [ 3 ] CVE-2006-5464

86

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5464

87

  [ 4 ] CVE-2006-5747

88

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5747

89

  [ 5 ] CVE-2006-5748

90

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5748

91

92

Availability

93

============

94

95

This GLSA and any updates to it are available for viewing at

96

the Gentoo Security Website:

97

98

  http://security.gentoo.org/glsa/glsa-200612-07.xml

99

100

Concerns?

101

=========

102

103

Security is a primary focus of Gentoo Linux and ensuring the

104

confidentiality and security of our users machines is of utmost

105

importance to us. Any security concerns should be addressed to

106

security@g.o or alternatively, you may file a bug at

107

http://bugs.gentoo.org.

108

109

License

110

=======

111

112

Copyright 2006 Gentoo Foundation, Inc; referenced text

113

belongs to its owner(s).

114

115

The contents of this document are licensed under the

116

Creative Commons - Attribution / Share Alike license.

117

118

http://creativecommons.org/licenses/by-sa/2.5

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200612-07
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Mozilla Firefox: Multiple vulnerabilities
9	Date: December 10, 2006
10	Bugs: #154434
11	ID: 200612-07
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been reported in Mozilla Firefox.
19
20	Background
21	==========
22
23	Mozilla Firefox is a popular open-source web browser from the Mozilla
24	Project.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 www-client/mozilla-firefox < 1.5.0.8 >= 1.5.0.8
33	2 www-client/mozilla-firefox-bin < 1.5.0.8 >= 1.5.0.8
34	-------------------------------------------------------------------
35	2 affected packages on all of their supported architectures.
36	-------------------------------------------------------------------
37
38	Description
39	===========
40
41	Mozilla Firefox improperly handles Script objects while they are being
42	executed. Mozilla Firefox has also been found to be vulnerable to
43	various possible buffer overflows. Lastly, the binary release of
44	Mozilla Firefox is vulnerable to a low exponent RSA signature forgery
45	issue because it is bundled with a vulnerable version of NSS.
46
47	Impact
48	======
49
50	An attacker could entice a user to view specially crafted JavaScript
51	and execute arbitrary code with the rights of the user running Mozilla
52	Firefox. An attacker could also entice a user to view a specially
53	crafted web page that causes a buffer overflow and again executes
54	arbitrary code. It is also possible for an attacker to make up SSL/TLS
55	certificates that would not be detected as invalid by the binary
56	release of Mozilla Firefox, raising the possibility for
57	Man-in-the-Middle attacks.
58
59	Workaround
60	==========
61
62	There is no known workaround at this time.
63
64	Resolution
65	==========
66
67	All Mozilla Firefox users should upgrade to the latest version:
68
69	# emerge --sync
70	# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.8"
71
72	All Mozilla Firefox binary release users should upgrade to the latest
73	version:
74
75	# emerge --sync
76	# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.8"
77
78	References
79	==========
80
81	[ 1 ] CVE-2006-5462
82	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462
83	[ 2 ] CVE-2006-5463
84	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5463
85	[ 3 ] CVE-2006-5464
86	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5464
87	[ 4 ] CVE-2006-5747
88	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5747
89	[ 5 ] CVE-2006-5748
90	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5748
91
92	Availability
93	============
94
95	This GLSA and any updates to it are available for viewing at
96	the Gentoo Security Website:
97
98	http://security.gentoo.org/glsa/glsa-200612-07.xml
99
100	Concerns?
101	=========
102
103	Security is a primary focus of Gentoo Linux and ensuring the
104	confidentiality and security of our users machines is of utmost
105	importance to us. Any security concerns should be addressed to
106	security@g.o or alternatively, you may file a bug at
107	http://bugs.gentoo.org.
108
109	License
110	=======
111
112	Copyright 2006 Gentoo Foundation, Inc; referenced text
113	belongs to its owner(s).
114
115	The contents of this document are licensed under the
116	Creative Commons - Attribution / Share Alike license.
117
118	http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce