[UCI-Linux] [SECURITY] Fedora Core 3 Update: mozilla-1.7.12-1.3.1

Mike Iglesias IGLESIAS at uci.edu
Mon Sep 26 10:59:11 PDT 2005

From: "Christopher Aillon" <caillon at redhat.com>
To: fedora-announce-list at redhat.com
Date: Mon, 26 Sep 2005 13:16:34 -0400
Subject: [SECURITY] Fedora Core 3 Update: mozilla-1.7.12-1.3.1

Fedora Update Notification

Product     : Fedora Core 3
Name        : mozilla
Version     : 1.7.12
Release     : 1.3.1
Summary     : Web browser and mail reader
Description :
Mozilla is an open-source web browser, designed for standards
compliance, performance and portability.

Update Information:

Updated mozilla packages that fix several security bugs are
now available for Fedora Core 3.

This update has been rated as having critical security
impact by the Fedora Security Response Team.

Mozilla is an open source Web browser, advanced email and
newsgroup client, IRC chat client, and HTML editor.

A bug was found in the way Mozilla processes XBM image
files. If a user views a specially crafted XBM file, it
becomes possible to execute arbitrary code as the user
running Mozilla. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2701
to this issue.

A bug was found in the way Mozilla processes certain Unicode
sequences. It may be possible to execute arbitrary code as
the user running Mozilla, if the user views a specially
crafted Unicode sequence. (CAN-2005-2702)

A bug was found in the way Mozilla makes XMLHttp requests.
It is possible that a malicious web page could leverage this
flaw to exploit other proxy or server flaws from the
victim's machine. It is also possible that this flaw could
be leveraged to send XMLHttp requests to hosts other than
the originator; the default behavior of the browser is to
disallow this. (CAN-2005-2703)

A bug was found in the way Mozilla implemented its XBL
interface. It may be possible for a malicious web page to
create an XBL binding in a way that would allow arbitrary
JavaScript execution with chrome permissions. Please note
that in Mozilla 1.7.10 this issue is not directly
exploitable and would need to leverage other unknown
exploits. (CAN-2005-2704)

An integer overflow bug was found in Mozilla's JavaScript
engine. Under favorable conditions, it may be possible for a
malicious web page to execute arbitrary code as the user
running Mozilla. (CAN-2005-2705)

A bug was found in the way Mozilla displays about: pages. It
is possible for a malicious web page to open an about: page,
such as about:mozilla, in such a way that it becomes
possible to execute JavaScript with chrome privileges.

A bug was found in the way Mozilla opens new windows. It is
possible for a malicious web site to construct a new window
without any user interface components, such as the address
bar and the status bar. This window could then be used to
mislead the user for malicious purposes. (CAN-2005-2707)

Users of Mozilla are advised to upgrade to this updated
package that contains Mozilla version 1.7.12 and is not
vulnerable to these issues.

* Thu Sep 22 2005 Christopher Aillon <caillon at redhat.com> 37:1.7.12-1.3.1
- Update to 1.7.12, containing fixes for:
  CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
  CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968

This update can be downloaded from:


This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.

fedora-announce-list mailing list
fedora-announce-list at redhat.com
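
Added example (not part of the original advisory or of any Fedora tooling): a check for hosts still running a mozilla build older than the fixed 37:1.7.12-1.3.1 named in the changelog above. The inventory lines are constructed, in the shape produced by rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' with a host name prepended; the comparison is a simplified version of rpm's segment ordering and does not handle '~' or '^'.

```python
import re

# Fixed build from the advisory changelog: epoch 37, version 1.7.12, release 1.3.1.
FIXED_EVR = "37:1.7.12-1.3.1"

# Constructed inventory (not real hosts): "host name epoch:version-release".
SAMPLE_INVENTORY = """\
host-a mozilla 37:1.7.10-1.3.1
host-b mozilla 37:1.7.12-1.3.1
host-c mozilla 37:1.7.9-2
host-d mozilla (none):1.7.13-1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # 9 < 12, unlike a string comparison
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments: newer

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return (0 if epoch == "(none)" else int(epoch)), version, release

def compare_evr(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1  # epoch overrides version and release
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched_hosts(inventory, package="mozilla", fixed=FIXED_EVR):
    """Return hosts whose installed build of `package` is older than `fixed`."""
    hosts = []
    for line in inventory.splitlines():
        host, name, evr = line.split()
        if name == package and compare_evr(evr, fixed) < 0:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_INVENTORY))
```

host-d is flagged although its version string is higher: without the epoch 37 that the fixed package carries, rpm treats it as older.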
