---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated mozilla packages fix security issues
Advisory ID:       FLSA:160202
Issue date:        2005-09-14
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-2260 CAN-2005-2261 CAN-2005-2263
                   CAN-2005-2265 CAN-2005-1937 CAN-2005-2266
                   CAN-2005-2267 CAN-2005-2268 CAN-2005-2269
                   CAN-2005-2270
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated mozilla packages that fix various security issues are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way Mozilla handled synthetic events. It is
possible that Web content could generate events such as keystrokes or
mouse clicks that could be used to steal data or execute malicious
JavaScript code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed JavaScript in XBL controls.
It is possible for a malicious webpage to leverage this vulnerability
to execute other JavaScript based attacks even when JavaScript is
disabled. (CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user
can be tricked into visiting a malicious webpage, it may be possible to
obtain sensitive information such as cookies or passwords.
(CAN-2005-2263)

A bug was found in the way Mozilla handled certain JavaScript
functions. It is possible for a malicious webpage to crash the browser
by executing malformed JavaScript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains.
It is possible for a frame as part of a malicious website to inject
content into a frame that belongs to another domain. This issue was
previously fixed as CAN-2004-0718 but was accidentally disabled.
(CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible
for a malicious framed page to steal sensitive information from its
parent page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is JavaScript, the JavaScript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and
prompts. Alerts and prompts were given the generic title [JavaScript
Application] which prevented a user from knowing which site created
them. (CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is
possible for a malicious site to overwrite a DOM node name, allowing
certain privileged chrome actions to execute the malicious JavaScript.
(CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible
for Web content to traverse the prototype chain to gain access to
privileged chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages,
which contain Mozilla version 1.7.10 and are not vulnerable to these
issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates.
To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160202

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.10-0.90.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.10-1.1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.10-1.2.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.5.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.8.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.8.legacy.i386.rpm

7. Verification:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
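Section 7 gives the sha1sum and rpm --checksig commands for a single file. The sh script below is an added example, not part of the advisory: it applies the digest check to a whole download directory from a table in the advisory's "SHA1 sum  Package Name" layout (one hash and one repository-relative path per line) and then runs the recommended signature check where rpm is installed. The package names, payloads and digests used in the demo are constructed, not the advisory's values.

```shell
# Added example, not part of the advisory: check downloaded RPMs against
# the advisory's sha1 table, then run the rpm signature check it recommends.
set -u

# Verify each (sha1, repo-relative path) row of an advisory table against the
# file of the same name in a local download directory.  Prints one status
# line per package; returns 1 if any file is missing or its digest differs.
verify_advisory_sums() {
    table=$1; dir=$2; rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$table"
    return $rc
}

# The digest check only proves a file matches the advisory's table; the GPG
# check needs the Fedora Legacy key imported into the rpm keyring first.
check_signatures() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; signature check skipped"; return 2; }
    rpm --checksig -v "$1"/*.rpm
}

# Constructed demo (fake payloads, not real packages): one matching file, one
# whose contents differ from the table entry, and one never downloaded.
demo_verify() {
    tmp=$(mktemp -d)
    printf 'pretend rpm payload\n' > "$tmp/mozilla-1.7.10-0.73.1.legacy.i386.rpm"
    printf 'altered payload\n'     > "$tmp/galeon-1.2.14-0.73.4.legacy.i386.rpm"
    good=$(sha1sum "$tmp/mozilla-1.7.10-0.73.1.legacy.i386.rpm" | cut -d' ' -f1)
    bad=$(printf 'original payload\n' | sha1sum | cut -d' ' -f1)
    {
        echo "$good redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm"
        echo "$bad redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.i386.rpm"
        echo "$bad redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm"
    } > "$tmp/FLSA-160202.sha1"
    if verify_advisory_sums "$tmp/FLSA-160202.sha1" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

For a real download, save the advisory's table to a file and run `verify_advisory_sums table.sha1 ./downloads && check_signatures ./downloads`; a non-zero exit from either step means the packages should not be installed.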