[FLSA-2005:160202] Updated mozilla packages fix security issues

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [FLSA-2005:160202] Updated mozilla packages fix security issues
From: Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
Date: Wed, 14 Sep 2005 22:03:09 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.6-1.1.fc4 (X11/20050720)
---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated mozilla packages fix security issues
Advisory ID:       FLSA:160202
Issue date:        2005-09-14
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-2260 CAN-2005-2261 CAN-2005-2263
                   CAN-2005-2265 CAN-2005-1937 CAN-2005-2266
                   CAN-2005-2267 CAN-2005-2268 CAN-2005-2269
                   CAN-2005-2270
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated mozilla packages that fix various security issues are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way Mozilla handled synthetic events. It is
possible that Web content could generate events such as keystrokes or
mouse clicks that could be used to steal data or execute malicious
Javascript code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed Javascript in XBL controls.
It is possible for a malicious webpage to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user
can be tricked into visiting a malicious webpage, it may be possible to
obtain sensitive information such as cookies or passwords.
(CAN-2005-2263)

A bug was found in the way Mozilla handled certain Javascript functions.
It is possible for a malicious webpage to crash the browser by executing
malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains. It is
possible for a frame as part of a malicious website to inject content
into a frame that belongs to another domain. This issue was previously
fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible
for a malicious framed page to steal sensitive information from its
parent page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is Javascript, the Javascript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and prompts.
Alerts and prompts were given the generic title [JavaScript Application]
which prevented a user from knowing which site created them.
(CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is
possible for a malicious site to overwrite a DOM node name, allowing
certain privileged chrome actions to execute the malicious Javascript.
(CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible
for Web content to traverse the prototype chain to gain access to
privileged chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages, which
contain Mozilla version 1.7.10 and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160202

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.10-0.73.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.10-0.90.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.10-1.1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.10-1.2.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.5.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.10-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.8.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.8.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

21ef0fc3fb4a4b1bab035a3ca39f05793980f96c
redhat/7.3/updates/i386/mozilla-1.7.10-0.73.1.legacy.i386.rpm
bd577e6f2da710d29e4b80178c06824dc49f777e
redhat/7.3/updates/i386/mozilla-chat-1.7.10-0.73.1.legacy.i386.rpm
ead8a39e3bf89266c46ad4416b7089b1685c1611
redhat/7.3/updates/i386/mozilla-devel-1.7.10-0.73.1.legacy.i386.rpm
f3cbc0d33c063472bd02836c5bb6fa1358a07144
redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.10-0.73.1.legacy.i386.rpm
d80e8e4ca42908fcddb3fe210ca7e3239572d645
redhat/7.3/updates/i386/mozilla-js-debugger-1.7.10-0.73.1.legacy.i386.rpm
cd099e3c6886784093ab23fc4217c3d9c8202ddc
redhat/7.3/updates/i386/mozilla-mail-1.7.10-0.73.1.legacy.i386.rpm
7423c24f838e81e69f14363324bebad96c87bf87
redhat/7.3/updates/i386/mozilla-nspr-1.7.10-0.73.1.legacy.i386.rpm
1b4d201829286b23cf6f86068e82e1f116f5e238
redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.10-0.73.1.legacy.i386.rpm
afce419aeac48067ec55ba4c54b75a96b84ae248
redhat/7.3/updates/i386/mozilla-nss-1.7.10-0.73.1.legacy.i386.rpm
9e2b0fc1e17b6a014fb78b1d4ed73aa9b33a6998
redhat/7.3/updates/i386/mozilla-nss-devel-1.7.10-0.73.1.legacy.i386.rpm
a055ace074f9d074f8dc24b8467ef03ab2a4f56d
redhat/7.3/updates/SRPMS/mozilla-1.7.10-0.73.1.legacy.src.rpm
9e617122c902d6a41fe8ab5a7541c6ad7d7a4274
redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.i386.rpm
9a09d9823313a758f7d73631e46d5fd44f018a04
redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.4.legacy.src.rpm
361bb85b2bd856bb6f75a2067ca9f8b64740d55e
redhat/9/updates/i386/mozilla-1.7.10-0.90.1.legacy.i386.rpm
5b5331a02a50612518a9b04e8e25e1f0e61afbc9
redhat/9/updates/i386/mozilla-chat-1.7.10-0.90.1.legacy.i386.rpm
1cef67b7101ca5ef94c2da52cf7e6fa1904ddab7
redhat/9/updates/i386/mozilla-devel-1.7.10-0.90.1.legacy.i386.rpm
ebfd6b8d96a12c32c8c32cd06a0eb29ce44ebd9c
redhat/9/updates/i386/mozilla-dom-inspector-1.7.10-0.90.1.legacy.i386.rpm
00a5dc6a4da814c68efa0e6f0bebaeb2e5af43e4
redhat/9/updates/i386/mozilla-js-debugger-1.7.10-0.90.1.legacy.i386.rpm
3cff356510a48956b0ce9e7ab7cc158da2f37906
redhat/9/updates/i386/mozilla-mail-1.7.10-0.90.1.legacy.i386.rpm
998feb261e696dcd5a08cfd2d884b30063944f78
redhat/9/updates/i386/mozilla-nspr-1.7.10-0.90.1.legacy.i386.rpm
12d4caa735df18edaf636d30de98ab41b0c394ac
redhat/9/updates/i386/mozilla-nspr-devel-1.7.10-0.90.1.legacy.i386.rpm
e20f1d5b4111a23b1f6ec30547ebd447c2c9eb54
redhat/9/updates/i386/mozilla-nss-1.7.10-0.90.1.legacy.i386.rpm
815236f90f4778e52a364ae4795b762f95b11909
redhat/9/updates/i386/mozilla-nss-devel-1.7.10-0.90.1.legacy.i386.rpm
49801c7d362ba0e659096516f7dc89960aaba5ab
redhat/9/updates/SRPMS/mozilla-1.7.10-0.90.1.legacy.src.rpm
abd5ff8e4e92dacc43cd8ddbb88061bee410a965
redhat/9/updates/i386/galeon-1.2.14-0.90.4.legacy.i386.rpm
f252f4ec0b3132199e30362b5aa12fcf70345708
redhat/9/updates/SRPMS/galeon-1.2.14-0.90.4.legacy.src.rpm
024af661649ccdd80f61cdbcd67405146ddd290e
fedora/1/updates/i386/mozilla-1.7.10-1.1.1.legacy.i386.rpm
c714508dfbf5194b518ab8c36ef15e35b5f9f34d
fedora/1/updates/i386/mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
9f87a7c1b15b1eacf77d785ba02a6e5272786483
fedora/1/updates/i386/mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
40d6a447c6fa50971449a12ed04d2139e7f38c86
fedora/1/updates/i386/mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
7d7993584caf000376d414adfea09ef03b5dcfcc
fedora/1/updates/i386/mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
ddb668ea5ef6354bcea561d396f322b812986d3c
fedora/1/updates/i386/mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
ba21eee7662528448aeab774f9f1eedcd27bef6e
fedora/1/updates/i386/mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
6fc9017c5f1712648f83f74dfc289097244bf2fb
fedora/1/updates/i386/mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
b16af5524e6b5ae6d00b978aa7ae7e382045e42a
fedora/1/updates/i386/mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
fe6babcc981d3d8d00405bc668a163c762325556
fedora/1/updates/i386/mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
b897549c97460c0c77cb7cd2a5cc09fa2b87e648
fedora/1/updates/SRPMS/mozilla-1.7.10-1.1.1.legacy.src.rpm
8e927ac2f8ef17d3d33a5f244944c8e23bd349a5
fedora/1/updates/i386/epiphany-1.0.8-1.fc1.4.legacy.i386.rpm
e7269e1c82160199d9922ee85116ca6c3b968aa4
fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.4.legacy.src.rpm
84191565518894d9064043591f6bd8a87aadf7c1
fedora/2/updates/i386/mozilla-1.7.10-1.2.1.legacy.i386.rpm
840981293c815a81a1e2731cb70890fdcf4a9439
fedora/2/updates/i386/mozilla-chat-1.7.10-1.2.1.legacy.i386.rpm
c8239468a1ee288b4a4c476d3499e2dd21f9e15f
fedora/2/updates/i386/mozilla-devel-1.7.10-1.2.1.legacy.i386.rpm
ead0223ae156bc10bc98d7b3e2b3d73fe295a3b8
fedora/2/updates/i386/mozilla-dom-inspector-1.7.10-1.2.1.legacy.i386.rpm
8f8ce4d865ca4f1a39044c5be16aa3226c379336
fedora/2/updates/i386/mozilla-js-debugger-1.7.10-1.2.1.legacy.i386.rpm
f7f86824465f7cefb863edd0185a1d10dd1a9e5b
fedora/2/updates/i386/mozilla-mail-1.7.10-1.2.1.legacy.i386.rpm
6ddbbe1bf072839e4d614f875c4bf2b9e613c252
fedora/2/updates/i386/mozilla-nspr-1.7.10-1.2.1.legacy.i386.rpm
b19179e3c9636c693519859168c15a374868265b
fedora/2/updates/i386/mozilla-nspr-devel-1.7.10-1.2.1.legacy.i386.rpm
cb906332518766343ce2e0b42b1daa8ea365f5c2
fedora/2/updates/i386/mozilla-nss-1.7.10-1.2.1.legacy.i386.rpm
b321daec595fa820fa1c61636b6e7ae04bc93ec0
fedora/2/updates/i386/mozilla-nss-devel-1.7.10-1.2.1.legacy.i386.rpm
84b27211a322366ed7b55ebd56b27bd311f268b1
fedora/2/updates/SRPMS/mozilla-1.7.10-1.2.1.legacy.src.rpm
602ce3dc7e96667ca3c854208447873660bbbbec
fedora/2/updates/i386/epiphany-1.2.10-0.2.5.legacy.i386.rpm
d1c8debf69421cf879a8cc124999f09b86849743
fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.5.legacy.src.rpm
616b84cd1427ed5692afaad68e75fa78a306853d
fedora/2/updates/i386/devhelp-0.9.1-0.2.8.legacy.i386.rpm
2f93f6d05bf459305427ee159b798a939087d125
fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.8.legacy.i386.rpm
08ac95e7d0f4bdcebbe03994cdacd5074f166479
fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.8.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2270

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
Attachment: signature.asc
Description: OpenPGP digital signature
Prev by Date: Re: AWstats Path Disclosure Vulnerability
Next by Date: [FLSA-2005:162680] Updated Zlib packagea fix security issues
Previous by thread: PTL Advisory 050825 - HP LaserJet Network Username and Information Enumeration
Next by thread: [FLSA-2005:162680] Updated Zlib packagea fix security issues
Index(es):
- Date
- Thread