-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- --------------------------------------------------------------------- Red Hat Security Advisory
Synopsis: Critical: firefox security update Advisory ID: RHSA-2007:0979-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0979.html Issue date: 2007-10-19 Updated on: 2007-10-19 Product: Red Hat Enterprise Linux CVE Names: CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-3844 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340 - ---------------------------------------------------------------------
1. Summary:
Updated firefox packages that fix several security bugs are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
3. Problem description:
Mozilla Firefox is an open source Web browser.
Several flaws were found in the way in which Firefox processed certain malformed web content. A web page containing malicious content could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)
Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)
A flaw was found in the Firefox sftp protocol handler. A malicious web page could access data from a remote sftp site, possibly stealing sensitive user data. (CVE-2007-5337)
A request-splitting flaw was found in the way in which Firefox generates a digest authentication request. If a user opened a specially-crafted URL, it was possible to perform cross-site scripting attacks, web cache poisoning, or other, similar exploits. (CVE-2007-2292)
All users of Firefox are advised to upgrade to these updated packages, which contain backported patches that correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
246248 - firefox crashes when searching for word "do" 333991 - Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS: firefox-1.5.0.12-0.7.el4.src.rpm 14521bc61a8a3fae6f51e01b7397dcb6 firefox-1.5.0.12-0.7.el4.src.rpm
i386: a77fcb609b6967686ace6611ee46006b firefox-1.5.0.12-0.7.el4.i386.rpm a10903d25275b7f3b45b087f5075ac8d firefox-debuginfo-1.5.0.12-0.7.el4.i386.rpm
ia64: 22a57ce44aa809198be66d6eef97bb9c firefox-1.5.0.12-0.7.el4.ia64.rpm 94f312b4eadfa99165d44c573bec784d firefox-debuginfo-1.5.0.12-0.7.el4.ia64.rpm
ppc: a3067493f97b4921b3e4320516b09988 firefox-1.5.0.12-0.7.el4.ppc.rpm 767062821eba593df0116a7bfc8725b2 firefox-debuginfo-1.5.0.12-0.7.el4.ppc.rpm
s390: 304d4a73bbbc1691762caa56fbe751b1 firefox-1.5.0.12-0.7.el4.s390.rpm 91f1b89ec8f0feef079b546327b232dc firefox-debuginfo-1.5.0.12-0.7.el4.s390.rpm
s390x: 0536c7d1e6ce3c7147082020d126c546 firefox-1.5.0.12-0.7.el4.s390x.rpm 3d45b068acfd5cb48a047938cdf94339 firefox-debuginfo-1.5.0.12-0.7.el4.s390x.rpm
x86_64: 3ee97b00b1b1a207bed96c195fac7c32 firefox-1.5.0.12-0.7.el4.x86_64.rpm 774b51deb8e133d53cba92831f80d1c9 firefox-debuginfo-1.5.0.12-0.7.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS: firefox-1.5.0.12-0.7.el4.src.rpm 14521bc61a8a3fae6f51e01b7397dcb6 firefox-1.5.0.12-0.7.el4.src.rpm
i386: a77fcb609b6967686ace6611ee46006b firefox-1.5.0.12-0.7.el4.i386.rpm a10903d25275b7f3b45b087f5075ac8d firefox-debuginfo-1.5.0.12-0.7.el4.i386.rpm
x86_64: 3ee97b00b1b1a207bed96c195fac7c32 firefox-1.5.0.12-0.7.el4.x86_64.rpm 774b51deb8e133d53cba92831f80d1c9 firefox-debuginfo-1.5.0.12-0.7.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS: firefox-1.5.0.12-0.7.el4.src.rpm 14521bc61a8a3fae6f51e01b7397dcb6 firefox-1.5.0.12-0.7.el4.src.rpm
i386: a77fcb609b6967686ace6611ee46006b firefox-1.5.0.12-0.7.el4.i386.rpm a10903d25275b7f3b45b087f5075ac8d firefox-debuginfo-1.5.0.12-0.7.el4.i386.rpm
ia64: 22a57ce44aa809198be66d6eef97bb9c firefox-1.5.0.12-0.7.el4.ia64.rpm 94f312b4eadfa99165d44c573bec784d firefox-debuginfo-1.5.0.12-0.7.el4.ia64.rpm
x86_64: 3ee97b00b1b1a207bed96c195fac7c32 firefox-1.5.0.12-0.7.el4.x86_64.rpm 774b51deb8e133d53cba92831f80d1c9 firefox-debuginfo-1.5.0.12-0.7.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS: firefox-1.5.0.12-0.7.el4.src.rpm 14521bc61a8a3fae6f51e01b7397dcb6 firefox-1.5.0.12-0.7.el4.src.rpm
i386: a77fcb609b6967686ace6611ee46006b firefox-1.5.0.12-0.7.el4.i386.rpm a10903d25275b7f3b45b087f5075ac8d firefox-debuginfo-1.5.0.12-0.7.el4.i386.rpm
ia64: 22a57ce44aa809198be66d6eef97bb9c firefox-1.5.0.12-0.7.el4.ia64.rpm 94f312b4eadfa99165d44c573bec784d firefox-debuginfo-1.5.0.12-0.7.el4.ia64.rpm
x86_64: 3ee97b00b1b1a207bed96c195fac7c32 firefox-1.5.0.12-0.7.el4.x86_64.rpm 774b51deb8e133d53cba92831f80d1c9 firefox-debuginfo-1.5.0.12-0.7.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
SRPMS: firefox-1.5.0.12-6.el5.src.rpm 8751dd10ea3396a563771e436a3eb1d1 firefox-1.5.0.12-6.el5.src.rpm
i386: e6d7cc39fef9cd508408ebc48d56509f firefox-1.5.0.12-6.el5.i386.rpm 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm
x86_64: e6d7cc39fef9cd508408ebc48d56509f firefox-1.5.0.12-6.el5.i386.rpm a3025709096696676df09a4b2125b2e1 firefox-1.5.0.12-6.el5.x86_64.rpm 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm 3d9792bf0c4946b4e901608ff70a2731 firefox-debuginfo-1.5.0.12-6.el5.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
SRPMS: firefox-1.5.0.12-6.el5.src.rpm 8751dd10ea3396a563771e436a3eb1d1 firefox-1.5.0.12-6.el5.src.rpm
i386: 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm f307deb5f1cca86fe342f99eef6a0400 firefox-devel-1.5.0.12-6.el5.i386.rpm
x86_64: 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm 3d9792bf0c4946b4e901608ff70a2731 firefox-debuginfo-1.5.0.12-6.el5.x86_64.rpm f307deb5f1cca86fe342f99eef6a0400 firefox-devel-1.5.0.12-6.el5.i386.rpm a512569a312536720d54a60b123974c1 firefox-devel-1.5.0.12-6.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
SRPMS: firefox-1.5.0.12-6.el5.src.rpm 8751dd10ea3396a563771e436a3eb1d1 firefox-1.5.0.12-6.el5.src.rpm
i386: e6d7cc39fef9cd508408ebc48d56509f firefox-1.5.0.12-6.el5.i386.rpm 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm f307deb5f1cca86fe342f99eef6a0400 firefox-devel-1.5.0.12-6.el5.i386.rpm
ia64: 2ca6057ea5a0d1cc04128558d4c85069 firefox-1.5.0.12-6.el5.ia64.rpm eeb360a59d2d93916944ad8f77b0c8a3 firefox-debuginfo-1.5.0.12-6.el5.ia64.rpm 83e887e01be14575bddb90b27fd12046 firefox-devel-1.5.0.12-6.el5.ia64.rpm
ppc: 513389cac0f34e73c6ea7268d4105a47 firefox-1.5.0.12-6.el5.ppc.rpm 874161d6167c4fec200ab3c0cc5354ea firefox-debuginfo-1.5.0.12-6.el5.ppc.rpm 6d043336dbfbac647ed0b356b2c0b9a6 firefox-devel-1.5.0.12-6.el5.ppc.rpm
s390x: e94181f34bdbf029e08afd540f4788da firefox-1.5.0.12-6.el5.s390.rpm fddf399d5ec6d03d8b8d8e5deec8ff93 firefox-1.5.0.12-6.el5.s390x.rpm b7c23f1cc8a0e93f4363d2a6af5a4981 firefox-debuginfo-1.5.0.12-6.el5.s390.rpm 0110422f2449199de04754571ab3acec firefox-debuginfo-1.5.0.12-6.el5.s390x.rpm 40acebdc1765435c854d4ffb6e74733c firefox-devel-1.5.0.12-6.el5.s390.rpm 09ad411554d856053321d42f590187b4 firefox-devel-1.5.0.12-6.el5.s390x.rpm
x86_64: e6d7cc39fef9cd508408ebc48d56509f firefox-1.5.0.12-6.el5.i386.rpm a3025709096696676df09a4b2125b2e1 firefox-1.5.0.12-6.el5.x86_64.rpm 999ed30a8fbb750206abbb6fabf13583 firefox-debuginfo-1.5.0.12-6.el5.i386.rpm 3d9792bf0c4946b4e901608ff70a2731 firefox-debuginfo-1.5.0.12-6.el5.x86_64.rpm f307deb5f1cca86fe342f99eef6a0400 firefox-devel-1.5.0.12-6.el5.i386.rpm a512569a312536720d54a60b123974c1 firefox-devel-1.5.0.12-6.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3511 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3844 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5338 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340 http://en.wikipedia.org/wiki/HTTP_response_splitting http://www.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFHGNWqXlSAg2UNWIIRAjdUAJ9qsmnqUCLsbUSJqfWEK3hCpFElsgCeLUXx iXqKe+sQlgYotHUQYpYd7GA= =lf6m -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|