Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2008:0879-01] Critical: firefox security update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Critical: firefox security update

Advisory ID: RHSA-2008:0879-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0879.html

Issue date: 2008-09-23

CVE Names: CVE-2008-3837 CVE-2008-4058 CVE-2008-4060

CVE-2008-4061 CVE-2008-4062 CVE-2008-4063

CVE-2008-4064 CVE-2008-4065 CVE-2008-4067

CVE-2008-4068

=====================================================================

 

1. Summary:

 

An updated firefox package that fixes various security issues is now

available for Red Hat Enterprise Linux 4 and 5.

 

This update has been rated as having critical security impact by the Red

Hat Security Response Team.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

 

3. Description:

 

Mozilla Firefox is an open source Web browser.

 

Several flaws were found in the processing of malformed web content. A web

page containing malicious content could cause Firefox to crash or,

potentially, execute arbitrary code as the user running Firefox.

(CVE-2008-4058, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062,

CVE-2008-4063, CVE-2008-4064)

 

Several flaws were found in the way malformed web content was displayed. A

web page containing specially crafted content could potentially trick a

Firefox user into surrendering sensitive information. (CVE-2008-4067,

CVE-2008-4068)

 

A flaw was found in the way Firefox handles mouse click events. A web page

containing specially crafted JavaScript code could move the content window

while a mouse-button was pressed, causing any item under the pointer to be

dragged. This could, potentially, cause the user to perform an unsafe

drag-and-drop action. (CVE-2008-3837)

 

A flaw was found in Firefox that caused certain characters to be stripped

from JavaScript code. This flaw could allow malicious JavaScript to bypass

or evade script filters. (CVE-2008-4065)

 

For technical details regarding these flaws, please see the Mozilla

security advisories for Firefox 3.0.2. You can find a link to the Mozilla

advisories in the References section.

 

All firefox users should upgrade to this updated package, which contains

backported patches that correct these issues.

 

4. Solution:

 

Before applying this update, make sure that all previously-released

errata relevant to your system have been applied.

 

This update is available via Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

http://kbase.redhat.com/faq/FAQ_58_10188

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

463189 - CVE-2008-3837 Forced mouse drag

463190 - CVE-2008-4058 Mozilla privilege escalation via XPCnativeWrapper pollution

463198 - CVE-2008-4060 Mozilla privilege escalation via XPCnativeWrapper pollution

463199 - CVE-2008-4061 Mozilla layout engine crash

463201 - CVE-2008-4062 Mozilla crashes with evidence of memory corruption

463203 - CVE-2008-4063 Mozilla crashes with evidence of memory corruption

463204 - CVE-2008-4064 Mozilla crashes with evidence of memory corruption

463234 - CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution

463246 - CVE-2008-4067 Mozilla resource: traversal vulnerability

463248 - CVE-2008-4068 Mozilla local HTML file recource: bypass

 

6. Package List:

 

Red Hat Enterprise Linux AS version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-3.0.2-3.el4.src.rpm

 

i386:

firefox-3.0.2-3.el4.i386.rpm

firefox-debuginfo-3.0.2-3.el4.i386.rpm

 

ia64:

firefox-3.0.2-3.el4.ia64.rpm

firefox-debuginfo-3.0.2-3.el4.ia64.rpm

 

ppc:

firefox-3.0.2-3.el4.ppc.rpm

firefox-debuginfo-3.0.2-3.el4.ppc.rpm

 

s390:

firefox-3.0.2-3.el4.s390.rpm

firefox-debuginfo-3.0.2-3.el4.s390.rpm

 

s390x:

firefox-3.0.2-3.el4.s390x.rpm

firefox-debuginfo-3.0.2-3.el4.s390x.rpm

 

x86_64:

firefox-3.0.2-3.el4.x86_64.rpm

firefox-debuginfo-3.0.2-3.el4.x86_64.rpm

 

Red Hat Enterprise Linux Desktop version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-3.0.2-3.el4.src.rpm

 

i386:

firefox-3.0.2-3.el4.i386.rpm

firefox-debuginfo-3.0.2-3.el4.i386.rpm

 

x86_64:

firefox-3.0.2-3.el4.x86_64.rpm

firefox-debuginfo-3.0.2-3.el4.x86_64.rpm

 

Red Hat Enterprise Linux ES version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-3.0.2-3.el4.src.rpm

 

i386:

firefox-3.0.2-3.el4.i386.rpm

firefox-debuginfo-3.0.2-3.el4.i386.rpm

 

ia64:

firefox-3.0.2-3.el4.ia64.rpm

firefox-debuginfo-3.0.2-3.el4.ia64.rpm

 

x86_64:

firefox-3.0.2-3.el4.x86_64.rpm

firefox-debuginfo-3.0.2-3.el4.x86_64.rpm

 

Red Hat Enterprise Linux WS version 4:

 

Source:

ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-3.0.2-3.el4.src.rpm

 

i386:

firefox-3.0.2-3.el4.i386.rpm

firefox-debuginfo-3.0.2-3.el4.i386.rpm

 

ia64:

firefox-3.0.2-3.el4.ia64.rpm

firefox-debuginfo-3.0.2-3.el4.ia64.rpm

 

x86_64:

firefox-3.0.2-3.el4.x86_64.rpm

firefox-debuginfo-3.0.2-3.el4.x86_64.rpm

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-19.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-3.0.2-3.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.1.1-1.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.2-5.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/yelp-2.16.0-21.el5.src.rpm

 

i386:

devhelp-0.12-19.el5.i386.rpm

devhelp-debuginfo-0.12-19.el5.i386.rpm

firefox-3.0.2-3.el5.i386.rpm

firefox-debuginfo-3.0.2-3.el5.i386.rpm

nss-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-tools-3.12.1.1-1.el5.i386.rpm

xulrunner-1.9.0.2-5.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

yelp-2.16.0-21.el5.i386.rpm

yelp-debuginfo-2.16.0-21.el5.i386.rpm

 

x86_64:

devhelp-0.12-19.el5.i386.rpm

devhelp-0.12-19.el5.x86_64.rpm

devhelp-debuginfo-0.12-19.el5.i386.rpm

devhelp-debuginfo-0.12-19.el5.x86_64.rpm

firefox-3.0.2-3.el5.i386.rpm

firefox-3.0.2-3.el5.x86_64.rpm

firefox-debuginfo-3.0.2-3.el5.i386.rpm

firefox-debuginfo-3.0.2-3.el5.x86_64.rpm

nss-3.12.1.1-1.el5.i386.rpm

nss-3.12.1.1-1.el5.x86_64.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.x86_64.rpm

nss-tools-3.12.1.1-1.el5.x86_64.rpm

xulrunner-1.9.0.2-5.el5.i386.rpm

xulrunner-1.9.0.2-5.el5.x86_64.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.x86_64.rpm

yelp-2.16.0-21.el5.x86_64.rpm

yelp-debuginfo-2.16.0-21.el5.x86_64.rpm

 

RHEL Desktop Workstation (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/devhelp-0.12-19.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.12.1.1-1.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-1.9.0.2-5.el5.src.rpm

 

i386:

devhelp-debuginfo-0.12-19.el5.i386.rpm

devhelp-devel-0.12-19.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-devel-3.12.1.1-1.el5.i386.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.i386.rpm

 

x86_64:

devhelp-debuginfo-0.12-19.el5.i386.rpm

devhelp-debuginfo-0.12-19.el5.x86_64.rpm

devhelp-devel-0.12-19.el5.i386.rpm

devhelp-devel-0.12-19.el5.x86_64.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.x86_64.rpm

nss-devel-3.12.1.1-1.el5.i386.rpm

nss-devel-3.12.1.1-1.el5.x86_64.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.i386.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.x86_64.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.x86_64.rpm

xulrunner-devel-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-1.9.0.2-5.el5.x86_64.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.x86_64.rpm

 

Red Hat Enterprise Linux (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/devhelp-0.12-19.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-3.0.2-3.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.12.1.1-1.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-1.9.0.2-5.el5.src.rpm

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/yelp-2.16.0-21.el5.src.rpm

 

i386:

devhelp-0.12-19.el5.i386.rpm

devhelp-debuginfo-0.12-19.el5.i386.rpm

devhelp-devel-0.12-19.el5.i386.rpm

firefox-3.0.2-3.el5.i386.rpm

firefox-debuginfo-3.0.2-3.el5.i386.rpm

nss-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-devel-3.12.1.1-1.el5.i386.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.i386.rpm

nss-tools-3.12.1.1-1.el5.i386.rpm

xulrunner-1.9.0.2-5.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.i386.rpm

yelp-2.16.0-21.el5.i386.rpm

yelp-debuginfo-2.16.0-21.el5.i386.rpm

 

ia64:

devhelp-0.12-19.el5.ia64.rpm

devhelp-debuginfo-0.12-19.el5.ia64.rpm

devhelp-devel-0.12-19.el5.ia64.rpm

firefox-3.0.2-3.el5.ia64.rpm

firefox-debuginfo-3.0.2-3.el5.ia64.rpm

nss-3.12.1.1-1.el5.i386.rpm

nss-3.12.1.1-1.el5.ia64.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.ia64.rpm

nss-devel-3.12.1.1-1.el5.ia64.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.ia64.rpm

nss-tools-3.12.1.1-1.el5.ia64.rpm

xulrunner-1.9.0.2-5.el5.ia64.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.ia64.rpm

xulrunner-devel-1.9.0.2-5.el5.ia64.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.ia64.rpm

yelp-2.16.0-21.el5.ia64.rpm

yelp-debuginfo-2.16.0-21.el5.ia64.rpm

 

ppc:

devhelp-0.12-19.el5.ppc.rpm

devhelp-debuginfo-0.12-19.el5.ppc.rpm

devhelp-devel-0.12-19.el5.ppc.rpm

firefox-3.0.2-3.el5.ppc.rpm

firefox-debuginfo-3.0.2-3.el5.ppc.rpm

nss-3.12.1.1-1.el5.ppc.rpm

nss-3.12.1.1-1.el5.ppc64.rpm

nss-debuginfo-3.12.1.1-1.el5.ppc.rpm

nss-debuginfo-3.12.1.1-1.el5.ppc64.rpm

nss-devel-3.12.1.1-1.el5.ppc.rpm

nss-devel-3.12.1.1-1.el5.ppc64.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.ppc.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.ppc64.rpm

nss-tools-3.12.1.1-1.el5.ppc.rpm

xulrunner-1.9.0.2-5.el5.ppc.rpm

xulrunner-1.9.0.2-5.el5.ppc64.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.ppc.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.ppc64.rpm

xulrunner-devel-1.9.0.2-5.el5.ppc.rpm

xulrunner-devel-1.9.0.2-5.el5.ppc64.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.ppc.rpm

yelp-2.16.0-21.el5.ppc.rpm

yelp-debuginfo-2.16.0-21.el5.ppc.rpm

 

s390x:

devhelp-0.12-19.el5.s390.rpm

devhelp-0.12-19.el5.s390x.rpm

devhelp-debuginfo-0.12-19.el5.s390.rpm

devhelp-debuginfo-0.12-19.el5.s390x.rpm

devhelp-devel-0.12-19.el5.s390.rpm

devhelp-devel-0.12-19.el5.s390x.rpm

firefox-3.0.2-3.el5.s390.rpm

firefox-3.0.2-3.el5.s390x.rpm

firefox-debuginfo-3.0.2-3.el5.s390.rpm

firefox-debuginfo-3.0.2-3.el5.s390x.rpm

nss-3.12.1.1-1.el5.s390.rpm

nss-3.12.1.1-1.el5.s390x.rpm

nss-debuginfo-3.12.1.1-1.el5.s390.rpm

nss-debuginfo-3.12.1.1-1.el5.s390x.rpm

nss-devel-3.12.1.1-1.el5.s390.rpm

nss-devel-3.12.1.1-1.el5.s390x.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.s390.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.s390x.rpm

nss-tools-3.12.1.1-1.el5.s390x.rpm

xulrunner-1.9.0.2-5.el5.s390.rpm

xulrunner-1.9.0.2-5.el5.s390x.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.s390.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.s390x.rpm

xulrunner-devel-1.9.0.2-5.el5.s390.rpm

xulrunner-devel-1.9.0.2-5.el5.s390x.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.s390x.rpm

yelp-2.16.0-21.el5.s390x.rpm

yelp-debuginfo-2.16.0-21.el5.s390x.rpm

 

x86_64:

devhelp-0.12-19.el5.i386.rpm

devhelp-0.12-19.el5.x86_64.rpm

devhelp-debuginfo-0.12-19.el5.i386.rpm

devhelp-debuginfo-0.12-19.el5.x86_64.rpm

devhelp-devel-0.12-19.el5.i386.rpm

devhelp-devel-0.12-19.el5.x86_64.rpm

firefox-3.0.2-3.el5.i386.rpm

firefox-3.0.2-3.el5.x86_64.rpm

firefox-debuginfo-3.0.2-3.el5.i386.rpm

firefox-debuginfo-3.0.2-3.el5.x86_64.rpm

nss-3.12.1.1-1.el5.i386.rpm

nss-3.12.1.1-1.el5.x86_64.rpm

nss-debuginfo-3.12.1.1-1.el5.i386.rpm

nss-debuginfo-3.12.1.1-1.el5.x86_64.rpm

nss-devel-3.12.1.1-1.el5.i386.rpm

nss-devel-3.12.1.1-1.el5.x86_64.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.i386.rpm

nss-pkcs11-devel-3.12.1.1-1.el5.x86_64.rpm

nss-tools-3.12.1.1-1.el5.x86_64.rpm

xulrunner-1.9.0.2-5.el5.i386.rpm

xulrunner-1.9.0.2-5.el5.x86_64.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.i386.rpm

xulrunner-debuginfo-1.9.0.2-5.el5.x86_64.rpm

xulrunner-devel-1.9.0.2-5.el5.i386.rpm

xulrunner-devel-1.9.0.2-5.el5.x86_64.rpm

xulrunner-devel-unstable-1.9.0.2-5.el5.x86_64.rpm

yelp-2.16.0-21.el5.x86_64.rpm

yelp-debuginfo-2.16.0-21.el5.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://www.redhat.com/security/team/key/#package

 

7. References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3837

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4058

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4060

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4061

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4062

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4063

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4064

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4065

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4067

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4068

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://www.redhat.com/security/team/contact/

 

Copyright 2008 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFI2aPGXlSAg2UNWIIRAjOKAJ9HDll1WzlDoGIxaGb9LQBp/Pj79QCgiS7P

/TaVMwxAFB9D96eC+I95s5s=

=+cOv

-----END PGP SIGNATURE-----

 

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×