openSUSE Security Update: seamonkey: 1.1.19 security update ______________________________________________________________________________
Announcement ID: openSUSE-SU-2010:0273-1 Rating: important References: #590499 Cross-References: CVE-2009-0689 CVE-2009-2463 CVE-2009-3072 CVE-2009-3075 CVE-2009-3077 CVE-2009-3376 CVE-2009-3385 CVE-2009-3983 CVE-2010-0161 CVE-2010-0163 Affected Products: openSUSE 11.1 openSUSE 11.0 ______________________________________________________________________________
An update that fixes 10 vulnerabilities is now available. It includes one version update.
This update brings Mozilla Seamonkey to 1.1.19 fixing various bugs and security issues.
Following security issues are fixed: MFSA 2010-07: Mozilla developers took fixes from previously fixed memory safety bugs in newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey 1.1.
MFSA 2009-68 / CVE-2009-3983: Security researcher Takehiro Takahashi of the IBM X-Force reported that Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser. If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.
MFSA 2009-62 / CVE-2009-3376: Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file.
Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.
MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.
Please see http://www.mozilla.org/security/known-vulnerabilities/seamon key11.html
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 11.1:
zypper in -t patch seamonkey-2388
- openSUSE 11.0:
zypper in -t patch seamonkey-2388
To bring your system up-to-date, use "zypper patch".
- openSUSE 11.1 (i586 ppc src x86_64) [New Version: 1.1.19]:
- openSUSE 11.1 (i586 ppc x86_64) [New Version: 1.1.19]:
seamonkey-dom-inspector-1.1.19-0.1.1 seamonkey-irc-1.1.19-0.1.1 seamonkey-mail-1.1.19-0.1.1 seamonkey-spellchecker-1.1.19-0.1.1 seamonkey-venkman-1.1.19-0.1.1
- openSUSE 11.0 (i586 ppc src x86_64) [New Version: 1.1.19]:
- openSUSE 11.0 (i586 ppc x86_64) [New Version: 1.1.19]:
seamonkey-dom-inspector-1.1.19-0.1 seamonkey-irc-1.1.19-0.1 seamonkey-mail-1.1.19-0.1 seamonkey-spellchecker-1.1.19-0.1 seamonkey-venkman-1.1.19-0.1
http://support.novell.com/security/cve/CVE-2009-0689.html http://support.novell.com/security/cve/CVE-2009-2463.html http://support.novell.com/security/cve/CVE-2009-3072.html http://support.novell.com/security/cve/CVE-2009-3075.html http://support.novell.com/security/cve/CVE-2009-3077.html http://support.novell.com/security/cve/CVE-2009-3376.html http://support.novell.com/security/cve/CVE-2009-3385.html http://support.novell.com/security/cve/CVE-2009-3983.html http://support.novell.com/security/cve/CVE-2010-0161.html http://support.novell.com/security/cve/CVE-2010-0163.html https://bugzilla.novell.com/590499