[SLE] Multiple Mozilla security holes - But how to upgrade???
I haven't been able to find v.1.5 for either Firefox or Thunderbird for Suse v.9.3. Is Suse dropping support for it? I haven't seen any discussion of the below on this list, so... For Your Reading Pleasure::::::)

-------- Original Message --------
Subject: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities
Date: Thu, 27 Jul 2006 16:38:20 -0400
From: US-CERT Technical Alerts <technical-alerts@us-cert.gov>
Organization: US-CERT - +1 202-205-5266
To: technical-alerts@us-cert.gov

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA06-208A

Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also be affected.

Overview

The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. More detailed information is available in the individual vulnerability notes, including the following:

VU#476724 - Mozilla products fail to properly handle frame references
Mozilla products fail to properly handle frame or window references. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3801)

VU#670060 - Mozilla fails to properly release JavaScript references
Mozilla products fail to properly release memory. This vulnerability may allow a remote attacker to execute code on a vulnerable system. (CVE-2006-3677)

VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events
Mozilla products are vulnerable to memory corruption via simultaneous XPCOM events. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3113)

VU#265964 - Mozilla products contain a race condition
Mozilla products contain a race condition. This vulnerability may allow a remote attacker to execute code on a vulnerable system. (CVE-2006-3803)

VU#897540 - Mozilla products VCard attachment buffer overflow
Mozilla products fail to properly handle malformed VCard attachments, allowing a buffer overflow to occur. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3804)

VU#876420 - Mozilla fails to properly handle garbage collection
The Mozilla JavaScript engine fails to properly perform garbage collection, which may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3805)

VU#655892 - Mozilla JavaScript engine contains multiple integer overflows
The Mozilla JavaScript engine contains multiple integer overflows. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3806)

VU#687396 - Mozilla products fail to properly validate JavaScript constructors
Mozilla products fail to properly validate references returned by JavaScript constructors. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3807)

VU#527676 - Mozilla contains multiple memory corruption vulnerabilities
Mozilla products contain multiple vulnerabilities that can cause memory corruption. This may allow a remote attacker to execute arbitrary code on a vulnerable system. (CVE-2006-3811)

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause the vulnerable application to crash.

III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and Java in all affected products. Instructions for disabling Java in Firefox can be found in the "Securing Your Web Browser" document.

Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security Advisories - <http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>
* CVE-2006-3801 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>
* CVE-2006-3677 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>
* CVE-2006-3113 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>
* CVE-2006-3803 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>
* CVE-2006-3804 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>
* CVE-2006-3805 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>
* CVE-2006-3806 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>
* CVE-2006-3807 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>
* CVE-2006-3811 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>
* Mozilla Foundation Security Advisories - <http://www.mozilla.org/security/announce/>
* Known Vulnerabilities in Mozilla Products - <http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

____________________________________________________________________

The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use: <http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

Jul 27, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA==
=HwuK
-----END PGP SIGNATURE-----

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
On Friday 28 July 2006 18:37, ken wrote:
I haven't been able to find v.1.5 for either Firefox or Thunderbird for Suse v.9.3. Is Suse dropping support for it?
Start here and pick your architecture:

ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE

Under the correct directory for your architecture are a number of directories for various projects/applications. For example, under the directory for 9.3 on i386 (32-bit) is a directory called "RPMS.mozilla":

ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.3-i386/RPMS.mozilla

The rpm packages you want are there.

hth & regards,

Carl

P.S.: You might consider installing apt for SUSE 9.3... works a treat here (on 10.0, too.) There should even be an apt installation script and instructions here: http://linux01.gwdg.de/apt4rpm/
Carl Hartung wrote:
...
ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE
....
ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.3-i386/RPMS.mozilla
The rpm packages you want are there.
hth & regards,
Carl
P.S.: You might consider installing apt for SUSE 9.3... works a treat here (on 10.0, too.) There should even be an apt installation script and instructions here: http://linux01.gwdg.de/apt4rpm/
Carl,

Muchissimas Dank. Sehr appreciated. I never would have thought to look for RPMs under an "apt" subdirectory. I guess I need to think more outside the box once in a while. One of the factors which drew me to Suse was that it spoke both RPM and apt. If I didn't have to take time to unsurprise myself so frequently, I'd probably get to the latter sooner.

One further surprise is that Wolfgang Rosenauer's (who signed the Mozilla packages I downloaded) gpg key isn't signed by anyone. Yes, I've heard the name before. But I or anyone else could post a public key claiming to be anyone -- for example, have a look at all those claiming to be the First Dufus: <http://pgp.mit.edu:11371/pks/lookup?search=%22George+Bush%22&op=index>, even providing an accurate mailto. So just to humor those of us who try to read and follow the docs and best practices, could a few folks at Novell, folks who know (the real) Wolfgang sufficiently, ascertain that the posted gpg signature at <http://pgp.mit.edu:11371/pks/lookup?search=0x71423d59&op=index> is his, then sign it. (It's a little weird that this hasn't already been done.. or am I reading the wrong docs?)

TIA. Sorry for the inconvenience.

Thanks again, Carl,
ken wrote:
> One further surprise is that Wolfgang Rosenauer's (who signed the Mozilla packages I downloaded) gpg key isn't signed by anyone.

To import a gpg signature into RPM, I usually have to delete all the other signatures, otherwise it won't work IIRC. So the fact it is only his sig suggests he meant for it to be imported into your rpm database. Quite nice of him IMHO.

--
Joe Morris
Registered Linux user 231871
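The two messages above turn on one question: does the packager's key carry any certification besides its own self-signature, or is it, as ken found, "not signed by anyone"? The script below is an added example, not code from this thread or from SUSE. It parses the machine-readable output of `gpg --with-colons --list-sigs <keyid>` and reports, per public key, how many self-signatures and how many third-party certifications it carries. The key IDs, user IDs and timestamps in the embedded sample are constructed for the demonstration and are not Wolfgang Rosenauer's real key data; the `list_sigs_via_gpg` helper is an assumption that a `gpg` binary is on the PATH and is only needed when you want to run it against a live keyring.

```python
"""Report whether GnuPG public keys carry third-party certifications.

Added example for the SUSE list thread on verifying the Mozilla package
signer's key; not code from the thread or from SUSE. Parses the colon
format of `gpg --with-colons --list-sigs` (documented in GnuPG's DETAILS
file): field 1 is the record type, field 5 the long key ID, field 10 the
user ID, and field 11 (on sig records) the signature class.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field


@dataclass
class KeyReport:
    keyid: str
    uids: list[str] = field(default_factory=list)
    self_sigs: int = 0
    # signer long key ID -> signer user ID, for certifications by other keys
    third_party: dict[str, str] = field(default_factory=dict)

    @property
    def is_certified(self) -> bool:
        """True when at least one key other than this one certified a user ID."""
        return bool(self.third_party)


def parse_list_sigs(text: str) -> list[KeyReport]:
    """Turn `gpg --with-colons --list-sigs` output into one report per pub key."""
    reports: list[KeyReport] = []
    current: KeyReport | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = KeyReport(keyid=f[4].upper())
            reports.append(current)
            continue
        if current is None:
            continue  # tru/other header records before the first pub
        if rtype == "uid":
            current.uids.append(f[9])
        elif rtype == "sig":
            sig_class = f[10] if len(f) > 10 else ""
            # Only user-ID certifications (classes 0x10-0x13) count; subkey
            # binding signatures (0x18) and revocations are not certifications.
            if not sig_class.startswith(("10", "11", "12", "13")):
                continue
            signer = f[4].upper()
            if signer == current.keyid:
                current.self_sigs += 1
            else:
                current.third_party.setdefault(signer, f[9])
    return reports


def uncertified_keys(text: str) -> list[str]:
    """Key IDs that carry no certification from any other key."""
    return [r.keyid for r in parse_list_sigs(text) if not r.is_certified]


def list_sigs_via_gpg(keyid: str) -> str:
    """Assumption: a `gpg` binary is available; fetches live keyring output."""
    proc = subprocess.run(
        ["gpg", "--with-colons", "--list-sigs", keyid],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample: first key is self-signed only, second has two
# certifications from other keys. All IDs and names are made up.
SAMPLE_LIST_SIGS = """\
tru::1:1154000000:0:3:1:5
pub:-:1024:17:ABCDEF0123456789:1100000000:::-:::scESC:
uid:-::::1100000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Packager <packager@example.org>:
sig:::17:ABCDEF0123456789:1100000000::::Example Packager <packager@example.org>:13x:
sub:-:2048:16:0011223344556677:1100000000::::::e:
sig:::17:ABCDEF0123456789:1100000000::::Example Packager <packager@example.org>:18x:
pub:-:1024:17:1122334455667788:1100000000:::-:::scESC:
uid:-::::1100000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Well-Connected Dev <dev@example.org>:
sig:::17:1122334455667788:1100000000::::Well-Connected Dev <dev@example.org>:13x:
sig:::17:99AABBCCDDEEFF00:1150000000::::Colleague One <one@example.org>:10x:
sig:::17:0F1E2D3C4B5A6978:1150000000::::Colleague Two <two@example.org>:12x:
"""

if __name__ == "__main__":
    for r in parse_list_sigs(SAMPLE_LIST_SIGS):
        status = "certified" if r.is_certified else "SELF-SIGNED ONLY"
        print(f"{r.keyid} {r.uids[0]!r}: {r.self_sigs} self-sig(s), "
              f"{len(r.third_party)} third-party cert(s) -> {status}")
```

A key that reports "SELF-SIGNED ONLY" is exactly ken's situation: `rpm --import` will happily accept it and `rpm --checksig` will then pass, but nothing on the key itself tells you who holds it. Certification by people you already trust, or confirming the fingerprint over a channel other than the keyserver, is what turns "the package is signed" into "the package is signed by the person I think it is".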
On Fri, Jul 28, 2006 at 06:37:15PM -0400, ken wrote:
I haven't been able to find v.1.5 for either Firefox or Thunderbird for Suse v.9.3. Is Suse dropping support for it?
We would really like to cancel any Mozilla support, but no.

We are planning to release a version upgrade of Firefox 1.0.x to 1.5.0.x pretty soon to fix the issues for NLD 9, SUSE Linux 9.2 -> 10.0. (10.1 has Firefox 1.5 already.)

Ciao, Marcus
participants (4): Carl Hartung, Joe Morris (NTM), ken, Marcus Meissner