https://bugzilla.novell.com/show_bug.cgi?id=639552

https://bugzilla.novell.com/show_bug.cgi?id=639552#c0

Summary: VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security bug Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code (related: Thunderbird 3.1.2 Thunderbird 3.0.6 SeaMonkey 2.0.6 )
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Firefox
AssignedTo: bnc-team-mozilla@forge.provo.novell.com
ReportedBy: Martin.Seidler@web.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.8 SUSE/7.0.522.0 (KHTML, like Gecko) Chrome/7.0.522.0 Safari/534.8

Will also affect 11.3 ; Firefox 3.5.11 ; Thunderbird 3.1.2 ; Thunderbird 3.0.6 ; SeaMonkey 2.0.6 )

References

[1] http://www.mozilla.org/security/announce/2010/mfsa2010-49.html
"Title: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
Impact: Critical
Announced: September 7, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.6.9
Firefox 3.5.12
Thunderbird 3.1.3
Thunderbird 3.0.7
SeaMonkey 2.0.7"

[2] Mozilla Thunderbird Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code
SecurityTracker; SecurityTracker URL: http://securitytracker.com/id?1024403 (2010-09-08)
"Impact: A remote user can create a HTML that, when loaded by the target user, will execute arbitrary code on the target user's system. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the target site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A remote user can obtain potentially sensitive information.
Solution: The vendor has issued a fix (3.0.7, 3.1.3). "

[3] Mozilla Firefox DLL Loading Error Lets Remote Users Execute Arbitrary Code; SecurityTracker URL: http://securitytracker.com/id?1024406 (2010-09-08)

[4] Mozilla Firefox Bugs Let Remote Users Conduct Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code, SecurityTracker URL: http://securitytracker.com/id?1024401 (2010-09-08)

Reproducible: Didn't try

Steps to Reproduce:
This bug is public and the vendor Mozilla has released fixing versions on 2010-09-07.
1. Try to build a Cross-Site Scripting attacking page?
2. Read the references.

Actual Results:
I cannot find a coordinated release date (CRD) set or an openSUSE security warning.

Expected Results:
1. Release a security warning (documentation bug).
2. Update to Mozilla Firefox 3.6.9 and 3.5.12 ; Thunderbird 3.1.3 ; Thunderbird 3.0.7 ; SeaMonkey 2.0.7
- Push the release to main repository update and the maybe the further openSUSE testing.

[5] Problems with mozilla-nspr (Netscape Portable Runtime) ? :
http://lists.opensuse.org/opensuse-factory-mozilla/2010-09/msg00000.html
What (how stable) is "mozilla-nspr 4.8.6-1.1 Changelog: 23 July 2010 ([...]): - update to 4.8.6 "? in
http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/i586/
http://download.opensuse.org/repositories/mozilla/openSUSE_11.3/i586/
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.6/
Compare: 4.8.*3*
http://www.mozilla.org/projects/nspr/release-notes/
http://www.mozilla.org/projects/nspr/release-notes/nspr483.html
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.3/

[6] http://forums.opensuse.org/english/community/general-chit-chat/445980-securi...