[Bug 639552] New: VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security bug Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code (related: Thunderbird 3.1.2 Thunderbird 3.0.6 SeaMonkey 2.0.6 )
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 15 Sep 2010 14:51:20 +0000
  • Message-id: <bug-639552-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>

https://bugzilla.novell.com/show_bug.cgi?id=639552

https://bugzilla.novell.com/show_bug.cgi?id=639552#c0


Summary: VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security bug Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code (related: Thunderbird 3.1.2 Thunderbird 3.0.6 SeaMonkey 2.0.6 )
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Firefox
AssignedTo: bnc-team-mozilla@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: Martin.Seidler@xxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.8
SUSE/7.0.522.0 (KHTML, like Gecko) Chrome/7.0.522.0 Safari/534.8

Will also affect 11.3; Firefox 3.5.11; Thunderbird 3.1.2; Thunderbird 3.0.6; SeaMonkey 2.0.6.

References

[1] http://www.mozilla.org/security/announce/2010/mfsa2010-49.html
"Title: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
Impact: Critical
Announced: September 7, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.9 Firefox 3.5.12 Thunderbird 3.1.3 Thunderbird
3.0.7 SeaMonkey 2.0.7"

[2] Mozilla Thunderbird Bugs Let Remote Users Conduct Cross-Site
Scripting Attacks, Obtain Potentially Sensitive Information, and Execute
Arbitrary Code; SecurityTracker URL:
http://securitytracker.com/id?1024403
(2010-09-08)
"Impact: A remote user can create a HTML that, when loaded by the
target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the target site, access
data recently submitted by the target user via web form to the site, or
take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.
Solution: The vendor has issued a fix (3.0.7, 3.1.3).
"
[3] Mozilla Firefox DLL Loading Error Lets Remote Users Execute
Arbitrary Code; SecurityTracker URL:
http://securitytracker.com/id?1024406
(2010-09-08)

[4] Mozilla Firefox Bugs Let Remote Users Conduct Cross-Site Scripting
Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary
Code, SecurityTracker URL:
http://securitytracker.com/id?1024401
(2010-09-08)

Reproducible: Didn't try

Steps to Reproduce:
This bug is public and the vendor Mozilla has released fixing versions on
2010-09-07.
1. Try to build a Cross-Site Scripting attacking page?
2. Read the references.
Actual Results:
I cannot find a coordinated release date (CRD) set or an openSUSE security
warning.

Expected Results:
1. Release a security warning (documentation bug).
2. Update to Mozilla Firefox 3.6.9 and 3.5.12; Thunderbird 3.1.3; Thunderbird
3.0.7; SeaMonkey 2.0.7. Push the release to the main update repository and
maybe to further openSUSE testing.


[5] Problems with mozilla-nspr (Netscape Portable Runtime)?:
http://lists.opensuse.org/opensuse-factory-mozilla/2010-09/msg00000.html

What (how stable) is
"mozilla-nspr 4.8.6-1.1
Changelog:
23 July 2010 ([...]):
- update to 4.8.6"
in
http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/i586/
http://download.opensuse.org/repositories/mozilla/openSUSE_11.3/i586/
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.6/

Compare:
4.8.*3*
http://www.mozilla.org/projects/nspr/release-notes/
http://www.mozilla.org/projects/nspr/release-notes/nspr483.html
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.3/

[6]
http://forums.opensuse.org/english/community/general-chit-chat/445980-security-issues-how-do-users-maintainers-developers-work-together-exemple-opera-10-60-issues.html
