[Full-disclosure] [FLSA-2005:158149] Updated mozilla packages fix security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 07/16/05

    Date: Fri, 15 Jul 2005 22:00:46 -0400
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

    ---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

    Synopsis: Updated mozilla packages fix security issues
    Advisory ID: FLSA:158149
    Issue date: 2005-07-15
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    CVE Names: CAN-2005-1476 CAN-2005-1477 CAN-2005-1531
                       CAN-2005-1532
    ---------------------------------------------------------------------

    ---------------------------------------------------------------------
    1. Topic:

    Updated mozilla packages that fix various security bugs are now
    available.

    Mozilla is an open source Web browser, advanced email and newsgroup
    client, IRC chat client, and HTML editor.

    2. Relevant releases/architectures:

    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386
    Fedora Core 2 - i386

    3. Problem description:

    Several bugs were found in the way Mozilla executes javascript code.
    Javascript executed from a web page should run with a restricted access
    level, preventing dangerous actions. It is possible that a malicious web
    page could execute javascript code with elevated privileges, allowing
    access to protected data and functions. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476,
    CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues.

    Users of Mozilla are advised to upgrade to this updated package, which
    contains Mozilla version 1.7.8 to correct these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which
    are not installed but included in the list will not be updated. Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    5. Bug IDs fixed:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158149

    6. RPMs required:

    Red Hat Linux 7.3:
    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.8-0.73.1.legacy.src.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.3.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.8-0.73.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.3.legacy.i386.rpm

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.8-0.90.1.legacy.src.rpm
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.3.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.8-0.90.1.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.3.legacy.i386.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.8-1.1.1.legacy.src.rpm
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.3.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.8-1.1.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.3.legacy.i386.rpm

    Fedora Core 2:

    SRPM:
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.8-1.2.1.legacy.src.rpm
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.4.legacy.src.rpm
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.7.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.8-1.2.1.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.7.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.7.legacy.i386.rpm

    7. Verification:

    SHA1 sum Package Name
    ---------------------------------------------------------------------


    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    You can verify each package with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:

        sha1sum <filename>

    8. References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1531
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1532

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
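
The verification step in section 7, scripted as an added example; it is not part of the advisory or of Fedora Legacy's tooling. It assumes the advisory's checksum list has been saved to a file with each 40-hex SHA1 sum on one line and the package path on the next; `verify_rpms` and `advisory.txt` are hypothetical names.

```sh
#!/bin/sh
# Added example: hypothetical helper, not Fedora Legacy tooling.
# Assumed checksum-list layout: a 40-hex SHA1 line, then the package path
# on the following line (leading/trailing whitespace ignored).

# verify_rpms LIST DIR
#   Compares every *.rpm in DIR with the sum listed for its file name.
#   Returns 0 only when at least one RPM exists and all are listed and match.
verify_rpms() {
    list=$1; dir=$2; rc=0; found=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue          # glob matched nothing
        found=1
        name=${f##*/}
        # Print the hash line that immediately precedes ".../NAME".
        want=$(awk -v n="$name" '
            { gsub(/^[ \t]+|[ \t\r]+$/, "") }
            prev ~ /^[0-9a-f]+$/ && length(prev) == 40 &&
              ($0 == n || substr($0, length($0) - length(n)) == "/" n) {
                print prev; exit
            }
            { prev = $0 }' "$list")
        have=$(sha1sum "$f" | cut -d' ' -f1)
        if [ -z "$want" ]; then
            echo "UNLISTED $name" >&2; rc=1   # fail closed: not in the list
        elif [ "$want" != "$have" ]; then
            echo "MISMATCH $name" >&2; rc=1
        else
            echo "OK       $name"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no RPMs found in $dir" >&2; return 1; }
    return "$rc"
}

# Typical order of operations (commented out so the file is safe to source):
#   verify_rpms advisory.txt . && rpm --checksig -v ./*.rpm && rpm -Fvh ./*.rpm
```

The function treats an RPM that is absent from the list as a failure, so a stray file in the directory stops the chain before `rpm -Fvh` runs.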


