MDKSA-2004:021 - Updated mozilla packages fix multiple vulnerabilities

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 03/10/04

  • Next message: Luigi Auriemma: "Format string bug in EpicGames Unreal engine" 
    Date: 10 Mar 2004 16:28:13 -0000
To: bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: mozilla
     Advisory ID: MDKSA-2004:021
     Date: March 10th, 2004

     Affected versions: 9.2
     ______________________________________________________________________

     Problem Description:

     A number of vulnerabilities were discovered in Mozilla 1.4:
     
     A malicious website could gain access to a user's authentication
     credentials to a proxy server.
     
     Script.prototype.freeze/thaw could allow an attacker to run
     arbitrary code on your computer.
     
     A vulnerability was also discovered in the NSS security suite which
     ships with Mozilla. The S/MIME implementation would allow remote
     attackers to cause a Denial of Service and possibly execute arbitrary
     code via an S/MIME email message containing certain unexpected ASN.1
     constructs, which was demonstrated using the NISCC test suite. NSS
     version 3.9 corrects these problems and has been included in this
     package (which shipped with NSS 3.8).
     
     Finally, Corsaire discovered that a number of HTTP user agents
     contained a flaw in how they handle cookies. This flaw could
     allow an attacker to avoid the path restrictions specified by a
     cookie's originator. According to their advisory:
     
     "The cookie specifications detail a path argument that can be used to
     restrict the areas of a host that will be exposed to a cookie. By
     using standard traversal techniques this functionality can be
     subverted, potentially exposing the cookie to scrutiny and use in
     further attacks."
     
     As well, a bug with Mozilla and Finnish keyboards has been corrected.
     
     The updated packages are patched to correct these vulnerabilities.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0594
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
      http://www.kb.cert.org/vuls/id/428230
      http://bugzilla.mozilla.org/show_bug.cgi?id=220122
      http://bugzilla.mozilla.org/show_bug.cgi?id=221526
      http://bugzilla.mozilla.org/show_bug.cgi?id=213012
      http://www.uniras.gov.uk/vuls/2003/006489/smime.htm
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 9.2:
     c38912bc7ec63477a99d54ca9d0da6a2 9.2/RPMS/libnspr4-1.4-13.2.92mdk.i586.rpm
     0389815c9e7dbe3e10fc0c26375bb3b1 9.2/RPMS/libnspr4-devel-1.4-13.2.92mdk.i586.rpm
     7646ec4e16c2c9358dcc98ebabf0a3b9 9.2/RPMS/libnss3-1.4-13.2.92mdk.i586.rpm
     63a527da7c61047ba425606e94ecd3be 9.2/RPMS/libnss3-devel-1.4-13.2.92mdk.i586.rpm
     e8bbe96aeb65cfab46ffe2aa354d902f 9.2/RPMS/mozilla-1.4-13.2.92mdk.i586.rpm
     dfa83fa168d574770a8799c581e18335 9.2/RPMS/mozilla-devel-1.4-13.2.92mdk.i586.rpm
     bb2b9c485b566b219749366c62500721 9.2/RPMS/mozilla-dom-inspector-1.4-13.2.92mdk.i586.rpm
     ad11d0c4800bd95452d00a8ebaf5d98b 9.2/RPMS/mozilla-enigmail-1.4-13.2.92mdk.i586.rpm
     5fc51520069a0eba9f5a53dc93ba4eab 9.2/RPMS/mozilla-enigmime-1.4-13.2.92mdk.i586.rpm
     54bc668f3881fc320ee5d7c5a47cf691 9.2/RPMS/mozilla-irc-1.4-13.2.92mdk.i586.rpm
     adee5ba7d06873222b272fd5cb4002a6 9.2/RPMS/mozilla-js-debugger-1.4-13.2.92mdk.i586.rpm
     8ae4e6c230046102f6fb3718ea89a44c 9.2/RPMS/mozilla-mail-1.4-13.2.92mdk.i586.rpm
     1e1d178eb6e1b712ed4172fbcb9645a8 9.2/RPMS/mozilla-spellchecker-1.4-13.2.92mdk.i586.rpm
     18dcce51283517af9f1d280e4cc671b2 9.2/SRPMS/mozilla-1.4-13.2.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     5452e154db36916d4e0710001a8c1bf4 amd64/9.2/RPMS/lib64nspr4-1.4-13.2.92mdk.amd64.rpm
     0dd5edee872e319e43b055348b439eb3 amd64/9.2/RPMS/lib64nspr4-devel-1.4-13.2.92mdk.amd64.rpm
     18d23cac7a7eb9a45c40e484a42665fb amd64/9.2/RPMS/lib64nss3-1.4-13.2.92mdk.amd64.rpm
     96e5b7a0bffa68a8a26f0fc0c33179bb amd64/9.2/RPMS/lib64nss3-devel-1.4-13.2.92mdk.amd64.rpm
     8f86da0aafcf57ce795935354bfe1284 amd64/9.2/RPMS/mozilla-1.4-13.2.92mdk.amd64.rpm
     4294cda22a8639804d64961b5232217b amd64/9.2/RPMS/mozilla-devel-1.4-13.2.92mdk.amd64.rpm
     fe1d7bbfcff75ed48276b125e5e07150 amd64/9.2/RPMS/mozilla-dom-inspector-1.4-13.2.92mdk.amd64.rpm
     0389b9624511d9bfa8f9873c64e78819 amd64/9.2/RPMS/mozilla-enigmail-1.4-13.2.92mdk.amd64.rpm
     f65b2fdf67002011cf138a7fc2a15048 amd64/9.2/RPMS/mozilla-enigmime-1.4-13.2.92mdk.amd64.rpm
     3908bf0f64951a31d0b0d13fbed460f1 amd64/9.2/RPMS/mozilla-irc-1.4-13.2.92mdk.amd64.rpm
     e75e31efbc498cc11851c75c44233e93 amd64/9.2/RPMS/mozilla-js-debugger-1.4-13.2.92mdk.amd64.rpm
     dee877e87556e579d54668a1e3a0bbf2 amd64/9.2/RPMS/mozilla-mail-1.4-13.2.92mdk.amd64.rpm
     09155dea70b8b6cf7afdd13a27dede18 amd64/9.2/RPMS/mozilla-spellchecker-1.4-13.2.92mdk.amd64.rpm
     18dcce51283517af9f1d280e4cc671b2 amd64/9.2/SRPMS/mozilla-1.4-13.2.92mdk.src.rpm
     _______________________________________________________________________

     Bug IDs fixed (see http://bugs.mandrakelinux.com for more information):

      376 - mozilla and finnish keyboard give pipe
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     A list of FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

     Please be aware that sometimes it takes the mirrors a few hours to
     update.

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesecure.net/en/advisories/

     Mandrakesoft has several security-related mailing list services that
     anyone can subscribe to. Information on these lists can be obtained by
     visiting:

      http://www.mandrakesecure.net/en/mlist.php

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFAT0IdmqjQ0CJFipgRAiHpAJ4jvYpnAFf5x3VM8hkqcetxlBgBnACgxtj9
    SaERIMikLF67jQm9MDX1ZDA=
    =bKxo
    -----END PGP SIGNATURE-----

  • Next message: Luigi Auriemma: "Format string bug in EpicGames Unreal engine"

    Relevant Pages