diff options
Diffstat (limited to 'metadata/glsa/glsa-200507-14.xml')
| -rw-r--r-- | metadata/glsa/glsa-200507-14.xml | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200507-14.xml b/metadata/glsa/glsa-200507-14.xml new file mode 100644 index 000000000000..5bd7686b8e3f --- /dev/null +++ b/metadata/glsa/glsa-200507-14.xml @@ -0,0 +1,97 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="200507-14"> + <title>Mozilla Firefox: Multiple vulnerabilities</title> + <synopsis> + Several vulnerabilities in Mozilla Firefox allow attacks ranging from + execution of script code with elevated privileges to information leak. + </synopsis> + <product type="ebuild">mozilla</product> + <announced>2005-07-15</announced> + <revised count="01">2005-07-15</revised> + <bug>95199</bug> + <access>remote</access> + <affected> + <package name="www-client/mozilla-firefox" auto="yes" arch="*"> + <unaffected range="ge">1.0.5</unaffected> + <vulnerable range="lt">1.0.5</vulnerable> + </package> + <package name="www-client/mozilla-firefox-bin" auto="yes" arch="*"> + <unaffected range="ge">1.0.5</unaffected> + <vulnerable range="lt">1.0.5</vulnerable> + </package> + </affected> + <background> + <p> + Mozilla Firefox is the next-generation web browser from the + Mozilla project. + </p> + </background> + <description> + <p> + The following vulnerabilities were found and fixed in Mozilla + Firefox: + </p> + <ul> + <li>"moz_bug_r_a4" and "shutdown" discovered that + Firefox was improperly cloning base objects (MFSA 2005-56).</li> + <li>Michael Krax reported that Firefox was not correctly handling + JavaScript URLs from external applications (MFSA 2005-53), and that the + "Set as wallpaper" function in versions 1.0.3 and 1.0.4 could be abused + to load JavaScript (MFSA 2005-47).</li> + <li>Several researchers + reported ways to trick Firefox into accepting events generated by web + content (MFSA 2005-45).</li> + <li>Kohei Yoshino discovered a new way to + inject script from the sidebar panel using data: (MFSA 2005-49).</li> + <li>"moz_bug_r_a4" reported that Firefox failed to validate XHTML DOM + nodes properly (MFSA 2005-55), and that XBL scripts ran even when + Javascript is disabled (MFSA 2005-46).</li> + <li>"shutdown" discovered a + possibly exploitable crash in InstallVersion.compareTo (MFSA + 2005-50).</li> + <li>Finally, Secunia discovered that a child frame can + call top.focus() even if the framing page comes from a different origin + and has overridden the focus() routine (MFSA 2005-52), and that the + frame injection spoofing bug fixed in 1.0.2 was mistakenly reintroduced + in 1.0.3 and 1.0.4 (MFSA 2005-51).</li> + </ul> + </description> + <impact type="normal"> + <p> + A remote attacker could craft malicious web pages that would + leverage these issues to inject and execute arbitrary script code with + elevated privileges, steal cookies or other information from web pages, + or spoof content. + </p> + </impact> + <workaround> + <p> + There are no known workarounds for all the issues at this time. + </p> + </workaround> + <resolution> + <p> + All Mozilla Firefox users should upgrade to the latest version: + </p> + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.5"</code> + <p> + All Mozilla Firefox binary users should upgrade to the latest + version: + </p> + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.5"</code> + </resolution> + <references> + <uri link="https://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox">Mozilla Foundation Security Advisories</uri> + </references> + <metadata tag="submitter" timestamp="2005-07-13T20:26:29Z"> + koon + </metadata> + <metadata tag="bugReady" timestamp="2005-07-15T05:32:06Z"> + jaervosz + </metadata> +</glsa> |