LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
How strictly do your users obey your security policies?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
Emily Ratliff: OS Security
DanWalsh LiveJournal
Security Bloggers Network
Latest Newsletters
Linux Security Week: December 1st, 2008
Linux Advisory Watch: November 28th, 2008
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
RedHat: Critical: firefox security update Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
RedHat Linux Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox 
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2007:1082-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-1082.html
Issue date:        2007-11-26
Updated on:        2007-11-26
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-5947 CVE-2007-5959 CVE-2007-5960 
- ---------------------------------------------------------------------

1. Summary:

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4.5.z - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4.5.z - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)

Users of Firefox are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

394211 - CVE-2007-5947 Mozilla jar: protocol XSS
394241 - CVE-2007-5959 Multiple flaws in Firefox
394261 - CVE-2007-5960 Mozilla Cross-site Request Forgery flaw

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

ia64:
1cf6f4a4b1555f8da1c9f6a69ad7f51a  firefox-1.5.0.12-0.8.el4.ia64.rpm
82eb56cadb11007f53a485bb4278f13a  firefox-debuginfo-1.5.0.12-0.8.el4.ia64.rpm

ppc:
2849e6a776fe9d7427f373d2634051bd  firefox-1.5.0.12-0.8.el4.ppc.rpm
20e0e2ef9266025221beca008d75eaa0  firefox-debuginfo-1.5.0.12-0.8.el4.ppc.rpm

s390:
39c83103495fb726421799de80f8553d  firefox-1.5.0.12-0.8.el4.s390.rpm
d899e6879dbae602227a1326a78d92d2  firefox-debuginfo-1.5.0.12-0.8.el4.s390.rpm

s390x:
719c9da1a4d6c07b5ffa970859d687bf  firefox-1.5.0.12-0.8.el4.s390x.rpm
baa53ea0dd0d4e423acbdbbf06eb9363  firefox-debuginfo-1.5.0.12-0.8.el4.s390x.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux AS version 4.5.z:

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4AS-4.5.z/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

ia64:
1cf6f4a4b1555f8da1c9f6a69ad7f51a  firefox-1.5.0.12-0.8.el4.ia64.rpm
82eb56cadb11007f53a485bb4278f13a  firefox-debuginfo-1.5.0.12-0.8.el4.ia64.rpm

ppc:
2849e6a776fe9d7427f373d2634051bd  firefox-1.5.0.12-0.8.el4.ppc.rpm
20e0e2ef9266025221beca008d75eaa0  firefox-debuginfo-1.5.0.12-0.8.el4.ppc.rpm

s390:
39c83103495fb726421799de80f8553d  firefox-1.5.0.12-0.8.el4.s390.rpm
d899e6879dbae602227a1326a78d92d2  firefox-debuginfo-1.5.0.12-0.8.el4.s390.rpm

s390x:
719c9da1a4d6c07b5ffa970859d687bf  firefox-1.5.0.12-0.8.el4.s390x.rpm
baa53ea0dd0d4e423acbdbbf06eb9363  firefox-debuginfo-1.5.0.12-0.8.el4.s390x.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

ia64:
1cf6f4a4b1555f8da1c9f6a69ad7f51a  firefox-1.5.0.12-0.8.el4.ia64.rpm
82eb56cadb11007f53a485bb4278f13a  firefox-debuginfo-1.5.0.12-0.8.el4.ia64.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4.5.z:

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/4ES-4.5.z/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

ia64:
1cf6f4a4b1555f8da1c9f6a69ad7f51a  firefox-1.5.0.12-0.8.el4.ia64.rpm
82eb56cadb11007f53a485bb4278f13a  firefox-debuginfo-1.5.0.12-0.8.el4.ia64.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.5.0.12-0.8.el4.src.rpm
e2c978d4b14f9cf19a8e39de02583008  firefox-1.5.0.12-0.8.el4.src.rpm

i386:
7c65767dfdaed3f752ff8d2432bbbb87  firefox-1.5.0.12-0.8.el4.i386.rpm
f370caeea0a992722a3856d63da52b1f  firefox-debuginfo-1.5.0.12-0.8.el4.i386.rpm

ia64:
1cf6f4a4b1555f8da1c9f6a69ad7f51a  firefox-1.5.0.12-0.8.el4.ia64.rpm
82eb56cadb11007f53a485bb4278f13a  firefox-debuginfo-1.5.0.12-0.8.el4.ia64.rpm

x86_64:
07ae1640a44aed479a5d6afb668ed6ee  firefox-1.5.0.12-0.8.el4.x86_64.rpm
bf2c92230f3dcd965145c900eac0e803  firefox-debuginfo-1.5.0.12-0.8.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-7.el5.src.rpm
9e6f9f8659b25e6420a1f395bbe09896  firefox-1.5.0.12-7.el5.src.rpm

i386:
e1b690ba4dfdd41e20aacfbb9d8fbb9a  firefox-1.5.0.12-7.el5.i386.rpm
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm

x86_64:
e1b690ba4dfdd41e20aacfbb9d8fbb9a  firefox-1.5.0.12-7.el5.i386.rpm
88f3e7c170437da320696055350436dc  firefox-1.5.0.12-7.el5.x86_64.rpm
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm
bdddabfbc73567c7537291b931abee4c  firefox-debuginfo-1.5.0.12-7.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-7.el5.src.rpm
9e6f9f8659b25e6420a1f395bbe09896  firefox-1.5.0.12-7.el5.src.rpm

i386:
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm
06509ba586d9f37e71483107137f7843  firefox-devel-1.5.0.12-7.el5.i386.rpm

x86_64:
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm
bdddabfbc73567c7537291b931abee4c  firefox-debuginfo-1.5.0.12-7.el5.x86_64.rpm
06509ba586d9f37e71483107137f7843  firefox-devel-1.5.0.12-7.el5.i386.rpm
ca90b71f3c70b0543a91cea11aec9b08  firefox-devel-1.5.0.12-7.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-1.5.0.12-7.el5.src.rpm
9e6f9f8659b25e6420a1f395bbe09896  firefox-1.5.0.12-7.el5.src.rpm

i386:
e1b690ba4dfdd41e20aacfbb9d8fbb9a  firefox-1.5.0.12-7.el5.i386.rpm
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm
06509ba586d9f37e71483107137f7843  firefox-devel-1.5.0.12-7.el5.i386.rpm

ia64:
695649f81669a4bafb978c88c642a39d  firefox-1.5.0.12-7.el5.ia64.rpm
ca793f2ebcfc331a8e268959ee4d6eb4  firefox-debuginfo-1.5.0.12-7.el5.ia64.rpm
e83a2c4bbf2b8a8047eff54a92c73cf0  firefox-devel-1.5.0.12-7.el5.ia64.rpm

ppc:
2cd4f2936f18ce3aadc7738dcd1f64a5  firefox-1.5.0.12-7.el5.ppc.rpm
07bde30423e53504cac2c903b98f166d  firefox-debuginfo-1.5.0.12-7.el5.ppc.rpm
f974e753a4a1406e0f2c765bd1c6a903  firefox-devel-1.5.0.12-7.el5.ppc.rpm

s390x:
275ec90ac2e5119ef3a368f3635a6bed  firefox-1.5.0.12-7.el5.s390.rpm
f555a92ba6d9ccdab5b4f02dc6e0d486  firefox-1.5.0.12-7.el5.s390x.rpm
801eeef24bc79972ffeac00345bc4826  firefox-debuginfo-1.5.0.12-7.el5.s390.rpm
ddeb88632059d8fde675a8bbcb81bb0f  firefox-debuginfo-1.5.0.12-7.el5.s390x.rpm
6047f5e8ba382cca4e49bd203382ff33  firefox-devel-1.5.0.12-7.el5.s390.rpm
9ecba47676489b65b5975f32c3332d0f  firefox-devel-1.5.0.12-7.el5.s390x.rpm

x86_64:
e1b690ba4dfdd41e20aacfbb9d8fbb9a  firefox-1.5.0.12-7.el5.i386.rpm
88f3e7c170437da320696055350436dc  firefox-1.5.0.12-7.el5.x86_64.rpm
e576368db6ed9eb70c65a596d5d684aa  firefox-debuginfo-1.5.0.12-7.el5.i386.rpm
bdddabfbc73567c7537291b931abee4c  firefox-debuginfo-1.5.0.12-7.el5.x86_64.rpm
06509ba586d9f37e71483107137f7843  firefox-devel-1.5.0.12-7.el5.i386.rpm
ca90b71f3c70b0543a91cea11aec9b08  firefox-devel-1.5.0.12-7.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
 
< Prev   Next >
    
Partner:

 
Latest Features
A Secure Nagios Server
Never Installed a Firewall on Ubuntu? Try Firestarter
Review: Hacking Exposed Linux, Third Edition
Security Features of Firefox 3.0
Review: The Book of Wireless
April 2008 Open Source Tool of the Month: sudo
Open Source Tool of March: ZoneMinder
Yesterday's Edition
Linux Role in Botnets Studied
10 Mistakes New Linux Administrators Make

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
  Security Projects ,   Latest News ,  Newsletters ,  SELinux ,  Privacy ,  Home,
 Hardening ,   About Us,   Advertise,   Legal Notice,   RSS,   Guardian Digital

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.