Red Hat: 2010:0781-01 Critical: Seamonkey Exploit Issues
Oct 19, 2010
•
LinuxSecurity Advisories
10 - 19 min read
Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4. The Red Hat Security Response Team has rated this update as having critical [More...]
==================================================================== Red Hat Security Advisory
Synopsis: Critical: seamonkey security update
Advisory ID: RHSA-2010:0781-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2010:0781.html
Issue date: 2010-10-19
CVE Names: CVE-2010-3170 CVE-2010-3173 CVE-2010-3176
CVE-2010-3177 CVE-2010-3180 CVE-2010-3182
====================================================================
1. Summary:
Updated seamonkey packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 and 4.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Description:
SeaMonkey is an open source web browser, email and newsgroup client, IRC
chat client, and HTML editor.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code with the privileges of the user running
SeaMonkey. (CVE-2010-3176, CVE-2010-3180)
A flaw was found in the way the Gopher parser in SeaMonkey converted text
into HTML. A malformed file name on a Gopher server could, when accessed by
a victim running SeaMonkey, allow arbitrary JavaScript to be executed in
the context of the Gopher domain. (CVE-2010-3177)
A flaw was found in the script that launches SeaMonkey. The LD_LIBRARY_PATH
variable was appending a "." character, which could allow a local attacker
to execute arbitrary code with the privileges of a different user running
SeaMonkey, if that user ran SeaMonkey from within an attacker-controlled
directory. (CVE-2010-3182)
It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode
implementation for key exchanges in SeaMonkey accepted DHE keys that were
256 bits in length. This update removes support for 256 bit DHE keys, as
such keys are easily broken using modern hardware. (CVE-2010-3173)
A flaw was found in the way SeaMonkey matched SSL certificates when the
certificates had a Common Name containing a wildcard and a partial IP
address. SeaMonkey incorrectly accepted connections to IP addresses that
fell within the SSL certificate's wildcard range as valid SSL connections,
possibly allowing an attacker to conduct a man-in-the-middle attack.
(CVE-2010-3170)
All SeaMonkey users should upgrade to these updated packages, which correct
these issues. After installing the update, SeaMonkey must be restarted for
the changes to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
5. Bugs fixed (http://bugzilla.redhat.com/):
630047 - CVE-2010-3170 firefox/nss: Doesn't handle wildcards in Common Name properly
642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards
642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp
642290 - CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs
642300 - CVE-2010-3182 Mozilla unsafe library loading flaw
642302 - CVE-2010-3173 Mozilla insecure Diffie-Hellman key exchange
6. Package List:
Red Hat Enterprise Linux AS version 3:
Source:
i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm
ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm
ppc:
seamonkey-1.0.9-0.61.el3.ppc.rpm
seamonkey-chat-1.0.9-0.61.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ppc.rpm
seamonkey-devel-1.0.9-0.61.el3.ppc.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ppc.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ppc.rpm
seamonkey-mail-1.0.9-0.61.el3.ppc.rpm
seamonkey-nspr-1.0.9-0.61.el3.ppc.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ppc.rpm
seamonkey-nss-1.0.9-0.61.el3.ppc.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ppc.rpm
s390:
seamonkey-1.0.9-0.61.el3.s390.rpm
seamonkey-chat-1.0.9-0.61.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.s390.rpm
seamonkey-devel-1.0.9-0.61.el3.s390.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.s390.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.s390.rpm
seamonkey-mail-1.0.9-0.61.el3.s390.rpm
seamonkey-nspr-1.0.9-0.61.el3.s390.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.s390.rpm
seamonkey-nss-1.0.9-0.61.el3.s390.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.s390.rpm
s390x:
seamonkey-1.0.9-0.61.el3.s390x.rpm
seamonkey-chat-1.0.9-0.61.el3.s390x.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.s390.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.s390x.rpm
seamonkey-devel-1.0.9-0.61.el3.s390x.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.s390x.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.s390x.rpm
seamonkey-mail-1.0.9-0.61.el3.s390x.rpm
seamonkey-nspr-1.0.9-0.61.el3.s390.rpm
seamonkey-nspr-1.0.9-0.61.el3.s390x.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.s390x.rpm
seamonkey-nss-1.0.9-0.61.el3.s390.rpm
seamonkey-nss-1.0.9-0.61.el3.s390x.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.s390x.rpm
x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm
Red Hat Desktop version 3:
Source:
i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm
x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
Source:
i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm
ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm
x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
Source:
i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm
ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm
x86_64:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-1.0.9-0.61.el3.x86_64.rpm
seamonkey-chat-1.0.9-0.61.el3.x86_64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.x86_64.rpm
seamonkey-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.x86_64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.x86_64.rpm
seamonkey-mail-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.x86_64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.x86_64.rpm
Red Hat Enterprise Linux AS version 4:
Source:
i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm
ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm
ppc:
seamonkey-1.0.9-64.el4.ppc.rpm
seamonkey-chat-1.0.9-64.el4.ppc.rpm
seamonkey-debuginfo-1.0.9-64.el4.ppc.rpm
seamonkey-devel-1.0.9-64.el4.ppc.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ppc.rpm
seamonkey-js-debugger-1.0.9-64.el4.ppc.rpm
seamonkey-mail-1.0.9-64.el4.ppc.rpm
s390:
seamonkey-1.0.9-64.el4.s390.rpm
seamonkey-chat-1.0.9-64.el4.s390.rpm
seamonkey-debuginfo-1.0.9-64.el4.s390.rpm
seamonkey-devel-1.0.9-64.el4.s390.rpm
seamonkey-dom-inspector-1.0.9-64.el4.s390.rpm
seamonkey-js-debugger-1.0.9-64.el4.s390.rpm
seamonkey-mail-1.0.9-64.el4.s390.rpm
s390x:
seamonkey-1.0.9-64.el4.s390x.rpm
seamonkey-chat-1.0.9-64.el4.s390x.rpm
seamonkey-debuginfo-1.0.9-64.el4.s390x.rpm
seamonkey-devel-1.0.9-64.el4.s390x.rpm
seamonkey-dom-inspector-1.0.9-64.el4.s390x.rpm
seamonkey-js-debugger-1.0.9-64.el4.s390x.rpm
seamonkey-mail-1.0.9-64.el4.s390x.rpm
x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm
x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm
ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm
x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
i386:
seamonkey-1.0.9-64.el4.i386.rpm
seamonkey-chat-1.0.9-64.el4.i386.rpm
seamonkey-debuginfo-1.0.9-64.el4.i386.rpm
seamonkey-devel-1.0.9-64.el4.i386.rpm
seamonkey-dom-inspector-1.0.9-64.el4.i386.rpm
seamonkey-js-debugger-1.0.9-64.el4.i386.rpm
seamonkey-mail-1.0.9-64.el4.i386.rpm
ia64:
seamonkey-1.0.9-64.el4.ia64.rpm
seamonkey-chat-1.0.9-64.el4.ia64.rpm
seamonkey-debuginfo-1.0.9-64.el4.ia64.rpm
seamonkey-devel-1.0.9-64.el4.ia64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.ia64.rpm
seamonkey-js-debugger-1.0.9-64.el4.ia64.rpm
seamonkey-mail-1.0.9-64.el4.ia64.rpm
x86_64:
seamonkey-1.0.9-64.el4.x86_64.rpm
seamonkey-chat-1.0.9-64.el4.x86_64.rpm
seamonkey-debuginfo-1.0.9-64.el4.x86_64.rpm
seamonkey-devel-1.0.9-64.el4.x86_64.rpm
seamonkey-dom-inspector-1.0.9-64.el4.x86_64.rpm
seamonkey-js-debugger-1.0.9-64.el4.x86_64.rpm
seamonkey-mail-1.0.9-64.el4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key#package
7. References:
https://access.redhat.com/security/cve/CVE-2010-3170
https://access.redhat.com/security/cve/CVE-2010-3173
https://access.redhat.com/security/cve/CVE-2010-3176
https://access.redhat.com/security/cve/CVE-2010-3177
https://access.redhat.com/security/cve/CVE-2010-3180
https://access.redhat.com/security/cve/CVE-2010-3182
https://access.redhat.com/security/updates/classification#critical
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2010 Red Hat, Inc.
PREVIOUS
NEXT
Red Hat: 2010:0781-01 Critical: Seamonkey Exploit Issues
red hat
October 19, 2010
Updated seamonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
Summary
SeaMonkey is an open source web browser, email and newsgroup client, IRC
chat client, and HTML editor.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause SeaMonkey to crash or,
potentially, execute arbitrary code with the privileges of the user running
SeaMonkey. (CVE-2010-3176, CVE-2010-3180)
A flaw was found in the way the Gopher parser in SeaMonkey converted text
into HTML. A malformed file name on a Gopher server could, when accessed by
a victim running SeaMonkey, allow arbitrary JavaScript to be executed in
the context of the Gopher domain. (CVE-2010-3177)
A flaw was found in the script that launches SeaMonkey. The LD_LIBRARY_PATH
variable was appending a "." character, which could allow a local attacker
to execute arbitrary code with the privileges of a different user running
SeaMonkey, if that user ran SeaMonkey from within an attacker-controlled
directory. (CVE-2010-3182)
It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode
implementation for key exchanges in SeaMonkey accepted DHE keys that were
256 bits in length. This update removes support for 256 bit DHE keys, as
such keys are easily broken using modern hardware. (CVE-2010-3173)
A flaw was found in the way SeaMonkey matched SSL certificates when the
certificates had a Common Name containing a wildcard and a partial IP
address. SeaMonkey incorrectly accepted connections to IP addresses that
fell within the SSL certificate's wildcard range as valid SSL connections,
possibly allowing an attacker to conduct a man-in-the-middle attack.
(CVE-2010-3170)
All SeaMonkey users should upgrade to these updated packages, which correct
these issues. After installing the update, SeaMonkey must be restarted for
the changes to take effect.
References
https://access.redhat.com/security/cve/CVE-2010-3170 https://access.redhat.com/security/cve/CVE-2010-3173 https://access.redhat.com/security/cve/CVE-2010-3176 https://access.redhat.com/security/cve/CVE-2010-3177 https://access.redhat.com/security/cve/CVE-2010-3180 https://access.redhat.com/security/cve/CVE-2010-3182 https://access.redhat.com/security/updates/classification#critical
Package List
Red Hat Enterprise Linux AS version 3:
Source:
i386:
seamonkey-1.0.9-0.61.el3.i386.rpm
seamonkey-chat-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.i386.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.i386.rpm
seamonkey-mail-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.i386.rpm
ia64:
seamonkey-1.0.9-0.61.el3.ia64.rpm
seamonkey-chat-1.0.9-0.61.el3.ia64.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.i386.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ia64.rpm
seamonkey-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-dom-inspector-1.0.9-0.61.el3.ia64.rpm
seamonkey-js-debugger-1.0.9-0.61.el3.ia64.rpm
seamonkey-mail-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-1.0.9-0.61.el3.i386.rpm
seamonkey-nspr-1.0.9-0.61.el3.ia64.rpm
seamonkey-nspr-devel-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-1.0.9-0.61.el3.i386.rpm
seamonkey-nss-1.0.9-0.61.el3.ia64.rpm
seamonkey-nss-devel-1.0.9-0.61.el3.ia64.rpm
ppc:
seamonkey-1.0.9-0.61.el3.ppc.rpm
seamonkey-chat-1.0.9-0.61.el3.ppc.rpm
seamonkey-debuginfo-1.0.9-0.61.el3.ppc.rpm
seamonkey-devel-1.0.9-0.61.el3.ppc.rpm
Read the Full Advisory
Severity
critical
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2010:0781-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2010:0781.html
Issue date: 2010-10-19
Topic
Updated seamonkey packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 3 and 4.The Red Hat Security Response Team has rated this update as having criticalsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,which give detailed severity ratings, are available for each vulnerabilityfrom the CVE links in the References section.
Relevant Releases Architectures
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Bugs Fixed
630047 - CVE-2010-3170 firefox/nss: Doesn't handle wildcards in Common Name properly
642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards
642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp
642290 - CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs
642300 - CVE-2010-3182 Mozilla unsafe library loading flaw
642302 - CVE-2010-3173 Mozilla insecure Diffie-Hellman key exchange
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!