[guru-merlin] [joey@infodrom.org: [SECURITY] [DSA 779-1] New Mozilla Firefox packages fix several vulnerabilities]
DATE: Mon, 22 Aug 2005 13:29:25 +0200
A mozilla firefox csomagban számtalan (főként javascript-tel összefüggő)
biztonsági hibát találtak, Debian kijött a csomag javításával.
----- Forwarded message from Martin Schulze <joey@infodrom.org> -----
Date: Sat, 20 Aug 2005 15:35:34 +0200 (CEST)
From: joey@infodrom.org (Martin Schulze)
Subject: [SECURITY] [DSA 779-1] New Mozilla Firefox packages fix several vulnerabilities
To: bugtraq@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 779-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
August 20th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : mozilla-firefox
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263
CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267
CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
BugTraq ID : 14242
Debian Bug : 318061
Several problems have been discovered in Mozilla Firefox, a
lightweight web browser based on Mozilla. The Common Vulnerabilities
and Exposures project identifies the following problems:
CAN-2005-2260
The browser user interface does not properly distinguish between
user-generated events and untrusted synthetic events, which makes
it easier for remote attackers to perform dangerous actions that
normally could only be performed manually by the user.
CAN-2005-2261
XML scripts ran even when Javascript disabled.
CAN-2005-2262
The user can be tricked to executing arbitrary JavaScript code by
using a JavaScript URL as wallpaper.
CAN-2005-2263
It is possible for a remote attacker to execute a callback
function in the context of another domain (i.e. frame).
CAN-2005-2264
By opening a malicious link in the sidebar it is possible for
remote attackers to steal sensitive information.
CAN-2005-2265
Missing input sanitising of InstallVersion.compareTo() can cause
the application to crash.
CAN-2005-2266
Remote attackers could steal sensitive information such as cookies
and passwords from web sites by accessing data in alien frames.
CAN-2005-2267
By using standalone applications such as Flash and QuickTime to
open a javascript: URL, it is possible for a remote attacker to
steal sensitive information and possibly execute arbitrary code.
CAN-2005-2268
It is possible for a Javascript dialog box to spoof a dialog box
from a trusted site and facilitates phishing attacks.
CAN-2005-2269
Remote attackers could modify certain tag properties of DOM nodes
that could lead to the execution of arbitrary script or code.
CAN-2005-2270
The Mozilla browser familie does not properly clone base objects,
which allows remote attackers to execute arbitrary code.
The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge2.
For the unstable distribution (sid) these problems have been fixed in
version 1.0.6-1.
We recommend that you upgrade your Mozilla Firefox packages.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2.dsc
Size/MD5 checksum: 1001 a5cf2fc8bc04662e6c192c15666011e4
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2.diff.gz
Size/MD5 checksum: 285974 45e66f5ddde0d5c016fd15268da0e522
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d
Alpha architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_alpha.deb
Size/MD5 checksum: 11162656 4c8e579214a7bd4030303c6e33ec95f7
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_alpha.deb
Size/MD5 checksum: 166698 027d4c7fddb899faff3ef9928864bb71
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_alpha.deb
Size/MD5 checksum: 58528 2cff714da9bf45d1112621132f9fc940
AMD64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_amd64.deb
Size/MD5 checksum: 9396736 0a28ce7a8f6f783f16c201fc0daf6e0a
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_amd64.deb
Size/MD5 checksum: 161458 f9384873ae04a233001b37088abc510a
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_amd64.deb
Size/MD5 checksum: 57012 b09a95b0f7587001540398f1a5fce173
ARM architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_arm.deb
Size/MD5 checksum: 8216228 9ca98872228db6ba98cf5123d642fc4b
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_arm.deb
Size/MD5 checksum: 152944 e0dc5a23ec713373753bcdf4e774c6f7
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_arm.deb
Size/MD5 checksum: 52362 decd529d18ee714bcf2dbe5a82e53e37
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_i386.deb
Size/MD5 checksum: 8887610 54e66239bff8195d09a76a8b0c65e096
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_i386.deb
Size/MD5 checksum: 156664 e40d4387cdf627df5706e8a83f39640d
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_i386.deb
Size/MD5 checksum: 53906 3bc7062690df1334a92eeeae36819ea0
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_ia64.deb
Size/MD5 checksum: 11615046 5b41f9a2f87e8bc9017c94cd5b24b180
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_ia64.deb
Size/MD5 checksum: 167044 67972c83f83c325861b21ff6486519e9
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_ia64.deb
Size/MD5 checksum: 61720 86ecafea4b179e1739ea521402d2e53b
HP Precision architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_hppa.deb
Size/MD5 checksum: 10264776 822d581c33a2628807fd955c1a72a66a
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_hppa.deb
Size/MD5 checksum: 164432 bf6da3e624453a2b9669f889e56c0a76
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_hppa.deb
Size/MD5 checksum: 57512 aa8ee4e91cdead5a455a70c3608ba85e
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_m68k.deb
Size/MD5 checksum: 8166186 6ae9415318e2156f420b1926936f28b6
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_m68k.deb
Size/MD5 checksum: 155562 54c6667bd665e961b5bd45c2b44df43d
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_m68k.deb
Size/MD5 checksum: 53176 7c3a5484eb5d7155181653d25f927af1
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_mips.deb
Size/MD5 checksum: 9917724 bc430e659978ea1114dc38c0982a5917
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_mips.deb
Size/MD5 checksum: 154452 84399a208bda215a7983bc2f35f30bd2
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_mips.deb
Size/MD5 checksum: 54188 f6ea0de213759e27da7dc5c06c6a5e57
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_mipsel.deb
Size/MD5 checksum: 9802342 7e995ec5e6ee01d2ebc86d8e6e77d58a
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_mipsel.deb
Size/MD5 checksum: 154006 110274d1994cfe33062244e28ee04fd6
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_mipsel.deb
Size/MD5 checksum: 54012 83610c805d36e4cea229cab960a06e32
PowerPC architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_powerpc.deb
Size/MD5 checksum: 8560170 ac40dd1ebef525009556eac5f5dbeff3
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_powerpc.deb
Size/MD5 checksum: 155046 ab31c9d12c13b9e63a4af5f8babcb6ad
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_powerpc.deb
Size/MD5 checksum: 56300 dab2c4918f383416a2418c2327988cc1
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_s390.deb
Size/MD5 checksum: 9635642 2514b2a60f87aedff82c0d5c29f53f25
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_s390.deb
Size/MD5 checksum: 162076 2a3fe0537ebeebc2ea9f1a3aa952279c
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_s390.deb
Size/MD5 checksum: 56488 a914c752690bc8abcb6ad247d73dc041
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge2_sparc.deb
Size/MD5 checksum: 8649734 60765d2a2480a9aa5b45d288a2d6df65
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge2_sparc.deb
Size/MD5 checksum: 155298 9aab4bf6a3a7187243b60b044ed4d80c
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge2_sparc.deb
Size/MD5 checksum: 52734 5af8d15d55aa1d13e80776e1079c2007
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDBzGlW5ql+IAeqTIRAts4AKCWr8HJM0OMD1owrJnTK8Tp//+kkgCePaRv
AZJnTiHLIzbaxDV8362FXzA=
=+ShV
-----END PGP SIGNATURE-----
----- End forwarded message -----