RHSA-2007:0400-01 Critical: firefox security update
Posted on: 05/31/2007 04:00 AM

A new update is available for Red Hat Enterprise Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Critical: firefox security update
Advisory ID: RHSA-2007:0400-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0400.html
Issue date: 2007-05-30
Updated on: 2007-05-30
Product: Red Hat Enterprise Linux
CVE Names: CVE-2007-1362 CVE-2007-1562 CVE-2007-2867
CVE-2007-2868 CVE-2007-2869 CVE-2007-2870
CVE-2007-2871
- ---------------------------------------------------------------------

1. Summary:

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed
JavaScript code. A web page containing malicious JavaScript code could
cause Firefox to crash or potentially execute arbitrary code as the user
running Firefox. (CVE-2007-2867, CVE-2007-2868)

A flaw was found in the way Firefox handled certain FTP PASV commands. A
malicious FTP server could use this flaw to perform a rudimentary
port-scan of machines behind a user's firewall. (CVE-2007-1562)

Several denial of service flaws were found in the way Firefox handled
certain form and cookie data. A malicious web site that is able to set
arbitrary form and cookie data could prevent Firefox from
functioning properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Firefox handled the addEventListener
JavaScript method. A malicious web site could use this method to access or
modify sensitive data from another web site. (CVE-2007-2870)

A flaw was found in the way Firefox displayed certain web content. A
malicious web page could generate content that would overlay user
interface elements such as the hostname and security indicators, tricking
users into thinking they are visiting a different site. (CVE-2007-2871)

Users of Firefox are advised to upgrade to these erratum packages, which
contain Firefox version 1.5.0.12 and correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

241670 - CVE-2007-1362 Multiple Firefox flaws (CVE-2007-1562, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871)

6. RPMs required:

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
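The advisory publishes an MD5 checksum next to every package filename and states that the packages are GPG signed. The following POSIX shell functions, added here as an example and not part of Red Hat's advisory or tooling, check downloaded packages against a saved copy of those "checksum filename" lines and then run rpm's signature check; the checksum-file layout is taken from section 6 above, while the function names, the directory argument and the sample file used in the test are assumptions.

```shell
#!/bin/sh
# Compute the MD5 of a file with whatever digest tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_md5_list CHECKSUM_FILE DIR
# CHECKSUM_FILE holds lines copied from section 6 of the advisory: headings
# such as "i386:" or "SRPMS:", ftp:// URLs, and "<md5> <filename>" pairs.
# Only the pairs are checked; every listed file must exist in DIR and match.
# Returns 0 when all listed files match, 1 when any is missing or differs.
verify_md5_list() {
    list="$1"; dir="$2"; bad=0
    while read -r expected name; do
        # A checksum line starts with exactly 32 hex digits; skip everything else.
        printf '%s' "$expected" | grep -Eq '^[0-9a-f]{32}$' || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(md5_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"; bad=1
        fi
    done < "$list"
    return $bad
}

# verify_rpm_signatures DIR
# The MD5 list only detects a corrupted or wrong download; authenticity comes
# from Red Hat's GPG signature on each package. Requires rpm and the Red Hat
# key imported as described at the URL in section 6 of the advisory.
verify_rpm_signatures() {
    dir="$1"; bad=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm --checksig "$f" || bad=1
    done
    return $bad
}
```

Run `verify_md5_list` first so a truncated download is caught before any install step; a package that passes the checksum but fails `rpm --checksig` should be treated as untrusted.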

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFGXjqBXlSAg2UNWIIRAglPAKCAeRQCF4+YvA/v9NrVIYXOW8tN7QCffKV9
JZKnT/ApRY/7XancitITvFs=
=ovHo
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/rhsa_20070400_01_critical_firefox_security_update.html)