[avaya.com #1005] [RHSA-2005:434-01] Important: firefox security update
av at picasso.dr.avaya.com
Mon May 23 15:35:23 UTC 2005
This alert is a duplicate of ticket 1006. One ASA will be issued for
both tickets.
Jason Shirk
> [bugzilla at redhat.com - Mon May 23 04:03:43 2005]:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ---------------------------------------------------------------------
> Red Hat Security Advisory
>
> Synopsis: Important: firefox security update
> Advisory ID: RHSA-2005:434-01
> Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-434.html
> Issue date: 2005-05-23
> Updated on: 2005-05-23
> Product: Red Hat Enterprise Linux
> CVE Names: CAN-2005-1476 CAN-2005-1477 CAN-2005-1531 CAN-2005-1532
> - ---------------------------------------------------------------------
>
> 1. Summary:
>
> Updated firefox packages that fix various security bugs are now
> available.
>
> This update has been rated as having important security impact by the
> Red Hat Security Response Team.
>
> 2. Relevant releases/architectures:
>
> Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
> Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
> Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
> Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
>
> 3. Problem description:
>
> Mozilla Firefox is an open source Web browser.
>
> Several bugs were found in the way Firefox executes javascript code.
> Javascript executed from a web page should run with a restricted access
> level, preventing dangerous actions. It is possible that a malicious web
> page could execute javascript code with elevated privileges, allowing
> access to protected data and functions. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476,
> CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues.
>
> Please note that the effects of CAN-2005-1477 are mitigated by the default
> setup, which allows only the Mozilla Update site to attempt installation of
> Firefox extensions. The Mozilla Update site has been modified to prevent
> this attack from working. If other URLs have been manually added to the
> whitelist, it may be possible to execute this attack.
>
> Users of Firefox are advised to upgrade to this updated package which
> contains Firefox version 1.0.4 which is not vulnerable to these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> This update is available via Red Hat Network. To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. RPMs required:
>
> Red Hat Enterprise Linux AS version 4:
>
> SRPMS:
> ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86 firefox-1.0.4-1.4.1.src.rpm
>
> i386:
> b68ad59036bb0b74fea8c5d53ea39438 firefox-1.0.4-1.4.1.i386.rpm
>
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc firefox-1.0.4-1.4.1.ia64.rpm
>
> ppc:
> 71dbb17fce1828eb3f46114d05272fa8 firefox-1.0.4-1.4.1.ppc.rpm
>
> s390:
> 534c7d82c927c24aae9f37acbcdcd4ea firefox-1.0.4-1.4.1.s390.rpm
>
> s390x:
> dbdfe11ecc3482691f0674a83ccbb82e firefox-1.0.4-1.4.1.s390x.rpm
>
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed firefox-1.0.4-1.4.1.x86_64.rpm
>
> Red Hat Enterprise Linux Desktop version 4:
>
> SRPMS:
> ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86 firefox-1.0.4-1.4.1.src.rpm
>
> i386:
> b68ad59036bb0b74fea8c5d53ea39438 firefox-1.0.4-1.4.1.i386.rpm
>
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed firefox-1.0.4-1.4.1.x86_64.rpm
>
> Red Hat Enterprise Linux ES version 4:
>
> SRPMS:
> ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86 firefox-1.0.4-1.4.1.src.rpm
>
> i386:
> b68ad59036bb0b74fea8c5d53ea39438 firefox-1.0.4-1.4.1.i386.rpm
>
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc firefox-1.0.4-1.4.1.ia64.rpm
>
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed firefox-1.0.4-1.4.1.x86_64.rpm
>
> Red Hat Enterprise Linux WS version 4:
>
> SRPMS:
> ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86 firefox-1.0.4-1.4.1.src.rpm
>
> i386:
> b68ad59036bb0b74fea8c5d53ea39438 firefox-1.0.4-1.4.1.i386.rpm
>
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc firefox-1.0.4-1.4.1.ia64.rpm
>
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed firefox-1.0.4-1.4.1.x86_64.rpm
>
> These packages are GPG signed by Red Hat for security. Our key and
> details on how to verify the signature are available from
> https://www.redhat.com/security/team/key/#package
>
> 6. References:
>
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.0.4
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1531
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1532
>
> 7. Contact:
>
> The Red Hat security contact is <secalert at redhat.com>. More contact
> details at https://www.redhat.com/security/team/contact/
>
> Copyright 2005 Red Hat, Inc.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFCkajcXlSAg2UNWIIRApH1AJ9OefzL6lxylJg57TZPNGbj+E82QACfaU98
> 76klb2Vt019J+fseTtF8+nQ=
> =Q/I8
> -----END PGP SIGNATURE-----