[avaya.com #1005] [RHSA-2005:434-01] Important: firefox security update

av at picasso.dr.avaya.com
Mon May 23 15:35:23 UTC 2005


This alert is a duplicate of ticket 1006.  One ASA will be issued for 
both tickets.

Jason Shirk

> [bugzilla at redhat.com - Mon May 23 04:03:43 2005]:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - ---------------------------------------------------------------------
>                    Red Hat Security Advisory
> 
> Synopsis:          Important: firefox security update
> Advisory ID:       RHSA-2005:434-01
> Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-434.html
> Issue date:        2005-05-23
> Updated on:        2005-05-23
> Product:           Red Hat Enterprise Linux
> CVE Names:         CAN-2005-1476 CAN-2005-1477 CAN-2005-1531 CAN-2005-1532
> - ---------------------------------------------------------------------
> 
> 1. Summary:
> 
> Updated firefox packages that fix various security bugs are now
> available.
> 
> This update has been rated as having important security impact by the Red
> Hat Security Response Team.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
> Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
> Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
> Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
> 
> 3. Problem description:
> 
> Mozilla Firefox is an open source Web browser.
> 
> Several bugs were found in the way Firefox executes javascript code.
> Javascript executed from a web page should run with a restricted access
> level, preventing dangerous actions. It is possible that a malicious web
> page could execute javascript code with elevated privileges, allowing
> access to protected data and functions. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the names CAN-2005-1476,
> CAN-2005-1477, CAN-2005-1531, and CAN-2005-1532 to these issues.
> 
> Please note that the effects of CAN-2005-1477 are mitigated by the default
> setup, which allows only the Mozilla Update site to attempt installation of
> Firefox extensions. The Mozilla Update site has been modified to prevent
> this attack from working. If other URLs have been manually added to the
> whitelist, it may be possible to execute this attack.
> 
> Users of Firefox are advised to upgrade to this updated package which
> contains Firefox version 1.0.4 which is not vulnerable to these issues.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> This update is available via Red Hat Network.  To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
> 
> up2date
> 
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
> 
> 5. RPMs required:
> 
> Red Hat Enterprise Linux AS version 4:
> 
> SRPMS:
> ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86  firefox-1.0.4-1.4.1.src.rpm
> 
> i386:
> b68ad59036bb0b74fea8c5d53ea39438  firefox-1.0.4-1.4.1.i386.rpm
> 
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc  firefox-1.0.4-1.4.1.ia64.rpm
> 
> ppc:
> 71dbb17fce1828eb3f46114d05272fa8  firefox-1.0.4-1.4.1.ppc.rpm
> 
> s390:
> 534c7d82c927c24aae9f37acbcdcd4ea  firefox-1.0.4-1.4.1.s390.rpm
> 
> s390x:
> dbdfe11ecc3482691f0674a83ccbb82e  firefox-1.0.4-1.4.1.s390x.rpm
> 
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed  firefox-1.0.4-1.4.1.x86_64.rpm
> 
> Red Hat Enterprise Linux Desktop version 4:
> 
> SRPMS:
> ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86  firefox-1.0.4-1.4.1.src.rpm
> 
> i386:
> b68ad59036bb0b74fea8c5d53ea39438  firefox-1.0.4-1.4.1.i386.rpm
> 
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed  firefox-1.0.4-1.4.1.x86_64.rpm
> 
> Red Hat Enterprise Linux ES version 4:
> 
> SRPMS:
> ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86  firefox-1.0.4-1.4.1.src.rpm
> 
> i386:
> b68ad59036bb0b74fea8c5d53ea39438  firefox-1.0.4-1.4.1.i386.rpm
> 
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc  firefox-1.0.4-1.4.1.ia64.rpm
> 
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed  firefox-1.0.4-1.4.1.x86_64.rpm
> 
> Red Hat Enterprise Linux WS version 4:
> 
> SRPMS:
> ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.0.4-1.4.1.src.rpm
> 4f9b4bd723aba8d5293d00aac34c1b86  firefox-1.0.4-1.4.1.src.rpm
> 
> i386:
> b68ad59036bb0b74fea8c5d53ea39438  firefox-1.0.4-1.4.1.i386.rpm
> 
> ia64:
> bfa8af9ed21d9a3827f866b841a783cc  firefox-1.0.4-1.4.1.ia64.rpm
> 
> x86_64:
> 33a6987f34b973610f9dab1a0efb59ed  firefox-1.0.4-1.4.1.x86_64.rpm
> 
> These packages are GPG signed by Red Hat for security.  Our key and
> details on how to verify the signature are available from
> https://www.redhat.com/security/team/key/#package
> 
> 6. References:
> 
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.0.4
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1531
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1532
> 
> 7. Contact:
> 
> The Red Hat security contact is <secalert at redhat.com>.  More contact
> details at https://www.redhat.com/security/team/contact/
> 
> Copyright 2005 Red Hat, Inc.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> 
> iD8DBQFCkajcXlSAg2UNWIIRApH1AJ9OefzL6lxylJg57TZPNGbj+E82QACfaU98
> 76klb2Vt019J+fseTtF8+nQ=
> =Q/I8
> -----END PGP SIGNATURE-----