Fedora Legacy Test Update Notification: mozilla

Marc Deslauriers marcdeslauriers at videotron.ca
Fri May 6 02:04:06 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-152883
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152883
2005-05-05
---------------------------------------------------------------------

Name        : mozilla
Versions    : rh7.3: mozilla-1.7.7-0.73.2.legacy
Versions    : rh9: mozilla-1.7.7-0.90.1.legacy
Versions    : fc1: mozilla-1.7.7-1.1.2.legacy
Versions    : fc2: mozilla-1.7.7-1.2.2.legacy
Summary     : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

---------------------------------------------------------------------
Update Information:

Updated mozilla packages that fix various bugs are now available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

A bug was found in the way Mozilla sets file permissions when installing
XPI packages. It is possible for an XPI package to install some files
world readable or writable, allowing a malicious local user to steal
information or execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to
this issue.

A bug was found in the way Mozilla handles pop-up windows. It is
possible for a malicious website to control the content in an unrelated
site's pop-up window. (CAN-2004-1156)

iSEC Security Research has discovered a buffer overflow bug in the way
Mozilla handles NNTP URLs. If a user visits a malicious web page or is
convinced to click on a malicious link, it may be possible for an
attacker to execute arbitrary code on the victim's machine.
(CAN-2004-1316)

A bug was found in the way Mozilla displays dialog windows. It is
possible that a malicious web page which is being displayed in a
background tab could present the user with a dialog window appearing to
come from the active page. (CAN-2004-1380)

A bug was found in the way Mozilla handles certain start tags followed
by a NULL character. A malicious web page could cause Mozilla to crash
when viewed by a victim. (CAN-2004-1613)

A bug was found in the way Mozilla loads links in a new tab which are
middle clicked. A malicious web page could read local files or modify
privileged chrome settings. (CAN-2005-0141)

Several bugs were found with the way Mozilla handles temporary files. A
local user could view sensitive temporary information or delete
arbitrary files. (CAN-2005-0142 CAN-2005-0578)

Several bugs were found with the way Mozilla displays the secure site
icon. It is possible that a malicious website could display the secure
site icon along with incorrect certificate information. (CAN-2005-0143
CAN-2005-0593)

A bug was found in the way Mozilla displays the secure site icon. A
malicious web page can use a view-source URL targeted at a secure page,
while loading an insecure page, yet the secure site icon shows the
previous secure state. (CAN-2005-0144)

A bug was found in the way Mozilla handles synthetic middle click
events. It is possible for a malicious web page to steal the contents of
a victim's clipboard. (CAN-2005-0146)

A bug was found in the way Mozilla responds to proxy auth requests. It
is possible for a malicious webserver to steal credentials from a
victim's browser by issuing a 407 proxy authentication request.
(CAN-2005-0147)

A bug was found in the way Mozilla Mail handles cookies when loading
content over HTTP regardless of the user's preference. It is possible
that a particular user could be tracked through the use of malicious
mail messages which load content over HTTP. (CAN-2005-0149)

A bug was found in the Mozilla javascript security manager. If a user
drags a malicious link to a tab, the javascript security manager is
bypassed, which could result in remote code execution or information
disclosure. (CAN-2005-0231)

A bug was found in the way Mozilla allows plug-ins to load privileged
content into a frame. It is possible that a malicious webpage could
trick a user into clicking in certain places to modify configuration
settings or execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527)

A flaw was found in the way Mozilla displays international domain names.
It is possible for an attacker to display a valid URL, tricking the user
into thinking they are viewing a legitimate webpage when they are not.
(CAN-2005-0233)

A buffer overflow bug was found in the way Mozilla processes GIF images.
It is possible for an attacker to create a specially crafted GIF image,
which when viewed by a victim will execute arbitrary code as the victim.
(CAN-2005-0399)

A bug was found in the way Mozilla processes XUL content. If a malicious
web page can trick a user into dragging an object, it is possible to
load malicious XUL content. (CAN-2005-0401)

Several bugs were found in the way Mozilla displays alert dialogs. It is
possible for a malicious webserver or website to trick a user into
thinking the dialog window is being generated from a trusted site.
(CAN-2005-0584 CAN-2005-0585 CAN-2005-0586 CAN-2005-0590 CAN-2005-0591)

A bug was found in the way Mozilla handles xsl:include and xsl:import
directives. It is possible for a malicious website to import XSLT
stylesheets from a domain behind a firewall, leaking information to an
attacker. (CAN-2005-0588)

A bug was found in the way Mozilla handles anonymous functions during
regular expression string replacement. It is possible for a malicious
web page to capture a random block of browser memory. (CAN-2005-0989)

A bug was found in the way Mozilla displays pop-up windows. If a user
chooses to open a pop-up window whose URL is malicious javascript, the
script will be executed with elevated privileges. (CAN-2005-1153)

Several bugs were found in the Mozilla javascript engine. A malicious
web page could leverage these issues to execute javascript with elevated
privileges or steal sensitive information. (CAN-2005-1154 CAN-2005-1155
CAN-2005-1159 CAN-2005-1160)

A bug was found in the way Mozilla installed search plugins. If a user
chooses to install a search plugin from a malicious site, the new plugin
could silently overwrite an existing plugin. This could allow the
malicious plugin to execute arbitrary code and steal sensitive
information. (CAN-2005-1156 CAN-2005-1157)

Users of Mozilla are advised to upgrade to this updated package which
contains Mozilla version 1.7.7 to correct these issues.

---------------------------------------------------------------------
Changelogs

rh7.3:
* Tue May 03 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-0.73.2.legacy
- Added missing freetype-devel BuildRequires

* Thu Apr 28 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-0.73.1.legacy
- Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- Fix missing icons in desktop files

rh9:
* Fri Apr 29 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-0.90.1.legacy
- Rebuilt as a Fedora Legacy update for Red Hat Linux 9
- Disabled desktop-file-utils
- Disabled gtk2
- Added missing BuildRequires
- Force build with gcc296 to remain compatible with plugins
- Added xft font preferences and patch back in
- Removed mozilla-compose.desktop

fc1:
* Wed May 04 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-1.1.2.legacy
- Added missing gnome-vfs2-devel and desktop-file-utils to BuildRequires

* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-1.1.1.legacy
- Rebuilt as Fedora Legacy update for Fedora Core 1
- Changed useragent vendor tag to Fedora
- Removed Network category from mozilla.desktop

fc2:
* Tue May 03 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-1.2.2.legacy
- Added missing gnome-vfs2-devel, desktop-file-utils and krb5-devel
BuildPrereq

* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
37:1.7.7-1.2.1.legacy
- Rebuilt as a Fedora Legacy update to Fedora Core 2
- Reverted to desktop-file-utils 0.4
- Removed desktop-update-database
- Disabled pango support

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
9acd3892e1ec3b272274ed250f630e316e72334c
redhat/7.3/updates-testing/i386/mozilla-1.7.7-0.73.2.legacy.i386.rpm
bdf6c767bd8d8a1dc74138e8da7c1672b1934764
redhat/7.3/updates-testing/i386/mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm
7168b5bfcd5a090b62464f8b7d82d20bff365ba5
redhat/7.3/updates-testing/i386/mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm
6baa66d77ecbaf4aefcd99e42dbc81dee8b5533b
redhat/7.3/updates-testing/i386/mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm
c8fd69f3e6e3a63554382ec412208f74a48ba8fe
redhat/7.3/updates-testing/i386/mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm
83a181ed9ecade3c9cb3cd3f64ac7cdd5add9057
redhat/7.3/updates-testing/i386/mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm
904dd59f1b4d5e4426232549848b83a9e407e2ba
redhat/7.3/updates-testing/i386/mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm
3513150062f0d54dfa14f3d4fc320114b72a95ad
redhat/7.3/updates-testing/i386/mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm
f56ac87aae05c1530cfc49844f59410ac3db82d9
redhat/7.3/updates-testing/i386/mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm
d4a42d185260a6778133dc51beb0098b637306c5
redhat/7.3/updates-testing/i386/mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm
8f731240e4c04d12861836a20ebd51faac33db54
redhat/7.3/updates-testing/SRPMS/mozilla-1.7.7-0.73.2.legacy.src.rpm
265ca0a31dd9a66b3de6364b1a8e0bab108ebedc
redhat/7.3/updates-testing/i386/galeon-1.2.14-0.73.2.legacy.i386.rpm
591f6a2ab89ae9b5995cc172017bc8d5b39f0236
redhat/7.3/updates-testing/SRPMS/galeon-1.2.14-0.73.2.legacy.src.rpm

rh9:
3d70328b95b7af8ebb4a808ed2c6d58f8d8d3f32
redhat/9/updates-testing/i386/mozilla-1.7.7-0.90.1.legacy.i386.rpm
f0602f47ebb9e66a600749832bf68b63787bde35
redhat/9/updates-testing/i386/mozilla-chat-1.7.7-0.90.1.legacy.i386.rpm
005590efef49bb5d39f665d61b335496ca18798d
redhat/9/updates-testing/i386/mozilla-devel-1.7.7-0.90.1.legacy.i386.rpm
5a54884ce7108215746ac96668018bdbe2e70494
redhat/9/updates-testing/i386/mozilla-dom-inspector-1.7.7-0.90.1.legacy.i386.rpm
5fd7e6f7145787da6926807ad22a8cddaa14b927
redhat/9/updates-testing/i386/mozilla-js-debugger-1.7.7-0.90.1.legacy.i386.rpm
0ea4683b6d02b6605e7c515ee6c4717ee443eee3
redhat/9/updates-testing/i386/mozilla-mail-1.7.7-0.90.1.legacy.i386.rpm
cd8c01029571274c79dc3b0b083a68f61f8276b4
redhat/9/updates-testing/i386/mozilla-nspr-1.7.7-0.90.1.legacy.i386.rpm
c043f95965b668bc18adb9a58b8e0f332f295285
redhat/9/updates-testing/i386/mozilla-nspr-devel-1.7.7-0.90.1.legacy.i386.rpm
1b9952e1ae88be813398d47c56ccdb1c6297defb
redhat/9/updates-testing/i386/mozilla-nss-1.7.7-0.90.1.legacy.i386.rpm
0048ddbfbccca48c2e3a20d436a8eeaeaa5e7d27
redhat/9/updates-testing/i386/mozilla-nss-devel-1.7.7-0.90.1.legacy.i386.rpm
3ef84161c6d31a0a022e30dccfa38c3e48bfc826
redhat/9/updates-testing/SRPMS/mozilla-1.7.7-0.90.1.legacy.src.rpm
f34febaaa2e03ffc62097a8abf977cfa98bce03a
redhat/9/updates-testing/i386/galeon-1.2.14-0.90.2.legacy.i386.rpm
72ddc204978e74630ef9cab1e17a80a6a2e06658
redhat/9/updates-testing/SRPMS/galeon-1.2.14-0.90.2.legacy.src.rpm

fc1:
57100cb971334d7af508b63786aa08605515ca1c
fedora/1/updates-testing/i386/mozilla-1.7.7-1.1.2.legacy.i386.rpm
d46f3963c22c7dd5460e5dcb54fe48001b9f2bf0
fedora/1/updates-testing/i386/mozilla-chat-1.7.7-1.1.2.legacy.i386.rpm
c1fb6304d59a2b40afb0f897068d4790f7188d58
fedora/1/updates-testing/i386/mozilla-devel-1.7.7-1.1.2.legacy.i386.rpm
2e6e6c51cc5f2ec33ed9da3f3cba5b8894cc41c6
fedora/1/updates-testing/i386/mozilla-dom-inspector-1.7.7-1.1.2.legacy.i386.rpm
c341b4c436e57743b14fb535117fd22b0cbec5d9
fedora/1/updates-testing/i386/mozilla-js-debugger-1.7.7-1.1.2.legacy.i386.rpm
7132f5a85829789980a6d3e99dcb8b693c2ca2f5
fedora/1/updates-testing/i386/mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm
97fc2ebf5fac4a9db7515d6ce040f69800d4b76f
fedora/1/updates-testing/i386/mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm
4fc55c563a2dab1acea189205a74a55a3193fd90
fedora/1/updates-testing/i386/mozilla-nspr-devel-1.7.7-1.1.2.legacy.i386.rpm
013b70581b5719c09d31a3cd642c9508326ee785
fedora/1/updates-testing/i386/mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm
0b166a9b048615bed8963512f3c14d0fe2b55df3
fedora/1/updates-testing/i386/mozilla-nss-devel-1.7.7-1.1.2.legacy.i386.rpm
78028c39bd74519585f30c5e9fb1811c17174ae6
fedora/1/updates-testing/SRPMS/mozilla-1.7.7-1.1.2.legacy.src.rpm
288dc1525d58a9bfb547dae233217f8560f793da
fedora/1/updates-testing/i386/epiphany-1.0.8-1.fc1.2.legacy.i386.rpm
6d7fc5695a4dc5dfda8061d6f15f5f49d9e0ca25
fedora/1/updates-testing/SRPMS/epiphany-1.0.8-1.fc1.2.legacy.src.rpm

fc2:
e30cf25bc4833e0b19464b80edc6a40a022d84ec
fedora/2/updates-testing/i386/mozilla-1.7.7-1.2.2.legacy.i386.rpm
f6272d64f623060b3e3c312a51d9c4cf79517dbf
fedora/2/updates-testing/i386/mozilla-chat-1.7.7-1.2.2.legacy.i386.rpm
3de604792b03c9be05094f93dfab05dc4025bf28
fedora/2/updates-testing/i386/mozilla-devel-1.7.7-1.2.2.legacy.i386.rpm
be68ea6a7694e26583788619fd2983d79e7de2a0
fedora/2/updates-testing/i386/mozilla-dom-inspector-1.7.7-1.2.2.legacy.i386.rpm
5fb0ec03a8477716720fa5717096f51b947b3fc7
fedora/2/updates-testing/i386/mozilla-js-debugger-1.7.7-1.2.2.legacy.i386.rpm
eaad0dd9b651f50a95645a483874e388c8e8d6ff
fedora/2/updates-testing/i386/mozilla-mail-1.7.7-1.2.2.legacy.i386.rpm
eab0bd24445c45116bb438c3ab039549aeaf9fff
fedora/2/updates-testing/i386/mozilla-nspr-1.7.7-1.2.2.legacy.i386.rpm
230443db97ade4cd419149aac9be2647b9d8e1a9
fedora/2/updates-testing/i386/mozilla-nspr-devel-1.7.7-1.2.2.legacy.i386.rpm
93d1521088d28943d1bb8a3f95b9fe33afbb6cce
fedora/2/updates-testing/i386/mozilla-nss-1.7.7-1.2.2.legacy.i386.rpm
69f0872295fcc76410236cbdcfa68ad714fd1019
fedora/2/updates-testing/i386/mozilla-nss-devel-1.7.7-1.2.2.legacy.i386.rpm
9ee87c561862efad6914604117ca1b77347ddce2
fedora/2/updates-testing/SRPMS/mozilla-1.7.7-1.2.2.legacy.src.rpm
2a2d210670d354d8640266735d2ce15ca3a6c637
fedora/2/updates-testing/i386/epiphany-1.2.10-0.2.3.legacy.i386.rpm
0b8dcb95ee3ac871fac5adda63cbe1ec62340540
fedora/2/updates-testing/SRPMS/epiphany-1.2.10-0.2.3.legacy.src.rpm
50bab23717bd9e8f80c1f037d89fea75c240404a
fedora/2/updates-testing/i386/devhelp-0.9.1-0.2.6.legacy.i386.rpm
19dd014eda39deb1bafdfa34c47a4e81bf9cf880
fedora/2/updates-testing/i386/devhelp-devel-0.9.1-0.2.6.legacy.i386.rpm
1fa21cf570fa5a210594820c17eacfe764df8a52
fedora/2/updates-testing/SRPMS/devhelp-0.9.1-0.2.6.legacy.src.rpm
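
The listing above gives each sha1sum on one line and the package path on
the next, which is not the "<sha1>  <path>" layout that sha1sum -c reads.
The script below is an added example, not part of the Fedora Legacy
notification, that walks a listing in the advisory's own two-line layout,
skips the "rh7.3:" style section labels, and checks every package found
under a download root; a listed package that has not been downloaded is
reported as MISSING and, like a MISMATCH, makes the check fail. The
sample tree and its contents at the bottom are constructed for the
demonstration; the listing file name and the download root are
assumptions.

```shell
#!/bin/sh
# Added example, not the notification's own tooling: verify downloaded
# packages against an advisory-style sha1sum listing.
#
# Usage: verify_advisory_sums <listing-file> <download-root>
# Listing format (as in the advisory): a section label such as "rh7.3:",
# then pairs of lines "<sha1>" / "<path relative to download root>".
# Returns 0 only if every listed file exists and matches its sha1sum.
verify_advisory_sums() {
    listing="$1"
    root="$2"
    status=0
    hash=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Blank lines and section labels ("rh7.3:", "fc2:") carry no sums.
        case "$line" in
            ""|*:) continue ;;
        esac
        # First line of a pair is the expected sha1sum.
        if [ -z "$hash" ]; then
            hash="$line"
            continue
        fi
        # Second line of a pair is the package path.
        path="$line"
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            status=1
        else
            actual=$(sha1sum "$root/$path" | cut -d' ' -f1)
            if [ "$actual" = "$hash" ]; then
                echo "OK       $path"
            else
                echo "MISMATCH $path (expected $hash, got $actual)"
                status=1
            fi
        fi
        hash=""
    done < "$listing"
    return $status
}

# Constructed demonstration: a temporary download root with one intact
# file, one file whose contents differ from the listed sum, and one
# listed file that was never downloaded. These are stand-ins, not the
# packages from the advisory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/redhat/7.3/updates-testing/i386"
printf 'constructed intact payload' \
    > "$demo_root/redhat/7.3/updates-testing/i386/mozilla-intact.rpm"
printf 'constructed tampered payload' \
    > "$demo_root/redhat/7.3/updates-testing/i386/mozilla-tampered.rpm"
intact_sum=$(sha1sum "$demo_root/redhat/7.3/updates-testing/i386/mozilla-intact.rpm" | cut -d' ' -f1)
# The tampered entry deliberately reuses the intact file's sum.
printf 'rh7.3:\n%s\n%s\n%s\n%s\n%s\n%s\n' \
    "$intact_sum" "redhat/7.3/updates-testing/i386/mozilla-intact.rpm" \
    "$intact_sum" "redhat/7.3/updates-testing/i386/mozilla-tampered.rpm" \
    "$intact_sum" "redhat/7.3/updates-testing/i386/mozilla-missing.rpm" \
    > "$demo_root/listing.txt"
if verify_advisory_sums "$demo_root/listing.txt" "$demo_root"; then
    echo "all listed packages verified"
else
    echo "verification failed; do not install the flagged packages"
fi
rm -rf "$demo_root"
```

Run it from the directory that mirrors the download tree (so that
redhat/7.3/... and fedora/2/... resolve), passing the listing copied from
the advisory; only the lines between "(sha1sums)" and the closing
separator are needed. The demonstration at the bottom prints one OK, one
MISMATCH and one MISSING line before reporting failure.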

---------------------------------------------------------------------

Please test and comment in bugzilla.