Heads up! Firefox & Mozilla
Rahul Sundaram
sundaram at fedoraproject.org
Tue Apr 18 16:57:11 UTC 2006
On Mon, 2006-04-17 at 10:24 -0500, David Eisenstein wrote:
> Hi Folks,
>
> Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing
> a set of critical vulnerabilities. The upstream (mozilla.org) chose
> *not*, however, to release the Mozilla code for 1.7.13 yet, but I am told
> that the updated Mozilla will be released officially in the near future.
> We may, however, be able to get our hands on the sources before then and
> get it in the pipeline for QA and such.
>
> Some of the critical issues (potential remotely exploited code execution)
> can be mitigated by turning off Javascript, but not all, as there is one
> issue that I am told can be triggered by HTML tags. From MFSA
> 2006-18 <http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>,
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>:
>
> "A particular sequence of HTML tags that reliably crash Mozilla clients
> was reported by an anonymous researcher via TippingPoint and the Zero
> Day Initiative. The crash is due to memory corruption that can be
> exploited to run arbitrary code.
>
> "Mozilla mail clients will crash on the tag sequence, but without the
> ability to run scripts to fill memory with the attack code it may not
> be possible for an attacker to exploit this crash."
>
> These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and
> 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0,
> according to CVE-2006-0749.
>
> Be careful out there! We'll get these out for Legacy as soon as we can.

Updates have been announced for Fedora Core 4 and Fedora Core 5. It
should be easy enough to rebuild it and provide them for Fedora Legacy.

Rahul