Fedora 7: FEDORA-2007-3952 Critical: Firefox Cross-Site Scripting

Liferea (Linux Feed Reader) is an RSS/RDF feed reader.

It's intended to be a clone of the Windows-only FeedReader.

It can be used to maintain a list of subscribed feeds,

browse through their items, and show their contents.

Updated firefox packages that fix several security issues are now available for Fedora 7.

This update has been rated as having critical security impact by the Fedora Security Response Team.

Mozilla Firefox is an open source Web browser.

A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)

Users of Firefox are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

* Tue Nov 27 2007 Christopher Aillon - 1.4.8-2

- Rebuild against newer gecko

9f1c924945c9747560f31e36face0ca490b770c4 liferea-1.4.8-2.fc7.ppc64.rpm

1cb69c699f34a6316f06faccee5647d701a14e93 liferea-debuginfo-1.4.8-2.fc7.ppc64.rpm

bc0ee372b0ccc34292e6fbf086ed5c392a90fb5c liferea-1.4.8-2.fc7.i386.rpm

da40d224fc3ce1d39c1b44b2add512fd01721087 liferea-debuginfo-1.4.8-2.fc7.i386.rpm

2156d38c78babed912d7272a95979dd7a033a4d8 liferea-debuginfo-1.4.8-2.fc7.x86_64.rpm

e89988f449bf88fbcac321fcdf0460ec8918afe4 liferea-1.4.8-2.fc7.x86_64.rpm

26c81b423032ea3c46271f35476178012410512b liferea-debuginfo-1.4.8-2.fc7.ppc.rpm

d4d6fca0abe8266fdb672aed74086fa324001890 liferea-1.4.8-2.fc7.ppc.rpm

848d984ada76801c6e983502b443f8cd26b9f6bb liferea-1.4.8-2.fc7.src.rpm

This update can be installed with the "yum" update program. Use

su -c 'yum update liferea'

at the command line. For more information, refer to "Managing Software

with yum", available at .

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/