Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat Enterprise Linux 4 and 5: RHSA-2008:0879-01 Critical Firefox Issues

red hat
Calendar Grey September 23, 2008
Dist Redhat Esm H88
Important security patch for Firefox released targeting Red Hat Enterprise Linux versions 4 and 5, mitigating serious online risks.
An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact...

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at

Summary

Mozilla Firefox is an open source Web browser.
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-4058, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064)
Several flaws were found in the way malformed web content was displayed. A web page containing specially crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-4067, CVE-2008-4068)
A flaw was found in the way Firefox handles mouse click events. A web page containing specially crafted JavaScript code could move the content window while a mouse-button was pressed, causing any item under the pointer to be dragged. This could, potentially, cause the user to perform an unsafe drag-and-drop action. (CVE-2008-3837)
A flaw was found in Firefox that caused certain characters to be stripped from JavaScript code. This flaw could allow malicious JavaScript to bypass or evade script filters. (CVE-2008-4065)
For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.2. You can find a link to the Mozilla advisories in the References section.
All firefox users should upgrade to this updated package, which contains backported patches that correct these issues.

References

https://www.cve.org/CVERecord?id=CVE-2008-3837 https://www.cve.org/CVERecord?id=CVE-2008-4058 https://www.cve.org/CVERecord?id=CVE-2008-4060 https://www.cve.org/CVERecord?id=CVE-2008-4061 https://www.cve.org/CVERecord?id=CVE-2008-4062 https://www.cve.org/CVERecord?id=CVE-2008-4063 https://www.cve.org/CVERecord?id=CVE-2008-4064 https://www.cve.org/CVERecord?id=CVE-2008-4065 https://www.cve.org/CVERecord?id=CVE-2008-4067 https://www.cve.org/CVERecord?id=CVE-2008-4068 https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-3.0/

Package List

Red Hat Enterprise Linux AS version 4:
Source:
i386: firefox-3.0.2-3.el4.i386.rpm firefox-debuginfo-3.0.2-3.el4.i386.rpm
ia64: firefox-3.0.2-3.el4.ia64.rpm firefox-debuginfo-3.0.2-3.el4.ia64.rpm
ppc: firefox-3.0.2-3.el4.ppc.rpm firefox-debuginfo-3.0.2-3.el4.ppc.rpm
s390: firefox-3.0.2-3.el4.s390.rpm firefox-debuginfo-3.0.2-3.el4.s390.rpm
s390x: firefox-3.0.2-3.el4.s390x.rpm firefox-debuginfo-3.0.2-3.el4.s390x.rpm
x86_64: firefox-3.0.2-3.el4.x86_64.rpm firefox-debuginfo-3.0.2-3.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
i386: firefox-3.0.2-3.el4.i386.rpm firefox-debuginfo-3.0.2-3.el4.i386.rpm
x86_64: firefox-3.0.2-3.el4.x86_64.rpm firefox-debuginfo-3.0.2-3.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
i386: firefox-3.0.2-3.el4.i386.rpm firefox-debuginfo-3.0.2-3.el4.i386.rpm
ia64: firefox-3.0.2-3.el4.ia64.rpm firefox-debuginfo-3.0.2-3.el4.ia64.rpm
x86_64: firefox-3.0.2-3.el4.x86_64.rpm firefox-debuginfo-3.0.2-3.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
i386: firefox-3.0.2-3.el4.i386.rpm firefox-debuginfo-3.0.2-3.el4.i386.rpm
ia64: firefox-3.0.2-3.el4.ia64.rpm firefox-debuginfo-3.0.2-3.el4.ia64.rpm
x86_64: firefox-3.0.2-3.el4.x86_64.rpm

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2008:0879-01
Product: Red Hat Enterprise Linux
Issue date: 2008-09-23

Topic

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Bugs Fixed

463189 - CVE-2008-3837 Forced mouse drag

463190 - CVE-2008-4058 Mozilla privilege escalation via XPCnativeWrapper pollution

463198 - CVE-2008-4060 Mozilla privilege escalation via XPCnativeWrapper pollution

463199 - CVE-2008-4061 Mozilla layout engine crash

463201 - CVE-2008-4062 Mozilla crashes with evidence of memory corruption

463203 - CVE-2008-4063 Mozilla crashes with evidence of memory corruption

463204 - CVE-2008-4064 Mozilla crashes with evidence of memory corruption

463234 - CVE-2008-4065 Mozilla BOM characters stripped from JavaScript before execution

463246 - CVE-2008-4067 Mozilla resource: traversal vulnerability

463248 - CVE-2008-4068 Mozilla local HTML file recource: bypass

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here