Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat Enterprise Linux: RHSA-2008:1036-01 Critical: Firefox Threats

red hat
Calendar Grey December 16, 2008
Dist Redhat Esm H88
Significant Chrome security patch issued for Ubuntu, vital for protection against threats and attack methods.
An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact...

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at

Summary

Mozilla Firefox is an open source Web browser.
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513)
Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could potentially trick a Firefox user into surrendering sensitive information. (CVE-2008-5506, CVE-2008-5507)
A flaw was found in the way Firefox stored attributes in XML User Interface Language (XUL) elements. A web site could use this flaw to track users across browser sessions, even if users did not allow the site to store cookies in the victim's browser. (CVE-2008-5505)
A flaw was found in the way malformed URLs were processed by Firefox. This flaw could prevent various URL sanitization mechanisms from properly parsing a malicious URL. (CVE-2008-5508)
A flaw was found in Firefox's CSS parser. A malicious web page could inject NULL characters into a CSS input string, possibly bypassing an application's script sanitization routines. (CVE-2008-5510)
For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0.5. You can find a link to the Mozilla advisories in the References section.
Note: after the errata packages are installed, Firefox must be restarted for the update to take effect.
All firefox users should upgrade to these updated packages, which contain backported patches that correct these issues.

References

https://www.cve.org/CVERecord?id=CVE-2008-5500 https://www.cve.org/CVERecord?id=CVE-2008-5501 https://www.cve.org/CVERecord?id=CVE-2008-5502 https://www.cve.org/CVERecord?id=CVE-2008-5505 https://www.cve.org/CVERecord?id=CVE-2008-5506 https://www.cve.org/CVERecord?id=CVE-2008-5507 https://www.cve.org/CVERecord?id=CVE-2008-5508 https://www.cve.org/CVERecord?id=CVE-2008-5510 https://www.cve.org/CVERecord?id=CVE-2008-5511 https://www.cve.org/CVERecord?id=CVE-2008-5512 https://www.cve.org/CVERecord?id=CVE-2008-5513 https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-3.0/

Package List

Red Hat Enterprise Linux AS version 4:
Source:
i386: firefox-3.0.5-1.el4.i386.rpm firefox-debuginfo-3.0.5-1.el4.i386.rpm nspr-4.7.3-1.el4.i386.rpm nspr-debuginfo-4.7.3-1.el4.i386.rpm nspr-devel-4.7.3-1.el4.i386.rpm nss-3.12.2.0-1.el4.i386.rpm nss-debuginfo-3.12.2.0-1.el4.i386.rpm nss-devel-3.12.2.0-1.el4.i386.rpm
ia64: firefox-3.0.5-1.el4.ia64.rpm firefox-debuginfo-3.0.5-1.el4.ia64.rpm nspr-4.7.3-1.el4.i386.rpm nspr-4.7.3-1.el4.ia64.rpm nspr-debuginfo-4.7.3-1.el4.ia64.rpm nspr-devel-4.7.3-1.el4.ia64.rpm nss-3.12.2.0-1.el4.i386.rpm nss-3.12.2.0-1.el4.ia64.rpm nss-debuginfo-3.12.2.0-1.el4.ia64.rpm nss-devel-3.12.2.0-1.el4.ia64.rpm
ppc: firefox-3.0.5-1.el4.ppc.rpm firefox-debuginfo-3.0.5-1.el4.ppc.rpm nspr-4.7.3-1.el4.ppc.rpm nspr-4.7.3-1.el4.ppc64.rpm nspr-debuginfo-4.7.3-1.el4.ppc.rpm nspr-debuginfo-4.7.3-1.el4.ppc64.rpm nspr-devel-4.7.3-1.el4.ppc.rpm nss-3.12.2.0-1.el4.ppc.rpm nss-3.12.2.0-1.el4.ppc64.rpm nss-debuginfo-3.12.2.0-1.el4.ppc.rpm nss-debuginfo-3.12.2.0-1.el4.ppc64.rpm nss-devel-3.12.2.0-1.el4.ppc.rpm
s390: firefox-3.0.5-1.el4.s390.rpm firefox-debuginfo-3.0.5-1.el4.s390.rpm nspr-4.7.3-1.el4.s390.rpm nspr-debuginfo-4.7.3-1.el4.s390.rpm nspr-devel-4.7.3-1.el4.s390.rpm nss-3.12.2.0-1.el4.s390.rpm

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2008:1036-01
Product: Red Hat Enterprise Linux
Issue date: 2008-12-16

Topic

An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Bugs Fixed

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here