- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated Mozilla packages fix security vulnerability.
Advisory ID:       RHSA-2003:162-02
Issue date:        2003-07-15
Updated on:        2003-07-21
Product:           Red Hat Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2002:192
CVE Names:         CAN-2002-1308
- ---------------------------------------------------------------------

1. Topic:

Updated Mozilla packages fixing various bugs and security issues are now
available.

[Updated 18 July 2003]
Our Mozilla packages were found to be incompatible with Galeon. Updated
versions of Galeon are now included for Red Hat Linux 7.2, 7.3, and 8.0. 
In addition new builds of Mozilla for Red Hat Linux 8.0 are included as the
previous packages were built with the wrong compiler.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Mozilla is an open source Web browser.  

A heap-based buffer overflow in Netscape and Mozilla allows remote
attackers to execute arbitrary code via a jar: URL referencing a
malformed .jar file, which overflows a buffer during decompression. This
issue affects versions Mozilla packages for Red Hat Linux 7.1, 7.2, 7.3,
and 8.0.

These errata packages upgrade Mozilla to version 1.0.2, which is not
vulnerable to this issue. Mozilla 1.0.2 also contains a number of other
stability and security enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS: 
 

i386: 
  
  
  
  
  
  
  
  
  
  
 

Red Hat Linux 7.2:

SRPMS: 
  
 

i386: 
  
  
  
  
  
  
  
  
  
  
  
 

Red Hat Linux 7.3:

SRPMS: 
  
 

i386: 
  
  
  
  
  
  
  
  
  
  
  
 

Red Hat Linux 8.0:

SRPMS: 
  
 

i386: 
  
  
  
  
  
  
  
  
  
  
  
 



6. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
0ea62d7694ed12283afb3950082500d6 7.1/en/os/SRPMS/mozilla-1.0.2-2.7.1.src.rpm
53bff095e62748c16d015aa9b593daf3 7.1/en/os/i386/mozilla-1.0.2-2.7.1.i386.rpm
e28aa8324f807b6e6d6c68756094b16c 7.1/en/os/i386/mozilla-chat-1.0.2-2.7.1.i386.rpm
8efe869efa87cc7077541cf6feb4589d 7.1/en/os/i386/mozilla-devel-1.0.2-2.7.1.i386.rpm
9feb61104257d1c768327862df98fe85 7.1/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.1.i386.rpm
f135db91f8340fadb0dd366c428c316b 7.1/en/os/i386/mozilla-js-debugger-1.0.2-2.7.1.i386.rpm
35c65b77f6e5e43889299e03a2b69c57 7.1/en/os/i386/mozilla-mail-1.0.2-2.7.1.i386.rpm
d6e0875fd0ef5e5289f0965316132d85 7.1/en/os/i386/mozilla-nspr-1.0.2-2.7.1.i386.rpm
2145ef81c9556b8257e3f8a5360fd949 7.1/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.1.i386.rpm
4fb06f7ab7c8878922589bf88f1bd590 7.1/en/os/i386/mozilla-nss-1.0.2-2.7.1.i386.rpm
86dc7c08ce51c6e5a77642935e082464 7.1/en/os/i386/mozilla-nss-devel-1.0.2-2.7.1.i386.rpm
d7e1b8fe2afa76cee0495d38f619a20d 7.1/en/os/i386/mozilla-psm-1.0.2-2.7.1.i386.rpm
b656ecde82c58b171f2e2b9698067d62 7.2/en/os/SRPMS/galeon-1.2.11-1.7.2.src.rpm
091e7c8bed97714370a13edc59e541e5 7.2/en/os/SRPMS/mozilla-1.0.2-2.7.2.src.rpm
381995eb6ec4563f9adbd18d258cde58 7.2/en/os/i386/galeon-1.2.11-1.7.2.i386.rpm
8faed3fce6e562ab92e160ce50a3902f 7.2/en/os/i386/mozilla-1.0.2-2.7.2.i386.rpm
ccdf0868d4ec2be860ee9611d37edf5c 7.2/en/os/i386/mozilla-chat-1.0.2-2.7.2.i386.rpm
e20342d6f5dfb1af33ee5287f9432a4b 7.2/en/os/i386/mozilla-devel-1.0.2-2.7.2.i386.rpm
db5315ec67e24ad2e25eb927ffd26fcd 7.2/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.2.i386.rpm
3be5ea19103267fc7e9a21250f19b0ba 7.2/en/os/i386/mozilla-js-debugger-1.0.2-2.7.2.i386.rpm
282f5191699ad803e36e6c245dc12204 7.2/en/os/i386/mozilla-mail-1.0.2-2.7.2.i386.rpm
be8fba8aa43a219135df619873214291 7.2/en/os/i386/mozilla-nspr-1.0.2-2.7.2.i386.rpm
d3aea764a15e0b4da18f5c2d361481a6 7.2/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.2.i386.rpm
7c3c988b12406f4fdca1482a597415f0 7.2/en/os/i386/mozilla-nss-1.0.2-2.7.2.i386.rpm
9b4d4c39e477aacc273050f8ed29603d 7.2/en/os/i386/mozilla-nss-devel-1.0.2-2.7.2.i386.rpm
254af66bbd9e2ff5a5c5fc674051be73 7.2/en/os/i386/mozilla-psm-1.0.2-2.7.2.i386.rpm
7e771546d00f1ebb212081b70ea20da5 7.3/en/os/SRPMS/galeon-1.2.11-1.7.3.src.rpm
1422c777f85d9cf8c389d26b0409c884 7.3/en/os/SRPMS/mozilla-1.0.2-2.7.3.src.rpm
3f067f07f0c07594a7a4caebe18e8d64 7.3/en/os/i386/galeon-1.2.11-1.7.3.i386.rpm
79f4c4d5f606c44b99e0ba41541bf11c 7.3/en/os/i386/mozilla-1.0.2-2.7.3.i386.rpm
005d46a9a1548bcbbd912327f908bb49 7.3/en/os/i386/mozilla-chat-1.0.2-2.7.3.i386.rpm
6ceff96da5dfab5ab11dacbc8a91a25a 7.3/en/os/i386/mozilla-devel-1.0.2-2.7.3.i386.rpm
6dc44762c79a1fe09e24b4197e788068 7.3/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.3.i386.rpm
2d0638f0319d3caffa17143fc137a9e9 7.3/en/os/i386/mozilla-js-debugger-1.0.2-2.7.3.i386.rpm
37cf0ed35c4468baa063f4d675ea80b1 7.3/en/os/i386/mozilla-mail-1.0.2-2.7.3.i386.rpm
4f5d57a79a3e09d189dbfcb3c3b68965 7.3/en/os/i386/mozilla-nspr-1.0.2-2.7.3.i386.rpm
983ae99e55402c47f4d75f082799603b 7.3/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.3.i386.rpm
5b2a2c126e2a22e737e2613c27f25172 7.3/en/os/i386/mozilla-nss-1.0.2-2.7.3.i386.rpm
e94fc6cd89ea1d34ab7c863674b10633 7.3/en/os/i386/mozilla-nss-devel-1.0.2-2.7.3.i386.rpm
80eeba8d0ff8c10871bba5df19602d08 7.3/en/os/i386/mozilla-psm-1.0.2-2.7.3.i386.rpm
72dc632e0d5da76c74ba92c0c26997ba 8.0/en/os/SRPMS/galeon-1.2.11-1.8.0.src.rpm
ad372d6a2c6b8255bd172e55c3446c4b 8.0/en/os/SRPMS/mozilla-1.0.2-2.8.0.src.rpm
11461c125fcd9eeaf9af372393e65062 8.0/en/os/i386/galeon-1.2.11-1.8.0.i386.rpm
78bc7ca090ccead804b873fc8a16eec8 8.0/en/os/i386/mozilla-1.0.2-2.8.0.i386.rpm
46498b472e13f19760c031ed636396b3 8.0/en/os/i386/mozilla-chat-1.0.2-2.8.0.i386.rpm
4674b8ef2dcca69196ed47e54c8ba038 8.0/en/os/i386/mozilla-devel-1.0.2-2.8.0.i386.rpm
8a1cc220c9c441fd006d2dd0a6167348 8.0/en/os/i386/mozilla-dom-inspector-1.0.2-2.8.0.i386.rpm
5a760c866bdb8cedbe3ee1c04c8ec834 8.0/en/os/i386/mozilla-js-debugger-1.0.2-2.8.0.i386.rpm
31d278cd13edb9f78767d09e4bf38c6f 8.0/en/os/i386/mozilla-mail-1.0.2-2.8.0.i386.rpm
369fdbc3b8293c7279623d8adb4d130a 8.0/en/os/i386/mozilla-nspr-1.0.2-2.8.0.i386.rpm
fd3a65967c53bb08fadf9022db4d446a 8.0/en/os/i386/mozilla-nspr-devel-1.0.2-2.8.0.i386.rpm
2f00e1d57540af49f075d48418cd5f1c 8.0/en/os/i386/mozilla-nss-1.0.2-2.8.0.i386.rpm
0a375873ce70d9ee453321e35959fa85 8.0/en/os/i386/mozilla-nss-devel-1.0.2-2.8.0.i386.rpm
add62bfa139ba242e3e908f607b958f0 8.0/en/os/i386/mozilla-psm-1.0.2-2.8.0.i386.rpm


These packages are GPG signed by Red Hat for security.  Our key is
available from  Product Signing Keys - Red Hat Customer Portal

You can verify each package with the following command:
    
    rpm --checksig -v 

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum 


7. References:
 
  
CVE -CVE-2002-1308

8. Contact:

The Red Hat security contact is <secalert@Red Hat.com>.  More contact
details at  All Red Hat products

Copyright 2003 Red Hat, Inc.

RedHat: mozilla heap overflow vulnerability

A heap-based buffer overflow in Netscape and Mozilla allows remoteattackers to execute arbitrary code via a jar: URL referencing amalformed .jar file, which overflows a buffer duri...

Summary



Summary

Mozilla is an open source Web browser. A heap-based buffer overflow in Netscape and Mozilla allows remoteattackers to execute arbitrary code via a jar: URL referencing amalformed .jar file, which overflows a buffer during decompression. Thisissue affects versions Mozilla packages for Red Hat Linux 7.1, 7.2, 7.3,and 8.0.These errata packages upgrade Mozilla to version 1.0.2, which is notvulnerable to this issue. Mozilla 1.0.2 also contains a number of otherstability and security enhancements.


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 7.1:
SRPMS:

i386:











Red Hat Linux 7.2:
SRPMS:


i386:












Red Hat Linux 7.3:
SRPMS:


i386:












Red Hat Linux 8.0:
SRPMS:


i386:














6. Verification:
MD5 sum Package Name 0ea62d7694ed12283afb3950082500d6 7.1/en/os/SRPMS/mozilla-1.0.2-2.7.1.src.rpm 53bff095e62748c16d015aa9b593daf3 7.1/en/os/i386/mozilla-1.0.2-2.7.1.i386.rpm e28aa8324f807b6e6d6c68756094b16c 7.1/en/os/i386/mozilla-chat-1.0.2-2.7.1.i386.rpm 8efe869efa87cc7077541cf6feb4589d 7.1/en/os/i386/mozilla-devel-1.0.2-2.7.1.i386.rpm 9feb61104257d1c768327862df98fe85 7.1/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.1.i386.rpm f135db91f8340fadb0dd366c428c316b 7.1/en/os/i386/mozilla-js-debugger-1.0.2-2.7.1.i386.rpm 35c65b77f6e5e43889299e03a2b69c57 7.1/en/os/i386/mozilla-mail-1.0.2-2.7.1.i386.rpm d6e0875fd0ef5e5289f0965316132d85 7.1/en/os/i386/mozilla-nspr-1.0.2-2.7.1.i386.rpm 2145ef81c9556b8257e3f8a5360fd949 7.1/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.1.i386.rpm 4fb06f7ab7c8878922589bf88f1bd590 7.1/en/os/i386/mozilla-nss-1.0.2-2.7.1.i386.rpm 86dc7c08ce51c6e5a77642935e082464 7.1/en/os/i386/mozilla-nss-devel-1.0.2-2.7.1.i386.rpm d7e1b8fe2afa76cee0495d38f619a20d 7.1/en/os/i386/mozilla-psm-1.0.2-2.7.1.i386.rpm b656ecde82c58b171f2e2b9698067d62 7.2/en/os/SRPMS/galeon-1.2.11-1.7.2.src.rpm 091e7c8bed97714370a13edc59e541e5 7.2/en/os/SRPMS/mozilla-1.0.2-2.7.2.src.rpm 381995eb6ec4563f9adbd18d258cde58 7.2/en/os/i386/galeon-1.2.11-1.7.2.i386.rpm 8faed3fce6e562ab92e160ce50a3902f 7.2/en/os/i386/mozilla-1.0.2-2.7.2.i386.rpm ccdf0868d4ec2be860ee9611d37edf5c 7.2/en/os/i386/mozilla-chat-1.0.2-2.7.2.i386.rpm e20342d6f5dfb1af33ee5287f9432a4b 7.2/en/os/i386/mozilla-devel-1.0.2-2.7.2.i386.rpm db5315ec67e24ad2e25eb927ffd26fcd 7.2/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.2.i386.rpm 3be5ea19103267fc7e9a21250f19b0ba 7.2/en/os/i386/mozilla-js-debugger-1.0.2-2.7.2.i386.rpm 282f5191699ad803e36e6c245dc12204 7.2/en/os/i386/mozilla-mail-1.0.2-2.7.2.i386.rpm be8fba8aa43a219135df619873214291 7.2/en/os/i386/mozilla-nspr-1.0.2-2.7.2.i386.rpm d3aea764a15e0b4da18f5c2d361481a6 7.2/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.2.i386.rpm 7c3c988b12406f4fdca1482a597415f0 7.2/en/os/i386/mozilla-nss-1.0.2-2.7.2.i386.rpm 9b4d4c39e477aacc273050f8ed29603d 7.2/en/os/i386/mozilla-nss-devel-1.0.2-2.7.2.i386.rpm 254af66bbd9e2ff5a5c5fc674051be73 7.2/en/os/i386/mozilla-psm-1.0.2-2.7.2.i386.rpm 7e771546d00f1ebb212081b70ea20da5 7.3/en/os/SRPMS/galeon-1.2.11-1.7.3.src.rpm 1422c777f85d9cf8c389d26b0409c884 7.3/en/os/SRPMS/mozilla-1.0.2-2.7.3.src.rpm 3f067f07f0c07594a7a4caebe18e8d64 7.3/en/os/i386/galeon-1.2.11-1.7.3.i386.rpm 79f4c4d5f606c44b99e0ba41541bf11c 7.3/en/os/i386/mozilla-1.0.2-2.7.3.i386.rpm 005d46a9a1548bcbbd912327f908bb49 7.3/en/os/i386/mozilla-chat-1.0.2-2.7.3.i386.rpm 6ceff96da5dfab5ab11dacbc8a91a25a 7.3/en/os/i386/mozilla-devel-1.0.2-2.7.3.i386.rpm 6dc44762c79a1fe09e24b4197e788068 7.3/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.3.i386.rpm 2d0638f0319d3caffa17143fc137a9e9 7.3/en/os/i386/mozilla-js-debugger-1.0.2-2.7.3.i386.rpm 37cf0ed35c4468baa063f4d675ea80b1 7.3/en/os/i386/mozilla-mail-1.0.2-2.7.3.i386.rpm 4f5d57a79a3e09d189dbfcb3c3b68965 7.3/en/os/i386/mozilla-nspr-1.0.2-2.7.3.i386.rpm 983ae99e55402c47f4d75f082799603b 7.3/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.3.i386.rpm 5b2a2c126e2a22e737e2613c27f25172 7.3/en/os/i386/mozilla-nss-1.0.2-2.7.3.i386.rpm e94fc6cd89ea1d34ab7c863674b10633 7.3/en/os/i386/mozilla-nss-devel-1.0.2-2.7.3.i386.rpm 80eeba8d0ff8c10871bba5df19602d08 7.3/en/os/i386/mozilla-psm-1.0.2-2.7.3.i386.rpm 72dc632e0d5da76c74ba92c0c26997ba 8.0/en/os/SRPMS/galeon-1.2.11-1.8.0.src.rpm ad372d6a2c6b8255bd172e55c3446c4b 8.0/en/os/SRPMS/mozilla-1.0.2-2.8.0.src.rpm 11461c125fcd9eeaf9af372393e65062 8.0/en/os/i386/galeon-1.2.11-1.8.0.i386.rpm 78bc7ca090ccead804b873fc8a16eec8 8.0/en/os/i386/mozilla-1.0.2-2.8.0.i386.rpm 46498b472e13f19760c031ed636396b3 8.0/en/os/i386/mozilla-chat-1.0.2-2.8.0.i386.rpm 4674b8ef2dcca69196ed47e54c8ba038 8.0/en/os/i386/mozilla-devel-1.0.2-2.8.0.i386.rpm 8a1cc220c9c441fd006d2dd0a6167348 8.0/en/os/i386/mozilla-dom-inspector-1.0.2-2.8.0.i386.rpm 5a760c866bdb8cedbe3ee1c04c8ec834 8.0/en/os/i386/mozilla-js-debugger-1.0.2-2.8.0.i386.rpm 31d278cd13edb9f78767d09e4bf38c6f 8.0/en/os/i386/mozilla-mail-1.0.2-2.8.0.i386.rpm 369fdbc3b8293c7279623d8adb4d130a 8.0/en/os/i386/mozilla-nspr-1.0.2-2.8.0.i386.rpm fd3a65967c53bb08fadf9022db4d446a 8.0/en/os/i386/mozilla-nspr-devel-1.0.2-2.8.0.i386.rpm 2f00e1d57540af49f075d48418cd5f1c 8.0/en/os/i386/mozilla-nss-1.0.2-2.8.0.i386.rpm 0a375873ce70d9ee453321e35959fa85 8.0/en/os/i386/mozilla-nss-devel-1.0.2-2.8.0.i386.rpm add62bfa139ba242e3e908f607b958f0 8.0/en/os/i386/mozilla-psm-1.0.2-2.8.0.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is available from Product Signing Keys - Red Hat Customer Portal
You can verify each package with the following command:
rpm --checksig -v
If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:
md5sum

References

Package List


Severity
Advisory ID: RHSA-2003:162-02
Issued Date: : 2003-07-15
Updated on: 2003-07-21
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes: RHSA-2002:192
CVE Names: CAN-2002-1308

Topic


Topic

Updated Mozilla packages fixing various bugs and security issues are now

available.

[Updated 18 July 2003]

Our Mozilla packages were found to be incompatible with Galeon. Updated

versions of Galeon are now included for Red Hat Linux 7.2, 7.3, and 8.0.

In addition new builds of Mozilla for Red Hat Linux 8.0 are included as the

previous packages were built with the wrong compiler.


 

Relevant Releases Architectures

Red Hat Linux 7.1 - i386

Red Hat Linux 7.2 - i386

Red Hat Linux 7.3 - i386

Red Hat Linux 8.0 - i386


Bugs Fixed