
Red Hat Enterprise: RHSA-2012:0079-01 Critical: Firefox Security Issue

February 1, 2012
Security update for the firefox packages on Red Hat Enterprise Linux 4, 5 and 6, fixing several vulnerabilities that can lead to code execution or information disclosure.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4, 5, and 6.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Summary

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
A use-after-free flaw was found in the way Firefox removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, malicious script could possibly use this flaw to cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3659)
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0442)
A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0444)
A flaw was found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). A web page containing a malicious SVG image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0449)
The same-origin policy in Firefox treated a hostname and its IPv6-style square-bracket form as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.26. You can find links to the Mozilla advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.26, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
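The check an administrator wants after this erratum is whether every machine actually carries the fixed build. The script below is an added example, not part of the Red Hat advisory: it compares the name-version-release string that `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' firefox` prints against the fixed build, using a numeric (not lexical) version comparison so that 3.6.26 sorts after 3.6.9. The fixed build 3.6.26-2 is the RHEL 4 build visible in this advisory's package list; the RHEL 5 and 6 build numbers are not shown on this page, so take them from the full advisory and pass them as the second argument. The host inventory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag installed firefox packages
# that are still below the build shipped in RHSA-2012:0079.
# Input lines are "host NVR", where NVR is what
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' firefox
# prints, e.g. "firefox-3.6.24-3.el4". Version components are assumed numeric.
# 3.6.26-2 is the RHEL 4 build from the package list; the RHEL 5/6 build
# numbers are not on this page, so pass the correct one per release.
FIXED_DEFAULT="3.6.26-2"

# vercmp A B: compare two dotted numeric versions; print -1, 0 or 1
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"                # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"     # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"                # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# needs_update NVR [FIXED]: succeed (exit 0) when NVR is older than FIXED
needs_update() {
    nvr="$1"; fixed="${2:-$FIXED_DEFAULT}"
    rel="${nvr##*-}"                      # "3.el4"
    relnum="${rel%%.*}"                   # "3"  (release number before .elN)
    ver="${nvr%-*}"; ver="${ver##*-}"     # "3.6.24"
    fver="${fixed%-*}"; frel="${fixed##*-}"
    cmp=$(vercmp "$ver" "$fver")
    [ "$cmp" -lt 0 ] && return 0          # older upstream version
    [ "$cmp" -gt 0 ] && return 1          # newer than the erratum build
    [ "$relnum" -lt "$frel" ]             # same version: compare release number
}

# unpatched_hosts [FIXED]: read "host NVR" lines on stdin, print hosts
# that still need the update, one per line
unpatched_hosts() {
    while read -r host nvr; do
        [ -n "$host" ] || continue
        if needs_update "$nvr" "$1"; then echo "$host"; fi
    done
}

# Constructed sample inventory (not real hosts): rpm query output collected
# from several RHEL 4 machines
SAMPLE='web1 firefox-3.6.24-3.el4
web2 firefox-3.6.26-2.el4
ws3 firefox-3.6.26-1.el4
db5 firefox-3.5.9-1.el4'

printf '%s\n' "$SAMPLE" | unpatched_hosts
# Remediation per the advisory: install the updated packages ("yum update
# firefox" on RHEL 5/6, "up2date firefox" on RHEL 4), then restart every
# running Firefox so the new binaries are loaded.
```

Note that ws3 is reported even though it already runs 3.6.26: the release number 1 is below the erratum's build 2, which is exactly the case a naive "is the version 3.6.26?" check would miss. A build newer than the erratum (for example a later erratum) is not flagged.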

References

https://access.redhat.com/security/cve/CVE-2011-3659
https://access.redhat.com/security/cve/CVE-2011-3670
https://access.redhat.com/security/cve/CVE-2012-0442
https://access.redhat.com/security/cve/CVE-2012-0444
https://access.redhat.com/security/cve/CVE-2012-0449
https://access.redhat.com/security/updates/classification#critical
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-3.6/

Severity: Critical

Advisory ID: RHSA-2012:0079-01
Product: Red Hat Enterprise Linux
Issue date: 2012-01-31

Topic

Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Relevant Releases / Architectures

RHEL Desktop Workstation (v5 client) - i386, x86_64

Red Hat Enterprise Linux (v5 server) - i386, ia64, ppc, s390x, x86_64

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Enterprise Linux Desktop (v5 client) - i386, x86_64

Red Hat Enterprise Linux Desktop (v6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v6) - i386, x86_64

Red Hat Enterprise Linux Desktop version 4 - i386, x86_64

Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux HPC Node Optional (v6) - x86_64

Red Hat Enterprise Linux Server (v6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

Red Hat Enterprise Linux Workstation (v6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v6) - i386, x86_64

Bugs Fixed

785085 - CVE-2012-0442 Mozilla: memory safety hazards in 10.0/1.9.2.26 (MFSA 2012-01)

785464 - CVE-2011-3670 Mozilla: Same-origin bypass using IPv6-like hostname syntax (MFSA 2012-02)

785966 - CVE-2012-0449 Mozilla: Crash when rendering SVG+XSLT (MFSA 2012-08)

786026 - CVE-2012-0444 Firefox: Ogg Vorbis Decoding Memory Corruption (MFSA 2012-07)

786258 - CVE-2011-3659 Mozilla: child nodes from nsDOMAttribute still accessible after removal of nodes (MFSA 2012-04)

Package List:

Red Hat Enterprise Linux AS version 4:

Source:

i386:

firefox-3.6.26-2.el4.i386.rpm

firefox-debuginfo-3.6.26-2.el4.i386.rpm

ia64:

firefox-3.6.26-2.el4.ia64.rpm

firefox-debuginfo-3.6.26-2.el4.ia64.rpm

ppc:

firefox-3.6.26-2.el4.ppc.rpm

firefox-debuginfo-3.6.26-2.el4.ppc.rpm

s390:

firefox-3.6.26-2.el4.s390.rpm

firefox-debuginfo-3.6.26-2.el4.s390.rpm

s390x:

firefox-3.6.26-2.el4.s390x.rpm

firefox-debuginfo-3.6.26-2.el4.s390x.rpm

x86_64:

firefox-3.6.26-2.el4.x86_64.rpm

firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:

i386:

firefox-3.6.26-2.el4.i386.rpm

firefox-debuginfo-3.6.26-2.el4.i386.rpm

x86_64:

firefox-3.6.26-2.el4.x86_64.rpm

firefox-debuginfo-3.6.26-2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:

i386:

firefox-3.6.26-2.el4.i386.rpm

firefox-debuginfo-3.6.26-2.el4.i386.rpm

ia64:
