Date:         Fri, 19 Feb 2010 13:55:07 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Critical: firefox on SL4.x, SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Critical: firefox security update
Issue date:	2010-02-17
CVE Names:	CVE-2009-1571 CVE-2009-3988 CVE-2010-0159
                 CVE-2010-0160 CVE-2010-0162

CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 
2010-01)
CVE-2010-0160 Mozilla implementation of Web Workers can lead to crash 
with evidence of memory corruption (MFSA 2010-02)
CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03)
CVE-2009-3988 Mozilla violation of same-origin policy due to properties 
set on objects passed to showModalDialog (MFSA 2010-04)
CVE-2010-0162 Mozilla bypass of same-origin policy due to improper SVG 
document processing (MFSA 2010-05)

A use-after-free flaw was found in Firefox. Under low memory conditions,
visiting a web page containing malicious content could result in Firefox
executing arbitrary code with the privileges of the user running 
Firefox. (CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A 
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user 
running Firefox. (CVE-2010-0159, CVE-2010-0160)

Two flaws were found in the way certain content was processed. An 
attacker could use these flaws to create a malicious web page that could 
bypass the same-origin policy, or possibly run untrusted JavaScript. 
(CVE-2009-3988, CVE-2010-0162)

After installing the update, Firefox must be restarted for the changes 
to take effect.

SL 4.x

      SRPMS:
firefox-3.0.18-1.el4.src.rpm
      i386:

      x86_64:

SL 5.x

      SRPMS:
firefox-3.0.18-1.el5_4.src.rpm
xulrunner-1.9.0.18-1.el5_4.src.rpm
      i386:

      x86_64:

-Connie Sieh
-Troy Dawson
