[SECURITY] [DSA 1336-1] New mozilla-firefox packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

• -------------------------------------------------------------------------- Debian Security Advisory DSA 1336-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 22nd, 2007 http://www.debian.org/security/faq
• --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1282 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 CVE-2007-0981 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0778 CVE-2007-0045 CVE-2006-6077

Several remote vulnerabilities have been discovered in Mozilla Firefox.

This will be the last security update of Mozilla-based products for the oldstable (sarge) distribution of Debian. We recommend to upgrade to stable (etch) as soon as possible.

The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2007-1282     It was discovered that an integer overflow in text/enhanced message     parsing allows the execution of arbitrary code.

CVE-2007-0994     It was discovered that a regression in the Javascript engine allows     the execution of Javascript with elevated privileges.

CVE-2007-0995     It was discovered that incorrect parsing of invalid HTML characters     allows the bypass of content filters.

CVE-2007-0996     It was discovered that insecure child frame handling allows cross-site     scripting.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

CVE-2007-0981     It was discovered that Firefox handles URI withs a null byte in the     hostname insecurely.

CVE-2007-0008     It was discovered that a buffer overflow in the NSS code allows the     execution of arbitrary code.

CVE-2007-0009     It was discovered that a buffer overflow in the NSS code allows the     execution of arbitrary code.

CVE-2007-0775     It was discovered that multiple programming errors in the layout engine     allow the execution of arbitrary code.

CVE-2007-0778     It was discovered that the page cache calculates hashes in an insecure     manner.

CVE-2006-6077     It was discovered that the password manager allows the disclosure of     passwords.

For the oldstable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge17. You should upgrade to etch as soon as possible.

The stable distribution (etch) isn't affected. These vulnerabilities have been fixed prior to the release of Debian etch.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

The unstable distribution (sid) no longer contains mozilla-firefox. Iceweasel is already fixed.

Upgrade Instructions

- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

        will update the internal database apt-get upgrade

        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

- --------------------------------

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

  Source archives:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17.dsc
      Size/MD5 checksum:     1641 36715bb647cb3b7cd117edee90a34bfd
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17.diff.gz
      Size/MD5 checksum:   553311 4ba992e60e5c6b156054c5105b1134ae
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_alpha.deb
      Size/MD5 checksum: 11221890 5d8d1de73d162edf8ddbaa40844bb454
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_alpha.deb
      Size/MD5 checksum:   172696 42d5c31ec7a2e3163846c347f04773df
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_alpha.deb
      Size/MD5 checksum:    63574 238529b9d4ae396dc01d786d4fb843b4

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_amd64.deb
      Size/MD5 checksum:  9429140 8394fcd85a7218db784160702efc5249
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_amd64.deb
      Size/MD5 checksum:   166496 795a8ec3e1aa1b0a718ad6f4439670ef
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_amd64.deb
      Size/MD5 checksum:    62022 ef315cc90c3780ff151cd2271e913859

  ARM architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_arm.deb
      Size/MD5 checksum:  8244544 71eaf9cb5418a77410ff12c7f36eb32b
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_arm.deb
      Size/MD5 checksum:   157966 5e2e22d04a33ccbc0e6b19b4c4d43492
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_arm.deb
      Size/MD5 checksum:    57358 6f34a7a02114e48cadc6860b86f75130

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_hppa.deb
      Size/MD5 checksum: 10301620 3700a0b7dcb0ab061b3521e2a3f232f9
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_hppa.deb
      Size/MD5 checksum:   169432 387b8fa52d406dfdd26c3adc3ccac615
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_hppa.deb
      Size/MD5 checksum:    62500 80addaf2d87b6952fdc9104c5fc9dfde

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_i386.deb
      Size/MD5 checksum:  8919924 8fc67257357687c8611b3e4e5389aee4
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_i386.deb
      Size/MD5 checksum:   161684 6c989c4276e34c6031b6185418a8ddb1
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_i386.deb
      Size/MD5 checksum:    58896 7e48aa697c8c17f7d22de860a17e7dfd

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_ia64.deb
      Size/MD5 checksum: 11664142 aa008699700ba3c8b45d3a8961e99192
Can't find what you're looking for?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related lists.debian.org Links
debian-announce
debian-apache
debian-arm-changes
debian-beowulf
debian-boot
debian-cd
debian-cd-vendors
debian-changes
debian-changes-digest
debian-isp
debian-kde
debian-laptop
debian-mirrors-announce
debian-news
debian-security
debian-security-announce
debian-testing
debian-user
debian-user-digest
Request more information about Pantek
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_ia64.deb
      Size/MD5 checksum:   172030 e79af50f04490de310cda7f6ce652d44
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_ia64.deb
      Size/MD5 checksum:    66718 8cabdbf0919ac447c5d492ef6227d9af

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_m68k.deb
      Size/MD5 checksum:  8196148 e3544446b371fd7ed4b79e53f69b556a
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_m68k.deb
      Size/MD5 checksum:   160556 0164d4c0f675a020643ccedf94a55eb8
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_m68k.deb
      Size/MD5 checksum:    58168 b429907e69e8daa7d51e45552659da27

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_mips.deb
      Size/MD5 checksum:  9954006 0eb0513fc950e7cd8abcae9666b24a7b
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_mips.deb
      Size/MD5 checksum:   159496 ca0585a663a5470d3a62ae0786864beb
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_mips.deb
      Size/MD5 checksum:    59170 22ea96156de56d046a7afd73d4857419

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_mipsel.deb
      Size/MD5 checksum:  9831728 dda6865c7290fce658847f0909617c73
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_mipsel.deb
      Size/MD5 checksum:   159060 e7a7c4db0f5df82f84ceef6827df2bea
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_mipsel.deb
      Size/MD5 checksum:    58984 b0b02ac1c62041db8d377a7ff40c013c

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15_powerpc.deb
      Size/MD5 checksum:  8587718 8d219ce9e684b86babfe31db9d7d9658
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge15_powerpc.deb
      Size/MD5 checksum:   159762 41f3707945d5edae6ee1ac90bdef5cab
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge15_powerpc.deb
      Size/MD5 checksum:    60936 1a79408acd12828a3710393e05d99914

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_s390.deb
      Size/MD5 checksum:  9667078 5838d957637b4d4c2c19afea0dd68db5
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_s390.deb
      Size/MD5 checksum:   167092 4dd6de7299014d5e0c13da8e480a7f3c
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_s390.deb
      Size/MD5 checksum:    61472 64d10c667ed4c6c12947c49f5cca8ff6

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_sparc.deb
      Size/MD5 checksum:  8680322 241cddabdf91eb14b0a6529ffc84a51d
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_sparc.deb
      Size/MD5 checksum:   160304 7887081b85d3ead3994a997608bbe22a
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_sparc.deb
      Size/MD5 checksum:    57718 4a4eeeb0815cb03d51f74965403911ad

  These files will probably be moved into the oldstable distribution on   its next update.

• --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGo5b7Xm3vHE4uyloRAsdgAKDTo6NxeylHh30syJpFeyF5/Yr/XwCdH188 NdI5zd36oN5mVqIDUsqYC3o=
=/qY/
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org