-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2003.0491 -- RHSA-2003:162-01
            Updated Mozilla packages fix security vulnerability
                               16 July 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                mozilla
Publisher:              Red Hat
Operating System:       Red Hat Linux 8.0
                        Red Hat Linux 7.3
                        Red Hat Linux 7.2
                        Red Hat Linux 7.1
                        Linux
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

CVE Names:              CAN-2002-1308

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated Mozilla packages fix security vulnerability
Advisory ID:       RHSA-2003:162-01
Issue date:        2003-07-15
Updated on:        2003-07-15
Product:           Red Hat Linux
Keywords:
Cross references:
Obsoletes:         RHSA-2002:192
CVE Names:         CAN-2002-1308
- - ---------------------------------------------------------------------

1. Topic:

Updated Mozilla packages fixing various bugs and security issues are now
available.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Mozilla is an open source web browser.

A heap-based buffer overflow in Netscape and Mozilla allows remote attackers
to execute arbitrary code via a jar: URL referencing a malformed .jar file,
which overflows a buffer during decompression.

This issue affects the Mozilla packages for Red Hat Linux 7.1, 7.2, 7.3,
and 8.0.

These errata packages upgrade Mozilla to version 1.0.2, which is not
vulnerable to this issue. Mozilla 1.0.2 also contains a number of other
stability and security enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/mozilla-1.0.2-2.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-chat-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-devel-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-js-debugger-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-mail-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-nspr-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-nss-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-nss-devel-1.0.2-2.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/mozilla-psm-1.0.2-2.7.1.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/mozilla-1.0.2-2.7.2.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-chat-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-devel-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-js-debugger-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-mail-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nspr-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nss-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-nss-devel-1.0.2-2.7.2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/mozilla-psm-1.0.2-2.7.2.i386.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/mozilla-1.0.2-2.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-chat-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-devel-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-js-debugger-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-mail-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nspr-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nss-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-nss-devel-1.0.2-2.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/mozilla-psm-1.0.2-2.7.3.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/mozilla-1.0.2-1.8.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-chat-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-devel-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-dom-inspector-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-js-debugger-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-mail-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-nspr-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-nspr-devel-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-nss-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-nss-devel-1.0.2-1.8.0.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mozilla-psm-1.0.2-1.8.0.i386.rpm

6. Verification:

MD5 sum                          Package Name
- - --------------------------------------------------------------------------
0ea62d7694ed12283afb3950082500d6 7.1/en/os/SRPMS/mozilla-1.0.2-2.7.1.src.rpm
53bff095e62748c16d015aa9b593daf3 7.1/en/os/i386/mozilla-1.0.2-2.7.1.i386.rpm
e28aa8324f807b6e6d6c68756094b16c 7.1/en/os/i386/mozilla-chat-1.0.2-2.7.1.i386.rpm
8efe869efa87cc7077541cf6feb4589d 7.1/en/os/i386/mozilla-devel-1.0.2-2.7.1.i386.rpm
9feb61104257d1c768327862df98fe85 7.1/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.1.i386.rpm
f135db91f8340fadb0dd366c428c316b 7.1/en/os/i386/mozilla-js-debugger-1.0.2-2.7.1.i386.rpm
35c65b77f6e5e43889299e03a2b69c57 7.1/en/os/i386/mozilla-mail-1.0.2-2.7.1.i386.rpm
d6e0875fd0ef5e5289f0965316132d85 7.1/en/os/i386/mozilla-nspr-1.0.2-2.7.1.i386.rpm
2145ef81c9556b8257e3f8a5360fd949 7.1/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.1.i386.rpm
4fb06f7ab7c8878922589bf88f1bd590 7.1/en/os/i386/mozilla-nss-1.0.2-2.7.1.i386.rpm
86dc7c08ce51c6e5a77642935e082464 7.1/en/os/i386/mozilla-nss-devel-1.0.2-2.7.1.i386.rpm
d7e1b8fe2afa76cee0495d38f619a20d 7.1/en/os/i386/mozilla-psm-1.0.2-2.7.1.i386.rpm
091e7c8bed97714370a13edc59e541e5 7.2/en/os/SRPMS/mozilla-1.0.2-2.7.2.src.rpm
8faed3fce6e562ab92e160ce50a3902f 7.2/en/os/i386/mozilla-1.0.2-2.7.2.i386.rpm
ccdf0868d4ec2be860ee9611d37edf5c 7.2/en/os/i386/mozilla-chat-1.0.2-2.7.2.i386.rpm
e20342d6f5dfb1af33ee5287f9432a4b 7.2/en/os/i386/mozilla-devel-1.0.2-2.7.2.i386.rpm
db5315ec67e24ad2e25eb927ffd26fcd 7.2/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.2.i386.rpm
3be5ea19103267fc7e9a21250f19b0ba 7.2/en/os/i386/mozilla-js-debugger-1.0.2-2.7.2.i386.rpm
282f5191699ad803e36e6c245dc12204 7.2/en/os/i386/mozilla-mail-1.0.2-2.7.2.i386.rpm
be8fba8aa43a219135df619873214291 7.2/en/os/i386/mozilla-nspr-1.0.2-2.7.2.i386.rpm
d3aea764a15e0b4da18f5c2d361481a6 7.2/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.2.i386.rpm
7c3c988b12406f4fdca1482a597415f0 7.2/en/os/i386/mozilla-nss-1.0.2-2.7.2.i386.rpm
9b4d4c39e477aacc273050f8ed29603d 7.2/en/os/i386/mozilla-nss-devel-1.0.2-2.7.2.i386.rpm
254af66bbd9e2ff5a5c5fc674051be73 7.2/en/os/i386/mozilla-psm-1.0.2-2.7.2.i386.rpm
1422c777f85d9cf8c389d26b0409c884 7.3/en/os/SRPMS/mozilla-1.0.2-2.7.3.src.rpm
79f4c4d5f606c44b99e0ba41541bf11c 7.3/en/os/i386/mozilla-1.0.2-2.7.3.i386.rpm
005d46a9a1548bcbbd912327f908bb49 7.3/en/os/i386/mozilla-chat-1.0.2-2.7.3.i386.rpm
6ceff96da5dfab5ab11dacbc8a91a25a 7.3/en/os/i386/mozilla-devel-1.0.2-2.7.3.i386.rpm
6dc44762c79a1fe09e24b4197e788068 7.3/en/os/i386/mozilla-dom-inspector-1.0.2-2.7.3.i386.rpm
2d0638f0319d3caffa17143fc137a9e9 7.3/en/os/i386/mozilla-js-debugger-1.0.2-2.7.3.i386.rpm
37cf0ed35c4468baa063f4d675ea80b1 7.3/en/os/i386/mozilla-mail-1.0.2-2.7.3.i386.rpm
4f5d57a79a3e09d189dbfcb3c3b68965 7.3/en/os/i386/mozilla-nspr-1.0.2-2.7.3.i386.rpm
983ae99e55402c47f4d75f082799603b 7.3/en/os/i386/mozilla-nspr-devel-1.0.2-2.7.3.i386.rpm
5b2a2c126e2a22e737e2613c27f25172 7.3/en/os/i386/mozilla-nss-1.0.2-2.7.3.i386.rpm
e94fc6cd89ea1d34ab7c863674b10633 7.3/en/os/i386/mozilla-nss-devel-1.0.2-2.7.3.i386.rpm
80eeba8d0ff8c10871bba5df19602d08 7.3/en/os/i386/mozilla-psm-1.0.2-2.7.3.i386.rpm
1ab24a690bd15d75506dc6a8c2e273ee 8.0/en/os/SRPMS/mozilla-1.0.2-1.8.0.src.rpm
5911caaf582e1df67ce46193fdc76c29 8.0/en/os/i386/mozilla-1.0.2-1.8.0.i386.rpm
c077e7be3cdda9628f6ca13ca3e65166 8.0/en/os/i386/mozilla-chat-1.0.2-1.8.0.i386.rpm
9128c1af768a09eda849a69aa22f982e 8.0/en/os/i386/mozilla-devel-1.0.2-1.8.0.i386.rpm
011722b79b93f93f0be6cce5fcd88574 8.0/en/os/i386/mozilla-dom-inspector-1.0.2-1.8.0.i386.rpm
011015a782b908cbf1beb07752163333 8.0/en/os/i386/mozilla-js-debugger-1.0.2-1.8.0.i386.rpm
a08c04ce82a9542fe9cbd34ab2efa685 8.0/en/os/i386/mozilla-mail-1.0.2-1.8.0.i386.rpm
db1f0c95e0c6476669be3cf339a01840 8.0/en/os/i386/mozilla-nspr-1.0.2-1.8.0.i386.rpm
f21ec830971bed5fb97243f3bc40d2d4 8.0/en/os/i386/mozilla-nspr-devel-1.0.2-1.8.0.i386.rpm
4c93a87a06222772e2de2e244e2d3e59 8.0/en/os/i386/mozilla-nss-1.0.2-1.8.0.i386.rpm
5fd5561787d6f3bc0d2ad2bb5f00f6d5 8.0/en/os/i386/mozilla-nss-devel-1.0.2-1.8.0.i386.rpm
c0fc99835abe54966ea45fcc34bcf67e 8.0/en/os/i386/mozilla-psm-1.0.2-1.8.0.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is
available from http://www.redhat.com/security/keys.html

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum <filename>

7. References:

http://www.mozilla.org/releases/mozilla1.0.2/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1308

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/E7OqXlSAg2UNWIIRAsAKAJ4smR+bi8VjCZnfozce6bS5k8TbkwCgxHjV
S3Jv8K1DHl43qN6aZqi1NRM=
=e02u
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPxSTOih9+71yA2DNAQFbiAP/crm7/N2i0sbPPBal0LZcIEcv3vkGWZ7u
juVVA3NpYzSoqRbmsU8alafHk8ljaErJwztKu3bjRda6gXkYa1/0bAf5Ri58DGYP
rdqH4uzqgssnC6BDxK2sfK8oB3FFnQJIh+KDfmmYjpcNgV0h+2YzTZniErb0q9fL
J8sluGK+BHs=
=JE/f
-----END PGP SIGNATURE-----
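Section 4 of the Red Hat advisory above says to apply the update with rpm -Fvh, and section 6 says to check each downloaded package with rpm --checksig -v or md5sum first. The script below is an example added here; it is not part of the Red Hat advisory or the AusCERT bulletin. It automates the md5sum step for a whole download: it reads a manifest in the same "MD5 sum  Package Name" layout as section 6, compares every listed file that is present under a download directory, and reports failure if any digest differs. The function names, the manifest file, and the download directory are assumptions; the files that demo_verify creates are constructed for the example and are not Red Hat packages.

```shell
#!/bin/sh
# Check downloaded RPMs against the "MD5 sum  Package Name" list from
# section 6 of the advisory before running "rpm -Fvh".
# Added example; not part of the Red Hat advisory or the AusCERT bulletin.
# Assumes either md5sum or openssl is installed.

# md5_of_file FILE -> prints the hex MD5 digest of FILE
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_manifest MANIFEST DIR
# MANIFEST holds lines of the form "<32 hex chars> <relative path>", exactly
# as printed in section 6; header and separator lines are skipped.
# Files listed but not present under DIR are reported as MISSING and do not
# fail the check (the advisory lists every release; you download only yours).
# Returns 1 if any present file has a digest that differs, 0 otherwise.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    while read -r expected path; do
        # keep only lines whose first field is a 32-character hex digest
        case $expected in
            *[!0-9a-f]*) continue ;;
        esac
        [ ${#expected} -eq 32 ] || continue
        [ -n "$path" ] || continue
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            continue
        fi
        actual=$(md5_of_file "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# demo_verify: builds a constructed download directory and manifest in a
# temporary location and runs the check against it. The two files and their
# digests are constructed for this example (an empty file, and "hello" plus
# a newline); they are not RPMs. The third manifest entry is deliberately
# absent, to show that a file you did not download is reported, not failed.
# Returns the exit status of verify_manifest (0 = every present file matched).
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/7.1/en/os/i386"
    printf '' > "$tmp/7.1/en/os/i386/empty.rpm"
    printf 'hello\n' > "$tmp/7.1/en/os/i386/hello.rpm"
    cat > "$tmp/manifest.txt" <<'EOF'
MD5 sum                          Package Name
- - --------------------------------------------------------------------------
d41d8cd98f00b204e9800998ecf8427e 7.1/en/os/i386/empty.rpm
b1946ac92492d2347c6235b4d2611184 7.1/en/os/i386/hello.rpm
00000000000000000000000000000000 7.1/en/os/i386/not-downloaded.rpm
EOF
    if verify_manifest "$tmp/manifest.txt" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

To use it with a real download, paste the section 6 table into a file and call verify_manifest with that file and the directory the packages were fetched into (keeping the 7.x/en/os/... relative paths). A matching MD5 only shows that the file is the one the advisory lists; it does not establish that the advisory itself is genuine, which is why checking the PGP signature on the advisory and running rpm --checksig -v on each package, as section 6 describes, still matters.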