-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2007.0540 -- [RedHat]
                    Critical: firefox security update
                               19 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Firefox 2.0.0.4 and prior
Publisher:            Red Hat
Operating System:     Red Hat Enterprise Linux 4
                      Red Hat Enterprise Linux 5
Impact:               Execute Arbitrary Code/Commands
                      Cross-site Scripting
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3738 CVE-2007-3737 CVE-2007-3736 CVE-2007-3735
                      CVE-2007-3734 CVE-2007-3656 CVE-2007-3089

Ref:                  ESB-2007-0536
                      ESB-2007-0404

Original Bulletin:
  https://rhn.redhat.com/errata/RHSA-2007-0724.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Critical: firefox security update
Advisory ID:       RHSA-2007:0724-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0724.html
Issue date:        2007-07-18
Updated on:        2007-07-18
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-3089 CVE-2007-3656 CVE-2007-3734 CVE-2007-3735
                   CVE-2007-3736 CVE-2007-3737 CVE-2007-3738
- - ---------------------------------------------------------------------

1. Summary:

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed
JavaScript code. A web page containing malicious JavaScript code could
cause Firefox to crash or potentially execute arbitrary code as the user
running Firefox. (CVE-2007-3734, CVE-2007-3735, CVE-2007-3737,
CVE-2007-3738)

Several content injection flaws were found in the way Firefox handled
certain JavaScript code. A web page containing malicious JavaScript code
could inject arbitrary content into other web pages. (CVE-2007-3736,
CVE-2007-3089)

A flaw was found in the way Firefox cached web pages on the local disk. A
malicious web page may be able to inject arbitrary HTML into a browsing
session if the user reloads a targeted site. (CVE-2007-3656)

Users of Firefox are advised to upgrade to these erratum packages, which
contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

248518 - CVE-2007-3089 various flaws in mozilla products (CVE-2007-3734
CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3656 CVE-2007-3738)

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/firefox-1.5.0.12-0.3.el4.src.rpm
f07113979e83ca0e3b0f9caa8e34a4a6 firefox-1.5.0.12-0.3.el4.src.rpm

i386:
7622fec562eb6248eed19ac4903695fb firefox-1.5.0.12-0.3.el4.i386.rpm
6359107ef13d6a6a21e1acd6e22b12cb firefox-debuginfo-1.5.0.12-0.3.el4.i386.rpm

ia64:
27da182682ae877ea07b154c45ea8edc firefox-1.5.0.12-0.3.el4.ia64.rpm
aeee3e428309d64bbe9c4714ad48b28d firefox-debuginfo-1.5.0.12-0.3.el4.ia64.rpm

ppc:
732fe2238d90fd91ae72be8816fe8772 firefox-1.5.0.12-0.3.el4.ppc.rpm
89fea0cc921d3cc113dd28b6eed91022 firefox-debuginfo-1.5.0.12-0.3.el4.ppc.rpm

s390:
666483674e567946cb9c07e202814518 firefox-1.5.0.12-0.3.el4.s390.rpm
68f501a441bac6e34fca1582ca871b52 firefox-debuginfo-1.5.0.12-0.3.el4.s390.rpm

s390x:
9af7bbfc652a0e7f6b58b72fa2f598e9 firefox-1.5.0.12-0.3.el4.s390x.rpm
91c6e2324de24864de6cfbde5d058567 firefox-debuginfo-1.5.0.12-0.3.el4.s390x.rpm

x86_64:
ee0e7204d23c2a6109baf4610593c5af firefox-1.5.0.12-0.3.el4.x86_64.rpm
29f780a7080136522b9339ac46af2414 firefox-debuginfo-1.5.0.12-0.3.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/firefox-1.5.0.12-0.3.el4.src.rpm
f07113979e83ca0e3b0f9caa8e34a4a6 firefox-1.5.0.12-0.3.el4.src.rpm

i386:
7622fec562eb6248eed19ac4903695fb firefox-1.5.0.12-0.3.el4.i386.rpm
6359107ef13d6a6a21e1acd6e22b12cb firefox-debuginfo-1.5.0.12-0.3.el4.i386.rpm

x86_64:
ee0e7204d23c2a6109baf4610593c5af firefox-1.5.0.12-0.3.el4.x86_64.rpm
29f780a7080136522b9339ac46af2414 firefox-debuginfo-1.5.0.12-0.3.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/firefox-1.5.0.12-0.3.el4.src.rpm
f07113979e83ca0e3b0f9caa8e34a4a6 firefox-1.5.0.12-0.3.el4.src.rpm

i386:
7622fec562eb6248eed19ac4903695fb firefox-1.5.0.12-0.3.el4.i386.rpm
6359107ef13d6a6a21e1acd6e22b12cb firefox-debuginfo-1.5.0.12-0.3.el4.i386.rpm

ia64:
27da182682ae877ea07b154c45ea8edc firefox-1.5.0.12-0.3.el4.ia64.rpm
aeee3e428309d64bbe9c4714ad48b28d firefox-debuginfo-1.5.0.12-0.3.el4.ia64.rpm

x86_64:
ee0e7204d23c2a6109baf4610593c5af firefox-1.5.0.12-0.3.el4.x86_64.rpm
29f780a7080136522b9339ac46af2414 firefox-debuginfo-1.5.0.12-0.3.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/firefox-1.5.0.12-0.3.el4.src.rpm
f07113979e83ca0e3b0f9caa8e34a4a6 firefox-1.5.0.12-0.3.el4.src.rpm

i386:
7622fec562eb6248eed19ac4903695fb firefox-1.5.0.12-0.3.el4.i386.rpm
6359107ef13d6a6a21e1acd6e22b12cb firefox-debuginfo-1.5.0.12-0.3.el4.i386.rpm

ia64:
27da182682ae877ea07b154c45ea8edc firefox-1.5.0.12-0.3.el4.ia64.rpm
aeee3e428309d64bbe9c4714ad48b28d firefox-debuginfo-1.5.0.12-0.3.el4.ia64.rpm

x86_64:
ee0e7204d23c2a6109baf4610593c5af firefox-1.5.0.12-0.3.el4.x86_64.rpm
29f780a7080136522b9339ac46af2414 firefox-debuginfo-1.5.0.12-0.3.el4.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-3.el5.src.rpm
9c788fafd5691d3345f053e3134ca2ea firefox-1.5.0.12-3.el5.src.rpm

i386:
41f9235be61710608c049fed0c39ba19 firefox-1.5.0.12-3.el5.i386.rpm
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm

x86_64:
41f9235be61710608c049fed0c39ba19 firefox-1.5.0.12-3.el5.i386.rpm
5d2539b4e150e2ebea6c6304a4c08325 firefox-1.5.0.12-3.el5.x86_64.rpm
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm
9848654d72200a04b5e7c729711412f1 firefox-debuginfo-1.5.0.12-3.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-1.5.0.12-3.el5.src.rpm
9c788fafd5691d3345f053e3134ca2ea firefox-1.5.0.12-3.el5.src.rpm

i386:
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm
be1322bcd982139d6bd88a739af188a8 firefox-devel-1.5.0.12-3.el5.i386.rpm

x86_64:
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm
9848654d72200a04b5e7c729711412f1 firefox-debuginfo-1.5.0.12-3.el5.x86_64.rpm
be1322bcd982139d6bd88a739af188a8 firefox-devel-1.5.0.12-3.el5.i386.rpm
ecfcecad587c5b5a87ecb990407768c1 firefox-devel-1.5.0.12-3.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-1.5.0.12-3.el5.src.rpm
9c788fafd5691d3345f053e3134ca2ea firefox-1.5.0.12-3.el5.src.rpm

i386:
41f9235be61710608c049fed0c39ba19 firefox-1.5.0.12-3.el5.i386.rpm
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm
be1322bcd982139d6bd88a739af188a8 firefox-devel-1.5.0.12-3.el5.i386.rpm

ia64:
6dda2d0463fe1e15117224e263fd8646 firefox-1.5.0.12-3.el5.ia64.rpm
17165a01a2e49f826167d383eae245b2 firefox-debuginfo-1.5.0.12-3.el5.ia64.rpm
8eacfbf523a9e5bf9f7f5f24232da9bf firefox-devel-1.5.0.12-3.el5.ia64.rpm

ppc:
0e17d445a346697a695c708dd4ff7f77 firefox-1.5.0.12-3.el5.ppc.rpm
7df6f3aa268061dbc540b78163c03266 firefox-debuginfo-1.5.0.12-3.el5.ppc.rpm
8a604711c03a1e383e2dc86689c9b1f6 firefox-devel-1.5.0.12-3.el5.ppc.rpm

s390x:
85527cdc87805574e6cea54cd997bf08 firefox-1.5.0.12-3.el5.s390.rpm
ce660ba2b2af5bcea03789ce1c197e5f firefox-1.5.0.12-3.el5.s390x.rpm
1782f86797fd6c8ef1e79628262e4abd firefox-debuginfo-1.5.0.12-3.el5.s390.rpm
d1bfa2b33e6e7115d53d14563b525379 firefox-debuginfo-1.5.0.12-3.el5.s390x.rpm
47818dff9de4c75518ae322ae2887213 firefox-devel-1.5.0.12-3.el5.s390.rpm
1177441caa8e95e7fffab1fe036f7128 firefox-devel-1.5.0.12-3.el5.s390x.rpm

x86_64:
41f9235be61710608c049fed0c39ba19 firefox-1.5.0.12-3.el5.i386.rpm
5d2539b4e150e2ebea6c6304a4c08325 firefox-1.5.0.12-3.el5.x86_64.rpm
d4d2e8f63a26bb7137ca0f62a034446c firefox-debuginfo-1.5.0.12-3.el5.i386.rpm
9848654d72200a04b5e7c729711412f1 firefox-debuginfo-1.5.0.12-3.el5.x86_64.rpm
be1322bcd982139d6bd88a739af188a8 firefox-devel-1.5.0.12-3.el5.i386.rpm
ecfcecad587c5b5a87ecb990407768c1 firefox-devel-1.5.0.12-3.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3738
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFGntE6XlSAg2UNWIIRAs+0AKC+b+OgzqV5WDh/Yu0Xj004bEVncgCbBY9V
qKRzX2H1qWFJ272wudZIGAM=
=bMiF
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRp7iMyh9+71yA2DNAQI9cgP/WE0sBZoyc21DJJetbVEIfeJv3Jhd+Gqt
3X2g55pauSZE8KxjbPh4V1vlJqTB6H7qriDb5rMOfLOxHMzPCvB9YUnmHXDnzgFG
0hwBLCMZa5439bspDwaRf5USdezFxJqxUR29ZtZUwCebLfQSSuk5xAFBlu1fw+s9
pdYBxy/bsnA=
=FCwR
-----END PGP SIGNATURE-----
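Section 6 of the Red Hat advisory above publishes an MD5 sum beside every package and then points to Red Hat's GPG key for signature verification. The script below is an added worked example, not part of the AusCERT or Red Hat text: it checks RPMs that have been downloaded into a directory against the sums printed in the advisory and then runs `rpm -K` so that the package signature, not the MD5, is the final word. The sums table is a subset copied from section 6 (the main firefox package for i386 and x86_64 on RHEL 4 and RHEL 5); the download directory and the path of a saved copy of this bulletin are assumptions.

```shell
#!/bin/sh
# Added example for RHSA-2007:0724 (not Red Hat's or AusCERT's code).
# Checks downloaded RPMs against the MD5 sums printed in section 6 of
# the advisory, then defers to the Red Hat GPG signature via rpm -K.

# Subset of the section 6 list, copied verbatim from the advisory:
# main firefox package for i386 and x86_64 on RHEL 4 (el4) and RHEL 5 (el5).
ADVISORY_SUMS='7622fec562eb6248eed19ac4903695fb firefox-1.5.0.12-0.3.el4.i386.rpm
ee0e7204d23c2a6109baf4610593c5af firefox-1.5.0.12-0.3.el4.x86_64.rpm
41f9235be61710608c049fed0c39ba19 firefox-1.5.0.12-3.el5.i386.rpm
5d2539b4e150e2ebea6c6304a4c08325 firefox-1.5.0.12-3.el5.x86_64.rpm'

# md5_of FILE -> hex digest on stdout (GNU md5sum, or BSD/macOS md5 -q)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# expected_sum BASENAME -> the advisory's sum for that file, or nothing
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" | awk -v f="$1" '$2 == f { print $1 }'
}

# check_file PATH EXPECTED_MD5 -> 0 if the file hashes to EXPECTED_MD5
check_file() {
    got=$(md5_of "$1")
    [ "$got" = "$2" ]
}

# verify_rpm PATH -> 0 on match, 1 on mismatch,
# 2 if the advisory lists no sum for that filename (never silently pass)
verify_rpm() {
    name=$(basename "$1")
    want=$(expected_sum "$name")
    if [ -z "$want" ]; then
        echo "UNLISTED  $name (no sum in advisory)"
        return 2
    fi
    if check_file "$1" "$want"; then
        echo "OK        $name"
        return 0
    fi
    echo "MISMATCH  $name (got $(md5_of "$1"), advisory says $want)"
    return 1
}

# verify_dir DIR -> checks every *.rpm in DIR; 0 only if all pass.
# The MD5 match only proves the file matches the bulletin text; the
# GPG signature checked by rpm -K (Red Hat's key must be imported first,
# see the key URL in section 6) is the authoritative integrity check.
verify_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        verify_rpm "$f" || rc=1
        if command -v rpm >/dev/null 2>&1; then
            rpm -K "$f" || rc=1
        fi
    done
    return $rc
}

# verify_bulletin FILE -> gpg --verify on a saved copy of this
# cleartext-signed bulletin (assumed path). The MD5 list is only as
# trustworthy as the signature over the mail that carried it.
verify_bulletin() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify bulletin signature" >&2
        return 2
    fi
    gpg --verify "$1"
}

# Usage (assumed paths):
#   verify_bulletin ./ESB-2007.0540.txt && verify_dir ./downloads
```

MD5 had already lost collision resistance by 2007, so treat the sums as a transfer-integrity check and nothing more: anyone who can swap the package on a mirror can also hand you an unsigned copy of the bulletin with matching sums. The two checks that carry security weight are the cleartext signature over the bulletin (`verify_bulletin`) and the package signature (`rpm -K`), which is why `verify_dir` fails if either the sum or `rpm -K` disagrees and why an unlisted filename is reported rather than ignored.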