Red Hat 9042 Published by

Fedora Legacy Update Advisory

Synopsis: Updated firefox package fixes security issues
Advisory ID: FLSA:189137-2
Issue date: 2006-06-06
Product: Fedora Core
Keywords: Bugfix, Security
CVE Names: CVE-2006-0748 CVE-2006-0749 CVE-2006-1724 CVE-2006-1727
CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731
CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735
CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740
CVE-2006-1741 CVE-2006-1742 CVE-2006-1790
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

An updated firefox package that fixes several security bugs is now
available.

Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

2. Relevant releases/architectures:

Fedora Core 3 - i386, x86_64

3. Problem description:

Several bugs were found in the way Firefox processes malformed
javascript. A malicious web page could modify the content of a different
open web page, possibly stealing sensitive information or conducting a
cross-site scripting attack. (CVE-2006-1731, CVE-2006-1732,
CVE-2006-1741)

Several bugs were found in the way Firefox processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the page to
steal sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735,
CVE-2006-1742)

Several bugs were found in the way Firefox processes malformed web
pages. A carefully crafted malicious web page could cause the execution
of arbitrary code as the user running Firefox. (CVE-2006-0748,
CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

A bug was found in the way Firefox displays the secure site icon. If a
browser is configured to display the non-default secure site modal
warning dialog, it may be possible to trick a user into believing they
are viewing a secure site. (CVE-2006-1740)

A bug was found in the way Firefox allows javascript mutation events on
"input" form elements. A malicious web page could be created in such a
way that when a user submits a form, an arbitrary file could be uploaded
to the attacker. (CVE-2006-1729)

Users of Firefox are advised to upgrade to these updated packages
containing Firefox version 1.0.8 which corrects these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189137

6. RPMs required:

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/firefox-1.0.8-1.1
.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/firefox-1.0.8-1.1.
fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/firefox-1.0.8-1.
1.fc3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

8b719bb18c6dfe14b472c684ac5133d82d1b96d0
fedora/3/updates/i386/firefox-1.0.8-1.1.fc3.1.legacy.i386.rpm
946f2ccbc412675ee6959a3dee50c2cb3ba90c3a
fedora/3/updates/x86_64/firefox-1.0.8-1.1.fc3.1.legacy.x86_64.rpm
0747aa65730e328a9274ec66c0de8dc30645dc1d
fedora/3/updates/SRPMS/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1790

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org