Security Advisory seamonkey security update (was mozilla)

Advisory: RHSA-2006:0594-9
Type: Security Advisory
Severity: Critical
Issued on: 2006-08-28
Last updated on: 2006-08-28
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2006-2776
CVE-2006-2778
CVE-2006-2779
CVE-2006-2780
CVE-2006-2781
CVE-2006-2782
CVE-2006-2783
CVE-2006-2784
CVE-2006-2785
CVE-2006-2786
CVE-2006-2787
CVE-2006-2788
CVE-2006-3113
CVE-2006-3677
CVE-2006-3801
CVE-2006-3802
CVE-2006-3803
CVE-2006-3804
CVE-2006-3805
CVE-2006-3806
CVE-2006-3807
CVE-2006-3808
CVE-2006-3809
CVE-2006-3810
CVE-2006-3811
CVE-2006-3812

Details

Updated seamonkey packages that fix several security bugs in the mozilla
packages are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

SeaMonkey is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

The Mozilla Foundation has discontinued support for the Mozilla Suite. This
update deprecates the Mozilla Suite in Red Hat Enterprise Linux 2.1 in
favor of the supported SeaMonkey Suite.

This update also resolves a number of outstanding Mozilla security issues:

Several flaws were found in the way SeaMonkey processed certain JavaScript
actions. A malicious web page could execute arbitrary JavaScript
instructions with the permissions of "chrome", allowing the page to steal
sensitive information or install browser malware. (CVE-2006-2776,
CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809,
CVE-2006-3812)

Several denial of service flaws were found in the way SeaMonkey processed
certain web content. A malicious web page could crash the browser or
possibly execute arbitrary code as the user running SeaMonkey.
(CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811)

Two flaws were found in the way SeaMonkey Messenger displayed malformed
inline vCard attachments. If a victim viewed an email message containing
a carefully crafted vCard, it was possible to execute arbitrary code as the
user running SeaMonkey Messenger. (CVE-2006-2781, CVE-2006-3804)

A cross-site scripting flaw was found in the way SeaMonkey processed
Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web
page could execute a script within the browser that a web input sanitizer
could miss due to a malformed "script" tag. (CVE-2006-2783)

Several flaws were found in the way SeaMonkey processed certain JavaScript
actions. A malicious web page could conduct a cross-site scripting attack
or steal sensitive information (such as cookies owned by other domains).
(CVE-2006-3802, CVE-2006-3810)

A form file upload flaw was found in the way SeaMonkey handled JavaScript
input object mutation. A malicious web page could upload an arbitrary local
file at form submission time without user interaction. (CVE-2006-2782)

A denial of service flaw was found in the way SeaMonkey called the
crypto.signText() JavaScript function. A malicious web page could crash the
browser if the victim had a client certificate loaded. (CVE-2006-2778)

Two HTTP response smuggling flaws were found in the way SeaMonkey processed
certain invalid HTTP response headers. A malicious web site could return
specially crafted HTTP response headers which may bypass HTTP proxy
restrictions. (CVE-2006-2786)

A flaw was found in the way SeaMonkey processed Proxy AutoConfig scripts. A
malicious Proxy AutoConfig server could execute arbitrary JavaScript
instructions with the permissions of "chrome", allowing the page to steal
sensitive information or install browser malware. (CVE-2006-3808)

A double free flaw was found in the way the nsIX509::getRawDER method was
called. If a victim visited a carefully crafted web page, it was possible to
execute arbitrary code as the user running SeaMonkey. (CVE-2006-2788)

Users of Mozilla are advised to upgrade to this update, which contains
SeaMonkey version 1.0.3 that corrects these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
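
A post-update check, added here as an example and not part of Red Hat's advisory: it reads package inventory lines and flags seamonkey packages older than the fixed build 1.0.3-0.0.1.5.EL2, plus any Mozilla Suite packages still installed. Assumptions: input comes from rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n', the deprecated packages are named mozilla or mozilla-*, epochs are ignored, and the version comparison is a simplified form of rpm's ordering.

```python
import re

# Fixed build named in this advisory: seamonkey-1.0.3-0.0.1.5.EL2
FIXED_VERSION, FIXED_RELEASE = "1.0.3", "0.0.1.5.EL2"

def vercmp(a, b):
    """Simplified rpm-style compare of two version or release strings: -1, 0, 1.
    Digit runs compare as integers, letter runs as strings, a digit run beats
    a letter run, and separators are ignored. Epochs and '~' are not handled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_lines):
    """Return (package, finding) pairs for lines of 'NAME VERSION RELEASE'."""
    findings = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or unexpected lines
        name, version, release = parts
        if name == "mozilla" or name.startswith("mozilla-"):
            # Assumption: the deprecated suite's packages use this name prefix.
            findings.append((name, "legacy-mozilla"))
        elif name == "seamonkey" or name.startswith("seamonkey-"):
            order = vercmp(version, FIXED_VERSION) or vercmp(release, FIXED_RELEASE)
            if order < 0:
                findings.append((name, "outdated"))
    return findings

# Constructed sample, not real host data.
SAMPLE = """\
seamonkey 1.0.3 0.0.1.5.EL2
seamonkey-mail 1.0.2 0.1.0.EL2
mozilla-nss 1.7.13 1.1.2.1
glibc 2.2.4 32.23
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE.splitlines()):
        print(f"{name}: {finding}")
```

An empty result means every seamonkey package is at or above the fixed build and no Mozilla Suite package remains.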

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
seamonkey-1.0.3-0.0.1.5.EL2.src.rpm
File outdated by:  RHSA-2009:0437
    MD5: b0910e2c771e7dc70a16153bc7cf8daf
 
IA-32:
seamonkey-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 70958f4e8c846415378ed27c3f0c8f6b
seamonkey-chat-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 912bd251a230fb09f53c02ec08cb225f
seamonkey-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 0afe89859a8a396a10e7accec3a72d38
seamonkey-dom-inspector-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 35b47ef74f5e060a85239f0bdc7dccd9
seamonkey-js-debugger-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 1aca4926298500257f98b47c66358ec7
seamonkey-mail-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 4a9dcf9c792d1048a3f06033fad6a028
seamonkey-nspr-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 7f0fed654899a9aab5f06bcb9bbba6a4
seamonkey-nspr-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 00938797b6f04a46c110b6eb39b1c8a4
seamonkey-nss-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 6415cfbcae3798fe954b1d01036adf54
seamonkey-nss-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 673ecb851f6d279614a4bd50a5105bdd
 
IA-64:
seamonkey-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 36d03d31110dd764be5db6839c2611b7
seamonkey-chat-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 2cf04ed7cd38f30000801786cc76acf7
seamonkey-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: ff62cc2bc0b64c1316f86f4cd3bf53bb
seamonkey-dom-inspector-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 26f6361f684b74742b24f1ee5bc7f75d
seamonkey-js-debugger-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: fcdcb3e9cb54c2cda225ab23a66b7151
seamonkey-mail-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 82d8a7de653ed646e45c478402b3f6a1
seamonkey-nspr-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: ad0eab741aca939f72cbd8918d25714f
seamonkey-nspr-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 2202c42a85f579dbe66ddf1fb156ea38
seamonkey-nss-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: bb1f7ebe52172d8a58c9adaf7dbae496
seamonkey-nss-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 9adfeb8c31795fad738b268ac0f615ef
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
seamonkey-1.0.3-0.0.1.5.EL2.src.rpm
File outdated by:  RHSA-2009:0437
    MD5: b0910e2c771e7dc70a16153bc7cf8daf
 
IA-32:
seamonkey-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 70958f4e8c846415378ed27c3f0c8f6b
seamonkey-chat-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 912bd251a230fb09f53c02ec08cb225f
seamonkey-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 0afe89859a8a396a10e7accec3a72d38
seamonkey-dom-inspector-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 35b47ef74f5e060a85239f0bdc7dccd9
seamonkey-js-debugger-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 1aca4926298500257f98b47c66358ec7
seamonkey-mail-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 4a9dcf9c792d1048a3f06033fad6a028
seamonkey-nspr-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 7f0fed654899a9aab5f06bcb9bbba6a4
seamonkey-nspr-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 00938797b6f04a46c110b6eb39b1c8a4
seamonkey-nss-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 6415cfbcae3798fe954b1d01036adf54
seamonkey-nss-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 673ecb851f6d279614a4bd50a5105bdd
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
seamonkey-1.0.3-0.0.1.5.EL2.src.rpm
File outdated by:  RHSA-2009:0437
    MD5: b0910e2c771e7dc70a16153bc7cf8daf
 
IA-32:
seamonkey-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 70958f4e8c846415378ed27c3f0c8f6b
seamonkey-chat-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 912bd251a230fb09f53c02ec08cb225f
seamonkey-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 0afe89859a8a396a10e7accec3a72d38
seamonkey-dom-inspector-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 35b47ef74f5e060a85239f0bdc7dccd9
seamonkey-js-debugger-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 1aca4926298500257f98b47c66358ec7
seamonkey-mail-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 4a9dcf9c792d1048a3f06033fad6a028
seamonkey-nspr-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 7f0fed654899a9aab5f06bcb9bbba6a4
seamonkey-nspr-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 00938797b6f04a46c110b6eb39b1c8a4
seamonkey-nss-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 6415cfbcae3798fe954b1d01036adf54
seamonkey-nss-devel-1.0.3-0.0.1.5.EL2.i386.rpm
File outdated by:  RHSA-2009:0437
    MD5: 673ecb851f6d279614a4bd50a5105bdd
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
seamonkey-1.0.3-0.0.1.5.EL2.src.rpm
File outdated by:  RHSA-2009:0437
    MD5: b0910e2c771e7dc70a16153bc7cf8daf
 
IA-64:
seamonkey-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 36d03d31110dd764be5db6839c2611b7
seamonkey-chat-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 2cf04ed7cd38f30000801786cc76acf7
seamonkey-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: ff62cc2bc0b64c1316f86f4cd3bf53bb
seamonkey-dom-inspector-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 26f6361f684b74742b24f1ee5bc7f75d
seamonkey-js-debugger-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: fcdcb3e9cb54c2cda225ab23a66b7151
seamonkey-mail-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 82d8a7de653ed646e45c478402b3f6a1
seamonkey-nspr-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: ad0eab741aca939f72cbd8918d25714f
seamonkey-nspr-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 2202c42a85f579dbe66ddf1fb156ea38
seamonkey-nss-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: bb1f7ebe52172d8a58c9adaf7dbae496
seamonkey-nss-devel-1.0.3-0.0.1.5.EL2.ia64.rpm
File outdated by:  RHSA-2009:0437
    MD5: 9adfeb8c31795fad738b268ac0f615ef
 

Bugs fixed (see Bugzilla for more information)

198686 - CVE-2006-2783 multiple Seamonkey issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788)
198687 - CVE-2006-2779 Multiple Mozilla issues (CVE-2006-2780, CVE-2006-2781)
200167 - CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812)


References

https://www.redhat.com/security/data/cve/CVE-2006-2776.html
https://www.redhat.com/security/data/cve/CVE-2006-2778.html
https://www.redhat.com/security/data/cve/CVE-2006-2779.html
https://www.redhat.com/security/data/cve/CVE-2006-2780.html
https://www.redhat.com/security/data/cve/CVE-2006-2781.html
https://www.redhat.com/security/data/cve/CVE-2006-2782.html
https://www.redhat.com/security/data/cve/CVE-2006-2783.html
https://www.redhat.com/security/data/cve/CVE-2006-2784.html
https://www.redhat.com/security/data/cve/CVE-2006-2785.html
https://www.redhat.com/security/data/cve/CVE-2006-2786.html
https://www.redhat.com/security/data/cve/CVE-2006-2787.html
https://www.redhat.com/security/data/cve/CVE-2006-2788.html
https://www.redhat.com/security/data/cve/CVE-2006-3113.html
https://www.redhat.com/security/data/cve/CVE-2006-3677.html
https://www.redhat.com/security/data/cve/CVE-2006-3801.html
https://www.redhat.com/security/data/cve/CVE-2006-3802.html
https://www.redhat.com/security/data/cve/CVE-2006-3803.html
https://www.redhat.com/security/data/cve/CVE-2006-3804.html
https://www.redhat.com/security/data/cve/CVE-2006-3805.html
https://www.redhat.com/security/data/cve/CVE-2006-3806.html
https://www.redhat.com/security/data/cve/CVE-2006-3807.html
https://www.redhat.com/security/data/cve/CVE-2006-3808.html
https://www.redhat.com/security/data/cve/CVE-2006-3809.html
https://www.redhat.com/security/data/cve/CVE-2006-3810.html
https://www.redhat.com/security/data/cve/CVE-2006-3811.html
https://www.redhat.com/security/data/cve/CVE-2006-3812.html
http://www.redhat.com/security/updates/classification/#critical


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/