Skip to navigation

Security Advisory Critical: firefox security update

Advisory: RHSA-2007:0097-5
Type: Security Advisory
Severity: Critical
Issued on: 2007-03-14
Last updated on: 2007-03-14
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2006-6077
CVE-2007-0008
CVE-2007-0009
CVE-2007-0775
CVE-2007-0777
CVE-2007-0778
CVE-2007-0779
CVE-2007-0780
CVE-2007-0800
CVE-2007-0981
CVE-2007-0994
CVE-2007-0995
CVE-2007-0996

Details

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Flaws were found in the way Firefox executed malformed JavaScript code. A
malicious web page could cause Firefox to crash or allow arbitrary code
to be executed as the user running Firefox. (CVE-2007-0775, CVE-2007-0777)

Cross-site scripting (XSS) flaws were found in Firefox. A malicious web
page could display misleading information, allowing a user to unknowingly
divulge sensitive information, such as a password. (CVE-2006-6077,
CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way Firefox processed JavaScript contained in
certain tags. A malicious web page could cause Firefox to execute
JavaScript code with the privileges of the user running Firefox.
(CVE-2007-0994)

A flaw was found in the way Firefox cached web pages on the local disk. A
malicious web page may have been able to inject arbitrary HTML into a
browsing session if the user reloaded a targeted site. (CVE-2007-0778)

Certain web content could overlay Firefox user interface elements such as
the hostname and security indicators. A malicious web page could trick a
user into thinking they were visiting a different site. (CVE-2007-0779)

Two flaws were found in Firefox's displaying of blocked popup windows. If a
user could be convinced to open a blocked popup, it was possible to read
arbitrary local files, or conduct a cross-site scripting attack against the
user.
(CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
Firefox. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Firefox handled the "location.hostname" value.
A malicious web page could set domain cookies for an arbitrary site, or
possibly perform a cross-site scripting attack. (CVE-2007-0981)

Users of Firefox are advised to upgrade to this erratum package, containing
Firefox version 1.5.0.10 which is not vulnerable to these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
devhelp-0.12-10.0.1.el5.src.rpm
File outdated by:  RHSA-2013:0271		     MD5: ecc6ccfcf4c2c08e941f72f5cfeaa55c
 
IA-32:
devhelp-devel-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: ede028c4f35108e54ded794f91d4f82e
firefox-devel-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     MD5: c334841929aae1eb36a71772f51d89da
 
x86_64:
devhelp-devel-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: ede028c4f35108e54ded794f91d4f82e
devhelp-devel-0.12-10.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 44f47bf9e6a7ecb39f7c907ca4a381d9
firefox-devel-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     MD5: c334841929aae1eb36a71772f51d89da
firefox-devel-1.5.0.10-2.el5.x86_64.rpm
File outdated by:  RHSA-2008:0222		     MD5: 5ba38c9a8e94ed9bb254e8b2010bdbbb
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
devhelp-0.12-10.0.1.el5.src.rpm
File outdated by:  RHSA-2013:0271		     MD5: ecc6ccfcf4c2c08e941f72f5cfeaa55c
yelp-2.16.0-14.0.1.el5.src.rpm
File outdated by:  RHSA-2013:0271		     MD5: 56ce5fe3b3776b01fc7886f65ef1404b
 
IA-32:
devhelp-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 0774d6e92c98fd2507952d9ce59ce891
devhelp-devel-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: ede028c4f35108e54ded794f91d4f82e
firefox-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 39b98bd5460439dbdd1f0c495028fd33
firefox-devel-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     MD5: c334841929aae1eb36a71772f51d89da
yelp-2.16.0-14.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 7ac3f70e9c5ba8e68a068946a66a3163
 
IA-64:
devhelp-0.12-10.0.1.el5.ia64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 0543d59be616203f72d6b46b33051ac2
devhelp-devel-0.12-10.0.1.el5.ia64.rpm
File outdated by:  RHSA-2013:0271		     MD5: f40918a968dd3425e534e589cda9b81b
firefox-1.5.0.10-2.el5.ia64.rpm
File outdated by:  RHSA-2013:0820		     MD5: f22781eca58556113552b288dd7fe76b
firefox-devel-1.5.0.10-2.el5.ia64.rpm
File outdated by:  RHSA-2008:0222		     MD5: 56ea2d1debbf5c4d7a0f1ae3ebb3e741
yelp-2.16.0-14.0.1.el5.ia64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 250095927ac38854ab4b42a473a785f7
 
PPC:
devhelp-0.12-10.0.1.el5.ppc.rpm
File outdated by:  RHSA-2013:0271		     MD5: 576bd9205f61c07a8328ac3309c3cccd
devhelp-devel-0.12-10.0.1.el5.ppc.rpm
File outdated by:  RHSA-2013:0271		     MD5: 57b04a6c88b63d1227129f1509ecf8ae
firefox-1.5.0.10-2.el5.ppc.rpm
File outdated by:  RHSA-2013:0820		     MD5: 266c896a44c5818506058d3f43fb510a
firefox-devel-1.5.0.10-2.el5.ppc.rpm
File outdated by:  RHSA-2008:0222		     MD5: 81d6fd77e467137a6383ebd75aac7c38
yelp-2.16.0-14.0.1.el5.ppc.rpm
File outdated by:  RHSA-2013:0271		     MD5: cdd89632e1d496fdc00db638bbb85297
 
s390x:
devhelp-0.12-10.0.1.el5.s390.rpm
File outdated by:  RHSA-2013:0271		     MD5: 92415d0cd192d89b829d5cea4957ffd3
devhelp-0.12-10.0.1.el5.s390x.rpm
File outdated by:  RHSA-2013:0271		     MD5: 249086f31984ef20db1edcc668769c64
devhelp-devel-0.12-10.0.1.el5.s390.rpm
File outdated by:  RHSA-2013:0271		     MD5: 3c659c50b265f059367e3572d5dc908c
devhelp-devel-0.12-10.0.1.el5.s390x.rpm
File outdated by:  RHSA-2013:0271		     MD5: 8821c3e5f96844a0563ba7a773925ea4
firefox-1.5.0.10-2.el5.s390.rpm
File outdated by:  RHSA-2013:0820		     MD5: 0c8ef9a9f6246dd277247fedcf65e2ef
firefox-1.5.0.10-2.el5.s390x.rpm
File outdated by:  RHSA-2013:0820		     MD5: 1f2fc90bc59dc42e3068fb358aec67bd
firefox-devel-1.5.0.10-2.el5.s390.rpm
File outdated by:  RHSA-2008:0222		     MD5: 1364113945647fd64b1d2b2b42a40d52
firefox-devel-1.5.0.10-2.el5.s390x.rpm
File outdated by:  RHSA-2008:0222		     MD5: eda1b9d310aeeb22821a0c807794349c
yelp-2.16.0-14.0.1.el5.s390x.rpm
File outdated by:  RHSA-2013:0271		     MD5: 73bb10b49cc143dce64fafea46b74081
 
x86_64:
devhelp-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 0774d6e92c98fd2507952d9ce59ce891
devhelp-0.12-10.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 2c7791aad7d6e18b322f4834088f8708
devhelp-devel-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: ede028c4f35108e54ded794f91d4f82e
devhelp-devel-0.12-10.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 44f47bf9e6a7ecb39f7c907ca4a381d9
firefox-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 39b98bd5460439dbdd1f0c495028fd33
firefox-1.5.0.10-2.el5.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: a0ffe472bf6a3c517d41f0dc8900af86
firefox-devel-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     MD5: c334841929aae1eb36a71772f51d89da
firefox-devel-1.5.0.10-2.el5.x86_64.rpm
File outdated by:  RHSA-2008:0222		     MD5: 5ba38c9a8e94ed9bb254e8b2010bdbbb
yelp-2.16.0-14.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 502e2b4dd68c59593652bf8f44d7dee4
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
devhelp-0.12-10.0.1.el5.src.rpm
File outdated by:  RHSA-2013:0271		     MD5: ecc6ccfcf4c2c08e941f72f5cfeaa55c
yelp-2.16.0-14.0.1.el5.src.rpm
File outdated by:  RHSA-2013:0271		     MD5: 56ce5fe3b3776b01fc7886f65ef1404b
 
IA-32:
devhelp-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 0774d6e92c98fd2507952d9ce59ce891
firefox-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 39b98bd5460439dbdd1f0c495028fd33
yelp-2.16.0-14.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 7ac3f70e9c5ba8e68a068946a66a3163
 
x86_64:
devhelp-0.12-10.0.1.el5.i386.rpm
File outdated by:  RHSA-2013:0271		     MD5: 0774d6e92c98fd2507952d9ce59ce891
devhelp-0.12-10.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 2c7791aad7d6e18b322f4834088f8708
firefox-1.5.0.10-2.el5.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 39b98bd5460439dbdd1f0c495028fd33
firefox-1.5.0.10-2.el5.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: a0ffe472bf6a3c517d41f0dc8900af86
yelp-2.16.0-14.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2013:0271		     MD5: 502e2b4dd68c59593652bf8f44d7dee4
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

230050 - CVE-2007-0775 Multiple Firefox flaws (CVE-2007-0777, CVE-2007-0994, CVE-2007-0995, CVE-2007-0996, CVE-2006-6077, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0008, CVE-2007-0009, CVE-2007-0981)


References

https://www.redhat.com/security/data/cve/CVE-2006-6077.html
https://www.redhat.com/security/data/cve/CVE-2007-0008.html
https://www.redhat.com/security/data/cve/CVE-2007-0009.html
https://www.redhat.com/security/data/cve/CVE-2007-0775.html
https://www.redhat.com/security/data/cve/CVE-2007-0777.html
https://www.redhat.com/security/data/cve/CVE-2007-0778.html
https://www.redhat.com/security/data/cve/CVE-2007-0779.html
https://www.redhat.com/security/data/cve/CVE-2007-0780.html
https://www.redhat.com/security/data/cve/CVE-2007-0800.html
https://www.redhat.com/security/data/cve/CVE-2007-0981.html
https://www.redhat.com/security/data/cve/CVE-2007-0994.html
https://www.redhat.com/security/data/cve/CVE-2007-0995.html
https://www.redhat.com/security/data/cve/CVE-2007-0996.html
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/