Security Advisory Critical: firefox security update

Advisory: RHSA-2007:0979-1
Type: Security Advisory
Severity: Critical
Issued on: 2007-10-19
Last updated on: 2007-10-19
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-1095
CVE-2007-2292
CVE-2007-3511
CVE-2007-3844
CVE-2007-5334
CVE-2007-5337
CVE-2007-5338
CVE-2007-5339
CVE-2007-5340

Details

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way in which Firefox processed certain
malformed web content. A web page containing malicious content could cause
Firefox to crash or potentially execute arbitrary code as the user running
Firefox. (CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)

Several flaws were found in the way in which Firefox displayed malformed
web content. A web page containing specially-crafted content could
potentially trick a user into surrendering sensitive information.
(CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)

A flaw was found in the Firefox sftp protocol handler. A malicious web page
could access data from a remote sftp site, possibly stealing sensitive user
data. (CVE-2007-5337)

A request-splitting flaw was found in the way in which Firefox generates a
digest authentication request. If a user opened a specially-crafted URL, it
was possible to perform cross-site scripting attacks, web cache poisoning,
or other, similar exploits. (CVE-2007-2292)

All users of Firefox are advised to upgrade to these updated packages,
which contain backported patches that correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
firefox-1.5.0.12-6.el5.src.rpm
File outdated by:  RHSA-2008:0222		     8751dd10ea3396a563771e436a3eb1d1
 
IA-32:
firefox-devel-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     f307deb5f1cca86fe342f99eef6a0400
 
x86_64:
firefox-devel-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     f307deb5f1cca86fe342f99eef6a0400
firefox-devel-1.5.0.12-6.el5.x86_64.rpm
File outdated by:  RHSA-2008:0222		     a512569a312536720d54a60b123974c1
 
Red Hat Desktop (v. 4)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2009:1530		     a77fcb609b6967686ace6611ee46006b
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530		     3ee97b00b1b1a207bed96c195fac7c32
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
firefox-1.5.0.12-6.el5.src.rpm
File outdated by:  RHSA-2008:0222		     8751dd10ea3396a563771e436a3eb1d1
 
IA-32:
firefox-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2009:1530		     e6d7cc39fef9cd508408ebc48d56509f
firefox-devel-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     f307deb5f1cca86fe342f99eef6a0400
 
IA-64:
firefox-1.5.0.12-6.el5.ia64.rpm
File outdated by:  RHSA-2009:1530		     2ca6057ea5a0d1cc04128558d4c85069
firefox-devel-1.5.0.12-6.el5.ia64.rpm
File outdated by:  RHSA-2008:0222		     83e887e01be14575bddb90b27fd12046
 
PPC:
firefox-1.5.0.12-6.el5.ppc.rpm
File outdated by:  RHSA-2009:1530		     513389cac0f34e73c6ea7268d4105a47
firefox-devel-1.5.0.12-6.el5.ppc.rpm
File outdated by:  RHSA-2008:0222		     6d043336dbfbac647ed0b356b2c0b9a6
 
s390x:
firefox-1.5.0.12-6.el5.s390.rpm
File outdated by:  RHSA-2009:1530		     e94181f34bdbf029e08afd540f4788da
firefox-1.5.0.12-6.el5.s390x.rpm
File outdated by:  RHSA-2009:1530		     fddf399d5ec6d03d8b8d8e5deec8ff93
firefox-devel-1.5.0.12-6.el5.s390.rpm
File outdated by:  RHSA-2008:0222		     40acebdc1765435c854d4ffb6e74733c
firefox-devel-1.5.0.12-6.el5.s390x.rpm
File outdated by:  RHSA-2008:0222		     09ad411554d856053321d42f590187b4
 
x86_64:
firefox-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2009:1530		     e6d7cc39fef9cd508408ebc48d56509f
firefox-1.5.0.12-6.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530		     a3025709096696676df09a4b2125b2e1
firefox-devel-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2008:0222		     f307deb5f1cca86fe342f99eef6a0400
firefox-devel-1.5.0.12-6.el5.x86_64.rpm
File outdated by:  RHSA-2008:0222		     a512569a312536720d54a60b123974c1
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2009:1530		     a77fcb609b6967686ace6611ee46006b
 
IA-64:
firefox-1.5.0.12-0.7.el4.ia64.rpm
File outdated by:  RHSA-2009:1530		     22a57ce44aa809198be66d6eef97bb9c
 
PPC:
firefox-1.5.0.12-0.7.el4.ppc.rpm
File outdated by:  RHSA-2009:1530		     a3067493f97b4921b3e4320516b09988
 
s390:
firefox-1.5.0.12-0.7.el4.s390.rpm
File outdated by:  RHSA-2009:1530		     304d4a73bbbc1691762caa56fbe751b1
 
s390x:
firefox-1.5.0.12-0.7.el4.s390x.rpm
File outdated by:  RHSA-2009:1530		     0536c7d1e6ce3c7147082020d126c546
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530		     3ee97b00b1b1a207bed96c195fac7c32
 
Red Hat Enterprise Linux AS (v. 4.5.z)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2008:0598		     a77fcb609b6967686ace6611ee46006b
 
IA-64:
firefox-1.5.0.12-0.7.el4.ia64.rpm
File outdated by:  RHSA-2008:0598		     22a57ce44aa809198be66d6eef97bb9c
 
PPC:
firefox-1.5.0.12-0.7.el4.ppc.rpm
File outdated by:  RHSA-2008:0598		     a3067493f97b4921b3e4320516b09988
 
s390:
firefox-1.5.0.12-0.7.el4.s390.rpm
File outdated by:  RHSA-2008:0598		     304d4a73bbbc1691762caa56fbe751b1
 
s390x:
firefox-1.5.0.12-0.7.el4.s390x.rpm
File outdated by:  RHSA-2008:0598		     0536c7d1e6ce3c7147082020d126c546
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2008:0598		     3ee97b00b1b1a207bed96c195fac7c32
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
firefox-1.5.0.12-6.el5.src.rpm
File outdated by:  RHSA-2008:0222		     8751dd10ea3396a563771e436a3eb1d1
 
IA-32:
firefox-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2009:1530		     e6d7cc39fef9cd508408ebc48d56509f
 
x86_64:
firefox-1.5.0.12-6.el5.i386.rpm
File outdated by:  RHSA-2009:1530		     e6d7cc39fef9cd508408ebc48d56509f
firefox-1.5.0.12-6.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530		     a3025709096696676df09a4b2125b2e1
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2009:1530		     a77fcb609b6967686ace6611ee46006b
 
IA-64:
firefox-1.5.0.12-0.7.el4.ia64.rpm
File outdated by:  RHSA-2009:1530		     22a57ce44aa809198be66d6eef97bb9c
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530		     3ee97b00b1b1a207bed96c195fac7c32
 
Red Hat Enterprise Linux ES (v. 4.5.z)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2008:0598		     a77fcb609b6967686ace6611ee46006b
 
IA-64:
firefox-1.5.0.12-0.7.el4.ia64.rpm
File outdated by:  RHSA-2008:0598		     22a57ce44aa809198be66d6eef97bb9c
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2008:0598		     3ee97b00b1b1a207bed96c195fac7c32
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
firefox-1.5.0.12-0.7.el4.src.rpm
File outdated by:  RHSA-2009:1530		     14521bc61a8a3fae6f51e01b7397dcb6
 
IA-32:
firefox-1.5.0.12-0.7.el4.i386.rpm
File outdated by:  RHSA-2009:1530		     a77fcb609b6967686ace6611ee46006b
 
IA-64:
firefox-1.5.0.12-0.7.el4.ia64.rpm
File outdated by:  RHSA-2009:1530		     22a57ce44aa809198be66d6eef97bb9c
 
x86_64:
firefox-1.5.0.12-0.7.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530		     3ee97b00b1b1a207bed96c195fac7c32
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

246248 - firefox crashes when searching for word "do"
333991 - Mozilla products security update (CVE-2007-1095, CVE-2007-2292, CVE-2007-3511, CVE-2007-3844, CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339, CVE-2007-5340)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5338
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5340
http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/