Critical: firefox security update

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)

Users of Firefox are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

394211 - CVE-2007-5947 Mozilla jar: protocol XSS
394241 - CVE-2007-5959 Multiple flaws in Firefox
394261 - CVE-2007-5960 Mozilla Cross-site Request Forgery flaw

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
http://www.redhat.com/security/updates/classification/#critical