Security Advisory Critical: firefox security update

Advisory: RHSA-2009:0397-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-03-27
Last updated on: 2009-03-27
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.7.z)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20090397.xml
CVEs (cve.mitre.org): CVE-2009-1044
CVE-2009-1169

Details

Updated firefox packages that fix two security issues are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

A memory corruption flaw was discovered in the way Firefox handles XML
files containing an XSLT transform. A remote attacker could use this flaw
to crash Firefox or, potentially, execute arbitrary code as the user
running Firefox. (CVE-2009-1169)

A flaw was discovered in the way Firefox handles certain XUL garbage
collection events. A remote attacker could use this flaw to crash Firefox
or, potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-1044)

For technical details regarding these flaws, refer to the Mozilla security
advisories. You can find a link to the Mozilla advisories in the References
section of this errata.

Firefox users should upgrade to these updated packages, which resolve these
issues. For Red Hat Enterprise Linux 4, the fix is a backported patch to the
firefox package (firefox-3.0.7-3.el4). For Red Hat Enterprise Linux 5, the fix
is a backported patch to the xulrunner packages (xulrunner-1.9.0.7-3.el5); the
firefox package on Red Hat Enterprise Linux 5 is not changed by this advisory,
so confirm the fix by checking the installed xulrunner version rather than the
Firefox version number. After installing the update, every running Firefox
instance must be restarted for the changes to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
xulrunner-1.9.0.7-3.el5.src.rpm
File outdated by:  RHSA-2009:1530
    174ddee258f6e2033de63993fe184ca6
 
IA-32:
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-unstable-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    f04febd0a7fe3ad90df078ceb215bd51
 
x86_64:
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    9c3c622f26e7ef56dfd8080738efb8f9
xulrunner-devel-unstable-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    8e662856939d314b888d5d75ddd42da0
 
Red Hat Desktop (v. 4)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:1530
    a66b4ecd1bc925108acd03381c14d12c
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530
    09a108223f8f308f999ccd95594e85e7
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
xulrunner-1.9.0.7-3.el5.src.rpm
File outdated by:  RHSA-2009:1530
    174ddee258f6e2033de63993fe184ca6
 
IA-32:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    ff411c1008c240dcd3a5618ac0a00ea8
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-unstable-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    f04febd0a7fe3ad90df078ceb215bd51
 
IA-64:
xulrunner-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1530
    4c82d2ab39c44bedc1cb1095f4ecd302
xulrunner-devel-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1530
    d543e25191ed94b51a4ff9bd3ad762e8
xulrunner-devel-unstable-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1530
    e4b12267b0b83e55398c23c8eae9a4b0
 
PPC:
xulrunner-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1530
    0d4877375524fbe28c5a7d3b3e50f300
xulrunner-1.9.0.7-3.el5.ppc64.rpm
File outdated by:  RHSA-2009:1530
    0da0bf104f508a4e478ba7eb6a1efaff
xulrunner-devel-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1530
    258c49f3f14145757650f7d0b5ba4faf
xulrunner-devel-1.9.0.7-3.el5.ppc64.rpm
File outdated by:  RHSA-2009:1530
    ddf2c18b541f5090b733b5c44a4f4602
xulrunner-devel-unstable-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1530
    6ff492eb0f758b20d2cac193614ec0f3
 
s390x:
xulrunner-1.9.0.7-3.el5.s390.rpm
File outdated by:  RHSA-2009:1530
    98d229ddc2023ee6a7fce4fe089e4bd2
xulrunner-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1530
    0ae5afa983dd5aa69256074d556ed304
xulrunner-devel-1.9.0.7-3.el5.s390.rpm
File outdated by:  RHSA-2009:1530
    9d9586538d8ee26f30b7536b0dc18cde
xulrunner-devel-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1530
    f123649b286883f55de910d11fd8e5d1
xulrunner-devel-unstable-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1530
    59d50f030a4dce148e673aca68a76843
 
x86_64:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    ff411c1008c240dcd3a5618ac0a00ea8
xulrunner-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    80b59eb5258b2f608de5a902c0dd1888
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    9c3c622f26e7ef56dfd8080738efb8f9
xulrunner-devel-unstable-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    8e662856939d314b888d5d75ddd42da0
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:1530
    a66b4ecd1bc925108acd03381c14d12c
 
IA-64:
firefox-3.0.7-3.el4.ia64.rpm
File outdated by:  RHSA-2009:1530
    2da85b7bf98fed5f5e52285895d789f8
 
PPC:
firefox-3.0.7-3.el4.ppc.rpm
File outdated by:  RHSA-2009:1530
    b0be5d23c748defde7a9ce971264bef3
 
s390:
firefox-3.0.7-3.el4.s390.rpm
File outdated by:  RHSA-2009:1530
    8ec0b665d29d2cd6914cd9dee0da7394
 
s390x:
firefox-3.0.7-3.el4.s390x.rpm
File outdated by:  RHSA-2009:1530
    518d5d901d624d4305c16e2d254a49a1
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530
    09a108223f8f308f999ccd95594e85e7
 
Red Hat Enterprise Linux AS (v. 4.7.z)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:0449
    a66b4ecd1bc925108acd03381c14d12c
 
IA-64:
firefox-3.0.7-3.el4.ia64.rpm
File outdated by:  RHSA-2009:0449
    2da85b7bf98fed5f5e52285895d789f8
 
PPC:
firefox-3.0.7-3.el4.ppc.rpm
File outdated by:  RHSA-2009:0449
    b0be5d23c748defde7a9ce971264bef3
 
s390:
firefox-3.0.7-3.el4.s390.rpm
File outdated by:  RHSA-2009:0449
    8ec0b665d29d2cd6914cd9dee0da7394
 
s390x:
firefox-3.0.7-3.el4.s390x.rpm
File outdated by:  RHSA-2009:0449
    518d5d901d624d4305c16e2d254a49a1
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:0449
    09a108223f8f308f999ccd95594e85e7
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
xulrunner-1.9.0.7-3.el5.src.rpm
File outdated by:  RHSA-2009:1530
    174ddee258f6e2033de63993fe184ca6
 
IA-32:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    ff411c1008c240dcd3a5618ac0a00ea8
 
x86_64:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1530
    ff411c1008c240dcd3a5618ac0a00ea8
xulrunner-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1530
    80b59eb5258b2f608de5a902c0dd1888
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:1530
    a66b4ecd1bc925108acd03381c14d12c
 
IA-64:
firefox-3.0.7-3.el4.ia64.rpm
File outdated by:  RHSA-2009:1530
    2da85b7bf98fed5f5e52285895d789f8
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530
    09a108223f8f308f999ccd95594e85e7
 
Red Hat Enterprise Linux ES (v. 4.7.z)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:0449
    a66b4ecd1bc925108acd03381c14d12c
 
IA-64:
firefox-3.0.7-3.el4.ia64.rpm
File outdated by:  RHSA-2009:0449
    2da85b7bf98fed5f5e52285895d789f8
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:0449
    09a108223f8f308f999ccd95594e85e7
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)

SRPMS:
xulrunner-1.9.0.7-3.el5.src.rpm
File outdated by:  RHSA-2009:1530
    174ddee258f6e2033de63993fe184ca6
 
IA-32:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1162
    ff411c1008c240dcd3a5618ac0a00ea8
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1162
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-unstable-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1162
    f04febd0a7fe3ad90df078ceb215bd51
 
IA-64:
xulrunner-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1162
    4c82d2ab39c44bedc1cb1095f4ecd302
xulrunner-devel-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1162
    d543e25191ed94b51a4ff9bd3ad762e8
xulrunner-devel-unstable-1.9.0.7-3.el5.ia64.rpm
File outdated by:  RHSA-2009:1162
    e4b12267b0b83e55398c23c8eae9a4b0
 
PPC:
xulrunner-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1162
    0d4877375524fbe28c5a7d3b3e50f300
xulrunner-1.9.0.7-3.el5.ppc64.rpm
File outdated by:  RHSA-2009:1162
    0da0bf104f508a4e478ba7eb6a1efaff
xulrunner-devel-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1162
    258c49f3f14145757650f7d0b5ba4faf
xulrunner-devel-1.9.0.7-3.el5.ppc64.rpm
File outdated by:  RHSA-2009:1162
    ddf2c18b541f5090b733b5c44a4f4602
xulrunner-devel-unstable-1.9.0.7-3.el5.ppc.rpm
File outdated by:  RHSA-2009:1162
    6ff492eb0f758b20d2cac193614ec0f3
 
s390x:
xulrunner-1.9.0.7-3.el5.s390.rpm
File outdated by:  RHSA-2009:1162
    98d229ddc2023ee6a7fce4fe089e4bd2
xulrunner-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1162
    0ae5afa983dd5aa69256074d556ed304
xulrunner-devel-1.9.0.7-3.el5.s390.rpm
File outdated by:  RHSA-2009:1162
    9d9586538d8ee26f30b7536b0dc18cde
xulrunner-devel-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1162
    f123649b286883f55de910d11fd8e5d1
xulrunner-devel-unstable-1.9.0.7-3.el5.s390x.rpm
File outdated by:  RHSA-2009:1162
    59d50f030a4dce148e673aca68a76843
 
x86_64:
xulrunner-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1162
    ff411c1008c240dcd3a5618ac0a00ea8
xulrunner-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1162
    80b59eb5258b2f608de5a902c0dd1888
xulrunner-devel-1.9.0.7-3.el5.i386.rpm
File outdated by:  RHSA-2009:1162
    c9bbe802c0bbd09a01db3acca383a2a9
xulrunner-devel-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1162
    9c3c622f26e7ef56dfd8080738efb8f9
xulrunner-devel-unstable-1.9.0.7-3.el5.x86_64.rpm
File outdated by:  RHSA-2009:1162
    8e662856939d314b888d5d75ddd42da0
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
firefox-3.0.7-3.el4.src.rpm
File outdated by:  RHSA-2009:1530
    976ef646a96e04edeff19eb97a72ef0d
 
IA-32:
firefox-3.0.7-3.el4.i386.rpm
File outdated by:  RHSA-2009:1530
    a66b4ecd1bc925108acd03381c14d12c
 
IA-64:
firefox-3.0.7-3.el4.ia64.rpm
File outdated by:  RHSA-2009:1530
    2da85b7bf98fed5f5e52285895d789f8
 
x86_64:
firefox-3.0.7-3.el4.x86_64.rpm
File outdated by:  RHSA-2009:1530
    09a108223f8f308f999ccd95594e85e7
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

492211 - CVE-2009-1169 Firefox XSLT memory corruption issue
492212 - CVE-2009-1044 Firefox XUL garbage collection issue (cansecwest pwn2own)

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
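
The following script is an added example and is not part of this advisory or
of Red Hat's tooling. It ties together the Solution section, the package list
and the signature note above: it decides whether an installed
NAME-VERSION-RELEASE is at or past the fixed packages named in this advisory
(firefox-3.0.7-3.el4 on Red Hat Enterprise Linux 4, xulrunner-1.9.0.7-3.el5 on
Red Hat Enterprise Linux 5), compares a downloaded RPM against an MD5 from the
list, and on a host that has rpm runs rpm -K on any RPM files given as
arguments. The function names (fixed_vr, vercmp, is_fixed, fix_state,
md5_matches, audit_host) are this example's own; vercmp is a simplified
reimplementation of rpm's version comparison, sufficient for the version
strings in this advisory but not a substitute for rpmdev-vercmp in general; it
assumes md5sum (or openssl) is available, and rpm -K assumes the Red Hat
signing key from the URL above has already been imported with rpm --import.

```shell
#!/bin/sh
# Added example, not part of RHSA-2009:0397-1 or of Red Hat's tooling.
# Checks whether the packages this advisory updates are installed at or above
# the fixed NVR, compares a downloaded RPM against the MD5 the advisory lists,
# and on a RHEL host runs rpm -K on the file.  Written in POSIX sh so the
# version logic can be exercised on a machine that has no rpm at all.
set -e

# Fixed version-release taken from this advisory's package list, keyed on
# package name and dist tag.  RHEL 4 carries the fix in firefox itself;
# RHEL 5 carries it in xulrunner (firefox on RHEL 5 is NOT updated here).
fixed_vr() {
  case "$1:$2" in
    firefox:el4) printf '%s\n' 3.0.7-3.el4 ;;
    xulrunner:el5|xulrunner-devel:el5|xulrunner-devel-unstable:el5)
      printf '%s\n' 1.9.0.7-3.el5 ;;
    *) return 1 ;;   # not a package this advisory updates
  esac
}

# Split "3.0.7" / "3.el4" into space-separated segments: "3 0 7" / "3 el 4".
segs() {
  printf '%s' "$1" | sed -e 's/[^A-Za-z0-9][^A-Za-z0-9]*/ /g' \
    -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
    -e 's/^ //' -e 's/ $//'
}

# Simplified reimplementation of rpm's rpmvercmp: prints -1, 0 or 1.
# Numeric segments compare as integers, alphabetic ones as strings, a numeric
# segment outranks an alphabetic one, and a longer string outranks its prefix.
# (rpm's tilde/caret handling is omitted; these version strings do not use it.)
vercmp() {
  a=$(segs "$1"); b=$(segs "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%% *}; y=${b%% *}
    a=${a#"$x"}; a=${a# }; b=${b#"$y"}; b=${b# }
    if [ -z "$x" ]; then printf '%s\n' -1; return 0; fi
    if [ -z "$y" ]; then printf '%s\n' 1; return 0; fi
    case $x in *[!0-9]*) xn=0 ;; *) xn=1 ;; esac
    case $y in *[!0-9]*) yn=0 ;; *) yn=1 ;; esac
    if [ "$xn" = 1 ] && [ "$yn" = 1 ]; then
      if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
      if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    elif [ "$xn" = 1 ]; then printf '%s\n' 1; return 0
    elif [ "$yn" = 1 ]; then printf '%s\n' -1; return 0
    else
      if [ "$x" \> "$y" ]; then printf '%s\n' 1; return 0; fi
      if [ "$x" \< "$y" ]; then printf '%s\n' -1; return 0; fi
    fi
  done
  printf '%s\n' 0
}

# Exit 0 = at/after the fix, 1 = vulnerable, 2 = not covered by this advisory.
# Input is NAME-VERSION-RELEASE as printed by rpm -q (see audit_host below).
is_fixed() {
  rel=${1##*-}; rest=${1%-*}; ver=${rest##*-}; name=${rest%-*}
  case $rel in *.el4*) dist=el4 ;; *.el5*) dist=el5 ;; *) dist=other ;; esac
  fixed=$(fixed_vr "$name" "$dist") || return 2
  fver=${fixed%-*}; frel=${fixed#*-}
  c=$(vercmp "$ver" "$fver")
  if [ "$c" -eq 0 ]; then c=$(vercmp "$rel" "$frel"); fi
  [ "$c" -ge 0 ]
}

# Prints fixed / vulnerable / not-covered for an installed NAME-VERSION-RELEASE.
fix_state() {
  rc=0; is_fixed "$1" || rc=$?
  case $rc in 0) printf 'fixed\n' ;; 1) printf 'vulnerable\n' ;; *) printf 'not-covered\n' ;; esac
}

# Compare a downloaded RPM against the MD5 listed for it in this advisory.
# MD5 only confirms the download is intact; trust comes from the GPG signature.
md5_matches() {
  if command -v md5sum >/dev/null 2>&1; then sum=$(md5sum "$1" | cut -d' ' -f1)
  else sum=$(openssl dgst -md5 -r "$1" | cut -d' ' -f1); fi
  [ "$sum" = "$2" ]
}

# Host audit: report every package this advisory names, then verify the Red
# Hat signature on any RPM file passed as an argument.  rpm -K only passes
# once the Red Hat key has been imported with rpm --import.  Skips without rpm.
audit_host() {
  if ! command -v rpm >/dev/null 2>&1; then
    printf 'rpm not found; skipping host audit\n'; return 0
  fi
  for p in firefox xulrunner xulrunner-devel xulrunner-devel-unstable; do
    rpm -q "$p" >/dev/null 2>&1 || continue
    # multilib hosts (i386 + x86_64) print one line per arch; check each
    for nvr in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$p"); do
      printf '%-45s %s\n' "$nvr" "$(fix_state "$nvr")"
    done
  done
  for f in "$@"; do
    rpm -K "$f" || printf 'WARNING: signature/digest check failed: %s\n' "$f"
  done
}

audit_host "$@"
```

Run it as `sh check-rhsa-2009-0397.sh xulrunner-1.9.0.7-3.el5.x86_64.rpm` on a
host to get one line per installed package plus the rpm -K verdict for the file;
call `md5_matches FILE MD5` with a checksum from the list above to confirm the
download before installing. A later erratum (for example RHSA-2009:0449 or
RHSA-2009:1530, which the list marks as superseding these files) sorts as newer
than the fixed NVR, so a host that has already taken the later update is still
reported as fixed.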

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/