Skip to navigation

Security Advisory Critical: firefox security update

Advisory: RHSA-2010:0112-1
Type: Security Advisory
Severity: Critical
Issued on: 2010-02-17
Last updated on: 2010-02-17
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2009-1571
CVE-2009-3988
CVE-2010-0159
CVE-2010-0160
CVE-2010-0162
CVE-2010-0167
CVE-2010-0169
CVE-2010-0171

Details

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

A use-after-free flaw was found in Firefox. Under low memory conditions,
visiting a web page containing malicious content could result in Firefox
executing arbitrary code with the privileges of the user running Firefox.
(CVE-2009-1571)

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2010-0159, CVE-2010-0160)

Two flaws were found in the way certain content was processed. An attacker
could use these flaws to create a malicious web page that could bypass the
same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988,
CVE-2010-0162)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.0.18. You can find a link to the Mozilla
advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.18, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
xulrunner-1.9.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: eb343c00384eb5009bbc7ff9515e2cc6
 
IA-32:
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-unstable-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2010:0332		     MD5: 002d96cd0e5eb8534f3a5d9cec217af1
 
x86_64:
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 8bf6666499e53f6c46491eb111f48102
xulrunner-devel-unstable-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0332		     MD5: 450baa6bf230e4d5acfb07e2c8642390
 
Red Hat Desktop (v. 4)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2012:0142		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
firefox-3.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: c9dc4c632116602ba0362c70f86828ca
xulrunner-1.9.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: eb343c00384eb5009bbc7ff9515e2cc6
 
IA-32:
firefox-3.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
xulrunner-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: b44af0258121f4bed502039432a83438
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-unstable-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2010:0332		     MD5: 002d96cd0e5eb8534f3a5d9cec217af1
 
IA-64:
firefox-3.0.18-1.el5_4.ia64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 7e9223a4e8f096a47daea3af90f492a1
xulrunner-1.9.0.18-1.el5_4.ia64.rpm
File outdated by:  RHSA-2013:0820		     MD5: a15edec522176a0e8f1fccf4a100998c
xulrunner-devel-1.9.0.18-1.el5_4.ia64.rpm
File outdated by:  RHSA-2013:0820		     MD5: ad8d8e47d4b9912e88b49fc342166ee0
xulrunner-devel-unstable-1.9.0.18-1.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0332		     MD5: 6308fcd605ce571d49fccd623c2c8106
 
PPC:
firefox-3.0.18-1.el5_4.ppc.rpm
File outdated by:  RHSA-2013:0820		     MD5: 629db10ee994f2c4c182d02b8e7af640
xulrunner-1.9.0.18-1.el5_4.ppc.rpm
File outdated by:  RHSA-2013:0820		     MD5: a11799b68ad415e543c50a9f26c5c3e2
xulrunner-1.9.0.18-1.el5_4.ppc64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 42069f76fd233f5079ea0c3c113f24d2
xulrunner-devel-1.9.0.18-1.el5_4.ppc.rpm
File outdated by:  RHSA-2013:0820		     MD5: 84cf386f5f3daa48d5cfe948e92ed64d
xulrunner-devel-1.9.0.18-1.el5_4.ppc64.rpm
File outdated by:  RHSA-2013:0820		     MD5: f3e37c4e4f7652a10ce7d1758ef362ce
xulrunner-devel-unstable-1.9.0.18-1.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0332		     MD5: e790f16307534751591e018ebe0092f6
 
s390x:
firefox-3.0.18-1.el5_4.s390.rpm
File outdated by:  RHSA-2013:0820		     MD5: d788eeaa020de4b3c914a97775290880
firefox-3.0.18-1.el5_4.s390x.rpm
File outdated by:  RHSA-2013:0820		     MD5: 0bfe744fe8cb9fbb9cbc2809627ca0de
xulrunner-1.9.0.18-1.el5_4.s390.rpm
File outdated by:  RHSA-2013:0820		     MD5: d362f98ffac8d380fb7ece86f2db1b29
xulrunner-1.9.0.18-1.el5_4.s390x.rpm
File outdated by:  RHSA-2013:0820		     MD5: 32cca30b94caeb2119ab82f466d542cb
xulrunner-devel-1.9.0.18-1.el5_4.s390.rpm
File outdated by:  RHSA-2013:0820		     MD5: 8c330fa47e81d44e19d34dc988598ed6
xulrunner-devel-1.9.0.18-1.el5_4.s390x.rpm
File outdated by:  RHSA-2013:0820		     MD5: 04effd4354ac5bf8c851d0fd739ab0e1
xulrunner-devel-unstable-1.9.0.18-1.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0332		     MD5: 8a7c3fb987996c9558c928c106f6b47a
 
x86_64:
firefox-3.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
firefox-3.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: b21ae2f30f797823be0f907bdad9e5fa
xulrunner-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: b44af0258121f4bed502039432a83438
xulrunner-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 939f191c5c3979ea83c5ede96c9572fd
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 8bf6666499e53f6c46491eb111f48102
xulrunner-devel-unstable-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0332		     MD5: 450baa6bf230e4d5acfb07e2c8642390
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2012:0142		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
IA-64:
firefox-3.0.18-1.el4.ia64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 79a48d2c1e725c797caac24fe2093285
 
PPC:
firefox-3.0.18-1.el4.ppc.rpm
File outdated by:  RHSA-2012:0142		     MD5: 51e50ef4bd5d118faaa4a76f696e651f
 
s390:
firefox-3.0.18-1.el4.s390.rpm
File outdated by:  RHSA-2012:0142		     MD5: 2c3b8a3ca74141cc040276a6d17724fc
 
s390x:
firefox-3.0.18-1.el4.s390x.rpm
File outdated by:  RHSA-2012:0142		     MD5: 66b6110fa49f7ba500e35762c42f49b9
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
Red Hat Enterprise Linux AS (v. 4.8.z)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2011:0885		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
IA-64:
firefox-3.0.18-1.el4.ia64.rpm
File outdated by:  RHSA-2011:0885		     MD5: 79a48d2c1e725c797caac24fe2093285
 
PPC:
firefox-3.0.18-1.el4.ppc.rpm
File outdated by:  RHSA-2011:0885		     MD5: 51e50ef4bd5d118faaa4a76f696e651f
 
s390:
firefox-3.0.18-1.el4.s390.rpm
File outdated by:  RHSA-2011:0885		     MD5: 2c3b8a3ca74141cc040276a6d17724fc
 
s390x:
firefox-3.0.18-1.el4.s390x.rpm
File outdated by:  RHSA-2011:0885		     MD5: 66b6110fa49f7ba500e35762c42f49b9
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2011:0885		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
firefox-3.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: c9dc4c632116602ba0362c70f86828ca
xulrunner-1.9.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: eb343c00384eb5009bbc7ff9515e2cc6
 
IA-32:
firefox-3.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
xulrunner-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: b44af0258121f4bed502039432a83438
 
x86_64:
firefox-3.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
firefox-3.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: b21ae2f30f797823be0f907bdad9e5fa
xulrunner-1.9.0.18-1.el5_4.i386.rpm
File outdated by:  RHSA-2013:0820		     MD5: b44af0258121f4bed502039432a83438
xulrunner-1.9.0.18-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:0820		     MD5: 939f191c5c3979ea83c5ede96c9572fd
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2012:0142		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
IA-64:
firefox-3.0.18-1.el4.ia64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 79a48d2c1e725c797caac24fe2093285
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
Red Hat Enterprise Linux ES (v. 4.8.z)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2011:0885		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
IA-64:
firefox-3.0.18-1.el4.ia64.rpm
File outdated by:  RHSA-2011:0885		     MD5: 79a48d2c1e725c797caac24fe2093285
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2011:0885		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)
SRPMS:
firefox-3.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: c9dc4c632116602ba0362c70f86828ca
xulrunner-1.9.0.18-1.el5_4.src.rpm
File outdated by:  RHSA-2013:0820		     MD5: eb343c00384eb5009bbc7ff9515e2cc6
 
IA-32:
firefox-3.0.18-1.el5_4.i386.rpm     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
xulrunner-1.9.0.18-1.el5_4.i386.rpm     MD5: b44af0258121f4bed502039432a83438
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-unstable-1.9.0.18-1.el5_4.i386.rpm     MD5: 002d96cd0e5eb8534f3a5d9cec217af1
 
IA-64:
firefox-3.0.18-1.el5_4.ia64.rpm     MD5: 7e9223a4e8f096a47daea3af90f492a1
xulrunner-1.9.0.18-1.el5_4.ia64.rpm     MD5: a15edec522176a0e8f1fccf4a100998c
xulrunner-devel-1.9.0.18-1.el5_4.ia64.rpm     MD5: ad8d8e47d4b9912e88b49fc342166ee0
xulrunner-devel-unstable-1.9.0.18-1.el5_4.ia64.rpm     MD5: 6308fcd605ce571d49fccd623c2c8106
 
PPC:
firefox-3.0.18-1.el5_4.ppc.rpm     MD5: 629db10ee994f2c4c182d02b8e7af640
xulrunner-1.9.0.18-1.el5_4.ppc.rpm     MD5: a11799b68ad415e543c50a9f26c5c3e2
xulrunner-1.9.0.18-1.el5_4.ppc64.rpm     MD5: 42069f76fd233f5079ea0c3c113f24d2
xulrunner-devel-1.9.0.18-1.el5_4.ppc.rpm     MD5: 84cf386f5f3daa48d5cfe948e92ed64d
xulrunner-devel-1.9.0.18-1.el5_4.ppc64.rpm     MD5: f3e37c4e4f7652a10ce7d1758ef362ce
xulrunner-devel-unstable-1.9.0.18-1.el5_4.ppc.rpm     MD5: e790f16307534751591e018ebe0092f6
 
s390x:
firefox-3.0.18-1.el5_4.s390.rpm     MD5: d788eeaa020de4b3c914a97775290880
firefox-3.0.18-1.el5_4.s390x.rpm     MD5: 0bfe744fe8cb9fbb9cbc2809627ca0de
xulrunner-1.9.0.18-1.el5_4.s390.rpm     MD5: d362f98ffac8d380fb7ece86f2db1b29
xulrunner-1.9.0.18-1.el5_4.s390x.rpm     MD5: 32cca30b94caeb2119ab82f466d542cb
xulrunner-devel-1.9.0.18-1.el5_4.s390.rpm     MD5: 8c330fa47e81d44e19d34dc988598ed6
xulrunner-devel-1.9.0.18-1.el5_4.s390x.rpm     MD5: 04effd4354ac5bf8c851d0fd739ab0e1
xulrunner-devel-unstable-1.9.0.18-1.el5_4.s390x.rpm     MD5: 8a7c3fb987996c9558c928c106f6b47a
 
x86_64:
firefox-3.0.18-1.el5_4.i386.rpm     MD5: 94eae77c3c9a3d8ec6ddf69c778bfcac
firefox-3.0.18-1.el5_4.x86_64.rpm     MD5: b21ae2f30f797823be0f907bdad9e5fa
xulrunner-1.9.0.18-1.el5_4.i386.rpm     MD5: b44af0258121f4bed502039432a83438
xulrunner-1.9.0.18-1.el5_4.x86_64.rpm     MD5: 939f191c5c3979ea83c5ede96c9572fd
xulrunner-devel-1.9.0.18-1.el5_4.i386.rpm     MD5: bcba4ac14be1d39d748e4e27f8b39c21
xulrunner-devel-1.9.0.18-1.el5_4.x86_64.rpm     MD5: 8bf6666499e53f6c46491eb111f48102
xulrunner-devel-unstable-1.9.0.18-1.el5_4.x86_64.rpm     MD5: 450baa6bf230e4d5acfb07e2c8642390
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
firefox-3.0.18-1.el4.src.rpm
File outdated by:  RHSA-2012:0142		     MD5: b038f1d2b5d8d9727d759169ed58af35
 
IA-32:
firefox-3.0.18-1.el4.i386.rpm
File outdated by:  RHSA-2012:0142		     MD5: 8e66532655bf531deafc7d2730f7d5aa
 
IA-64:
firefox-3.0.18-1.el4.ia64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 79a48d2c1e725c797caac24fe2093285
 
x86_64:
firefox-3.0.18-1.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142		     MD5: 5c203e4000ca8ca60c283e809909c5bb
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

566047 - CVE-2010-0159 Mozilla crashes with evidence of memory corruption (MFSA 2010-01)
566049 - CVE-2010-0160 Mozilla implementation of Web Workers can lead to crash with evidence of memory corruption (MFSA 2010-02)
566050 - CVE-2009-1571 Mozilla incorrectly frees used memory (MFSA 2010-03)
566051 - CVE-2009-3988 Mozilla violation of same-origin policy due to properties set on objects passed to showModalDialog (MFSA 2010-04)
566052 - CVE-2010-0162 Mozilla bypass of same-origin policy due to improper SVG document processing (MFSA 2010-05)


References

https://www.redhat.com/security/data/cve/CVE-2009-1571.html
https://www.redhat.com/security/data/cve/CVE-2009-3988.html
https://www.redhat.com/security/data/cve/CVE-2010-0159.html
https://www.redhat.com/security/data/cve/CVE-2010-0160.html
https://www.redhat.com/security/data/cve/CVE-2010-0162.html
https://www.redhat.com/security/data/cve/CVE-2010-0167.html
https://www.redhat.com/security/data/cve/CVE-2010-0169.html
https://www.redhat.com/security/data/cve/CVE-2010-0171.html
http://www.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.18

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/