Skip to navigation

Security Advisory firefox security update

Advisory: RHSA-2006:0610-4
Type: Security Advisory
Severity: Critical
Issued on: 2006-07-28
Last updated on: 2006-07-28
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2006-2776
CVE-2006-2778
CVE-2006-2779
CVE-2006-2780
CVE-2006-2782
CVE-2006-2783
CVE-2006-2784
CVE-2006-2785
CVE-2006-2786
CVE-2006-2787
CVE-2006-2788
CVE-2006-3113
CVE-2006-3677
CVE-2006-3801
CVE-2006-3802
CVE-2006-3803
CVE-2006-3805
CVE-2006-3806
CVE-2006-3807
CVE-2006-3808
CVE-2006-3809
CVE-2006-3810
CVE-2006-3811
CVE-2006-3812

Details

Updated firefox packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser.

The Mozilla Foundation has discontinued support for the Mozilla Firefox
1.0 branch. This update deprecates the Mozilla Firefox 1.0 branch in
Red Hat Enterprise Linux 4 in favor of the supported Mozilla Firefox
1.5 branch.

This update also resolves a number of outstanding Firefox security issues:

Several flaws were found in the way Firefox processed certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the page to steal
sensitive information or install browser malware. (CVE-2006-2776,
CVE-2006-2784, CVE-2006-2785, CVE-2006-2787, CVE-2006-3807, CVE-2006-3809,
CVE-2006-3812)

Several denial of service flaws were found in the way Firefox processed
certain web content. A malicious web page could crash the browser or
possibly execute arbitrary code as the user running Firefox.
(CVE-2006-2779, CVE-2006-2780, CVE-2006-3801, CVE-2006-3677, CVE-2006-3113,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3811)

A cross-site scripting flaw was found in the way Firefox processed
Unicode Byte-Order-Mark (BOM) markers in UTF-8 web pages. A malicious web
page could execute a script within the browser that a web input sanitizer
could miss due to a malformed "script" tag. (CVE-2006-2783)

Several flaws were found in the way Firefox processed certain javascript
actions. A malicious web page could conduct a cross-site scripting attack
or steal sensitive information (such as cookies owned by other domains).
(CVE-2006-3802, CVE-2006-3810)

A form file upload flaw was found in the way Firefox handled javascript
input object mutation. A malicious web page could upload an arbitrary local
file at form submission time without user interaction. (CVE-2006-2782)

A denial of service flaw was found in the way Firefox called the
crypto.signText() javascript function. A malicious web page could crash the
browser if the victim had a client certificate loaded. (CVE-2006-2778)

Two HTTP response smuggling flaws were found in the way Firefox processed
certain invalid HTTP response headers. A malicious web site could return
specially crafted HTTP response headers which may bypass HTTP proxy
restrictions. (CVE-2006-2786)

A flaw was found in the way Firefox processed Proxy AutoConfig scripts. A
malicious Proxy AutoConfig server could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the page to steal
sensitive information or install browser malware. (CVE-2006-3808)

A double free flaw was found in the way the nsIX509::getRawDER method was
called. If a victim visited a carefully crafted web page, it was possible
to execute arbitrary code as the user running Firefox. (CVE-2006-2788)

Users of Firefox are advised to upgrade to this update, which contains
Firefox version 1.5.0.5 that corrects these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
firefox-1.5.0.5-0.el4.1.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 6b7faea0461d07518bd00000001a4bbe
 
IA-32:
firefox-1.5.0.5-0.el4.1.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 93a78aeae71078e700fe06be36e33c8a
 
x86_64:
firefox-1.5.0.5-0.el4.1.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: d523fd14b4efd77944a75f80c400f37b
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
firefox-1.5.0.5-0.el4.1.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 6b7faea0461d07518bd00000001a4bbe
 
IA-32:
firefox-1.5.0.5-0.el4.1.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 93a78aeae71078e700fe06be36e33c8a
 
IA-64:
firefox-1.5.0.5-0.el4.1.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 29ae3f60c50462267765855063edddf4
 
PPC:
firefox-1.5.0.5-0.el4.1.ppc.rpm
File outdated by:  RHSA-2012:0142
    MD5: 27c343290fd4c6fcf16323cd62f02e9b
 
s390:
firefox-1.5.0.5-0.el4.1.s390.rpm
File outdated by:  RHSA-2012:0142
    MD5: 4be9436cc0d3cb1daee6f6962fb894ec
 
s390x:
firefox-1.5.0.5-0.el4.1.s390x.rpm
File outdated by:  RHSA-2012:0142
    MD5: ddbb5e0ae4707724e08422de346aaedf
 
x86_64:
firefox-1.5.0.5-0.el4.1.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: d523fd14b4efd77944a75f80c400f37b
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
firefox-1.5.0.5-0.el4.1.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 6b7faea0461d07518bd00000001a4bbe
 
IA-32:
firefox-1.5.0.5-0.el4.1.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 93a78aeae71078e700fe06be36e33c8a
 
IA-64:
firefox-1.5.0.5-0.el4.1.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 29ae3f60c50462267765855063edddf4
 
x86_64:
firefox-1.5.0.5-0.el4.1.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: d523fd14b4efd77944a75f80c400f37b
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
firefox-1.5.0.5-0.el4.1.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 6b7faea0461d07518bd00000001a4bbe
 
IA-32:
firefox-1.5.0.5-0.el4.1.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 93a78aeae71078e700fe06be36e33c8a
 
IA-64:
firefox-1.5.0.5-0.el4.1.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 29ae3f60c50462267765855063edddf4
 
x86_64:
firefox-1.5.0.5-0.el4.1.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: d523fd14b4efd77944a75f80c400f37b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

193895 - CVE-2006-2779 multiple firefox DoS issues (CVE-2006-2780)
196973 - CVE-2006-2783 multiple Firefox issues (CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788)
200168 - CVE-2006-3801 Multiple Seamonkey issues (CVE-2006-3677, CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/