Skip to navigation

Security Advisory Critical: firefox security update

Advisory: RHSA-2009:1674-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-12-16
Last updated on: 2009-12-16
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2009-3979
CVE-2009-3981
CVE-2009-3983
CVE-2009-3984
CVE-2009-3985
CVE-2009-3986

Details

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2009-3979, CVE-2009-3981, CVE-2009-3986)

A flaw was found in the Firefox NT Lan Manager (NTLM) authentication
protocol implementation. If an attacker could trick a local user that has
NTLM credentials into visiting a specially-crafted web page, they could
send arbitrary requests, authenticated with the user's NTLM credentials, to
other applications on the user's system. (CVE-2009-3983)

A flaw was found in the way Firefox displayed the SSL location bar
indicator. An attacker could create an unencrypted web page that appears to
be encrypted, possibly tricking the user into believing they are visiting a
secure page. (CVE-2009-3984)

A flaw was found in the way Firefox displayed blank pages after a user
navigates to an invalid address. If a user visits an attacker-controlled
web page that results in a blank page, the attacker could inject content
into that blank page, possibly tricking the user into believing they are
viewing a legitimate page. (CVE-2009-3985)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.0.16. You can find a link to the Mozilla
advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.16, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
xulrunner-1.9.0.16-2.el5_4.src.rpm
File outdated by:  RHSA-2013:1476
    MD5: d55690b875b1e0b9d5358135637f6fc1
 
IA-32:
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-unstable-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0332
    MD5: 3d9ef7ffb9fc68013dec66f4cd2ee0e3
 
x86_64:
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:1476
    MD5: ee86c594e5d0f3b0e294b39515316d58
xulrunner-devel-unstable-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0332
    MD5: f6d987769d76515e969750c2e49ae185
 
Red Hat Desktop (v. 4)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 3649c4af0dad57a08383920016a98da4
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
firefox-3.0.16-1.el5_4.src.rpm
File outdated by:  RHSA-2010:0112
    MD5: 667f2cf3514edbbe6639ae6606b02f92
xulrunner-1.9.0.16-2.el5_4.src.rpm
File outdated by:  RHSA-2013:1476
    MD5: d55690b875b1e0b9d5358135637f6fc1
 
IA-32:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2014:0310
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 32a48187d61e871880fe909ba42dddd1
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-unstable-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0332
    MD5: 3d9ef7ffb9fc68013dec66f4cd2ee0e3
 
IA-64:
firefox-3.0.16-1.el5_4.ia64.rpm
File outdated by:  RHSA-2014:0310
    MD5: b1a2ee6a9b8f8fdabfbcff17dc0e76f4
xulrunner-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2013:1476
    MD5: c7e5908ce686349928529070068b1092
xulrunner-devel-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2013:1476
    MD5: 2f6dcdfa3ab55f723e70fa9e7047c6f0
xulrunner-devel-unstable-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0332
    MD5: e0b0a551ea5d108a233c7d3dddf1cbea
 
PPC:
firefox-3.0.16-1.el5_4.ppc.rpm
File outdated by:  RHSA-2014:0310
    MD5: 07ccaf85fe2279130f2cb84c167bcd61
xulrunner-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2013:1476
    MD5: dc9606d039ae20ad470ca1900ed8515d
xulrunner-1.9.0.16-2.el5_4.ppc64.rpm
File outdated by:  RHSA-2013:1476
    MD5: c9ffe7f2851b9ecf3eef5fdc13be7019
xulrunner-devel-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2013:1476
    MD5: 30de262d08b695d6acedcd34f85263a2
xulrunner-devel-1.9.0.16-2.el5_4.ppc64.rpm
File outdated by:  RHSA-2013:1476
    MD5: 4617c11259116c2dd0a6b267b94033ae
xulrunner-devel-unstable-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0332
    MD5: 68589e6774f3a962b974cb37a59349f4
 
s390x:
firefox-3.0.16-1.el5_4.s390.rpm
File outdated by:  RHSA-2014:0310
    MD5: 1da24db4a07392094b3fb8fbd74c54ec
firefox-3.0.16-1.el5_4.s390x.rpm
File outdated by:  RHSA-2014:0310
    MD5: 254871ee550542d2365fb65c62b4eb1b
xulrunner-1.9.0.16-2.el5_4.s390.rpm
File outdated by:  RHSA-2013:1476
    MD5: 3c1654043684005e76113813f082713b
xulrunner-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2013:1476
    MD5: 828965de56d151366ec08aa993d61258
xulrunner-devel-1.9.0.16-2.el5_4.s390.rpm
File outdated by:  RHSA-2013:1476
    MD5: b92e61f8ab0bd5b9457019697252f8b9
xulrunner-devel-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2013:1476
    MD5: cdf689aa84c23980ec67ba0d05d87fc2
xulrunner-devel-unstable-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0332
    MD5: ec3bf246acdb0f219ad5a6603e80f1e8
 
x86_64:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2014:0310
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
firefox-3.0.16-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2014:0310
    MD5: f7c7397b7ca34eff89c00abb9d9f6147
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 32a48187d61e871880fe909ba42dddd1
xulrunner-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:1476
    MD5: 1c586a67af4d3e0af960e7c670ccac50
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:1476
    MD5: ee86c594e5d0f3b0e294b39515316d58
xulrunner-devel-unstable-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0332
    MD5: f6d987769d76515e969750c2e49ae185
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
IA-64:
firefox-3.0.16-4.el4.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: b2d24ac583ba2fe2dba35d3f9ff36b28
 
PPC:
firefox-3.0.16-4.el4.ppc.rpm
File outdated by:  RHSA-2012:0142
    MD5: 2f7bb878689aecfab172dc85e4a27968
 
s390:
firefox-3.0.16-4.el4.s390.rpm
File outdated by:  RHSA-2012:0142
    MD5: 60439007315ac45c9e2dba79abeed09c
 
s390x:
firefox-3.0.16-4.el4.s390x.rpm
File outdated by:  RHSA-2012:0142
    MD5: ea67e3917aec90d48c49c58727830bd7
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 3649c4af0dad57a08383920016a98da4
 
Red Hat Enterprise Linux AS (v. 4.8.z)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2011:0885
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
IA-64:
firefox-3.0.16-4.el4.ia64.rpm
File outdated by:  RHSA-2011:0885
    MD5: b2d24ac583ba2fe2dba35d3f9ff36b28
 
PPC:
firefox-3.0.16-4.el4.ppc.rpm
File outdated by:  RHSA-2011:0885
    MD5: 2f7bb878689aecfab172dc85e4a27968
 
s390:
firefox-3.0.16-4.el4.s390.rpm
File outdated by:  RHSA-2011:0885
    MD5: 60439007315ac45c9e2dba79abeed09c
 
s390x:
firefox-3.0.16-4.el4.s390x.rpm
File outdated by:  RHSA-2011:0885
    MD5: ea67e3917aec90d48c49c58727830bd7
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2011:0885
    MD5: 3649c4af0dad57a08383920016a98da4
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
firefox-3.0.16-1.el5_4.src.rpm
File outdated by:  RHSA-2010:0112
    MD5: 667f2cf3514edbbe6639ae6606b02f92
xulrunner-1.9.0.16-2.el5_4.src.rpm
File outdated by:  RHSA-2013:1476
    MD5: d55690b875b1e0b9d5358135637f6fc1
 
IA-32:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2014:0310
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 32a48187d61e871880fe909ba42dddd1
 
x86_64:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2014:0310
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
firefox-3.0.16-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2014:0310
    MD5: f7c7397b7ca34eff89c00abb9d9f6147
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2013:1476
    MD5: 32a48187d61e871880fe909ba42dddd1
xulrunner-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2013:1476
    MD5: 1c586a67af4d3e0af960e7c670ccac50
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
IA-64:
firefox-3.0.16-4.el4.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: b2d24ac583ba2fe2dba35d3f9ff36b28
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 3649c4af0dad57a08383920016a98da4
 
Red Hat Enterprise Linux ES (v. 4.8.z)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2011:0885
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
IA-64:
firefox-3.0.16-4.el4.ia64.rpm
File outdated by:  RHSA-2011:0885
    MD5: b2d24ac583ba2fe2dba35d3f9ff36b28
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2011:0885
    MD5: 3649c4af0dad57a08383920016a98da4
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
firefox-3.0.16-1.el5_4.src.rpm
File outdated by:  RHSA-2010:0112
    MD5: 667f2cf3514edbbe6639ae6606b02f92
xulrunner-1.9.0.16-2.el5_4.src.rpm
File outdated by:  RHSA-2013:1476
    MD5: d55690b875b1e0b9d5358135637f6fc1
 
IA-32:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: 32a48187d61e871880fe909ba42dddd1
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-unstable-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: 3d9ef7ffb9fc68013dec66f4cd2ee0e3
 
IA-64:
firefox-3.0.16-1.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0112
    MD5: b1a2ee6a9b8f8fdabfbcff17dc0e76f4
xulrunner-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0112
    MD5: c7e5908ce686349928529070068b1092
xulrunner-devel-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0112
    MD5: 2f6dcdfa3ab55f723e70fa9e7047c6f0
xulrunner-devel-unstable-1.9.0.16-2.el5_4.ia64.rpm
File outdated by:  RHSA-2010:0112
    MD5: e0b0a551ea5d108a233c7d3dddf1cbea
 
PPC:
firefox-3.0.16-1.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0112
    MD5: 07ccaf85fe2279130f2cb84c167bcd61
xulrunner-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0112
    MD5: dc9606d039ae20ad470ca1900ed8515d
xulrunner-1.9.0.16-2.el5_4.ppc64.rpm
File outdated by:  RHSA-2010:0112
    MD5: c9ffe7f2851b9ecf3eef5fdc13be7019
xulrunner-devel-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0112
    MD5: 30de262d08b695d6acedcd34f85263a2
xulrunner-devel-1.9.0.16-2.el5_4.ppc64.rpm
File outdated by:  RHSA-2010:0112
    MD5: 4617c11259116c2dd0a6b267b94033ae
xulrunner-devel-unstable-1.9.0.16-2.el5_4.ppc.rpm
File outdated by:  RHSA-2010:0112
    MD5: 68589e6774f3a962b974cb37a59349f4
 
s390x:
firefox-3.0.16-1.el5_4.s390.rpm
File outdated by:  RHSA-2010:0112
    MD5: 1da24db4a07392094b3fb8fbd74c54ec
firefox-3.0.16-1.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0112
    MD5: 254871ee550542d2365fb65c62b4eb1b
xulrunner-1.9.0.16-2.el5_4.s390.rpm
File outdated by:  RHSA-2010:0112
    MD5: 3c1654043684005e76113813f082713b
xulrunner-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0112
    MD5: 828965de56d151366ec08aa993d61258
xulrunner-devel-1.9.0.16-2.el5_4.s390.rpm
File outdated by:  RHSA-2010:0112
    MD5: b92e61f8ab0bd5b9457019697252f8b9
xulrunner-devel-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0112
    MD5: cdf689aa84c23980ec67ba0d05d87fc2
xulrunner-devel-unstable-1.9.0.16-2.el5_4.s390x.rpm
File outdated by:  RHSA-2010:0112
    MD5: ec3bf246acdb0f219ad5a6603e80f1e8
 
x86_64:
firefox-3.0.16-1.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: e513e985b73dbf29f85fb4fd7ae2c4bc
firefox-3.0.16-1.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0112
    MD5: f7c7397b7ca34eff89c00abb9d9f6147
xulrunner-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: 32a48187d61e871880fe909ba42dddd1
xulrunner-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0112
    MD5: 1c586a67af4d3e0af960e7c670ccac50
xulrunner-devel-1.9.0.16-2.el5_4.i386.rpm
File outdated by:  RHSA-2010:0112
    MD5: 09a3eb8a9b0b8cf8e56171eb04378bd1
xulrunner-devel-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0112
    MD5: ee86c594e5d0f3b0e294b39515316d58
xulrunner-devel-unstable-1.9.0.16-2.el5_4.x86_64.rpm
File outdated by:  RHSA-2010:0112
    MD5: f6d987769d76515e969750c2e49ae185
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
firefox-3.0.16-4.el4.src.rpm
File outdated by:  RHSA-2012:0142
    MD5: 1b13c30c5017daef208408dc61edd1f4
 
IA-32:
firefox-3.0.16-4.el4.i386.rpm
File outdated by:  RHSA-2012:0142
    MD5: 44aa669eef4fa2a0e5bc84dc59814ea8
 
IA-64:
firefox-3.0.16-4.el4.ia64.rpm
File outdated by:  RHSA-2012:0142
    MD5: b2d24ac583ba2fe2dba35d3f9ff36b28
 
x86_64:
firefox-3.0.16-4.el4.x86_64.rpm
File outdated by:  RHSA-2012:0142
    MD5: 3649c4af0dad57a08383920016a98da4
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

546694 - CVE-2009-3979 Mozilla crash with evidence of memory corruption
546713 - CVE-2009-3981 Mozilla crashes with evidence of memory corruption
546720 - CVE-2009-3983 Mozilla NTLM reflection vulnerability
546722 - CVE-2009-3984 Mozilla SSL spoofing with document.location and empty SSL response page
546724 - CVE-2009-3986 Mozilla Chrome privilege escalation via window.opener
546726 - CVE-2009-3985 Mozilla URL spoofing via invalid document.location


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/