September 2005
Fedora - Nine Update Notifications
ID: 00839
Ref: 782/05
Date: 27 September 2005:14:58:22
Version: 1
Title: Fedora - Nine Update Notifications
Abstract: Updates for both Core 4 and 3 for firefox, mozilla, devhelp, epiphany, and yelp
Vendors affected: Fedora
Operating systems affected: Fedora
Applications affected: Fedora
Title
=====
Fedora - Nine Update Notifications:
1. Fedora Core 4 Update: firefox-1.0.7-1.1.fc4 [FEDORA-2005-926]
2. Fedora Core 4 Update: mozilla-1.7.12-1.5.1 [FEDORA-2005-927]
3. Fedora Core 4 Update: devhelp-0.10-1.4.2 [FEDORA-2005-928]
4. Fedora Core 4 Update: epiphany-1.6.5-2 [FEDORA-2005-929]
5. Fedora Core 4 Update: yelp-2.10.0-1.4.2 [FEDORA-2005-930]
6. Fedora Core 3 Update: firefox-1.0.7-1.1.fc3 [FEDORA-2005-931]
7. Fedora Core 3 Update: mozilla-1.7.12-1.3.1 [FEDORA-2005-932]
8. Fedora Core 3 Update: devhelp-0.9.2-2.3.6 [FEDORA-2005-933]
9. Fedora Core 3 Update: epiphany-1.4.9-1 [FEDORA-2005-934]
Detail
======
Update notification follows:
1.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-926
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 4
Name : firefox
Version : 1.0.7
Release : 1.1.fc4
Summary : Mozilla Firefox Web browser.
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
---------------------------------------------------------------------
Update Information:
An updated firefox package that fixes several security bugs
is now available for Fedora Core 4.
This update has been rated as having critical security
impact by the Fedora Security Response Team.
Mozilla Firefox is an open source Web browser.
A bug was found in the way Firefox processes XBM image
files. If a user views a specially crafted XBM file, it
becomes possible to execute arbitrary code as the user
running Firefox. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2701
to this issue.
A bug was found in the way Firefox processes certain Unicode
sequences. It may be possible to execute arbitrary code as
the user running Firefox if the user views a specially
crafted Unicode sequence. (CAN-2005-2702)
A bug was found in the way Firefox makes XMLHttp requests.
It is possible that a malicious web page could leverage this
flaw to exploit other proxy or server flaws from the
victim's machine. It is also possible that this flaw could
be leveraged to send XMLHttp requests to hosts other than
the originator; the default behavior of the browser is to
disallow this. (CAN-2005-2703)
A bug was found in the way Firefox implemented its XBL
interface. It may be possible for a malicious web page to
create an XBL binding in such a way that would allow
arbitrary JavaScript execution with chrome permissions.
Please note that in Firefox 1.0.6 this issue is not directly
exploitable and will need to leverage other unknown
exploits. (CAN-2005-2704)
An integer overflow bug was found in Firefox's JavaScript
engine. Under favorable conditions, it may be possible for a
malicious web page to execute arbitrary code as the user
running Firefox. (CAN-2005-2705)
A bug was found in the way Firefox displays about: pages. It
is possible for a malicious web page to open an about: page,
such as about:mozilla, in such a way that it becomes
possible to execute JavaScript with chrome privileges.
(CAN-2005-2706)
A bug was found in the way Firefox opens new windows. It is
possible for a malicious web site to construct a new window
without any user interface components, such as the address
bar and the status bar. This window could then be used to
mislead the user for malicious purposes. (CAN-2005-2707)
A bug was found in the way Firefox processes URLs passed to
it on the command line. If a user passes a malformed URL to
Firefox, such as clicking on a link in an instant messaging
program, it is possible to execute arbitrary commands as the
user running Firefox. (CAN-2005-2968)
Users of Firefox are advised to upgrade to this updated
package that contains Firefox version 1.0.7 and is not
vulnerable to these issues.
---------------------------------------------------------------------
* Thu Sep 22 2005 Christopher Aillon 0:1.0.7-1.1.fc4
- Update to 1.0.7, containing fixes for:
CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
2.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-927
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 4
Name : mozilla
Version : 1.7.12
Release : 1.5.1
Summary : Web browser and mail reader
Description :
Mozilla is an open-source web browser, designed for standards
compliance, performance and portability.
---------------------------------------------------------------------
Update Information:
Updated mozilla packages that fix several security bugs are
now available for Fedora Core 4.
This update has been rated as having critical security
impact by the Fedora Security Response Team.
Mozilla is an open source Web browser, advanced email and
newsgroup client, IRC chat client, and HTML editor.
A bug was found in the way Mozilla processes XBM image
files. If a user views a specially crafted XBM file, it
becomes possible to execute arbitrary code as the user
running Mozilla. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2701
to this issue.
A bug was found in the way Mozilla processes certain Unicode
sequences. It may be possible to execute arbitrary code as
the user running Mozilla, if the user views a specially
crafted Unicode sequence. (CAN-2005-2702)
A bug was found in the way Mozilla makes XMLHttp requests.
It is possible that a malicious web page could leverage this
flaw to exploit other proxy or server flaws from the
victim's machine. It is also possible that this flaw could
be leveraged to send XMLHttp requests to hosts other than
the originator; the default behavior of the browser is to
disallow this. (CAN-2005-2703)
A bug was found in the way Mozilla implemented its XBL
interface. It may be possible for a malicious web page to
create an XBL binding in a way that would allow arbitrary
JavaScript execution with chrome permissions. Please note
that in Mozilla 1.7.10 this issue is not directly
exploitable and would need to leverage other unknown
exploits. (CAN-2005-2704)
An integer overflow bug was found in Mozilla's JavaScript
engine. Under favorable conditions, it may be possible for a
malicious web page to execute arbitrary code as the user
running Mozilla. (CAN-2005-2705)
A bug was found in the way Mozilla displays about: pages. It
is possible for a malicious web page to open an about: page,
such as about:mozilla, in such a way that it becomes
possible to execute JavaScript with chrome privileges.
(CAN-2005-2706)
A bug was found in the way Mozilla opens new windows. It is
possible for a malicious web site to construct a new window
without any user interface components, such as the address
bar and the status bar. This window could then be used to
mislead the user for malicious purposes. (CAN-2005-2707)
Users of Mozilla are advised to upgrade to this updated
package that contains Mozilla version 1.7.12 and is not
vulnerable to these issues.
---------------------------------------------------------------------
* Thu Sep 22 2005 Christopher Aillon 37:1.7.12-1.5.1
- Update to 1.7.12, containing fixes for:
CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
3.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-928
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 4
Name : devhelp
Version : 0.10
Release : 1.4.2
Summary : API document browser
Description :
An API document browser for GNOME 2.
---------------------------------------------------------------------
Update Information:
There were several security flaws found in the mozilla
package, which devhelp depends on. Users of devhelp are
advised to upgrade to this updated package which has been
rebuilt against a version of mozilla not vulnerable to these
flaws.
---------------------------------------------------------------------
* Fri Sep 23 2005 Christopher Aillon 0.10-1.4.2
- Rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
4.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-929
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 4
Name : epiphany
Version : 1.6.5
Release : 2
Summary : GNOME web browser based on the Mozilla rendering engine
Description :
epiphany is a simple GNOME web browser based on the Mozilla rendering
engine
---------------------------------------------------------------------
Update Information:
There were several security flaws found in the mozilla
package, which epiphany depends on. Users of epiphany are
advised to upgrade to this updated package which has been
rebuilt against a version of mozilla not vulnerable to these
flaws.
---------------------------------------------------------------------
* Fri Sep 23 2005 Christopher Aillon - 1.6.5-2
- Rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
5.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-930
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 4
Name : yelp
Version : 2.10.0
Release : 1.4.2
Summary : A system documentation reader from the Gnome project.
Description :
Yelp is the Gnome 2 help/documentation browser. It is designed
to help you browse all the documentation on your system in
one central tool.
---------------------------------------------------------------------
Update Information:
There were several security flaws found in the mozilla
package, which yelp depends on. Users of yelp are advised
to upgrade to this updated package which has been rebuilt
against a version of mozilla not vulnerable to these flaws.
---------------------------------------------------------------------
* Fri Sep 23 2005 Christopher Aillon 2.10-1.4.2
- Rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
6.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-931
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 3
Name : firefox
Version : 1.0.7
Release : 1.1.fc3
Summary : Mozilla Firefox Web browser.
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.
---------------------------------------------------------------------
Update Information:
An updated firefox package that fixes several security bugs
is now available for Fedora Core 3.
This update has been rated as having critical security
impact by the Fedora Security Response Team.
Mozilla Firefox is an open source Web browser.
A bug was found in the way Firefox processes XBM image
files. If a user views a specially crafted XBM file, it
becomes possible to execute arbitrary code as the user
running Firefox. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2701
to this issue.
A bug was found in the way Firefox processes certain Unicode
sequences. It may be possible to execute arbitrary code as
the user running Firefox if the user views a specially
crafted Unicode sequence. (CAN-2005-2702)
A bug was found in the way Firefox makes XMLHttp requests.
It is possible that a malicious web page could leverage this
flaw to exploit other proxy or server flaws from the
victim's machine. It is also possible that this flaw could
be leveraged to send XMLHttp requests to hosts other than
the originator; the default behavior of the browser is to
disallow this. (CAN-2005-2703)
A bug was found in the way Firefox implemented its XBL
interface. It may be possible for a malicious web page to
create an XBL binding in such a way that would allow
arbitrary JavaScript execution with chrome permissions.
Please note that in Firefox 1.0.6 this issue is not directly
exploitable and will need to leverage other unknown
exploits. (CAN-2005-2704)
An integer overflow bug was found in Firefox's JavaScript
engine. Under favorable conditions, it may be possible for a
malicious web page to execute arbitrary code as the user
running Firefox. (CAN-2005-2705)
A bug was found in the way Firefox displays about: pages. It
is possible for a malicious web page to open an about: page,
such as about:mozilla, in such a way that it becomes
possible to execute JavaScript with chrome privileges.
(CAN-2005-2706)
A bug was found in the way Firefox opens new windows. It is
possible for a malicious web site to construct a new window
without any user interface components, such as the address
bar and the status bar. This window could then be used to
mislead the user for malicious purposes. (CAN-2005-2707)
A bug was found in the way Firefox processes URLs passed to
it on the command line. If a user passes a malformed URL to
Firefox, such as clicking on a link in an instant messaging
program, it is possible to execute arbitrary commands as the
user running Firefox. (CAN-2005-2968)
Users of Firefox are advised to upgrade to this updated
package that contains Firefox version 1.0.7 and is not
vulnerable to these issues.
---------------------------------------------------------------------
* Thu Sep 22 2005 Christopher Aillon 0:1.0.7-1.1.fc3
- Update to 1.0.7, containing fixes for:
CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
7.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-932
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 3
Name : mozilla
Version : 1.7.12
Release : 1.3.1
Summary : Web browser and mail reader
Description :
Mozilla is an open-source web browser, designed for standards
compliance, performance and portability.
---------------------------------------------------------------------
Update Information:
Updated mozilla packages that fix several security bugs are
now available for Fedora Core 3.
This update has been rated as having critical security
impact by the Fedora Security Response Team.
Mozilla is an open source Web browser, advanced email and
newsgroup client, IRC chat client, and HTML editor.
A bug was found in the way Mozilla processes XBM image
files. If a user views a specially crafted XBM file, it
becomes possible to execute arbitrary code as the user
running Mozilla. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2701
to this issue.
A bug was found in the way Mozilla processes certain Unicode
sequences. It may be possible to execute arbitrary code as
the user running Mozilla, if the user views a specially
crafted Unicode sequence. (CAN-2005-2702)
A bug was found in the way Mozilla makes XMLHttp requests.
It is possible that a malicious web page could leverage this
flaw to exploit other proxy or server flaws from the
victim's machine. It is also possible that this flaw could
be leveraged to send XMLHttp requests to hosts other than
the originator; the default behavior of the browser is to
disallow this. (CAN-2005-2703)
A bug was found in the way Mozilla implemented its XBL
interface. It may be possible for a malicious web page to
create an XBL binding in a way that would allow arbitrary
JavaScript execution with chrome permissions. Please note
that in Mozilla 1.7.10 this issue is not directly
exploitable and would need to leverage other unknown
exploits. (CAN-2005-2704)
An integer overflow bug was found in Mozilla's JavaScript
engine. Under favorable conditions, it may be possible for a
malicious web page to execute arbitrary code as the user
running Mozilla. (CAN-2005-2705)
A bug was found in the way Mozilla displays about: pages. It
is possible for a malicious web page to open an about: page,
such as about:mozilla, in such a way that it becomes
possible to execute JavaScript with chrome privileges.
(CAN-2005-2706)
A bug was found in the way Mozilla opens new windows. It is
possible for a malicious web site to construct a new window
without any user interface components, such as the address
bar and the status bar. This window could then be used to
mislead the user for malicious purposes. (CAN-2005-2707)
Users of Mozilla are advised to upgrade to this updated
package that contains Mozilla version 1.7.12 and is not
vulnerable to these issues.
---------------------------------------------------------------------
* Thu Sep 22 2005 Christopher Aillon 37:1.7.12-1.3.1
- Update to 1.7.12, containing fixes for:
CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
CAN-2005-2705 CAN-2005-2706 CAN-2005-2707 CAN-2005-2968
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
8.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-933
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 3
Name : devhelp
Version : 0.9.2
Release : 2.3.6
Summary : API document browser
Description :
An API document browser for GNOME 2.
---------------------------------------------------------------------
Update Information:
There were several security flaws found in the mozilla
package, which devhelp depends on. Users of devhelp are
advised to upgrade to this updated package which has been
rebuilt against a version of mozilla not vulnerable to these
flaws.
---------------------------------------------------------------------
* Fri Sep 23 2005 Christopher Aillon 0.9.2-2.3.6
- Rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
9.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-934
2005-09-26
---------------------------------------------------------------------
Product : Fedora Core 3
Name : epiphany
Version : 1.4.9
Release : 1
Summary : GNOME web browser based on the Mozilla rendering engine
Description :
epiphany is a simple GNOME web browser based on the Mozilla rendering
engine
---------------------------------------------------------------------
Update Information:
There were several security flaws found in the mozilla
package, which epiphany depends on. Users of epiphany are
advised to upgrade to this updated package which has been
rebuilt against a version of mozilla not vulnerable to these
flaws.
---------------------------------------------------------------------
* Fri Sep 23 2005 Christopher Aillon 1.4.9-1
- Rebuild
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
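To confirm that a host has actually picked up the builds listed in the nine notifications above, the following added example (not part of the Fedora notifications) compares an installed-package inventory against the fixed versions using rpm's classic version ordering. It assumes the inventory was produced with `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'`; the epochs for devhelp, epiphany and yelp are not shown in the notifications and are assumed to be 0, and the sample inventory is constructed.

```python
import re

# Fixed builds taken from the notifications above, keyed by
# (Fedora Core release, package name). The firefox and mozilla epochs come
# from their changelog lines; the other packages show no epoch, which is
# treated as 0 here (assumption).
FIXED = {
    (4, "firefox"): "0:1.0.7-1.1.fc4",
    (4, "mozilla"): "37:1.7.12-1.5.1",
    (4, "devhelp"): "0.10-1.4.2",
    (4, "epiphany"): "1.6.5-2",
    (4, "yelp"): "2.10.0-1.4.2",
    (3, "firefox"): "0:1.0.7-1.1.fc3",
    (3, "mozilla"): "37:1.7.12-1.3.1",
    (3, "devhelp"): "0.9.2-2.3.6",
    (3, "epiphany"): "1.4.9-1",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings with rpm's classic rules.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equivalent.
    The later '~' and '^' extensions are not handled.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alphabetic one
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: whichever string has segments left is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def parse_evr(evr):
    """Split '[epoch:]version-release'; rpm prints '(none)' for a missing epoch."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, dash, release = rest.rpartition("-")
    if not dash or not version or not release:
        raise ValueError("not a version-release string: %r" % evr)
    return (0 if epoch in ("", "(none)") else int(epoch)), version, release


def compare_evr(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    epoch_a, ver_a, rel_a = parse_evr(a)
    epoch_b, ver_b, rel_b = parse_evr(b)
    if epoch_a != epoch_b:
        return 1 if epoch_a > epoch_b else -1
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def audit(core_release, inventory_text):
    """Return {package: (installed, fixed)} for packages older than the fixed build."""
    stale = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, installed = parts
        fixed = FIXED.get((core_release, name))
        if fixed and compare_evr(installed, fixed) < 0:
            stale[name] = (installed, fixed)
    return stale


# Constructed sample inventory for a Fedora Core 4 host (not real output).
SAMPLE_INVENTORY = """\
firefox 0:1.0.6-1.1.fc4
mozilla 37:1.7.12-1.5.1
devhelp (none):0.10-1.4.1
epiphany (none):1.6.5-2
yelp (none):2.10.0-1.4.2
bash (none):3.0-31
"""

if __name__ == "__main__":
    for name, (installed, fixed) in sorted(audit(4, SAMPLE_INVENTORY).items()):
        print("%s: installed %s, needs %s" % (name, installed, fixed))
```

The devhelp, epiphany and yelp entries matter as much as the browsers: they were rebuilt against the fixed mozilla, so an old release of any of them is reported even though its upstream version is unchanged.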