lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 May 2005 13:16:47 -0700
From: please_reply_to_security@....com
To: security-announce@...t.sco.com, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: UnixWare 7.1.4 : Updated mozilla fixes many
	security issues



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.4 : Updated mozilla fixes many security issues
Advisory number: 	SCOSA-2005.25
Issue date: 		2005 May 18
Cross reference:	sr891008 fz529877 erg712655 sr891398 fz530151 erg712686 sr892164 fz530485 erg712734 sr892473 fz530642 erg712748 sr893376 fz531626 erg712820 CAN-2005-0399 CAN-2004-0597 CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765
______________________________________________________________________________


1. Problem Description

	The Mozilla 1.7.6 browser in this update represents a
	significant advancement in features and fixes over the
	Mozilla 1.2.1 released with UnixWare 7.1.4. 

	This update addresses the following security issues: 

	Technical Cyber Security Alert TA04-261A Multiple vulnerabilities in 
	Mozilla products 

	VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup()
		    function in nsVCardObj.cpp
	VU#847200 - Mozilla contains integer overflows in bitmap image decoder
	VU#808216 - Mozilla contains heap overflow in UTF8 conversion of 
		    hostname portion of URLs 
	VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler 
	VU#327560 - Mozilla "send page" feature contains a buffer overflow 
	VU#651928 - Mozilla allows arbitrary code execution via link dragging 

	These vulnerabilities could allow a remote attacker to execute arbitrary
	code with the privileges of the user running the affected application.

	This fix also addresses several other security issues, and their
	CAN numbers are listed below. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org) 
	has assigned the following names:CAN-2005-0399 CAN-2004-0597 
	CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 
	CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 
	CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.4			Mozilla distribution

3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.4

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25

	4.2 Verification

	(mozilla-1.7.6.pkg) = c4f4ee1a73c3d6d10d3064c7e68f6299  

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download mozilla.image.pkg to the /var/spool/pkg directory

	# pkgadd -d /var/spool/pkg/mozilla.image.pkg

5. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765 
		http://www.us-cert.gov/cas/techalerts/TA04-261A.html 
		http://www.kb.cert.org/vuls/id/414240 
		http://www.kb.cert.org/vuls/id/847200 
		http://www.kb.cert.org/vuls/id/808216 
		http://www.kb.cert.org/vuls/id/125776 
		http://www.kb.cert.org/vuls/id/327560 
		http://www.kb.cert.org/vuls/id/651928

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr891008 fz529877
	erg712655 sr891398 fz530151 erg712686 sr892164 fz530485
	erg712734 sr892473 fz530642 erg712748 sr893376 fz531626
	erg712820.


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


7. Acknowledgments

	SCO would like to thank Georgi Guninski, Gael Delalleau,
	Mats Palmgren, and Jesse Ruderman

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCi1rVaqoBO7ipriERAiHrAJ4trp0n1Tse98oWr7VU0jGFlhes+gCfVZph
9SDDehPywPTZzQdU4V9xrEs=
=udtT
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists