[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050518131647.A6981@caldera.com>
Date: Wed, 18 May 2005 13:16:47 -0700
From: please_reply_to_security@....com
To: security-announce@...t.sco.com, bugtraq@...urityfocus.com,
full-disclosure@...ts.grok.org.uk
Subject: UnixWare 7.1.4 : Updated mozilla fixes many
security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : Updated mozilla fixes many security issues
Advisory number: SCOSA-2005.25
Issue date: 2005 May 18
Cross reference: sr891008 fz529877 erg712655 sr891398 fz530151 erg712686 sr892164 fz530485 erg712734 sr892473 fz530642 erg712748 sr893376 fz531626 erg712820 CAN-2005-0399 CAN-2004-0597 CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765
______________________________________________________________________________
1. Problem Description
The Mozilla 1.7.6 browser in this update represents a
significant advancement in features and fixes over the
Mozilla 1.2.1 released with UnixWare 7.1.4.
This update addresses the following security issues:
Technical Cyber Security Alert TA04-261A Multiple vulnerabilities in
Mozilla products
VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup()
function in nsVCardObj.cpp
VU#847200 - Mozilla contains integer overflows in bitmap image decoder
VU#808216 - Mozilla contains heap overflow in UTF8 conversion of
hostname portion of URLs
VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler
VU#327560 - Mozilla "send page" feature contains a buffer overflow
VU#651928 - Mozilla allows arbitrary code execution via link dragging
These vulnerabilities could allow a remote attacker to execute arbitrary
code with the privileges of the user running the affected application.
This fix also addresses several other security issues, and their
CAN numbers are listed below.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names:CAN-2005-0399 CAN-2004-0597
CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757
CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761
CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 Mozilla distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25
4.2 Verification
(mozilla-1.7.6.pkg) = c4f4ee1a73c3d6d10d3064c7e68f6299
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download mozilla.image.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/mozilla.image.pkg
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765
http://www.us-cert.gov/cas/techalerts/TA04-261A.html
http://www.kb.cert.org/vuls/id/414240
http://www.kb.cert.org/vuls/id/847200
http://www.kb.cert.org/vuls/id/808216
http://www.kb.cert.org/vuls/id/125776
http://www.kb.cert.org/vuls/id/327560
http://www.kb.cert.org/vuls/id/651928
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr891008 fz529877
erg712655 sr891398 fz530151 erg712686 sr892164 fz530485
erg712734 sr892473 fz530642 erg712748 sr893376 fz531626
erg712820.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Georgi Guninski, Gael Delalleau,
Mats Palmgren, and Jesse Ruderman
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCi1rVaqoBO7ipriERAiHrAJ4trp0n1Tse98oWr7VU0jGFlhes+gCfVZph
9SDDehPywPTZzQdU4V9xrEs=
=udtT
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists