Message-Id: <20061203163528.5A6ABFDE1@finlandia.home.infodrom.org>
Date: Sun,  3 Dec 2006 17:35:28 +0100 (CET)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1225-1] New Mozilla Firefox packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1225-1                    security@...ian.org
http://www.debian.org/security/                             Martin Schulze
December 3rd, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464
                 CVE-2006-5748
CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496 
BugTraq IDs    : 19678 20957

Several security related problems have been discovered in Mozilla and
derived products such as Mozilla Firefox.  The Common Vulnerabilities
and Exposures project identifies the following vulnerabilities:

CVE-2006-4310

    Tomas Kempinsky discovered that malformed FTP server responses
    could lead to denial of service.

CVE-2006-5462

    Ulrich Kühn discovered that the correction for a cryptographic
    flaw in the handling of PKCS-1 certificates was incomplete, which
    allows the forgery of certificates.

CVE-2006-5463

    "shutdown" discovered that modification of JavaScript objects
    during execution could lead to the execution of arbitrary
    JavaScript bytecode.

CVE-2006-5464

    Jesse Ruderman and Martijn Wargers discovered several crashes in
    the layout engine, which might also allow execution of arbitrary
    code.

CVE-2006-5748

    Igor Bukanov and Jesse Ruderman discovered several crashes in the
    JavaScript engine, which might allow execution of arbitrary code.

This update also addresses several crashes, which could be triggered by
malicious websites, and fixes a regression introduced in the previous
Mozilla update.


For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge13.

For the unstable distribution (sid) these problems have been fixed in
the current iceweasel package 2.0+dfsg-1.

We recommend that you upgrade your mozilla-firefox package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.dsc
      Size/MD5 checksum:     1003 4a8d05c1e9563e6066ca838e7c0b2f53
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.diff.gz
      Size/MD5 checksum:   450265 46d4bedf12a1e0c92a275ae012d92b5a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum: 11182242 388bf02a94456182cd7a39187886875a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum:   170908 4cbff185bb88b1c7e11791059cd83142
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_alpha.deb
      Size/MD5 checksum:    62736 f42571aa18001fc521be0f5348eb9511

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum:  9412474 fcd7ced169a47d7413197a918047036a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum:   165706 931ebeee155ac01fcecb1467388a2fab
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_amd64.deb
      Size/MD5 checksum:    61276 cf839454fe9e09a0b58641353f9c75c6

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum:  8233670 39a042f6300c805ad372828fd115cab0
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum:   157176 873eb90c91c98e1c4168f215b493fd74
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_arm.deb
      Size/MD5 checksum:    56586 c53ca4b95b188684381338eae43603cc

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum: 10287242 8a7eddef738dfe4eb164bd5e486474a2
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum:   168624 fa195e512062a19cf92018de4009160d
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_hppa.deb
      Size/MD5 checksum:    61736 b0dbfbbce97f954c9487a126d20b9a90

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum:  8908194 9cfe0ac430050c7d62066cd3f8beb64f
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum:   160902 77a78dd1eac37417b4a5629e745e4391
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_i386.deb
      Size/MD5 checksum:    58124 f82b3d3fc66e1054d5da72a69ab9bd20

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum: 11646376 83d5349be8156e1f95eb75da89beb578
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum:   171244 46ae3d6d9112d31f92407922832e6599
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_ia64.deb
      Size/MD5 checksum:    65934 690969e2e7a865faee22ed6fb8a88384

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_m68k.deb
      Size/MD5 checksum:  8186050 ab9f31d6cbd9ff6c1820c59ef1e44ce7
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_m68k.deb
      Size/MD5 checksum:   159792 69c3cf68fc12fd5fb3929339aa8cd9cb
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_m68k.deb
      Size/MD5 checksum:    57394 14636fe25df3a18c536819129e83e1a0

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_mips.deb
      Size/MD5 checksum:  9943474 75b7796d42079421a151bfac35a17f95
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_mips.deb
      Size/MD5 checksum:   158694 a3c6f1c71947cb5e9c2fc8d8acece832
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_mips.deb
      Size/MD5 checksum:    58386 395683ab3ebb0983e24bc3afde8d28f5

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge12_mipsel.deb
      Size/MD5 checksum:  9819470 41ecbd5f3543c0b110771e93e2307abc
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge12_mipsel.deb
      Size/MD5 checksum:   157672 43ca2a353bacf378a2dc7dfa9a7f3a73
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge12_mipsel.deb
      Size/MD5 checksum:    57634 8d16796108c3a7627ab9654e977277a5

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_powerpc.deb
      Size/MD5 checksum:  8580222 c2f239d0961911962bea6b7f7bf1cdc1
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_powerpc.deb
      Size/MD5 checksum:   159320 5a5ea9d8a9f7a845bc1898b0c9976112
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_powerpc.deb
      Size/MD5 checksum:    60508 3ce3df0f45aeef3acb1964960bf76406

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_s390.deb
      Size/MD5 checksum:  9650866 9fd3e3788898152580a0ab344112b5ab
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_s390.deb
      Size/MD5 checksum:   166290 70bcea0f67fc9d0288c75bb2ad8e7b36
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_s390.deb
      Size/MD5 checksum:    60696 7d6b7a3cf65fa798f3e41275f4bb9967

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_sparc.deb
      Size/MD5 checksum:  8672090 c32301aeb3eb3ebbad2ff26f56d3e9ee
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_sparc.deb
      Size/MD5 checksum:   159508 7c3fd5b5a0c78c8abf09082dcb06bbfc
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_sparc.deb
      Size/MD5 checksum:    56946 0b154ceb732d771ca492e4d98ea21350


  These files will probably be moved into the stable distribution on
  its next update.
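
The Upgrade Instructions fetch each file by hand with wget and install it with dpkg -i, and the listing above gives a size and MD5 for every file so the download can be checked first. The shell functions below are an added example, not part of the Debian advisory: they assume the advisory text is saved to a file and that GNU md5sum is available, and the function names, example.invalid and demo_1.0_all.deb are made up for the illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): check a downloaded file against the
# advisory's "Size/MD5 checksum" listing before running dpkg -i on it.
# Assumes GNU coreutils md5sum; all function names are made up for this example.

# size_md5 FILE: print "SIZE MD5" in the same order the advisory lists them.
size_md5() {
    echo "$(wc -c < "$1" | tr -d ' ') $(md5sum "$1" | cut -d' ' -f1)"
}

# dsa_expected ADVISORY NAME: print the listed "SIZE MD5" for the URL whose
# last path component is NAME; status 1 if the advisory does not list it.
dsa_expected() {
    awk -v name="$2" '
        # A URL line names a file; the checksum line after it describes it.
        /^[ \t]*(http|ftp):\/\// { n = split($1, p, "/"); cur = p[n]; next }
        /Size\/MD5 checksum:/ {
            if (cur == name) { print $(NF-1), $NF; found = 1; exit }
            cur = ""
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# dsa_verify ADVISORY FILE: status 0 only if size and MD5 both match.
dsa_verify() {
    want=$(dsa_expected "$1" "$(basename "$2")") || {
        echo "not listed in advisory: $2" >&2; return 1; }
    got=$(size_md5 "$2")
    [ "$want" = "$got" ] && { echo "OK: $2"; return 0; }
    echo "MISMATCH: $2 (listed $want, found $got)" >&2
    return 1
}

# Constructed demo: a stand-in package plus a listing in the advisory's layout
# (example.invalid and demo_1.0_all.deb are invented sample values).
dsa_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed package payload\n' > "$d/demo_1.0_all.deb"
    {
        echo "    http://example.invalid/pool/demo_1.0_all.deb"
        echo "      Size/MD5 checksum: $(size_md5 "$d/demo_1.0_all.deb")"
    } > "$d/advisory.txt"
    dsa_verify "$d/advisory.txt" "$d/demo_1.0_all.deb" || return 1    # intact
    echo tampered >> "$d/demo_1.0_all.deb"                           # modified
    dsa_verify "$d/advisory.txt" "$d/demo_1.0_all.deb" 2>/dev/null && return 1
    rm -rf "$d"
}

dsa_demo && echo "demo passed"
```

Matching is on the exact file name, so mozilla-firefox_..._i386.deb is never confused with the dom-inspector or gnome-support package of the same version. The listing is only as trustworthy as the advisory text that carries it, so check the advisory's PGP signature before relying on the checksums.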

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFcvzPW5ql+IAeqTIRAv/HAJwNUC+NOPCf2Nq1161rGipNubPqDQCfWnmg
FvfjUK0FBtQjuT9x9Fg3gu8=
=1YQv
-----END PGP SIGNATURE-----
