Hi Folks,

Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing a set of critical vulnerabilities. The upstream (mozilla.org) chose *not*, however, to release the Mozilla code for 1.7.13 yet, but I am told that the updated Mozilla will be released officially in the near future. We may, however, be able to get our hands on the sources before then and get it in the pipeline for QA and such.

Some of the critical issues (potential remotely exploited code execution) can be mitigated by turning off Javascript, but not all, as there is one issue that I am told can be triggered by HTML tags.

From MFSA 2006-18 <http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>, <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>:

   "A particular sequence of HTML tags that reliably crash Mozilla clients was reported by an anonymous researcher via TippingPoint and the Zero Day Initiative. The crash is due to memory corruption that can be exploited to run arbitrary code.

   "Mozilla mail clients will crash on the tag sequence, but without the ability to run scripts to fill memory with the attack code it may not be possible for an attacker to exploit this crash."

These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0, according to CVE-2006-0749.

Be careful out there! We'll get these out for Legacy as soon as we can.

Regards,
David Eisenstein