Heads up! Firefox & Mozilla

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Folks,

Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing
a set of critical vulnerabilities.  The upstream (mozilla.org) chose
*not*, however, to release the Mozilla code for 1.7.13 yet, but I am told
that the updated Mozilla will be released officially in the near future.  
We may, however, be able to get our hands on the sources before then and
get it in the pipeline for QA and such.

Some of the critical issues (potential remotely exploited code execution)  
can be mitigated by turning off Javascript, but not all, as there is one
issue that I am told that can be triggered by HTML tags.  From MFSA
2006-18 <http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>,
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>:

   "A particular sequence of HTML tags that reliably crash Mozilla clients
   was reported by an anonymous researcher via TippingPoint and the Zero
   Day Initiative. The crash is due to memory corruption that can be
   exploited to run arbitary code.

   "Mozilla mail clients will crash on the tag sequence, but without the
   ability to run scripts to fill memory with the attack code it may not
   be possible for an attacker to exploit this crash."

These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and
1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0,
according to CVE-2006-0749.

Be careful out there!  We'll get these out for Legacy as soon as we can.

	Regards,
	David Eisenstein


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux