Re: Heads up! Firefox & Mozilla

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2006-04-17 at 10:24 -0500, David Eisenstein wrote:
> Hi Folks,
> 
> Over the (HOLIDAY!) weekend, Mozilla released a new Firefox (1.0.8) fixing
> a set of critical vulnerabilities.  The upstream (mozilla.org) chose
> *not*, however, to release the Mozilla code for 1.7.13 yet, but I am told
> that the updated Mozilla will be released officially in the near future.  
> We may, however, be able to get our hands on the sources before then and
> get it in the pipeline for QA and such.
> 
> Some of the critical issues (potential remotely exploited code execution)  
> can be mitigated by turning off Javascript, but not all, as there is one
> issue that I am told that can be triggered by HTML tags.  From MFSA
> 2006-18 <http://www.mozilla.org/security/announce/2006/mfsa2006-18.html>,
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0749>:
> 
>    "A particular sequence of HTML tags that reliably crash Mozilla clients
>    was reported by an anonymous researcher via TippingPoint and the Zero
>    Day Initiative. The crash is due to memory corruption that can be
>    exploited to run arbitary code.
> 
>    "Mozilla mail clients will crash on the tag sequence, but without the
>    ability to run scripts to fill memory with the attack code it may not
>    be possible for an attacker to exploit this crash."
> 
> These issues affect Mozilla Firefox and Thunderbird 1.x before 1.5 and
> 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before 1.0,
> according to CVE-2006-0749.
> 
> Be careful out there!  We'll get these out for Legacy as soon as we can.

Updates have been announced for Fedora Core 4 and Fedora Core 5. It
should be easy enough to rebuild it and provide them for Fedora Legacy.

Rahul


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux