-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1225-1 security@xxxxxxxxxx http://www.debian.org/security/ Martin Schulze December 3rd, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : mozilla-firefox Vulnerability : several Problem type : remote Debian-specific: no CVE IDs : CVE-2006-4310 CVE-2006-5462 CVE-2006-5463 CVE-2006-5464 CVE-2006-5748 CERT advisories: VU#335392 VU#390480 VU#495288 VU#714496 BugTraq IDs : 19678 20957 Several security related problems have been discovered in Mozilla and derived products such as Mozilla Firefox. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2006-4310 Tomas Kempinsky discovered that malformed FTP server responses could lead to denial of service. CVE-2006-5462 Ulrich Kühn discovered that the correction for a cryptographic flaw in the handling of PKCS-1 certificates was incomplete, which allows the forgery of certificates. CVE-2006-5463 "shutdown" discovered that modification of JavaScript objects during execution could lead to the execution of arbitrary JavaScript bytecode. CVE-2006-5464 Jesse Ruderman and Martijn Wargers discovered several crashes in the layout engine, which might also allow execution of arbitrary code. CVE-2006-5748 Igor Bukanov and Jesse Ruderman discovered several crashes in the JavaScript engine, which might allow execution of arbitrary code. This update also adresses several crashes, which could be triggered by malicious websites and fixes a regression introduced in the previous Mozilla update. For the stable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge13. For the unstable distribution (sid) these problems have been fixed in the current iceweasel package 2.0+dfsg-1. We recommend that you upgrade your mozilla-firefox package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.dsc Size/MD5 checksum: 1003 4a8d05c1e9563e6066ca838e7c0b2f53 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13.diff.gz Size/MD5 checksum: 450265 46d4bedf12a1e0c92a275ae012d92b5a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d Alpha architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_alpha.deb Size/MD5 checksum: 11182242 388bf02a94456182cd7a39187886875a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_alpha.deb Size/MD5 checksum: 170908 4cbff185bb88b1c7e11791059cd83142 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_alpha.deb Size/MD5 checksum: 62736 f42571aa18001fc521be0f5348eb9511 AMD64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_amd64.deb Size/MD5 checksum: 9412474 fcd7ced169a47d7413197a918047036a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_amd64.deb Size/MD5 checksum: 165706 931ebeee155ac01fcecb1467388a2fab http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_amd64.deb Size/MD5 checksum: 61276 cf839454fe9e09a0b58641353f9c75c6 ARM architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_arm.deb Size/MD5 checksum: 8233670 39a042f6300c805ad372828fd115cab0 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_arm.deb Size/MD5 checksum: 157176 873eb90c91c98e1c4168f215b493fd74 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_arm.deb Size/MD5 checksum: 56586 c53ca4b95b188684381338eae43603cc HP Precision architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_hppa.deb Size/MD5 checksum: 10287242 8a7eddef738dfe4eb164bd5e486474a2 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_hppa.deb Size/MD5 checksum: 168624 fa195e512062a19cf92018de4009160d http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_hppa.deb Size/MD5 checksum: 61736 b0dbfbbce97f954c9487a126d20b9a90 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_i386.deb Size/MD5 checksum: 8908194 9cfe0ac430050c7d62066cd3f8beb64f http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_i386.deb Size/MD5 checksum: 160902 77a78dd1eac37417b4a5629e745e4391 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_i386.deb Size/MD5 checksum: 58124 f82b3d3fc66e1054d5da72a69ab9bd20 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_ia64.deb Size/MD5 checksum: 11646376 83d5349be8156e1f95eb75da89beb578 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_ia64.deb Size/MD5 checksum: 171244 46ae3d6d9112d31f92407922832e6599 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_ia64.deb Size/MD5 checksum: 65934 690969e2e7a865faee22ed6fb8a88384 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_m68k.deb Size/MD5 checksum: 8186050 ab9f31d6cbd9ff6c1820c59ef1e44ce7 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_m68k.deb Size/MD5 checksum: 159792 69c3cf68fc12fd5fb3929339aa8cd9cb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_m68k.deb Size/MD5 checksum: 57394 14636fe25df3a18c536819129e83e1a0 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 9943474 75b7796d42079421a151bfac35a17f95 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 158694 a3c6f1c71947cb5e9c2fc8d8acece832 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_mips.deb Size/MD5 checksum: 58386 395683ab3ebb0983e24bc3afde8d28f5 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 9819470 41ecbd5f3543c0b110771e93e2307abc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 157672 43ca2a353bacf378a2dc7dfa9a7f3a73 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge12_mipsel.deb Size/MD5 checksum: 57634 8d16796108c3a7627ab9654e977277a5 PowerPC architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 8580222 c2f239d0961911962bea6b7f7bf1cdc1 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 159320 5a5ea9d8a9f7a845bc1898b0c9976112 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_powerpc.deb Size/MD5 checksum: 60508 3ce3df0f45aeef3acb1964960bf76406 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 9650866 9fd3e3788898152580a0ab344112b5ab http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 166290 70bcea0f67fc9d0288c75bb2ad8e7b36 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_s390.deb Size/MD5 checksum: 60696 7d6b7a3cf65fa798f3e41275f4bb9967 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 8672090 c32301aeb3eb3ebbad2ff26f56d3e9ee http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 159508 7c3fd5b5a0c78c8abf09082dcb06bbfc http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge13_sparc.deb Size/MD5 checksum: 56946 0b154ceb732d771ca492e4d98ea21350 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFcvzPW5ql+IAeqTIRAv/HAJwNUC+NOPCf2Nq1161rGipNubPqDQCfWnmg FvfjUK0FBtQjuT9x9Fg3gu8= =1YQv -----END PGP SIGNATURE-----