FSA/F7/FEDORA-2007-0001

[SECURITY] Fedora 7 Update: firefox-2.0.0.4-1.fc7
Fedora Update Notification FEDORA-2007-0001

Name        : firefox
Product     : Fedora 7
Version     : 2.0.0.4
Release     : 1.fc7
Summary     : Mozilla Firefox Web browser.
Description : Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

Update Information:

Updated firefox packages that fix several security bugs are now available for Fedora 7 (Corrected).

This update has been rated as having critical security impact by the Fedora Security Response Team.

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed JavaScript code. A web page containing malicious JavaScript code could cause Firefox to crash or potentially execute arbitrary code as the user running Firefox. (CVE-2007-2867, CVE-2007-2868)

A flaw was found in the way Firefox handled certain FTP PASV commands. A malicious FTP server could use this flaw to perform a rudimentary port-scan of machines behind a user's firewall. (CVE-2007-1562)

Several denial of service flaws were found in the way Firefox handled certain form and cookie data. A malicious web site that is able to set arbitrary form and cookie data could prevent Firefox from functioning properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Firefox handled the addEventListener JavaScript method. A malicious web site could use this method to access or modify sensitive data from another web site. (CVE-2007-2870)

A flaw was found in the way Firefox displayed certain web content. A malicious web page could generate content that would overlay user interface elements such as the hostname and security indicators, tricking users into thinking they are visiting a different site. (CVE-2007-2871)

Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 2.0.0.4 that corrects these issues.

ChangeLog:

* Wed May 30 2007 Christopher Aillon 2.0.0.4-1
- Final version

* Wed May 23 2007 Christopher Aillon 2.0.0.4-0.rc3
- Update to 2.0.0.4 RC3

References:

- Bug #241840 - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241840
- CVE-2007-1362 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1362
- CVE-2007-1562 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1562
- CVE-2007-2867 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867
- CVE-2007-2868 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868
- CVE-2007-2869 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2869
- CVE-2007-2870 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2870
- CVE-2007-2871 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871

Updated packages:


This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://docs.fedoraproject.org/yum/.