Joey Hess
2005-Aug-28 21:13 UTC
[secure-testing-announce] [DTSA-7-1] New mozilla packages fix frame injection spoofing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-7-1
http://secure-testing.debian.net
secure-testing-team@lists.alioth.debian.org
Joey Hess
August 28th, 2005
- ------------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : frame injection spoofing
Problem-Scope  : remote
Debian-specific: No
CVE ID         : CAN-2004-0718 CAN-2005-1937

A vulnerability has been discovered in Mozilla that allows remote attackers
to inject arbitrary Javascript from one page into the frameset of another
site. Thunderbird is not affected by this and Galeon will be automatically
fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
be covered by a separate advisory.

For the testing distribution (etch) this is fixed in version
2:1.7.8-1sarge1

For the unstable distribution (sid) this is fixed in version
2:1.7.10-1

This upgrade is recommended if you use mozilla.

Note that this is the same security fix put into stable in DSA-777.

Upgrade Instructions
- --------------------

To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:

deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from
http://secure-testing.debian.net/ziyi-2005-7.asc

To install the update, run this command as root:

apt-get update && apt-get upgrade

For further information about the Debian testing security team, please refer
to http://secure-testing.debian.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDEh1p2tp5zXiKP0wRAj0vAJ4ypd9Uk+QoIGWcE96uvTEDzMrlzACgiK1b
MagU4/YlT5189qI3/Bt4ZQQ=D+Er
-----END PGP SIGNATURE-----