Joey Hess
2005-Sep-01 17:01 UTC
[Secure-testing-commits] r1761 - in data/DTSA: . advs hints
Author: joeyh
Date: 2005-09-01 17:01:09 +0000 (Thu, 01 Sep 2005)
New Revision: 1761

Added:
   data/DTSA/DTSA-8-2
Modified:
   data/DTSA/advs/8-mozilla-firefox.adv
   data/DTSA/hints/joeyh
   data/DTSA/list

Log:
update firefox advisory since the DSA was updated

Added: data/DTSA/DTSA-8-2 ==================================================================--- data/DTSA/DTSA-8-2 2005-09-01 15:04:09 UTC (rev 1760) +++ data/DTSA/DTSA-8-2 2005-09-01 17:01:09 UTC (rev 1761) 
@@ -0,0 +1,117 @@ +------------------------------------------------------------------------------ +Debian Testing Security Advisory DTSA-8-2 http://secure-testing.debian.net +secure-testing-team@lists.alioth.debian.org Joey Hess +September 1st, 2005 +------------------------------------------------------------------------------ + +Package : mozilla-firefox +Vulnerability : several vulnerabilities (update) +Problem-Scope : remote +Debian-specific: No +CVE ID : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270 + +We experienced that the update for Mozilla Firefox from DTSA-8-1 +unfortunately was a regression in several cases. Since the usual +praxis of backporting apparently does not work, this update is +basically version 1.0.6 with the version number rolled back, and hence +still named 1.0.4-*. For completeness below is the original advisory +text: + +Several problems were discovered in Mozilla Firefox: + +CAN-2004-0718 CAN-2005-1937 + +A vulnerability has been discovered in Mozilla Firefox that allows remote +attackers to inject arbitrary Javascript from one page into the frameset of +another site. + +CAN-2005-2260 + +The browser user interface does not properly distinguish between +user-generated events and untrusted synthetic events, which makes it easier +for remote attackers to perform dangerous actions that normally could only be +performed manually by the user. + +CAN-2005-2261 + +XML scripts ran even when Javascript disabled. + +CAN-2005-2262 + +The user can be tricked to executing arbitrary JavaScript code by using a +JavaScript URL as wallpaper. + +CAN-2005-2263 + +It is possible for a remote attacker to execute a callback function in the +context of another domain (i.e. frame). + +CAN-2005-2264 + +By opening a malicious link in the sidebar it is possible for remote +attackers to steal sensitive information. 
+ +CAN-2005-2265 + +Missing input sanitising of InstallVersion.compareTo() can cause the +application to crash. + +CAN-2005-2266 + +Remote attackers could steal sensitive information such as cookies and +passwords from web sites by accessing data in alien frames. + +CAN-2005-2267 + +By using standalone applications such as Flash and QuickTime to open a +javascript: URL, it is possible for a remote attacker to steal sensitive +information and possibly execute arbitrary code. + +CAN-2005-2268 + +It is possible for a Javascript dialog box to spoof a dialog box from a +trusted site and facilitates phishing attacks. + +CAN-2005-2269 + +Remote attackers could modify certain tag properties of DOM nodes that could +lead to the execution of arbitrary script or code. + +CAN-2005-2270 + +The Mozilla browser family does not properly clone base objects, which allows +remote attackers to execute arbitrary code. + +Note that this is the same set of security fixes put into stable in +DSA-775 and DSA-779, and updated in DSA-779-2. + +For the testing distribution (etch) this is fixed in version +1.0.4-2sarge3 + +For the unstable distribution (sid) this is fixed in version +1.0.6-3 + +This upgrade is recommended if you use mozilla-firefox. + +The Debian testing security team does not track security issues for then +stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, +the Debian security team will make an announcement once a fix is ready. 
+ +Upgrade Instructions +-------------------- + +To use the Debian testing security archive, add the following lines to +your /etc/apt/sources.list: + +deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free +deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free + +The archive signing key can be downloaded from +http://secure-testing.debian.net/ziyi-2005-7.asc + +To install the update, run this command as root: + +apt-get update && apt-get install mozilla-firefox + +For further information about the Debian testing security team, please refer +to http://secure-testing.debian.net/ Modified: data/DTSA/advs/8-mozilla-firefox.adv ==================================================================--- data/DTSA/advs/8-mozilla-firefox.adv 2005-09-01 15:04:09 UTC (rev 1760) +++ data/DTSA/advs/8-mozilla-firefox.adv 2005-09-01 17:01:09 UTC (rev 1761) @@ -1,14 +1,21 @@ -dtsa: DTSA-8-1 +dtsa: DTSA-8-2 source: mozilla-firefox -date: August 28th, 2005 +date: September 1st, 2005 author: Joey Hess -vuln-type: several vulnerabilities +vuln-type: several vulnerabilities (update) problem-scope: remote debian-specific: no cve: CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270 -testing-fix: 1.0.4-2sarge2 +testing-fix: 1.0.4-2sarge3 sid-fix: 1.0.6-3 +We experienced that the update for Mozilla Firefox from DTSA-8-1 +unfortunately was a regression in several cases. Since the usual +praxis of backporting apparently does not work, this update is +basically version 1.0.6 with the version number rolled back, and hence +still named 1.0.4-*. For completeness below is the original advisory +text: + Several problems were discovered in Mozilla Firefox: CAN-2004-0718 CAN-2005-1937 
@@ -75,4 +82,4 @@ remote attackers to execute arbitrary code. Note that this is the same set of security fixes put into stable in -DSA-775 and DSA-779. +DSA-775 and DSA-779, and updated in DSA-779-2. Modified: data/DTSA/hints/joeyh ==================================================================--- data/DTSA/hints/joeyh 2005-09-01 15:04:09 UTC (rev 1760) +++ data/DTSA/hints/joeyh 2005-09-01 17:01:09 UTC (rev 1761) @@ -1,6 +1,6 @@ sync maildrop/1.5.3-1.1etch1 sync pcre3/6.3-0.1etch1 -sync mozilla-firefox/1.0.4-2sarge2 +sync mozilla-firefox/1.0.4-2sarge3 sync mozilla/2:1.7.8-1sarge1 sync centericq/4.20.0-8etch1 sync clamav/0.86.2-4etch1 Modified: data/DTSA/list ==================================================================--- data/DTSA/list 2005-09-01 15:04:09 UTC (rev 1760) +++ data/DTSA/list 2005-09-01 17:01:09 UTC (rev 1761) @@ -6,8 +6,8 @@ [31 Aug 2005] DTSA-9-1 bluez-utils - bad device name escaping - bluez-utils 2.19-0.1etch1 TODO: unreleased -[28 Aug 2005] DTSA-8-1 mozilla-firefox - several vulnerabilities - - mozilla-firefox 1.0.4-2sarge2 (high) +[28 Aug 2005] DTSA-8-2 mozilla-firefox - several vulnerabilities + - mozilla-firefox 1.0.4-2sarge3 (high) [28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing - mozilla 2:1.7.8-1sarge1 (high) [28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
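Review bot: in the new data/DTSA/DTSA-8-2 file, the Upgrade Instructions tell the reader to fetch the archive signing key over plain http (http://secure-testing.debian.net/ziyi-2005-7.asc) but give no key ID or fingerprint, so there is nothing to check the downloaded key against; add the fingerprint next to the URL, as the stable DSAs do. Two wording points in the same file: "does not track security issues for then stable (sarge)" should read "for the stable (sarge)", and "the usual praxis of backporting" would be clearer as "the usual practice of backporting".

Review bot: in the first data/DTSA/advs/8-mozilla-firefox.adv hunk, the added paragraph explains that the package is really 1.0.6 with the version rolled back, while testing-fix stays 1.0.4-2sarge3 and sid-fix stays 1.0.6-3; it is worth stating in that paragraph that 1.0.4-2sarge3 still sorts below 1.0.6-3, so a testing user who later moves to sid is not left on the rolled-back package.

Review bot: in the data/DTSA/list hunk, the entry is renamed from DTSA-8-1 to DTSA-8-2 and bumped to 1.0.4-2sarge3, but its date is left at [28 Aug 2005], whereas the advisory text and the .adv "date:" field now say September 1st, 2005; either change the list date to match or make it clear that list keeps the original issue date, so the two records do not disagree.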