CentOS Errata and Security Advisory CESA-2005:587
Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.
A bug was found in the way Mozilla installed its extensions. If a user can be tricked into visiting a malicious webpage, it may be possible to obtain sensitive information such as cookies or passwords. (CAN-2005-2263)
A bug was found in the way Mozilla handled multiple frame domains. It is possible for a frame as part of a malicious website to inject content into a frame that belongs to another domain. This issue was previously fixed as CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)
A bug was found in the way Mozilla handled child frames. It is possible for a malicious framed page to steal sensitive information from its parent page. (CAN-2005-2266)
A bug was found in the way Mozilla cloned base objects. It is possible for Web content to traverse the prototype chain to gain access to privileged chrome objects. (CAN-2005-2270)
Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.7.10 and are not vulnerable to these issues.
Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2005-July/011948.html http://lists.centos.org/pipermail/centos-announce/2005-July/011963.html http://lists.centos.org/pipermail/centos-announce/2005-July/011964.html http://lists.centos.org/pipermail/centos-announce/2005-July/011965.html http://lists.centos.org/pipermail/centos-announce/2005-July/011966.html http://lists.centos.org/pipermail/centos-announce/2005-July/011967.html http://lists.centos.org/pipermail/centos-announce/2005-July/011968.html
Affected packages: devhelp devhelp-devel mozilla mozilla-chat mozilla-devel mozilla-dom-inspector mozilla-js-debugger mozilla-mail mozilla-nspr mozilla-nspr-devel mozilla-nss mozilla-nss-devel
Upstream details at: https://rhn.redhat.com/errata/RHSA-2005-587.html