firefox security update

2006-11-09T21:11:25
ID CESA-2006:0733
Type centos
Reporter CentOS Project
Modified 2006-11-10T19:15:56

Description

CentOS Errata and Security Advisory CESA-2006:0733

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processes certain malformed Javascript code. A malicious web page could cause the execution of Javascript code in such a way that could cause Firefox to crash or execute arbitrary code as the user running Firefox. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748)

Several flaws were found in the way Firefox renders web pages. A malicious web page could cause the browser to crash or possibly execute arbitrary code as the user running Firefox. (CVE-2006-5464)

A flaw was found in the way Firefox verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Firefox as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in Firefox 1.5.0.7, however Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462)

Users of Firefox are advised to upgrade to these erratum packages, which contain Firefox version 1.5.0.8 that corrects these issues.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2006-November/025416.html http://lists.centos.org/pipermail/centos-announce/2006-November/025419.html http://lists.centos.org/pipermail/centos-announce/2006-November/025420.html http://lists.centos.org/pipermail/centos-announce/2006-November/025435.html

Affected packages: firefox

Upstream details at: https://rhn.redhat.com/errata/RHSA-2006-0733.html