firefox security update

CentOS Errata and Security Advisory CESA-2007:0079

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed
JavaScript code. A malicious web page could execute JavaScript code in such
a way that may result in Firefox crashing or executing arbitrary code as
the user running Firefox. (CVE-2007-0775, CVE-2007-0777)

Several cross-site scripting (XSS) flaws were found in the way Firefox
processed certain malformed web pages. A malicious web page could display
misleading information which may result in a user unknowingly divulging
sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995,
CVE-2007-0996)

A flaw was found in the way Firefox cached web pages on the local disk. A
malicious web page may be able to inject arbitrary HTML into a browsing
session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way Firefox displayed certain web content. A
malicious web page could generate content which could overlay user
interface elements such as the hostname and security indicators, tricking a
user into thinking they are visiting a different site. (CVE-2007-0779)

Two flaws were found in the way Firefox displayed blocked popup windows. If
a user can be convinced to open a blocked popup, it is possible to read
arbitrary local files, or conduct an XSS attack against the user.
(CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
Firefox. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Firefox handled the “location.hostname” value
during certain browser domain checks. This flaw could allow a malicious web
site to set domain cookies for an arbitrary site, or possibly perform an
XSS attack. (CVE-2007-0981)

Users of Firefox are advised to upgrade to these erratum packages, which
contain Firefox version 1.5.0.10 that corrects these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-February/075726.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075728.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075729.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075730.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075735.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075736.html

Affected packages:
firefox

Upstream details at:
https://access.redhat.com/errata/RHSA-2007:0079