seamonkey security update

2007-11-30T03:00:22
ID CESA-2007:1084-01
Type centos
Reporter CentOS Project
Modified 2007-11-30T03:00:22

Description

CentOS Errata and Security Advisory CESA-2007:1084-01

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

A cross-site scripting flaw was found in the way SeaMonkey handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running SeaMonkey. (CVE-2007-5947)

Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2007-5959)

A race condition existed when Seamonkey set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960)

Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2007-November/026508.html

Affected packages: seamonkey seamonkey-chat seamonkey-devel seamonkey-dom-inspector seamonkey-js-debugger seamonkey-mail seamonkey-nspr seamonkey-nspr-devel seamonkey-nss seamonkey-nss-devel

Upstream details at: https://rhn.redhat.com/errata/rh21as-errata.html