| CVSS2 | Value |
|---|---|
| Base Score | 7.5 High |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
We found that the Mozilla Firefox update from DSA 779-1 unfortunately
introduced a regression in several cases. Since the usual practice of
backporting apparently does not work here, this update is essentially
version 1.0.6 with the version number rolled back, and hence is still
named 1.0.4-*. For completeness, the original advisory text follows:
>
> Several problems have been discovered in Mozilla Firefox, a
> lightweight web browser based on Mozilla. The Common Vulnerabilities
> and Exposures project identifies the following problems:
>
> * CAN-2005-2260
> The browser user interface does not properly distinguish between
> user-generated events and untrusted synthetic events, which makes
> it easier for remote attackers to perform dangerous actions that
> normally could only be performed manually by the user.
>
> * CAN-2005-2261
> XML scripts ran even when JavaScript was disabled.
>
> * CAN-2005-2262
> The user can be tricked into executing arbitrary JavaScript code by
> using a JavaScript URL as wallpaper.
>
> * CAN-2005-2263
> It is possible for a remote attacker to execute a callback
> function in the context of another domain (i.e. frame).
>
> * CAN-2005-2264
> By opening a malicious link in the sidebar it is possible for
> remote attackers to steal sensitive information.
>
> * CAN-2005-2265
> Missing input sanitising of InstallVersion.compareTo() can cause
> the application to crash.
>
> * CAN-2005-2266
> Remote attackers could steal sensitive information such as cookies
> and passwords from web sites by accessing data in alien frames.
>
> * CAN-2005-2267
> By using standalone applications such as Flash and QuickTime to
> open a javascript: URL, it is possible for a remote attacker to
> steal sensitive information and possibly execute arbitrary code.
>
> * CAN-2005-2268
> It is possible for a JavaScript dialog box to spoof a dialog box
> from a trusted site, which facilitates phishing attacks.
>
> * CAN-2005-2269
> Remote attackers could modify certain tag properties of DOM nodes
> that could lead to the execution of arbitrary script or code.
>
> * CAN-2005-2270
> The Mozilla browser family does not properly clone base objects,
> which allows remote attackers to execute arbitrary code.
>
The old stable distribution (woody) is not affected by these problems.
For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge3.
For the unstable distribution (sid) these problems have been fixed in
version 1.0.6-1.
We recommend that you upgrade your Mozilla Firefox packages.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | mozilla-firefox | eq | 1.0.4-2sarge1 |
| | mozilla-firefox | eq | 1.0.4-2 |