[CLA-2003:568] Conectiva Linux Security Announcement - mozilla
Date: Thu, 13 Feb 2003 15:55:26 -0200
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
Subject: [CLA-2003:568] Conectiva Linux Security Announcement - mozilla
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : mozilla
SUMMARY : Several vulnerabilities
DATE : 2003-02-13 15:54:00
ID : CLA-2003:568
RELEVANT
RELEASES : 6.0, 7.0, 8
- -------------------------------------------------------------------------
DESCRIPTION
Mozilla is an open-source web browser designed for standards
compliance, performance and portability.
This update addresses several vulnerabilities found after the mozilla
1.0rc2 release, wich was the last version sent as an official
update[1] for Conectiva Linux distributions. A complete list of such
vulnerabilities can be obtained in [2,3], and details about the most
known ones in [5,6,7,8,9].
A remote attacker could exploit these vulnerabilities by creating
malicious web pages that, when acessed, would crash the browser,
potentially allow remote arbitrary code execution or cause some sort
of unexpected behavior.
The packages from this update are of Mozilla 1.2.1, which is the
latest stable release[10] from mozilla.org and includes fixes for the
known vulnerabilities. Besides the security fixes, it also includes
several new features and other minor corrections.
The vulnerabilities aforementioned also affect the Galeon web
browser, which uses the Mozilla engine. Galeon is being updated to
the version 1.2.7 in Conectiva Linux 8, but not in Conectiva Linux
6.0 and 7.0. The Galeon version distributed in these versions of
Conectiva Linux was in its early stages of development and would not
work with the new Mozilla packages. A new version of Galeon for these
distributions would need many other updated packages and therefore
will not be provided.
SOLUTION
All mozilla and galeon users should upgrade. Galeon users on
Conectiva Linux 6.0 and 7.0 should consider upgrading their
distribution or choosing another browser.
REFERENCES:
1.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490
2.http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html
3.http://www.mozilla.org/projects/security/known-vulnerabilities.html
4.http://online.securityfocus.com/bid/5665/discussion/
5.http://online.securityfocus.com/bid/5694/discussion/
6.http://online.securityfocus.com/bid/5757/discussion/
7.http://online.securityfocus.com/bid/5759/discussion/
8.http://online.securityfocus.com/bid/5762/discussion/
9.http://online.securityfocus.com/bid/5766/discussion/
10.http://www.mozilla.org/releases/mozilla1.2.1/
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mozilla-1.2.1-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mozilla-devel-1.2.1-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mozilla-1.2.1-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-devel-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-devel-static-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-irc-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-mail-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-psm-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mozilla-1.2.1-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-devel-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-devel-static-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-irc-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-mail-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-psm-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/galeon-1.2.7-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/galeon-devel-1.2.7-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mozilla-1.2.1-1U80_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/galeon-1.2.7-1U80_5cl.src.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+S9wN42jd0JmAcZARAqZcAJ46gKJh6DkblFy3ru866JtYOwtOvQCgt/Q2
nM+hTrbUCmSQs/BlJtiuFHs=
=96my
-----END PGP SIGNATURE-----
