Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src / Print Next >>

Date: Sat, 3 Mar 2007 17:34:19 +0100
From: Raphael Marichez <falco@gentoo.org.>
To: gentoo-announce@gentoo.org
Subject: [ GLSA 200703-05 ] Mozilla Suite: Multiple vulnerabilities
Message-ID: <20070303163419.GB8439@falco.falcal.net.>
Mail-Followup-To: gentoo-announce@gentoo.org,
        bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
        security-alerts@linuxsecurity.com
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="9zSXsLTf0vkW971A"
Content-Disposition: inline
X-Web: http://falco.bz/
X-GPG-fingerprint: 04EB 153A 6B28 3E80 87A9  9B4F A77C 4BDE 021C 5BD2
X-GPG-Key: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0x021C5BD2
X-GPG-Subkey: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0x0114FC45
Organization: Gentoo Linux Security Team
User-Agent: mutt-ng/devel-r804 (Linux)
X-Virus-Scanned: antivirus-gw at tyumen.ru


--9zSXsLTf0vkW971A
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


  Severity: Normal
     Title: Mozilla Suite: Multiple vulnerabilities
      Date: March 03, 2007
      Bugs: #135257
        ID: 200703-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

Several vulnerabilities exist in the Mozilla Suite, which is no longer
supported by the Mozilla project.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader.

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla          <=3D 1.7.13                 Vulnerable!
  2  www-client/mozilla-bin      <=3D 1.7.13                 Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------


Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Several vulnerabilities ranging from code execution with elevated
privileges to information leaks affect the Mozilla Suite.

Impact
=3D=3D=3D=3D=3D=3D

A remote attacker could entice a user to browse to a specially crafted
website or open a specially crafted mail that could trigger some of the
vulnerabilities, potentially allowing execution of arbitrary code,
denials of service, information leaks, or cross-site scripting attacks
leading to the robbery of cookies of authentication credentials.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Most of the issues, but not all of them, can be prevented by disabling
the HTML rendering in the mail client and JavaScript on every
application.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The Mozilla Suite is no longer supported and has been masked after some
necessary changes on all the other ebuilds which used to depend on it.
Mozilla Suite users should unmerge www-client/mozilla or
www-client/mozilla-bin, and switch to a supported product, like
SeaMonkey, Thunderbird or Firefox.

   =20
    # emerge --unmerge "www-client/mozilla"
   =20
    # emerge --unmerge "www-client/mozilla-bin"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

  [ 1 ] Official Advisory
        http://www.mozilla.org/projects/security/known-vulnerabilities.html=
#Mozilla

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-05.xml

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

--9zSXsLTf0vkW971A
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBRemjizvRww8BFPxFAQKKEAf7BQ5yI3p1M3tft8S4YytsMVLcnLU+XQrX
li1bM4+3ZZHmnEdWWiGQtxCyQHtwkqhltmkYztrvQmL+cZmFPfdHkbgXUhttbE2y
qj4nhIufj+LeXROjeNgQ6ZCaizc+qezrQy/UUlpKT2Jr3GVY6Ef3mWGVf9DWXakW
IxrOJTzCB1ViP59nzJfTreLvNCjfg2RTeix8Bu2v5kMfPwnxL2ghBbi4TRV0R5kE
pPlwpri4T2gm+PWy1isT8av7U1HspvsZwWRr0oemeC7ikfTV4NBqxIylqfGIhUjT
LxhtTnE8PVIZP9MT3dNBRbC0R955GQVagYZnSeHtPj5MuDIMTq50eg==
=ZR9b
-----END PGP SIGNATURE-----

--9zSXsLTf0vkW971A--

<< Previous INDEX Search src / Print Next >>

Партнёры:

Хостинг: