Oval Definition:oval:com.redhat.rhsa:def:20070097
Revision Date:2008-03-20Version:638
Title:RHSA-2007:0097: firefox security update (Critical)
Description:Mozilla Firefox is an open source Web browser.

  • Flaws were found in the way Firefox executed malformed JavaScript code. A malicious web page could cause Firefox to crash or allow arbitrary code to be executed as the user running Firefox. (CVE-2007-0775, CVE-2007-0777)

  • Cross-site scripting (XSS) flaws were found in Firefox. A malicious web page could display misleading information, allowing a user to unknowingly divulge sensitive information, such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

  • A flaw was found in the way Firefox processed JavaScript contained in certain tags. A malicious web page could cause Firefox to execute JavaScript code with the privileges of the user running Firefox. (CVE-2007-0994)

  • A flaw was found in the way Firefox cached web pages on the local disk. A malicious web page may have been able to inject arbitrary HTML into a browsing session if the user reloaded a targeted site. (CVE-2007-0778)

  • Certain web content could overlay Firefox user interface elements such as the hostname and security indicators. A malicious web page could trick a user into thinking they were visiting a different site. (CVE-2007-0779)

  • Two flaws were found in Firefox's displaying of blocked popup windows. If a user could be convinced to open a blocked popup, it was possible to read arbitrary local files, or conduct a cross-site scripting attack against the user. (CVE-2007-0780, CVE-2007-0800)

  • Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Firefox. (CVE-2007-0008, CVE-2007-0009)

  • A flaw was found in the way Firefox handled the "location.hostname" value. A malicious web page could set domain cookies for an arbitrary site, or possibly perform a cross-site scripting attack. (CVE-2007-0981)

    Users of Firefox are advised to upgrade to this erratum package, containing Firefox version 1.5.0.10 which is not vulnerable to these issues.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2006-6077
    CVE-2007-0008
    CVE-2007-0009
    CVE-2007-0775
    CVE-2007-0777
    CVE-2007-0778
    CVE-2007-0779
    CVE-2007-0780
    CVE-2007-0800
    CVE-2007-0981
    CVE-2007-0994
    CVE-2007-0995
    CVE-2007-0996
    RHSA-2007:0097
    RHSA-2007:0097-02
    RHSA-2007:0097-02
    Platform(s):Red Hat Enterprise Linux 5
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • devhelp is earlier than 0:0.12-10.0.1.el5
  • AND devhelp is signed with Red Hat redhatrelease2 key
  • devhelp-devel is earlier than 0:0.12-10.0.1.el5
  • AND devhelp-devel is signed with Red Hat redhatrelease2 key
  • yelp is earlier than 0:2.16.0-14.0.1.el5
  • AND yelp is signed with Red Hat redhatrelease2 key
  • firefox is earlier than 0:1.5.0.10-2.el5
  • AND firefox is signed with Red Hat redhatrelease2 key
    • BACK