Oval Definition:oval:com.redhat.rhsa:def:20120079
Revision Date:2012-02-01Version:640
Title:RHSA-2012:0079: firefox security update (Critical)
Description:Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

  • A use-after-free flaw was found in the way Firefox removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2011-3659)

  • Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0442)

  • A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0444)

  • A flaw was found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). A web page containing a malicious SVG image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0449)

  • The same-origin policy in Firefox treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets. (CVE-2011-3670)

    For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.26. You can find a link to the Mozilla advisories in the References section of this erratum.

    All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.26, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
    • Family:unixClass:patch
    Status:Reference(s):CVE-2011-3659
    CVE-2011-3659
    CVE-2011-3670
    CVE-2011-3670
    CVE-2012-0442
    CVE-2012-0442
    CVE-2012-0444
    CVE-2012-0444
    CVE-2012-0449
    CVE-2012-0449
    RHSA-2012:0079
    RHSA-2012:0079-01
    RHSA-2012:0079-01
    Platform(s):Red Hat Enterprise Linux 4
    Red Hat Enterprise Linux 5
    Red Hat Enterprise Linux 6
    		Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 4 is installed
  • AND firefox is earlier than 0:3.6.26-2.el4
  • AND firefox is signed with Red Hat redhatrelease2 key
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • xulrunner is earlier than 0:1.9.2.26-1.el5_7
  • AND xulrunner is signed with Red Hat redhatrelease2 key
  • xulrunner-devel is earlier than 0:1.9.2.26-1.el5_7
  • AND xulrunner-devel is signed with Red Hat redhatrelease2 key
  • firefox is earlier than 0:3.6.26-1.el5_7
  • AND firefox is signed with Red Hat redhatrelease2 key
  • OR Package Information
  • Red Hat Enterprise Linux 6 is installed
  • AND
  • xulrunner is earlier than 0:1.9.2.26-1.el6_2
  • AND xulrunner is signed with Red Hat redhatrelease2 key
  • xulrunner-devel is earlier than 0:1.9.2.26-1.el6_2
  • AND xulrunner-devel is signed with Red Hat redhatrelease2 key
  • firefox is earlier than 0:3.6.26-1.el6_2
  • AND firefox is signed with Red Hat redhatrelease2 key
    • BACK