[GLSA-200712-21] Mozilla Firefox, SeaMonkey: Multiple vulnerabilities

Severity Normal

Affected Packages 4

Unaffected Packages 4

CVEs 3

Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Seamonkey.

Background

Mozilla Firefox is a cross-platform web browser from Mozilla. SeaMonkey
is a free, cross-platform Internet suite.

Description

Jesse Ruderman and Petko D. Petkov reported that the jar protocol
handler in Mozilla Firefox and Seamonkey does not properly check MIME
types (CVE-2007-5947). Gregory Fleischer reported that the
window.location property can be used to generate a fake HTTP Referer
(CVE-2007-5960). Multiple memory errors have also been reported
(CVE-2007-5959).

Impact

A remote attacker could possibly exploit these vulnerabilities to
execute arbitrary code in the context of the browser and conduct
Cross-Site-Scripting or Cross-Site Request Forgery attacks.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.11"

All Mozilla Firefox binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.11"

All SeaMonkey users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.7"

All SeaMonkey binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.7"

Package	Affected Version
pkg:ebuild/www-client/seamonkey?distro=gentoo	< 1.1.7
pkg:ebuild/www-client/seamonkey-bin?distro=gentoo	< 1.1.7
pkg:ebuild/www-client/mozilla-firefox?distro=gentoo	< 2.0.0.11
pkg:ebuild/www-client/mozilla-firefox-bin?distro=gentoo	< 2.0.0.11

Package	Unaffected Version
pkg:ebuild/www-client/seamonkey?distro=gentoo	>= 1.1.7
pkg:ebuild/www-client/seamonkey-bin?distro=gentoo	>= 1.1.7
pkg:ebuild/www-client/mozilla-firefox?distro=gentoo	>= 2.0.0.11
pkg:ebuild/www-client/mozilla-firefox-bin?distro=gentoo	>= 2.0.0.11

ID

GLSA-200712-21

Severity

normal

URL

https://security.gentoo.org/glsa/200712-21

Published

2007-12-29T00:00:00
(16 years ago)

Modified

2007-12-29T00:00:00
(16 years ago)

Rights

Gentoo Foundation, Inc.

Other Advisories

Source	# ID	Name	URL
CVE	CVE-2007-5947	CVE-2007-5947	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5947
CVE	CVE-2007-5959	CVE-2007-5959	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5959
CVE	CVE-2007-5960	CVE-2007-5960	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5960
Bugzilla	198965	Bugzilla #198965	https://bugs.gentoo.org/show_bug.cgi?id=198965
Bugzilla	200909	Bugzilla #200909	https://bugs.gentoo.org/show_bug.cgi?id=200909

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform
Affected	pkg:ebuild/www-client/seamonkey?distro=gentoo	www-client	seamonkey	< 1.1.7	gentoo
Unaffected	pkg:ebuild/www-client/seamonkey?distro=gentoo	www-client	seamonkey	>= 1.1.7	gentoo
Affected	pkg:ebuild/www-client/seamonkey-bin?distro=gentoo	www-client	seamonkey-bin	< 1.1.7	gentoo
Unaffected	pkg:ebuild/www-client/seamonkey-bin?distro=gentoo	www-client	seamonkey-bin	>= 1.1.7	gentoo
Affected	pkg:ebuild/www-client/mozilla-firefox?distro=gentoo	www-client	mozilla-firefox	< 2.0.0.11	gentoo
Unaffected	pkg:ebuild/www-client/mozilla-firefox?distro=gentoo	www-client	mozilla-firefox	>= 2.0.0.11	gentoo
Affected	pkg:ebuild/www-client/mozilla-firefox-bin?distro=gentoo	www-client	mozilla-firefox-bin	< 2.0.0.11	gentoo
Unaffected	pkg:ebuild/www-client/mozilla-firefox-bin?distro=gentoo	www-client	mozilla-firefox-bin	>= 2.0.0.11	gentoo

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date