Red Hat Product Errata RHSA-2007:1082 - Security Advisory
Issued:
2007-11-26
Updated:
2007-11-26

RHSA-2007:1082 - Security Advisory

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Description

Mozilla Firefox is an open source Web browser.

A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)

Users of Firefox are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.6 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.6 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.6 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.5 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.5 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.1 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.1 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 394211 - CVE-2007-5947 Mozilla jar: protocol XSS
  • BZ - 394241 - CVE-2007-5959 Multiple flaws in Firefox
  • BZ - 394261 - CVE-2007-5960 Mozilla Cross-site Request Forgery flaw

Red Hat Enterprise Linux Server 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
ia64
firefox-1.5.0.12-7.el5.ia64.rpm SHA-256: 3d73970d117576e4b55eb5c69158bf3bd34f509dead1faa3dca222ab3a6c07f9
firefox-devel-1.5.0.12-7.el5.ia64.rpm SHA-256: 37a4891ac786e81ea5c7cc1acdb3415abe6ac65d2cedb6dff3bef2fe0efaed4d
i386
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

Red Hat Enterprise Linux Server 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Workstation 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
i386
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

Red Hat Enterprise Linux Workstation 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Desktop 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
i386
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4

Red Hat Enterprise Linux Desktop 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
i386
firefox-1.5.0.12-0.8.el4.i386.rpm SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
s390x
firefox-1.5.0.12-7.el5.s390.rpm SHA-256: 3f1de3d0124730a5be75d0dd70ebf365357f4b3edc40b0475af4e47eb933e815
firefox-1.5.0.12-7.el5.s390x.rpm SHA-256: 02acfbf3c91583c680e53ba48ed7ff6dc06be15b3bff2b4fcc7a6d562fba4ad4
firefox-devel-1.5.0.12-7.el5.s390.rpm SHA-256: 7a7f2e191d392f9b4a7256ca278a921c5470ae6251ca7c3cec14b625866d91fc
firefox-devel-1.5.0.12-7.el5.s390x.rpm SHA-256: f3841d257308d4703518797fb056f1f757e31ab4be310cde48db32e8980a2cd1

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.1

SRPM
s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for Power, big endian 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
ppc
firefox-1.5.0.12-7.el5.ppc.rpm SHA-256: 27e0961913053585dca6fd57a108d50e5008478204b0cf0f245cb7c403a9daee
firefox-devel-1.5.0.12-7.el5.ppc.rpm SHA-256: 6f8b2d7952ef86b22367d102632793e556f8aec6e98994d9df766e484824a8f9

Red Hat Enterprise Linux for Power, big endian 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.1

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux Server from RHUI 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
i386
firefox-1.5.0.12-7.el5.i386.rpm SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.