Red Hat Product Errata RHSA-2007:1082 - Security Advisory

Issued:: 2007-11-26
Updated:: 2007-11-26

RHSA-2007:1082 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Topic

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Description

Mozilla Firefox is an open source Web browser.

A cross-site scripting flaw was found in the way Firefox handled the
jar: URI scheme. It was possible for a malicious website to leverage this
flaw and conduct a cross-site scripting attack against a user running
Firefox. (CVE-2007-5947)

Several flaws were found in the way Firefox processed certain malformed web
content. A webpage containing malicious content could cause Firefox to
crash, or potentially execute arbitrary code as the user running Firefox.
(CVE-2007-5959)

A race condition existed when Firefox set the "window.location" property
for a webpage. This flaw could allow a webpage to set an arbitrary Referer
header, which may lead to a Cross-site Request Forgery (CSRF) attack
against websites that rely only on the Referer header for protection.
(CVE-2007-5960)

Users of Firefox are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.1 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.1 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.1 i386
Red Hat Enterprise Linux Server - Extended Update Support 4.6 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 4.6 ia64
Red Hat Enterprise Linux Server - Extended Update Support 4.6 i386
Red Hat Enterprise Linux Server - Extended Update Support 4.5 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 4.5 ia64
Red Hat Enterprise Linux Server - Extended Update Support 4.5 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.1 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5 s390
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian 4 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.1 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 394211 - CVE-2007-5947 Mozilla jar: protocol XSS
BZ - 394241 - CVE-2007-5959 Multiple flaws in Firefox
BZ - 394261 - CVE-2007-5960 Mozilla Cross-site Request Forgery flaw

CVEs

References

http://www.redhat.com/security/updates/classification/#critical

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
ia64
firefox-1.5.0.12-7.el5.ia64.rpm	SHA-256: 3d73970d117576e4b55eb5c69158bf3bd34f509dead1faa3dca222ab3a6c07f9
firefox-devel-1.5.0.12-7.el5.ia64.rpm	SHA-256: 37a4891ac786e81ea5c7cc1acdb3415abe6ac65d2cedb6dff3bef2fe0efaed4d
i386
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

Red Hat Enterprise Linux Server 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Server - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Server - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Workstation 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
i386
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

Red Hat Enterprise Linux Workstation 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
ia64
firefox-1.5.0.12-0.8.el4.ia64.rpm	SHA-256: bc0be10bd26b598bced32184fabd0b168ec998b6add9f93a21337579fd1690f0
i386
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux Desktop 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
i386
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4

Red Hat Enterprise Linux Desktop 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
x86_64
firefox-1.5.0.12-0.8.el4.x86_64.rpm	SHA-256: e374e8cf27e8916267853f38234807d71807c5ace3f1c16f8e7f03a6bcbbc431
i386
firefox-1.5.0.12-0.8.el4.i386.rpm	SHA-256: db1044d7fcd0a850fef5fadfb2d42a5a3bca131976c25024891d0ba80b2d07d0

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
s390x
firefox-1.5.0.12-7.el5.s390.rpm	SHA-256: 3f1de3d0124730a5be75d0dd70ebf365357f4b3edc40b0475af4e47eb933e815
firefox-1.5.0.12-7.el5.s390x.rpm	SHA-256: 02acfbf3c91583c680e53ba48ed7ff6dc06be15b3bff2b4fcc7a6d562fba4ad4
firefox-devel-1.5.0.12-7.el5.s390.rpm	SHA-256: 7a7f2e191d392f9b4a7256ca278a921c5470ae6251ca7c3cec14b625866d91fc
firefox-devel-1.5.0.12-7.el5.s390x.rpm	SHA-256: f3841d257308d4703518797fb056f1f757e31ab4be310cde48db32e8980a2cd1

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm	SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm	SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm	SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm	SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
s390x
firefox-1.5.0.12-0.8.el4.s390x.rpm	SHA-256: 1056a12c13595519d7a3595a6e57365c218562ab37b04e4160c7070d79c7e678
s390
firefox-1.5.0.12-0.8.el4.s390.rpm	SHA-256: 9c8afa5602766ebd82e35b0ccc48d28793614f09c9b0d6d7413291ee52d9b974

Red Hat Enterprise Linux for Power, big endian 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
ppc
firefox-1.5.0.12-7.el5.ppc.rpm	SHA-256: 27e0961913053585dca6fd57a108d50e5008478204b0cf0f245cb7c403a9daee
firefox-devel-1.5.0.12-7.el5.ppc.rpm	SHA-256: 6f8b2d7952ef86b22367d102632793e556f8aec6e98994d9df766e484824a8f9

Red Hat Enterprise Linux for Power, big endian 4

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm	SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm	SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.5

SRPM
firefox-1.5.0.12-0.8.el4.src.rpm	SHA-256: 8a2cf3cbd6d4d686be7b5ecc6ab6f4a0f633940e3c92084488a127a7ab0d49c9
ppc
firefox-1.5.0.12-0.8.el4.ppc.rpm	SHA-256: d2aa6a07cfe275783c6cbd683b081f01c3d511cf7f34ba8188ced1a9c9aca785

Red Hat Enterprise Linux Server from RHUI 5

SRPM
firefox-1.5.0.12-7.el5.src.rpm	SHA-256: 41e50c0170c31c69c964b2e8d324ac31c0ad82976025a130396d6d608956e9ca
x86_64
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 5cc2ccb80064a1e7caefcb07415204ab0afff0f4044beb0e194a4ca6d1319e2f
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958
firefox-devel-1.5.0.12-7.el5.x86_64.rpm	SHA-256: 062ddf0cd999e192ecde7bc33442626a032cce4cb53d72885128d7d2490f8ff7
i386
firefox-1.5.0.12-7.el5.i386.rpm	SHA-256: 1cc22924205165ee1a7964ea1ff30d6257660bd61440a38933cbae61012a31e4
firefox-devel-1.5.0.12-7.el5.i386.rpm	SHA-256: 38ff962d8edaa60948f8077a6467b5786757086d0e4a9229c84e64d2d1521958

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.