RHSA-2009:1162 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: firefox security update

Type/Severity

Security Advisory: Critical

Topic

Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Description

Mozilla Firefox is an open source Web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox.
(CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466,
CVE-2009-2467, CVE-2009-2469, CVE-2009-2471)

Several flaws were found in the way Firefox handles malformed JavaScript
code. A website containing malicious content could launch a cross-site
scripting (XSS) attack or execute arbitrary JavaScript with the permissions
of another website. (CVE-2009-2472)

For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.0.12. You can find a link to the Mozilla
advisories in the References section of this errata.

All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.0.12, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server 4 x86_64
Red Hat Enterprise Linux Server 4 ia64
Red Hat Enterprise Linux Server 4 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.3 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 i386
Red Hat Enterprise Linux Server - Extended Update Support 4.8 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 4.8 ia64
Red Hat Enterprise Linux Server - Extended Update Support 4.8 i386
Red Hat Enterprise Linux Server - AUS 5.3 x86_64
Red Hat Enterprise Linux Server - AUS 5.3 ia64
Red Hat Enterprise Linux Server - AUS 5.3 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Workstation 4 x86_64
Red Hat Enterprise Linux Workstation 4 ia64
Red Hat Enterprise Linux Workstation 4 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux Desktop 4 x86_64
Red Hat Enterprise Linux Desktop 4 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390x
Red Hat Enterprise Linux for IBM z Systems 4 s390
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian 4 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 512128 - CVE-2009-2462 Mozilla Browser engine crashes
BZ - 512131 - CVE-2009-2463 Mozilla Base64 decoding crash
BZ - 512133 - CVE-2009-2464 Mozilla crash with multiple RDFs in XUL tree
BZ - 512135 - CVE-2009-2465 Mozilla double frame construction crashes
BZ - 512136 - CVE-2009-2466 Mozilla JavaScript engine crashes
BZ - 512137 - CVE-2009-2467 Mozilla remote code execution during Flash player unloading
BZ - 512142 - CVE-2009-2469 Mozilla remote code execution using watch and __defineSetter__ on SVG element
BZ - 512146 - CVE-2009-2471 Mozilla setTimeout loses XPCNativeWrappers
BZ - 512147 - CVE-2009-2472 Mozilla multiple cross origin wrapper bypasses

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
x86_64
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
firefox-3.0.12-1.el5_3.x86_64.rpm	SHA-256: ec5d3078e6f71f398f57622f0324d56afc89a631764534af6e26efcb26e1638f
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 5be856ea38fca13c5401bf8a5dbc843536ae13eabd33a7da8ba27731ca8b560a
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 1cca3028a3900fc453aefcf5bcc6a2144479338984928f4dcf6834cf6fe9e886
xulrunner-devel-unstable-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 77a2cd1907b27c32c2aefcbea111c48948e1d5b8fba18fdd800a578de18710c4
ia64
firefox-3.0.12-1.el5_3.ia64.rpm	SHA-256: 110e2de34fdc56cdc5781ccc4f4864346fa6b86a4f088e25b3d3944ccd74a2ca
xulrunner-1.9.0.12-1.el5_3.ia64.rpm	SHA-256: 3d878a21ddc2cbfed860c236c18043f7d130e92db6080274f07ddb5ad82df94a
xulrunner-devel-1.9.0.12-1.el5_3.ia64.rpm	SHA-256: b78ac6854aa0aa916b0588c7854b7949ca4cdf91b692e790d5998e64b6f7f891
xulrunner-devel-unstable-1.9.0.12-1.el5_3.ia64.rpm	SHA-256: 75fe2018c429fceaa25d40f00c031d4ff200b61d70f473d9aea2eb56323b17db
i386
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-unstable-1.9.0.12-1.el5_3.i386.rpm	SHA-256: e82f7d1f56b7d64e6a55464bba6b49bb4594540d024dff935b74773b941007e8

Red Hat Enterprise Linux Server 4

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
x86_64
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
ia64
firefox-3.0.12-1.el4.ia64.rpm	SHA-256: 80e13e0ced83bac7be37d812a0fb1a25912d141fbb9df39372ec969ee53a7239
firefox-3.0.12-1.el4.ia64.rpm	SHA-256: 80e13e0ced83bac7be37d812a0fb1a25912d141fbb9df39372ec969ee53a7239
i386
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a

Red Hat Enterprise Linux Server - Extended Update Support 4.8

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
x86_64
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
ia64
firefox-3.0.12-1.el4.ia64.rpm	SHA-256: 80e13e0ced83bac7be37d812a0fb1a25912d141fbb9df39372ec969ee53a7239
firefox-3.0.12-1.el4.ia64.rpm	SHA-256: 80e13e0ced83bac7be37d812a0fb1a25912d141fbb9df39372ec969ee53a7239
i386
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a

Red Hat Enterprise Linux Workstation 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
x86_64
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
firefox-3.0.12-1.el5_3.x86_64.rpm	SHA-256: ec5d3078e6f71f398f57622f0324d56afc89a631764534af6e26efcb26e1638f
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 5be856ea38fca13c5401bf8a5dbc843536ae13eabd33a7da8ba27731ca8b560a
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 1cca3028a3900fc453aefcf5bcc6a2144479338984928f4dcf6834cf6fe9e886
xulrunner-devel-unstable-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 77a2cd1907b27c32c2aefcbea111c48948e1d5b8fba18fdd800a578de18710c4
i386
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-unstable-1.9.0.12-1.el5_3.i386.rpm	SHA-256: e82f7d1f56b7d64e6a55464bba6b49bb4594540d024dff935b74773b941007e8

Red Hat Enterprise Linux Workstation 4

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
x86_64
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
ia64
firefox-3.0.12-1.el4.ia64.rpm	SHA-256: 80e13e0ced83bac7be37d812a0fb1a25912d141fbb9df39372ec969ee53a7239
i386
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a

Red Hat Enterprise Linux Desktop 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
x86_64
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
firefox-3.0.12-1.el5_3.x86_64.rpm	SHA-256: ec5d3078e6f71f398f57622f0324d56afc89a631764534af6e26efcb26e1638f
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 5be856ea38fca13c5401bf8a5dbc843536ae13eabd33a7da8ba27731ca8b560a
i386
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832

Red Hat Enterprise Linux Desktop 4

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
x86_64
firefox-3.0.12-1.el4.x86_64.rpm	SHA-256: 7d25b2ef10cf66101d58e922565383f3e810da6d191d94dece870d3cb21a0600
i386
firefox-3.0.12-1.el4.i386.rpm	SHA-256: 2cdb5c23d6acc466dc444906d5b85a9bea19b43bf2a1ae6cc18f558f7519e58a

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
s390x
firefox-3.0.12-1.el5_3.s390.rpm	SHA-256: 1491a8bc81bd86a3fd481728a1485313c8fe4ce892a604c9b704a55215c3ba8d
firefox-3.0.12-1.el5_3.s390x.rpm	SHA-256: 051a7ca98c042efa9f1e05bad1924872ff61483bff05d4e923851f7a60cfa7be
xulrunner-1.9.0.12-1.el5_3.s390.rpm	SHA-256: 44913391b07dfdfcfe3ca8074c9bda715f8ab34afaab0a630f8dd2ad7169f80a
xulrunner-1.9.0.12-1.el5_3.s390x.rpm	SHA-256: 3a44780c479dee4903e272fd67ffbf382c2ce6aa683781fc7cc5366fa23d8ece
xulrunner-devel-1.9.0.12-1.el5_3.s390.rpm	SHA-256: 21fd5e39582d0c13c8368a3a11e66ef0474d72ad60a9bf9ce230168bb05ab67e
xulrunner-devel-1.9.0.12-1.el5_3.s390x.rpm	SHA-256: 945f998ba5d71853bbc8e520de7a13362c6a1bc3984876dbde7c736868370839
xulrunner-devel-unstable-1.9.0.12-1.el5_3.s390x.rpm	SHA-256: 003ce8c488a8e22792b0f5f19aa9c28351e0e893fa80a1f4691265d9cfef0e4e

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
s390x
firefox-3.0.12-1.el4.s390x.rpm	SHA-256: 958b01d04cdf24a9cda4b146043a7bc6ce9b2e28b5f82f14689d31043a76884d
s390
firefox-3.0.12-1.el4.s390.rpm	SHA-256: 24dae7ef7ec87615116c2ca629daad98f6b343f3f378918bd95a78b6019232ad

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
s390x
firefox-3.0.12-1.el4.s390x.rpm	SHA-256: 958b01d04cdf24a9cda4b146043a7bc6ce9b2e28b5f82f14689d31043a76884d
s390
firefox-3.0.12-1.el4.s390.rpm	SHA-256: 24dae7ef7ec87615116c2ca629daad98f6b343f3f378918bd95a78b6019232ad

Red Hat Enterprise Linux for Power, big endian 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
ppc
firefox-3.0.12-1.el5_3.ppc.rpm	SHA-256: 4fc61bcda60bc6731a2756eeca79b0f8f90e80f5fb15af4c0c809d8ad94f47e7
xulrunner-1.9.0.12-1.el5_3.ppc.rpm	SHA-256: 24b7a4bf12942b57a5ed92d609cddd2f06a41d6f2258bf39adfc4f1be165e322
xulrunner-1.9.0.12-1.el5_3.ppc64.rpm	SHA-256: 516601ea6a36d88c718aa79cd9f15934fabcb3b4d4ae289dac7bc69b748ac75b
xulrunner-devel-1.9.0.12-1.el5_3.ppc.rpm	SHA-256: 92aa1885fac9d91cd37a34bd5d56d40f71e32b59a92747fa0186e8a9e2e6e20a
xulrunner-devel-1.9.0.12-1.el5_3.ppc64.rpm	SHA-256: 6a3708bf89ca552c7260541ff8e4711c3b84b65b358f2c3fb0975fed637161cb
xulrunner-devel-unstable-1.9.0.12-1.el5_3.ppc.rpm	SHA-256: 77d7522470eeacf392ee906c6b9e8d911453b333e9bcd35970f8cc6408235886

Red Hat Enterprise Linux for Power, big endian 4

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
ppc
firefox-3.0.12-1.el4.ppc.rpm	SHA-256: 2f48f735bce2d9eb3b93a268c9d958a5ca5aaa05875765d5aa783da6a26c8fdd

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
firefox-3.0.12-1.el4.src.rpm	SHA-256: e5c42af439194bace19030bb93141115ebfdf590bb0187f42e18994761f8d202
ppc
firefox-3.0.12-1.el4.ppc.rpm	SHA-256: 2f48f735bce2d9eb3b93a268c9d958a5ca5aaa05875765d5aa783da6a26c8fdd

Red Hat Enterprise Linux Server from RHUI 5

SRPM
firefox-3.0.12-1.el5_3.src.rpm	SHA-256: d7611885523730fc157d04fc0c27a39b3a08c2986ef09cebf1b85426659d5d44
xulrunner-1.9.0.12-1.el5_3.src.rpm	SHA-256: fed451b1196731ff2a355f743cb7f82e9fcc01204ca06403ea44cae83d48119b
x86_64
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
firefox-3.0.12-1.el5_3.x86_64.rpm	SHA-256: ec5d3078e6f71f398f57622f0324d56afc89a631764534af6e26efcb26e1638f
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 5be856ea38fca13c5401bf8a5dbc843536ae13eabd33a7da8ba27731ca8b560a
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 1cca3028a3900fc453aefcf5bcc6a2144479338984928f4dcf6834cf6fe9e886
xulrunner-devel-unstable-1.9.0.12-1.el5_3.x86_64.rpm	SHA-256: 77a2cd1907b27c32c2aefcbea111c48948e1d5b8fba18fdd800a578de18710c4
i386
firefox-3.0.12-1.el5_3.i386.rpm	SHA-256: df8f6646f8d20cf2c63808362787150f021051f74a2a7432ee4a302a44759b6c
xulrunner-1.9.0.12-1.el5_3.i386.rpm	SHA-256: d32b1ef06b833295a707195f027535dfbe9236f1e3f4ff536ebe49b4a95c8832
xulrunner-devel-1.9.0.12-1.el5_3.i386.rpm	SHA-256: 7f8e3438b99b6d69f47ae630d960d749eac223128f36d2c27fa291cd4068dedd
xulrunner-devel-unstable-1.9.0.12-1.el5_3.i386.rpm	SHA-256: e82f7d1f56b7d64e6a55464bba6b49bb4594540d024dff935b74773b941007e8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.