- Emissione:
- 2010-10-19
- Aggiornato:
- 2010-10-19
RHSA-2010:0782 - Security Advisory
Riassunto
Critical: firefox security update
Tipo/Gravità
Security Advisory: Critical
Argomento
Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 4 and 5.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Descrizione
Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox. Network Security Services (NSS) is
a set of libraries designed to support the development of security-enabled
client and server applications.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2010-3175, CVE-2010-3176, CVE-2010-3179, CVE-2010-3183,
CVE-2010-3180)
A flaw was found in the way the Gopher parser in Firefox converted text
into HTML. A malformed file name on a Gopher server could, when accessed by
a victim running Firefox, allow arbitrary JavaScript to be executed in the
context of the Gopher domain. (CVE-2010-3177)
A same-origin policy bypass flaw was found in Firefox. An attacker could
create a malicious web page that, when viewed by a victim, could steal
private data from a different website the victim has loaded with Firefox.
(CVE-2010-3178)
A flaw was found in the script that launches Firefox. The LD_LIBRARY_PATH
variable was appending a "." character, which could allow a local attacker
to execute arbitrary code with the privileges of a different user running
Firefox, if that user ran Firefox from within an attacker-controlled
directory. (CVE-2010-3182)
This update also provides NSS version 3.12.8 which is required by the
updated Firefox version, fixing the following security issues:
It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode
implementation for key exchanges in Firefox accepted DHE keys that were 256
bits in length. This update removes support for 256 bit DHE keys, as such
keys are easily broken using modern hardware. (CVE-2010-3173)
A flaw was found in the way NSS matched SSL certificates when the
certificates had a Common Name containing a wildcard and a partial IP
address. NSS incorrectly accepted connections to IP addresses that fell
within the SSL certificate's wildcard range as valid SSL connections,
possibly allowing an attacker to conduct a man-in-the-middle attack.
(CVE-2010-3170)
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 3.6.11. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 3.6.11, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.
Soluzione
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Prodotti interessati
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Server - Extended Update Support 4.8 x86_64
- Red Hat Enterprise Linux Server - Extended Update Support 4.8 ia64
- Red Hat Enterprise Linux Server - Extended Update Support 4.8 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux for Power, big endian 4 ppc
- Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Correzioni
- BZ - 630047 - CVE-2010-3170 firefox/nss: Doesn't handle wildcards in Common Name properly
- BZ - 642272 - CVE-2010-3176 Mozilla miscellaneous memory safety hazards
- BZ - 642275 - CVE-2010-3175 Mozilla miscellaneous memory safety hazards
- BZ - 642277 - CVE-2010-3179 Mozilla buffer overflow and memory corruption using document.write
- BZ - 642283 - CVE-2010-3180 Mozilla use-after-free error in nsBarProp
- BZ - 642286 - CVE-2010-3183 Mozilla dangling pointer vulnerability in LookupGetterOrSetter
- BZ - 642290 - CVE-2010-3177 Mozilla XSS in gopher parser when parsing hrefs
- BZ - 642294 - CVE-2010-3178 Mozilla cross-site information disclosure via modal calls
- BZ - 642300 - CVE-2010-3182 Mozilla unsafe library loading flaw
- BZ - 642302 - CVE-2010-3173 Mozilla insecure Diffie-Hellman key exchange
CVE
- CVE-2010-3180
- CVE-2010-3182
- CVE-2010-3176
- CVE-2010-3170
- CVE-2010-3173
- CVE-2010-3177
- CVE-2010-3179
- CVE-2010-3178
- CVE-2010-3183
- CVE-2010-3175
Riferimenti
Red Hat Enterprise Linux Server 5
| SRPM | |
|---|---|
| x86_64 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| firefox-3.6.11-2.el5.x86_64.rpm | SHA-256: cf23a49a06a5aece4f1e842ac15d92c55366e9b96ce0a0817797ad5b651e55be |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-3.12.8-1.el5.x86_64.rpm | SHA-256: 7b42763e9cc53b770b4bdb76038bfcb5ab85eea36d2c9750daa95302ad697e0c |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 98826cce30671c632dc0dc6927582f8842c39332af58689eb9c3dd6d7b42d111 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| nss-pkcs11-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 0b354f11e4e8cfb1af989f295cdb76d8f6d2363ba006e980f80fbb6c4b724f4b |
| nss-tools-3.12.8-1.el5.x86_64.rpm | SHA-256: fce1c186b682ca4bedd5bd685406e9c9f4c0f571fe8c980913cad2dfdcbaf65e |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-1.9.2.11-2.el5.x86_64.rpm | SHA-256: d703301866094db564482e3aa21390b21abb4c59705e65e0aae9a85976fb7adc |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
| xulrunner-devel-1.9.2.11-2.el5.x86_64.rpm | SHA-256: 1f2a507448f1491a3c585d2adb60b641afae1ae28c920cebbf3fd6fb9ea9f74a |
| ia64 | |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| i386 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
Red Hat Enterprise Linux Workstation 5
| SRPM | |
|---|---|
| x86_64 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| firefox-3.6.11-2.el5.x86_64.rpm | SHA-256: cf23a49a06a5aece4f1e842ac15d92c55366e9b96ce0a0817797ad5b651e55be |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-3.12.8-1.el5.x86_64.rpm | SHA-256: 7b42763e9cc53b770b4bdb76038bfcb5ab85eea36d2c9750daa95302ad697e0c |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 98826cce30671c632dc0dc6927582f8842c39332af58689eb9c3dd6d7b42d111 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| nss-pkcs11-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 0b354f11e4e8cfb1af989f295cdb76d8f6d2363ba006e980f80fbb6c4b724f4b |
| nss-tools-3.12.8-1.el5.x86_64.rpm | SHA-256: fce1c186b682ca4bedd5bd685406e9c9f4c0f571fe8c980913cad2dfdcbaf65e |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-1.9.2.11-2.el5.x86_64.rpm | SHA-256: d703301866094db564482e3aa21390b21abb4c59705e65e0aae9a85976fb7adc |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
| xulrunner-devel-1.9.2.11-2.el5.x86_64.rpm | SHA-256: 1f2a507448f1491a3c585d2adb60b641afae1ae28c920cebbf3fd6fb9ea9f74a |
| i386 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
Red Hat Enterprise Linux Desktop 5
| SRPM | |
|---|---|
| x86_64 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| firefox-3.6.11-2.el5.x86_64.rpm | SHA-256: cf23a49a06a5aece4f1e842ac15d92c55366e9b96ce0a0817797ad5b651e55be |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-3.12.8-1.el5.x86_64.rpm | SHA-256: 7b42763e9cc53b770b4bdb76038bfcb5ab85eea36d2c9750daa95302ad697e0c |
| nss-tools-3.12.8-1.el5.x86_64.rpm | SHA-256: fce1c186b682ca4bedd5bd685406e9c9f4c0f571fe8c980913cad2dfdcbaf65e |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-1.9.2.11-2.el5.x86_64.rpm | SHA-256: d703301866094db564482e3aa21390b21abb4c59705e65e0aae9a85976fb7adc |
| i386 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
Red Hat Enterprise Linux Server from RHUI 5
| SRPM | |
|---|---|
| x86_64 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| firefox-3.6.11-2.el5.x86_64.rpm | SHA-256: cf23a49a06a5aece4f1e842ac15d92c55366e9b96ce0a0817797ad5b651e55be |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-3.12.8-1.el5.x86_64.rpm | SHA-256: 7b42763e9cc53b770b4bdb76038bfcb5ab85eea36d2c9750daa95302ad697e0c |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 98826cce30671c632dc0dc6927582f8842c39332af58689eb9c3dd6d7b42d111 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| nss-pkcs11-devel-3.12.8-1.el5.x86_64.rpm | SHA-256: 0b354f11e4e8cfb1af989f295cdb76d8f6d2363ba006e980f80fbb6c4b724f4b |
| nss-tools-3.12.8-1.el5.x86_64.rpm | SHA-256: fce1c186b682ca4bedd5bd685406e9c9f4c0f571fe8c980913cad2dfdcbaf65e |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-1.9.2.11-2.el5.x86_64.rpm | SHA-256: d703301866094db564482e3aa21390b21abb4c59705e65e0aae9a85976fb7adc |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
| xulrunner-devel-1.9.2.11-2.el5.x86_64.rpm | SHA-256: 1f2a507448f1491a3c585d2adb60b641afae1ae28c920cebbf3fd6fb9ea9f74a |
| i386 | |
| firefox-3.6.11-2.el5.i386.rpm | SHA-256: bd16bc4e425f9e059a9fa7a02c0c527411efd16712caef1142128a7c8b6a394a |
| nss-3.12.8-1.el5.i386.rpm | SHA-256: b992d20c9e4d85e6834f1f0b6ec17e5a306852b50a2510d90f4fd17db334d620 |
| nss-devel-3.12.8-1.el5.i386.rpm | SHA-256: 438d3e2d244e4e7527e2529968583d9ad30fc07af4352112736f7a5b02282ca7 |
| nss-pkcs11-devel-3.12.8-1.el5.i386.rpm | SHA-256: c06d5666d51f18a9bff8a9f0ef9882a1e05dde412fc1081a4c65acded0c0eddd |
| xulrunner-1.9.2.11-2.el5.i386.rpm | SHA-256: ffd3aa9428efc4e20cc41e7cc9ed2014c38e011c90644ce4d238a809b3a875b8 |
| xulrunner-devel-1.9.2.11-2.el5.i386.rpm | SHA-256: a70926d182e49d9903a93599e9f31265d8e9267c5bf928e5625e19031338fb3c |
Il contatto Red Hat per la sicurezza è secalert@redhat.com. Per altre informazioni di contatto, vedere https://access.redhat.com/security/team/contact/.