
UNIRAS Brief - 544/04 - Four RedHat Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 544/04 dated 04.10.04  Time: 14:50 
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Four RedHat Security Advisories:

1. RHSA-2004:441-01 - Updated ruby package fixes security flaw

2. RHSA-2004:451-01 - Updated spamassassin package fixes denial of service issue
        
3. RHSA-2004:462-01 - Updated squid package fixes security vulnerability
            
4. RHSA-2004:486-01 - Updated mozilla packages fix security issues
               

Detail
====== 

1. An updated ruby package that fixes insecure file permissions for CGI session files is now available.

2. An updated spamassassin package that fixes a denial of service bug when parsing malformed messages is now available.

3. An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available.

4. Updated mozilla packages that fix a number of security issues are now available.



1.                   ESB-2004.0613 -- RHSA-2004:441-01
                 Updated ruby package fixes security flaw
                              1 October 2004


Product:                ruby
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Red Hat Enterprise Linux AS/ES/WS 2.1
                        Linux variants
                        UNIX variants
Impact:                 Read-only Data Access
Access:                 Existing Account
CVE Names:              CAN-2004-0755

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated ruby package fixes security flaw
Advisory ID:       RHSA-2004:441-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
Keywords:          file permission
CVE Names:         CAN-2004-0755
- - - ---------------------------------------------------------------------

1. Summary:

An updated ruby package that fixes insecure file permissions for CGI session files is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Ruby is an interpreted scripting language for object-oriented programming.

Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby.  FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.

Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.  Use Red Hat Network to download and update your packages.  To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

130065 - CAN-2004-0755 ruby insecure file permissions

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ruby-1.6.4-2.AS21.0.src.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm

Red Hat Desktop version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/ruby-1.6.8-9.EL3.2.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

8. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3gXlSAg2UNWIIRAkXLAKChOubcTfVhoSGLL/DRgUQbMxbD2wCfRlBD
foKv94hXR1OqHdgnMd45cGE=
=mE/N
- - -----END PGP SIGNATURE-----
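
The file-permission flaw described in RHSA-2004:441-01 above (CAN-2004-0755), shown as an added Ruby example that is not part of the UNIRAS brief or of Red Hat's backported patch: it contrasts creating a session file with the default mode against an owner-only create, then audits a directory for files other local users can read. The helper names, file names and session contents are constructed for illustration, and a POSIX filesystem is assumed.

```ruby
require "tmpdir"

# Permission bits that grant any access to group or other.
GROUP_OTHER_BITS = 0o077

# Weak pattern: no explicit mode, so the file is created as 0666 masked by
# the process umask (0644 under the common umask 022) and any local user
# can read the session data.
def write_session_default_mode(path, data)
  File.open(path, "w") { |f| f.write(data) }
end

# Hardened pattern: owner-only mode at creation time. File::EXCL makes the
# create fail if the path already exists, so a file planted in advance by
# another user is never reused.
def write_session_private(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
end

# Returns one finding per regular file in dir that group or other can access.
def audit_session_dir(dir)
  findings = Dir.children(dir).sort.map do |name|
    path = File.join(dir, name)
    st = File.lstat(path)            # lstat: do not follow symlinks
    next unless st.file?
    next if (st.mode & GROUP_OTHER_BITS).zero?
    { path: path,
      mode: format("%04o", st.mode & 0o7777),
      world_readable: (st.mode & 0o004) != 0 }
  end
  findings.compact
end

# Restricts every reported file to its owner; returns how many were changed.
def tighten!(findings)
  findings.each { |f| File.chmod(0o600, f[:path]) }
  findings.length
end

# Constructed demonstration in a throwaway directory.
def demo
  old_umask = File.umask(0o022)      # pin the umask so the result is stable
  Dir.mktmpdir("sess_demo") do |dir|
    write_session_default_mode(File.join(dir, "sess_weak"), "user=alice")
    write_session_private(File.join(dir, "sess_private"), "user=bob")
    before = audit_session_dir(dir)
    fixed = tighten!(before)
    { before: before.map { |f| [File.basename(f[:path]), f[:mode]] },
      fixed: fixed,
      after: audit_session_dir(dir).length }
  end
ensure
  File.umask(old_umask)
end

p demo if __FILE__ == $PROGRAM_NAME
```

Session files written before the update keep their old mode, so an audit of the existing session directory is still needed after the package is upgraded.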






2.                   ESB-2004.0614 -- RHSA-2004:451-01
        Updated spamassassin package fixes denial of service issue
                              1 October 2004


Product:                spamassassin
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Linux variants
                        UNIX variants
Impact:                 Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0796

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated spamassassin package fixes denial of service issue
Advisory ID:       RHSA-2004:451-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0796
- - - ---------------------------------------------------------------------

1. Summary:

An updated spamassassin package that fixes a denial of service bug when parsing malformed messages is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email.

A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0796 to this issue.

Users of SpamAssassin should update to these updated packages, which contain a backported patch and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.  Use Red Hat Network to download and update your packages.  To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

129337 - CAN-2004-0796 DOS attack open to certain malformed messages

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm

Red Hat Desktop version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/spamassassin-2.55-3.2.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796

8. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3wXlSAg2UNWIIRAo8JAJ4uF5p97GxC+u/Be7qpxO1nE4cKeACfY1uV
pkrMySxxH0wsS0LnVLAdEwE=
=hT7f
- - -----END PGP SIGNATURE-----




3.                   ESB-2004.0615 -- RHSA-2004:462-01
            Updated squid package fixes security vulnerability
                              1 October 2004


Product:                squid with NTLM authentication
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Linux variants
                        UNIX variants
Impact:                 Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0832

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated squid package fixes security vulnerability
Advisory ID:       RHSA-2004:462-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0832
- - - ---------------------------------------------------------------------

1. Summary:

An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Squid is a full-featured Web proxy cache.

An out of bounds memory read bug was found within the NTLM authentication helper routine.  If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0832 to this issue.

Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3.  Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the vulnerable helper. 

Users of Squid should update to this erratum package, which contains a backported patch and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.  Use Red Hat Network to download and update your packages.  To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

131750 - CAN-2004-0832 Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm

Red Hat Desktop version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/squid-2.5.STABLE3-6.3E.1.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.squid-cache.org/bugs/show_bug.cgi?id=1045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0832

8. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBXB3/XlSAg2UNWIIRAv+0AKCCo4giuS0f4+08gpTrkQf1Tq5hGACePATc
WS+U3uPqlRwelHaCy3CGGYU=
=Dg9j
- - -----END PGP SIGNATURE-----



4.                   ESB-2004.0616 -- RHSA-2004:486-01
               Updated mozilla packages fix security issues
                              1 October 2004


Product:                mozilla
Publisher:              Red Hat
Operating System:       Red Hat Desktop version 3
                        Red Hat Enterprise Linux AS/ES/WS 2.1
                        Red Hat Enterprise Linux AS/ES/WS 3
                        Linux variants
                        UNIX variants
                        Windows
                        Mac OS X
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
                        Inappropriate Access
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0908 CAN-2004-0905 CAN-2004-0904
                        CAN-2004-0903 CAN-2004-0902

Ref:                    ESB-2004.0573

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated mozilla packages fix security issues
Advisory ID:       RHSA-2004:486-01
Issue date:        2004-09-30
Updated on:        2004-09-30
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
- - - ---------------------------------------------------------------------

1. Summary:

Updated mozilla packages that fix a number of security issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Jesse Ruderman discovered a cross-domain scripting bug in Mozilla.  If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site.  Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue.

Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue.

Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines.  An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0903 to this issue.

Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard.  It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0908 to this issue.

Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature.  It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0902 to this issue.

Users of Mozilla should update to these updated packages, which contain backported patches and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.  Use Red Hat Network to download and update your packages.  To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

133023 - CAN-2004-0902 "send page" heap based buffer overflow
133024 - CAN-2004-0902 "send page" heap based buffer overflow
133022 - CAN-2004-0908 javascript clipboard information leakage
133021 - CAN-2004-0908 javascript clipboard information leakage
133017 - CAN-2004-0903 VCard buffer overflow
133016 - CAN-2004-0903 VCard buffer overflow
133015 - CAN-2004-0904 BMP integer overflows
133014 - CAN-2004-0904 BMP integer overflows
133013 - CAN-2004-0905 javascript link dragging information leak
133012 - CAN-2004-0905 javascript link dragging information leak

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/galeon-1.2.13-5.2.1.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/mozilla-1.4.3-2.1.4.src.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/galeon-1.2.13-5.2.1.src.rpm
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/mozilla-1.4.3-2.1.4.src.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/galeon-1.2.13-5.2.1.src.rpm
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/mozilla-1.4.3-2.1.4.src.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/galeon-1.2.13-5.2.1.src.rpm
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/mozilla-1.4.3-2.1.4.src.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mozilla-1.4.3-3.0.4.src.rpm

Red Hat Desktop version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/mozilla-1.4.3-3.0.4.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/mozilla-1.4.3-3.0.4.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/mozilla-1.4.3-3.0.4.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
http://secunia.com/advisories/12526/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0908

8. Contact:

The Red Hat security contact is <secalert@xxxxxxxxxx>.  More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of RedHat for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
