[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 568/05 - Fedora - Nine Update Notifications



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 568/05 dated 22.07.05  Time: 11:05 
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Fedora - Nine Update Notifications:
     1.  Fedora Core 4 Update: fetchmail-6.2.5-7.fc4.1  [FEDORA-2005-613]
     2.  Fedora Core 4 Update: mozilla-1.7.10-1.5.1     [FEDORA-2005-619]
     3.  Fedora Core 4 Update: epiphany-1.6.3-2         [FEDORA-2005-620]
     4.  Fedora Core 4 Update: devhelp-0.10-1.4.1       [FEDORA-2005-621]
     5.  Fedora Core 4 Update: yelp-2.10.0-1.4.1        [FEDORA-2005-622]
     6.  Fedora Core 3 Update: fetchmail-6.2.5-7.fc3.1  [FEDORA-2005-614]
     7.  Fedora Core 3 Update: mozilla-1.7.10-1.3.1     [FEDORA-2005-616]
     8.  Fedora Core 3 Update: epiphany-1.4.4-4.3.5     [FEDORA-2005-617]
     9.  Fedora Core 3 Update: devhelp-0.9.2-2.3.5      [FEDORA-2005-618]


Detail
====== 


Update notification summaries:

     1.  A buffer overflow was discovered in fetchmail's POP3 client. A malicious
         server could cause fetchmail to execute arbitrary code.

     2.  Multiple vulnerabilities - Users of Mozilla are advised to upgrade to 
         updated packages, which contain Mozilla version 1.7.10 and are not 
         vulnerable to listed issues. 

     3.  There were several security flaws found in the mozilla package, which 
         epiphany depends on.  Users of epiphany are advised to upgrade to this 
         updated package which has been rebuilt against a version of mozilla not 
         vulnerable to these flaws.

     4.  There were several security flaws found in the mozilla package, which 
         devhelp depends on.   Users of devhelp are advised to upgrade to this 
         updated package which has been rebuilt against a version of mozilla not 
         vulnerable to these flaws.

     5.  There were several security flaws found in the mozilla package, which yelp 
         depends on.   Users of yelp are advised to upgrade to this updated package 
         which has been rebuilt against a version of mozilla not vulnerable to these 
         flaws.

     6.  A buffer overflow was discovered in fetchmail's POP3 client. A malicious
         server could cause fetchmail to execute arbitrary code.

     7.  Multiple vulnerabilities - Users of Mozilla are advised to upgrade to 
         updated packages, which contain Mozilla version 1.7.10 and are not 
         vulnerable to listed issues. 

     8.  There were several security flaws found in the mozilla package, which 
         epiphany depends on.  Users of epiphany are advised to upgrade to this 
         updated package which has been rebuilt against a version of mozilla not 
         vulnerable to these flaws.

     9.  There were several security flaws found in the mozilla package, which 
         devhelp depends on.   Users of devhelp are advised to upgrade to this 
         updated package which has been rebuilt against a version of mozilla not 
         vulnerable to these flaws.


Update notification content follows:


1.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-613
2005-07-21
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : fetchmail
Version     : 6.2.5                      
Release     : 7.fc4.1                  
Summary     : A remote mail retrieval and forwarding utility.
Description :
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

Install fetchmail if you need to retrieve mail over SLIP or PPP
connections.

- ---------------------------------------------------------------------
Update Information:

A buffer overflow was discovered in fetchmail's POP3 client. A 
malicious server could cause fetchmail to execute arbitrary code.

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-2355 to this issue.

All fetchmail users should upgrade to the updated package, which fixes 
this issue.
- ---------------------------------------------------------------------
* Thu Jul 21 2005 Miloslav Trmac <mitr@xxxxxxxxxx> - 6.2.5-7.fc4.1
- - Fix CAN-2005-2355 (#163819, patch by Ludwig Nussel)


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

e00eaabfa00150c2001ca61a58a7845e  SRPMS/fetchmail-6.2.5-7.fc4.1.src.rpm
4528439141789d049cb2094162c92406  ppc/fetchmail-6.2.5-7.fc4.1.ppc.rpm
6bdcf129726571d6e3e2536c3dcc27a3  ppc/debug/fetchmail-debuginfo-6.2.5-7.fc4.1.ppc.rpm
2bebf8c785e918bc43e590a2f029ba48  x86_64/fetchmail-6.2.5-7.fc4.1.x86_64.rpm
3c590e5aa4af40cfa80590ce23b16958  x86_64/debug/fetchmail-debuginfo-6.2.5-7.fc4.1.x86_64.rpm
469b305b86b25c292876877432ce5ead  i386/fetchmail-6.2.5-7.fc4.1.i386.rpm
2635dfe61df68b358fb61803a7d12ca1  i386/debug/fetchmail-debuginfo-6.2.5-7.fc4.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




2.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-619
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : mozilla
Version     : 1.7.10                      
Release     : 1.5.1                  
Summary     : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

- ---------------------------------------------------------------------
Update Information:

Mozilla is an open source Web browser, advanced email and newsgroup client,
IRC chat client, and HTML editor.

A bug was found in the way Mozilla handled synthetic events. It is possible
that Web content could generate events such as keystrokes or mouse clicks
that could be used to steal data or execute malicious Javascript code. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed Javascript in XBL controls. It
is possible for a malicious webpage to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user can
be tricked into visiting a malicious webpage, it may be possible to obtain
sensitive information such as cookies or passwords. (CAN-2005-2263)

A bug was found in the way Mozilla handled certain Javascript functions. It
is possible for a malicious webpage to crash the browser by executing
malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains. It is
possible for a frame as part of a malicious website to inject content into
a frame that belongs to another domain. This issue was previously fixed as
CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible for
a malicious framed page to steal sensitive information from its parent
page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is Javascript, the Javascript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and prompts.
Alerts and prompts were given the generic title [JavaScript Application]
which prevented a user from knowing which site created them. (CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is possible
for a malicious site to overwrite a DOM node name, allowing certain
privileged chrome actions to execute the malicious Javascript. (CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible for
Web content to traverse the prototype chain to gain access to privileged
chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages, which
contain Mozilla version 1.7.10 and are not vulnerable to these issues. 
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 37:1.7.10-1.5.1
- - Update to 1.7.10
- - Fix a crash on 64bit platforms (#160330)


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

eb361c708dddc1af05158ce6759a61b9  SRPMS/mozilla-1.7.10-1.5.1.src.rpm
c5cfc540316ed7679b562ce6e4431a53  ppc/mozilla-1.7.10-1.5.1.ppc.rpm
69ea1fde672e04a4f6913025870ae28e  ppc/mozilla-nspr-1.7.10-1.5.1.ppc.rpm
26ccb88f78bb5142aa07325fd4c5a8c2  ppc/mozilla-nspr-devel-1.7.10-1.5.1.ppc.rpm
465c71611974982178a4acbd03e79848  ppc/mozilla-nss-1.7.10-1.5.1.ppc.rpm
6c3043f14271ce087413b667de05e04c  ppc/mozilla-nss-devel-1.7.10-1.5.1.ppc.rpm
5489a8676730b06e32e18f375b83b55d  ppc/mozilla-devel-1.7.10-1.5.1.ppc.rpm
b672a31b9bf29f2a593d870f694aa014  ppc/mozilla-mail-1.7.10-1.5.1.ppc.rpm
51be9cdb1510a8b045104bf8956cd174  ppc/mozilla-chat-1.7.10-1.5.1.ppc.rpm
fc3b1d1ecbfcb7a26bbfd2cb18153ec3  ppc/mozilla-js-debugger-1.7.10-1.5.1.ppc.rpm
76f4786b961fa856c99f7a6d60e53ef6  ppc/mozilla-dom-inspector-1.7.10-1.5.1.ppc.rpm
2e3612c10f295f670de5cdf5537b8d18  ppc/debug/mozilla-debuginfo-1.7.10-1.5.1.ppc.rpm
e01cf2f85658577773f84c27be82a981  x86_64/mozilla-1.7.10-1.5.1.x86_64.rpm
78ea2f828bdf576072d5b1d8a117ac18  x86_64/mozilla-nspr-1.7.10-1.5.1.x86_64.rpm
6ed062540e8729a0fe20603dd81a4555  x86_64/mozilla-nspr-devel-1.7.10-1.5.1.x86_64.rpm
900e1bdda17a57a40734e4632216b09b  x86_64/mozilla-nss-1.7.10-1.5.1.x86_64.rpm
0835f3a6eb0d3a28e571c659f62b58b5  x86_64/mozilla-nss-devel-1.7.10-1.5.1.x86_64.rpm
46366778caa6bbc28ac2fd7ab601b3e6  x86_64/mozilla-devel-1.7.10-1.5.1.x86_64.rpm
d484918f9a9aacaa3244dfe9aa00724c  x86_64/mozilla-mail-1.7.10-1.5.1.x86_64.rpm
a91f3fdebba315d7a904dce6ca078a71  x86_64/mozilla-chat-1.7.10-1.5.1.x86_64.rpm
b7c81fc35699665628b08becab581d89  x86_64/mozilla-js-debugger-1.7.10-1.5.1.x86_64.rpm
e2159457c9cb315bb58ea141fcb61f58  x86_64/mozilla-dom-inspector-1.7.10-1.5.1.x86_64.rpm
bee07c4cc4a2334c6c659b9a78b5dd27  x86_64/debug/mozilla-debuginfo-1.7.10-1.5.1.x86_64.rpm
9e00889d8cf0e0cf6e05b9e2bfa4aa59  x86_64/mozilla-nspr-1.7.10-1.5.1.i386.rpm
d3debda6d568aaf48caec6f01d2c4bb5  x86_64/mozilla-nss-1.7.10-1.5.1.i386.rpm
0170da6538e34da1618ae3b496e19191  i386/mozilla-1.7.10-1.5.1.i386.rpm
9e00889d8cf0e0cf6e05b9e2bfa4aa59  i386/mozilla-nspr-1.7.10-1.5.1.i386.rpm
4284565ab14530bc3a3b9c67f19b5ef3  i386/mozilla-nspr-devel-1.7.10-1.5.1.i386.rpm
d3debda6d568aaf48caec6f01d2c4bb5  i386/mozilla-nss-1.7.10-1.5.1.i386.rpm
29207a796c6f6467afaf012f4102e51f  i386/mozilla-nss-devel-1.7.10-1.5.1.i386.rpm
46c2a725f16211cf11c6f247c4865baf  i386/mozilla-devel-1.7.10-1.5.1.i386.rpm
6875846f0350c548aea6bc80c248f97f  i386/mozilla-mail-1.7.10-1.5.1.i386.rpm
ed5d8fa1b534c8226dca48c30fbab7c0  i386/mozilla-chat-1.7.10-1.5.1.i386.rpm
3cd9b40c026c9bc7ff0f1688eddb0a55  i386/mozilla-js-debugger-1.7.10-1.5.1.i386.rpm
30dea8f03254fa2b7504099592c5c073  i386/mozilla-dom-inspector-1.7.10-1.5.1.i386.rpm
e85b37cef808ba529a228cec8b205a82  i386/debug/mozilla-debuginfo-1.7.10-1.5.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




3.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-620
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : epiphany
Version     : 1.6.3                      
Release     : 2                  
Summary     : GNOME web browser based on the Mozilla rendering engine
Description :
epiphany is a simple GNOME web browser based on the Mozilla rendering
engine

- ---------------------------------------------------------------------
Update Information:

Epiphany is a simple GNOME web browser based on the Mozilla rendering
engine.

There were several security flaws found in the mozilla package, which 
epiphany depends on.   Users of epiphany are advised to upgrade to this 
updated package which has been rebuilt against a version of mozilla not 
vulnerable to these flaws.
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 1.6.3-2
- - Rebuild against new mozilla packages


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

4f14b0270142b1394940e511e586706b  SRPMS/epiphany-1.6.3-2.src.rpm
0a9f85c668fa838005b72eb8465ce5eb  ppc/epiphany-1.6.3-2.ppc.rpm
b731fa68befb45cfcc213f6b004ba27a  ppc/epiphany-devel-1.6.3-2.ppc.rpm
188a3eea504eb32e610c8dad383682da  ppc/debug/epiphany-debuginfo-1.6.3-2.ppc.rpm
da60b74e7a51966d3b44f666f6d11526  x86_64/epiphany-1.6.3-2.x86_64.rpm
111fc9c64b4e96011b015c0d3082f10a  x86_64/epiphany-devel-1.6.3-2.x86_64.rpm
ec1efa26394206bc81d9ea1d1d8dca61  x86_64/debug/epiphany-debuginfo-1.6.3-2.x86_64.rpm
1bbdc7ebd11baae1a8fceb7aa809843e  i386/epiphany-1.6.3-2.i386.rpm
076dde628d6d9c7d539dfa8444f495dc  i386/epiphany-devel-1.6.3-2.i386.rpm
c4b3824af6e7f6b815df635ab2b6d8e2  i386/debug/epiphany-debuginfo-1.6.3-2.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




4.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-621
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : devhelp
Version     : 0.10                      
Release     : 1.4.1                  
Summary     : API document browser
Description :
A API document browser for GNOME 2.

- ---------------------------------------------------------------------
Update Information:

Devhelp is an API document browser for the GNOME environment.

There were several security flaws found in the mozilla package, which 
devhelp depends on.   Users of devhelp are advised to upgrade to this 
updated package which has been rebuilt against a version of mozilla not 
vulnerable to these flaws.
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 0.10-1.4.1
- - Rebuild against new mozilla packages


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

1ceba8f8141b25fcb5e42069b277d0e4  SRPMS/devhelp-0.10-1.4.1.src.rpm
d8a189b319e5f5d01907a7842601a698  ppc/devhelp-0.10-1.4.1.ppc.rpm
c94e3ac885daa3858a8fd921f57ab39b  ppc/devhelp-devel-0.10-1.4.1.ppc.rpm
7e3356b797bee0b86252dc3d59728ad2  ppc/debug/devhelp-debuginfo-0.10-1.4.1.ppc.rpm
e07f36bfdd2090a9b246e05b04c9574a  x86_64/devhelp-0.10-1.4.1.x86_64.rpm
785e019bb309a1b113bc134dcbb55459  x86_64/devhelp-devel-0.10-1.4.1.x86_64.rpm
52ad208fe8cd1e2c7ec88f6943a437a2  x86_64/debug/devhelp-debuginfo-0.10-1.4.1.x86_64.rpm
159d3267192e15c90ddff2331dc9d284  i386/devhelp-0.10-1.4.1.i386.rpm
cd715bfaff8320014d5e2a70d1c36479  i386/devhelp-devel-0.10-1.4.1.i386.rpm
2da37799d542709178a1b37515cc27a9  i386/debug/devhelp-debuginfo-0.10-1.4.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




5.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-622
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : yelp
Version     : 2.10.0                      
Release     : 1.4.1                  
Summary     : A system documentation reader from the Gnome project.
Description :
Yelp is the Gnome 2 help/documentation browser. It is designed
to help you browse all the documentation on your system in
one central tool.

- ---------------------------------------------------------------------
Update Information:

Yelp is a help documentation browser for the GNOME environment.

There were several security flaws found in the mozilla package, which 
yelp depends on.   Users of yelp are advised to upgrade to this updated 
package which has been rebuilt against a version of mozilla not 
vulnerable to these flaws.
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 2.10-1.4.1
- - Rebuild against new mozilla packages


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

1549d1f13932f84e5f6c9d06945595c3  SRPMS/yelp-2.10.0-1.4.1.src.rpm
b04357d708957208b83890cd6e02de01  ppc/yelp-2.10.0-1.4.1.ppc.rpm
93c521fcdfb5bc053a2bac820093b80c  ppc/debug/yelp-debuginfo-2.10.0-1.4.1.ppc.rpm
25d8090ceb7318131a1c7c2e9d736c32  x86_64/yelp-2.10.0-1.4.1.x86_64.rpm
6c9db5fe5d7a23996609260991c0f724  x86_64/debug/yelp-debuginfo-2.10.0-1.4.1.x86_64.rpm
8a82dd94877bcf0fd99a05ff9be5c620  i386/yelp-2.10.0-1.4.1.i386.rpm
95c3ddee41f555f9e11e660ca06ceb64  i386/debug/yelp-debuginfo-2.10.0-1.4.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




6.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-614
2005-07-21
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : fetchmail
Version     : 6.2.5                      
Release     : 7.fc3.1                  
Summary     : A remote mail retrieval and forwarding utility.
Description :
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

Install fetchmail if you need to retrieve mail over SLIP or PPP
connections.

- ---------------------------------------------------------------------
Update Information:

A buffer overflow was discovered in fetchmail's POP3 client. A 
malicious server could cause fetchmail to execute arbitrary code.

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-2355 to this issue.

All fetchmail users should upgrade to the updated package, which fixes 
this issue.
- ---------------------------------------------------------------------
* Thu Jul 21 2005 Miloslav Trmac <mitr@xxxxxxxxxx> - 6.2.5-7.fc4.1
- - Fix CAN-2005-2355 (#163819, patch by Ludwig Nussel)

* Wed Mar 16 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 6.2.5-7
- - stop using one of the libkrb5 private functions


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

550fbe893b901e7fc028765819409b8a  SRPMS/fetchmail-6.2.5-7.fc3.1.src.rpm
14376533cb1e770d8019960596f29dd1  x86_64/fetchmail-6.2.5-7.fc3.1.x86_64.rpm
372ec66fb81998200b4ba0228f77b943  x86_64/debug/fetchmail-debuginfo-6.2.5-7.fc3.1.x86_64.rpm
62947fe15ecc12933cbcdbdfcb87412b  i386/fetchmail-6.2.5-7.fc3.1.i386.rpm
69b34d188aaa91ca770789eb582dc8ca  i386/debug/fetchmail-debuginfo-6.2.5-7.fc3.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




7.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-616
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : mozilla
Version     : 1.7.10                      
Release     : 1.3.1                  
Summary     : A Web browser.
Description :
Mozilla is an open-source Web browser, designed for standards
compliance, performance, and portability.

- ---------------------------------------------------------------------
Update Information:

Mozilla is an open source Web browser, advanced email and newsgroup client,
IRC chat client, and HTML editor.

A bug was found in the way Mozilla handled synthetic events. It is possible
that Web content could generate events such as keystrokes or mouse clicks
that could be used to steal data or execute malicious Javascript code. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2005-2260 to this issue.

A bug was found in the way Mozilla executed Javascript in XBL controls. It
is possible for a malicious webpage to leverage this vulnerability to
execute other JavaScript based attacks even when JavaScript is disabled.
(CAN-2005-2261)

A bug was found in the way Mozilla installed its extensions. If a user can
be tricked into visiting a malicious webpage, it may be possible to obtain
sensitive information such as cookies or passwords. (CAN-2005-2263)

A bug was found in the way Mozilla handled certain Javascript functions. It
is possible for a malicious webpage to crash the browser by executing
malformed Javascript code. (CAN-2005-2265)

A bug was found in the way Mozilla handled multiple frame domains. It is
possible for a frame as part of a malicious website to inject content into
a frame that belongs to another domain. This issue was previously fixed as
CAN-2004-0718 but was accidentally disabled. (CAN-2005-1937)

A bug was found in the way Mozilla handled child frames. It is possible for
a malicious framed page to steal sensitive information from its parent
page. (CAN-2005-2266)

A bug was found in the way Mozilla opened URLs from media players. If a
media player opens a URL which is Javascript, the Javascript executes
with access to the currently open webpage. (CAN-2005-2267)

A design flaw was found in the way Mozilla displayed alerts and prompts.
Alerts and prompts were given the generic title [JavaScript Application]
which prevented a user from knowing which site created them. (CAN-2005-2268)

A bug was found in the way Mozilla handled DOM node names. It is possible
for a malicious site to overwrite a DOM node name, allowing certain
privileged chrome actions to execute the malicious Javascript. (CAN-2005-2269)

A bug was found in the way Mozilla cloned base objects. It is possible for
Web content to traverse the prototype chain to gain access to privileged
chrome objects. (CAN-2005-2270)

Users of Mozilla are advised to upgrade to these updated packages, which
contain Mozilla version 1.7.10 and are not vulnerable to these issues. 
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 37:1.7.10-1.3.1
- - Update to 1.7.10
- - Fix a crash on 64bit platforms (#160330)


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

698009229e06fad1d7b9406c072ee0a9  SRPMS/mozilla-1.7.10-1.3.1.src.rpm
d2593847a3720f2437d61ab53061e9be  x86_64/mozilla-1.7.10-1.3.1.x86_64.rpm
949d5f656de6782f92af383cb2ff4ada  x86_64/mozilla-nspr-1.7.10-1.3.1.x86_64.rpm
42c12731ee0f67480c1e302956013bce  x86_64/mozilla-nspr-devel-1.7.10-1.3.1.x86_64.rpm
315e96f6235299f9984ef87b33913408  x86_64/mozilla-nss-1.7.10-1.3.1.x86_64.rpm
3dc29ad690ef97756e731f4f5c471b1e  x86_64/mozilla-nss-devel-1.7.10-1.3.1.x86_64.rpm
4b10675f37638dc40c426f8b45f67bfa  x86_64/mozilla-devel-1.7.10-1.3.1.x86_64.rpm
38f4c8381123bc86bfbf28e4f3dd99b0  x86_64/mozilla-mail-1.7.10-1.3.1.x86_64.rpm
7754ce9a64b65fab29cbea9ce6de9549  x86_64/mozilla-chat-1.7.10-1.3.1.x86_64.rpm
735fcb06fd18a1b69c12edc58556d83e  x86_64/mozilla-js-debugger-1.7.10-1.3.1.x86_64.rpm
d4c78884a0e27e95614dc4bff8b325fd  x86_64/mozilla-dom-inspector-1.7.10-1.3.1.x86_64.rpm
b08870788586b7831ab7a8ee8ff2b23c  x86_64/debug/mozilla-debuginfo-1.7.10-1.3.1.x86_64.rpm
eafc6311968ebfc5f7c806564b6c47c6  x86_64/mozilla-nspr-1.7.10-1.3.1.i386.rpm
ca00c8845f2fc411acf3cf0729bdbca6  x86_64/mozilla-nss-1.7.10-1.3.1.i386.rpm
e00f1b1a0af07f62e20fb92678816cc6  i386/mozilla-1.7.10-1.3.1.i386.rpm
eafc6311968ebfc5f7c806564b6c47c6  i386/mozilla-nspr-1.7.10-1.3.1.i386.rpm
829f78f10fb46c3423a231c847f5c85c  i386/mozilla-nspr-devel-1.7.10-1.3.1.i386.rpm
ca00c8845f2fc411acf3cf0729bdbca6  i386/mozilla-nss-1.7.10-1.3.1.i386.rpm
45424d71b9ab5b3124d9899633ba94be  i386/mozilla-nss-devel-1.7.10-1.3.1.i386.rpm
c9791bf350eba92088d98928804a8e6a  i386/mozilla-devel-1.7.10-1.3.1.i386.rpm
2f1e0174bbd6e94143ab24f9b26017bb  i386/mozilla-mail-1.7.10-1.3.1.i386.rpm
dd6f87e4badc6dc179c7977208e84536  i386/mozilla-chat-1.7.10-1.3.1.i386.rpm
31af3c9bc533da93f5c0fe3aa25df2f2  i386/mozilla-js-debugger-1.7.10-1.3.1.i386.rpm
7216fc495e370b94795d965a3f02d280  i386/mozilla-dom-inspector-1.7.10-1.3.1.i386.rpm
eeb7aeb6e2dcd89ad39d43d7914f82c6  i386/debug/mozilla-debuginfo-1.7.10-1.3.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




8.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-617
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : epiphany
Version     : 1.4.4                      
Release     : 4.3.5                  
Summary     : GNOME web browser based on the Mozilla rendering engine
Description :
epiphany is a simple GNOME web browser based on the Mozilla rendering
engine

- ---------------------------------------------------------------------
Update Information:

Epiphany is a simple GNOME web browser based on the Mozilla rendering
engine.

There were several security flaws found in the mozilla package, which 
epiphany depends on.   Users of epiphany are advised to upgrade to this 
updated package which has been rebuilt against a version of mozilla not 
vulnerable to these flaws.
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 1.4.4-4.3.5
- - Rebuild against new mozilla packages


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

3a266c72700e2dc7a03fd09f00cf49b1  SRPMS/epiphany-1.4.4-4.3.5.src.rpm
e1b4e0cd128e17cf512cd4657f84a03e  x86_64/epiphany-1.4.4-4.3.5.x86_64.rpm
df4bdc6f5ef53849f780686e1845bdad  x86_64/epiphany-devel-1.4.4-4.3.5.x86_64.rpm
8e609bdf293dbbf41001803cd3f7b5d3  x86_64/debug/epiphany-debuginfo-1.4.4-4.3.5.x86_64.rpm
b6fd052acfabaefef7d1aa80332b5b12  i386/epiphany-1.4.4-4.3.5.i386.rpm
7315a590b0db09e54d5464b5fcccaa03  i386/epiphany-devel-1.4.4-4.3.5.i386.rpm
a6f2cc678c712dd47fa138831aec30cf  i386/debug/epiphany-debuginfo-1.4.4-4.3.5.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




9.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-618
2005-07-22
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : devhelp
Version     : 0.9.2                      
Release     : 2.3.5                  
Summary     : API document browser
Description :
A API document browser for GNOME 2.

- ---------------------------------------------------------------------
Update Information:

Devhelp is an API document browser for the GNOME environment.

There were several security flaws found in the mozilla package, which 
devhelp depends on.   Users of devhelp are advised to upgrade to this 
updated package which has been rebuilt against a version of mozilla not 
vulnerable to these flaws.
- ---------------------------------------------------------------------
* Tue Jul 19 2005 Christopher Aillon <caillon@xxxxxxxxxx> 0.9.2-2.3.5
- - Rebuild against new mozilla packages


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

fe3b718497c07e39d547e01be33d83da  SRPMS/devhelp-0.9.2-2.3.5.src.rpm
0b2cbe1b517a5cc18580a8b4740aaa2f  x86_64/devhelp-0.9.2-2.3.5.x86_64.rpm
569a69eb125896bb4871354786d447b1  x86_64/devhelp-devel-0.9.2-2.3.5.x86_64.rpm
4ec820b2d1c50078487e0739f98e172e  x86_64/debug/devhelp-debuginfo-0.9.2-2.3.5.x86_64.rpm
e8eae8b1aa449605d3e07d48077ee828  i386/devhelp-0.9.2-2.3.5.i386.rpm
d0dc013cb6fc9a53ed71fa46602ac390  i386/devhelp-devel-0.9.2-2.3.5.i386.rpm
624b3018896faae0b43263e0e7a6871f  i386/debug/devhelp-debuginfo-0.9.2-2.3.5.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Fedora for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQuDE9Ipao72zK539AQEsSwP+IvIYsSJJoMs/DR+ATddgeFC1o+DDwaAh
J7nIRbZiLDu9I2ncAttlFp+GgGiQE/jRa3hEiVnoMJv+1Nw9kIYuTzP9HNVkiC62
lX/gkDPJskS2Ppd9U3Mruv6st9+vLaUwT+dKNniqYCEmh8asfa3361VXOBufp5oI
1obqQc7KSUI=
=tjhj
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________