Debians sikkerhedsbulletin

DSA-810-1 mozilla -- flere sårbarheder

Rapporteret den:
13. sep 2005
Berørte pakker:
mozilla
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 14242.
I Mitres CVE-ordbog: CVE-2004-0718, CVE-2005-1937, CVE-2005-2260, CVE-2005-2261, CVE-2005-2263, CVE-2005-2265, CVE-2005-2266, CVE-2005-2268, CVE-2005-2269, CVE-2005-2270.
Yderligere oplysninger:

Flere problemer er opdaget i Mozilla, webbrowseren fra Mozilla-programpakken. Da den almindelige praksis med tilbageførelse af ændringer ikke lader til at virke med denne pakke, er denne opdatering grundlæggende version 1.7.10 hvor versionsnummeret er rullet tilbage, og derfor stadig hedder 1.7.8. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

  • CAN-2004-0718, CAN-2005-1937

    En sårbarhed er opdaget i Mozilla hvilket gjorde det muligt for fjernangribere at indsprøjte vilkårligt Javascript fra en side ind i en andet websteds frameset.

  • CAN-2005-2260

    Browserens brugergrænseflade skelner ikke korrekt mellem brugergenererede begivenheder og syntetiske begivenheder som man ikke kan stole på, hvilket gjode det nemmere for fjernagrigere at udføre farlige handlinger som normalt kun kunne udføres manuelt af brugeren.

  • CAN-2005-2261

    XML-skripter kørte selv når Javascript var slået fra.

  • CAN-2005-2263

    Det var muligt for en fjernangriber at udføre en tilbagekaldsfunktion i et andet domænes kontekst (dvs. fx en frame).

  • CAN-2005-2265

    Manglende kontrol af inddata i InstallVersion.compareTo() kunne medføre at programmet gik ned.

  • CAN-2005-2266

    Fjernangribere kunne stjæle følsomme oplysninger så som cookies og adgangskoder fra webstedet ved at tilgå data i fremmede frames.

  • CAN-2005-2268

    Det var muligt for en Javascript-dialogboks at udgive sig for en dialogboks fra et websted der stoles på og dermed være et instrument i et "phishing"-angreb.

  • CAN-2005-2269

    Fjernangribere kunne ændre visse tag-indstillinger hørende til DOM-noder, hvilket kunne før til udførelse af vilkårlige skripter eller kode.

  • CAN-2005-2270

    Mozilla-browserfamilien kloner ikke baseobjekter korrekt, hvilket gjorde det muligt for fjernangribere at udføre vilkårlig kode.

I den stabile distribution (sarge) er disse problemer rettet i version 1.7.8-1sarge2.

I den ustabile distribution (sid) er disse problemer rettet i version 1.7.10-1.

Vi anbefaler at du opgraderer dine Mozilla-pakker.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.dsc
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.diff.gz
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.