Debian Security Advisory

DSA-810-1 mozilla -- several vulnerabilities

Date reported:
13 Sep 2005
Affected packages:
mozilla
Vulnerable:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 14242.
In Mitre's CVE dictionary: CVE-2004-0718, CVE-2005-1937, CVE-2005-2260, CVE-2005-2261, CVE-2005-2263, CVE-2005-2265, CVE-2005-2266, CVE-2005-2268, CVE-2005-2269, CVE-2005-2270.
More information:

Several vulnerabilities have been discovered in Mozilla, the web browser of the Mozilla suite. Because backporting the fixes to this version did not work for these packages, this update is essentially version 1.7.10 carrying the old version number, which is why it is still named 1.7.8. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2004-0718, CAN-2005-1937

    A vulnerability has been discovered in Mozilla that allowed remote attackers to inject arbitrary Javascript from one page into the frameset of another site.

  • CAN-2005-2260

    The browser user interface did not properly distinguish between user-generated events and untrusted synthetic events, which made it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.

  • CAN-2005-2261

    XML scripts could run even when Javascript was disabled.

  • CAN-2005-2263

    It was possible for a remote attacker to execute a callback function in the context of another domain (for example, a frame).

  • CAN-2005-2265

    Missing input sanitising in InstallVersion.compareTo() could cause the application to crash.

  • CAN-2005-2266

    Remote attackers could steal sensitive information, such as cookies and passwords, from web sites by accessing data in adjacent frames.

  • CAN-2005-2268

    It was possible for a Javascript dialog box to spoof a trusted site and facilitate phishing attacks.

  • CAN-2005-2269

    Remote attackers could modify the properties of certain tags on DOM nodes, which could lead to the execution of arbitrary script or code.

  • CAN-2005-2270

    The Mozilla browser family did not properly clone base objects, which allowed remote attackers to execute arbitrary code.

For the stable distribution (sarge), these problems have been fixed in version 1.7.8-1sarge2.

For the unstable distribution (sid), these problems have been fixed in version 1.7.10-1.

We recommend that you upgrade your Mozilla packages.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.dsc
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.diff.gz
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_alpha.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_amd64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_arm.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_i386.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_ia64.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_hppa.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_m68k.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mips.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mipsel.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_powerpc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_s390.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_sparc.deb
http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.