From secure@conectiva.com.br Thu Feb 13 16:21:17 2003
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
Date: Thu, 13 Feb 2003 15:55:26 -0200
Subject: [CLA-2003:568] Conectiva Linux Security Announcement - mozilla

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : mozilla
SUMMARY   : Several vulnerabilities
DATE      : 2003-02-13 15:54:00
ID        : CLA-2003:568
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 Mozilla is an open-source web browser designed for standards
 compliance, performance and portability.

 This update addresses several vulnerabilities found after the mozilla
 1.0rc2 release, which was the last version sent as an official
 update[1] for Conectiva Linux distributions. A complete list of such
 vulnerabilities can be obtained in [2,3], and details about the most
 known ones in [5,6,7,8,9].

 A remote attacker could exploit these vulnerabilities by creating
 malicious web pages that, when accessed, would crash the browser,
 potentially allow remote arbitrary code execution or cause some sort
 of unexpected behavior.

 The packages from this update are of Mozilla 1.2.1, which is the
 latest stable release[10] from mozilla.org and includes fixes for the
 known vulnerabilities. Besides the security fixes, it also includes
 several new features and other minor corrections.

 The vulnerabilities aforementioned also affect the Galeon web browser,
 which uses the Mozilla engine. Galeon is being updated to the version
 1.2.7 in Conectiva Linux 8, but not in Conectiva Linux 6.0 and 7.0.
 The Galeon version distributed in these versions of Conectiva Linux
 was in its early stages of development and would not work with the new
 Mozilla packages. A new version of Galeon for these distributions
 would need many other updated packages and therefore will not be
 provided.

SOLUTION
 All mozilla and galeon users should upgrade. Galeon users on Conectiva
 Linux 6.0 and 7.0 should consider upgrading their distribution or
 choosing another browser.

REFERENCES:
 1. http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490
 2. http://mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html
 3. http://www.mozilla.org/projects/security/known-vulnerabilities.html
 4. http://online.securityfocus.com/bid/5665/discussion/
 5. http://online.securityfocus.com/bid/5694/discussion/
 6. http://online.securityfocus.com/bid/5757/discussion/
 7. http://online.securityfocus.com/bid/5759/discussion/
 8. http://online.securityfocus.com/bid/5762/discussion/
 9. http://online.securityfocus.com/bid/5766/discussion/
 10. http://www.mozilla.org/releases/mozilla1.2.1/

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mozilla-1.2.1-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mozilla-devel-1.2.1-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mozilla-1.2.1-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-devel-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-devel-static-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-irc-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-mail-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mozilla-psm-1.2.1-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mozilla-1.2.1-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-devel-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-devel-static-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-irc-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-mail-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mozilla-psm-1.2.1-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/galeon-1.2.7-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/galeon-devel-1.2.7-1U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mozilla-1.2.1-1U80_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/galeon-1.2.7-1U80_5cl.src.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+S9wN42jd0JmAcZARAqZcAJ46gKJh6DkblFy3ru866JtYOwtOvQCgt/Q2
nM+hTrbUCmSQs/BlJtiuFHs=
=96my
-----END PGP SIGNATURE-----
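The advisory states that the packages are signed with Conectiva's GPG key and points to instructions for checking RPM signatures, but does not show the check itself. The POSIX shell script below is an added example, not part of the advisory and not Conectiva's tooling: it runs `rpm --checksig` on downloaded update packages and refuses to proceed unless each one reports a good GPG signature, rejecting packages whose output says "NOT OK", reports a missing key, or only verified digests (md5/sha1) with no signature check at all. It assumes an rpm that supports `--checksig` and that Conectiva's public key has already been imported into the rpm keyring (for example with `rpm --import`); the `rpm --checksig` output lines it demonstrates on are constructed samples using a package name from the advisory's list, not captured tool output.

```shell
#!/bin/sh
# Added example, not from the Conectiva advisory: refuse to install an
# update RPM unless `rpm --checksig` reports a good GPG signature.
# Assumes an rpm that supports --checksig and that Conectiva's public key
# has already been imported (e.g. `rpm --import <keyfile>`); the sample
# output lines at the bottom are constructed, not real tool output.

# rpm_sig_ok LINE
# Inspect one line of `rpm --checksig` output. Succeeds (returns 0) only
# if the line reports "OK" *and* a gpg/pgp signature was checked. A line
# that says "NOT OK", reports missing keys, or only verified digests
# (md5/sha1 without gpg) is rejected: a digest alone says nothing about
# who produced the package.
rpm_sig_ok() {
    line=$1
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
    esac
    case "$line" in
        *gpg*OK|*GPG*OK|*pgp*OK|*PGP*OK) return 0 ;;
    esac
    return 1
}

# check_rpm_sigs FILE...
# Run `rpm --checksig` on each file, print a verdict per file, and return
# 1 if any file fails so the caller can abort before `rpm -Uvh`.
check_rpm_sigs() {
    rc=0
    for f in "$@"; do
        out=$(rpm --checksig "$f" 2>&1)
        if rpm_sig_ok "$out"; then
            echo "OK:   $f"
        else
            echo "FAIL: $f  [$out]"
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    # Real use: sh check_sigs.sh mozilla-1.2.1-1U60_2cl.i386.rpm ...
    check_rpm_sigs "$@" || { echo "Signature check failed; not installing." >&2; exit 1; }
else
    # No files given: show the parser's decisions on constructed sample lines
    # (the filename comes from the advisory; the output text is made up).
    for sample in \
        "mozilla-1.2.1-1U60_2cl.i386.rpm: (sha1) dsa sha1 md5 gpg OK" \
        "mozilla-1.2.1-1U60_2cl.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#placeholder)" \
        "mozilla-1.2.1-1U60_2cl.i386.rpm: md5 OK"
    do
        if rpm_sig_ok "$sample"; then
            echo "accept: $sample"
        else
            echo "reject: $sample"
        fi
    done
fi
```

Run it with the downloaded `.rpm` files as arguments after importing the key; only when every package prints `OK:` should the upgrade proceed. The third sample line is the case worth noticing: rpm reports `OK` for the digest, yet no signature was verified, so the script treats it as a failure rather than trusting a checksum that anyone could recompute.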