[Security Preview] Firefox 1.0.4-2sarge4 fixes various security bugs

Saturday, September 24. 2005

Posted by asac (Alexander Sack) in Debian OS at 22:58 | Comments (3) | Trackbacks (0)

[Security Preview] Firefox 1.0.4-2sarge4 fixes various security bugs

I uploaded a firefox package that should address all currently disclosed issues. Please provide feedback if you encounter any regressions. Otherwise, this package will be pushed to the debian security mirrors.

Here the hunk from the changelog that gives you a brief overview of issues addressed with this upload:

CODE:

mozilla-firefox (1.0.4-2sarge4) stable-security; urgency=critical

   + MFSA-2005-57: IDN heap overrun
     Summary: Tom Ferris reported a Firefox crash when processing a domain
      name consisting solely of soft-hyphen characters.
     Closes: 327452
     CVE-Ids: CAN-2005-2871
     Bugzilla: 307259
     Issues addressed:
       + CAN-2005-2871 - IDN heap overrun

   + MFSA-2005-58: Accumulated vendor advisory for multiple vulnerabilities
     Summary: Fixes for multiple vulnerabilities with an overall severity
      of ”critical” have been released in Mozilla Firefox 1.0.7 and
      the Mozilla Suite 1.7.12
     Closes: -
     CVE-Ids: CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
      CAN-2005-2705 CAN-2005-2706 CAN-2005-2707
     Bugzilla: 300936 296134 297078 302263 299518 303213 304754 306261
       306804 291178 300853 301180 302100
     Issues addressed:
       + CAN-2005-2701 - Heap overrun in XBM image processing
       + CAN-2005-2702 - Crash on ”zero-width non-joiner” sequence
       + CAN-2005-2703 - XMLHttpRequest header spoofing
       + CAN-2005-2704 - Object spoofing using XBL <implements>
       + CAN-2005-2705 - JavaScript integer overflow
       + CAN-2005-2706 - Privilege escalation using about: scheme
       + CAN-2005-2707 - Chrome window spoofing
       + Regression fixes

   + MFSA-2005-59: Debian Firefox is not affected by this.

Edit: You can get this package from my security preview archives. See http://www.asoftsite.org/apt-archives.html for the lines you need to apt-get this package.

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Hi Alex! I’ve already installed firefox 1.07 for sarge from backports.org . So it’s good to see you guys racing to get the latest security releases out.

Your Thunderbird 1.0.6-1.sarge2 is performing flawlessly, btw.

Thanks and regards,
Ralph

#1 Ralph Katz on 2005-09-25 21:46 (Reply)

Since when do you do Firefox releases?

#2 Marcel on 2005-09-28 16:13 (Reply)

I prepare them mainly, because I prepare the patchsets for all mozilla apps … so just for the sake of QAing the patches

#2.1 asac (Homepage) on 2005-09-28 16:19 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed Enclosing asterisks marks text as bold (word), underscore are made via _word_. Textile-formatting allowed Standard emoticons like :-) and ;-) are converted to images.
	Remember Information? Subscribe to this entry