[Secure-testing-commits] r1703 - in data/DTSA: . advs
Joey Hess
joeyh at costa.debian.org
Sun Aug 28 19:44:11 UTC 2005
Author: joeyh
Date: 2005-08-28 19:44:10 +0000 (Sun, 28 Aug 2005)
New Revision: 1703
Added:
data/DTSA/DTSA-7-1
data/DTSA/advs/7-mozilla.adv
Modified:
data/DTSA/list
Log:
add advisory for mozilla, created with dtsa script but then hand-cleaned up
Added: data/DTSA/DTSA-7-1
===================================================================
--- data/DTSA/DTSA-7-1 2005-08-28 19:40:35 UTC (rev 1702)
+++ data/DTSA/DTSA-7-1 2005-08-28 19:44:10 UTC (rev 1703)
@@ -0,0 +1,46 @@
+------------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-7-1 http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org Joey Hess
+August 28th, 2005
+------------------------------------------------------------------------------
+
+Package : mozilla
+Vulnerability : frame injection spoofing
+Problem-Scope : remote
+Debian-specific: No
+CVE ID : CAN-2004-0718 CAN-2005-1937
+
+A vulnerability has been discovered in Mozilla that allows remote attackers
+to inject arbitrary Javascript from one page into the frameset of another
+site. Thunderbird is not affected by this and Galeon will be automatically
+fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
+be covered by a separate advisory.
+
+For the testing distribution (etch) this is fixed in version
+2:1.7.8-1sarge1
+
+For the unstable distribution (sid) this is fixed in version
+2:1.7.10-1
+
+This upgrade is recommended if you use mozilla.
+
+Note that this is the same security fix put into stable in DSA-777.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+apt-get update && apt-get upgrade
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
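Review bot: The upgrade instructions in this advisory give the archive signing key only as a plain-http download (http://secure-testing.debian.net/ziyi-2005-7.asc) and print no fingerprint, so a reader has nothing to check the fetched key against. Suggest printing the key fingerprint in the advisory body next to the URL. The text also goes straight from "can be downloaded from" to "apt-get update && apt-get upgrade" with no step that adds the key to apt's trusted keys; a line covering that would make the instructions complete.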
Added: data/DTSA/advs/7-mozilla.adv
===================================================================
--- data/DTSA/advs/7-mozilla.adv 2005-08-28 19:40:35 UTC (rev 1702)
+++ data/DTSA/advs/7-mozilla.adv 2005-08-28 19:44:10 UTC (rev 1703)
@@ -0,0 +1,18 @@
+dtsa: DTSA-7-1
+source: mozilla
+date: August 28th, 2005
+author: Joey Hess
+vuln-type: frame injection spoofing
+problem-scope: remote
+debian-specific: no
+cve: CAN-2004-0718 CAN-2005-1937
+testing-fix: 2:1.7.8-1sarge1
+sid-fix: 2:1.7.10-1
+
+A vulnerability has been discovered in Mozilla that allows remote attackers
+to inject arbitrary Javascript from one page into the frameset of another
+site. Thunderbird is not affected by this and Galeon will be automatically
+fixed as it uses Mozilla components. Mozilla Firefox is vulnerable and will
+be covered by a separate advisory.
+
+Note that this is the same security fix put into stable in DSA-777.
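Review bot: The cve: field lists two identifiers (CAN-2004-0718 CAN-2005-1937), but the description speaks of "A vulnerability" in the singular and does not say how the two relate. Suggest a sentence stating what each identifier covers, so a reader tracking either one can tell that both are closed by testing-fix 2:1.7.8-1sarge1. The Firefox sentence promises a separate advisory without naming it; add the DTSA id here once it is assigned.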
Modified: data/DTSA/list
===================================================================
--- data/DTSA/list 2005-08-28 19:40:35 UTC (rev 1702)
+++ data/DTSA/list 2005-08-28 19:44:10 UTC (rev 1703)
@@ -1,3 +1,6 @@
+[29 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
+ - mozilla 2:1.7.8-1sarge1
+ NOTE: joeyh working on it
[28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
- cgiwrap 3.9-3.0etch1 (low)
NOTE: waiting for builds (neilm)
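Review bot: The new list entry is dated [29 Aug 2005], while the advisory added in this same revision is dated August 28th, 2005 and the commit itself is from 2005-08-28; the two dates should agree. The entry also carries "NOTE: joeyh working on it" even though the advisory text lands in this commit, so check whether that note still applies or should say what is actually pending. Unlike the cgiwrap line below, which ends in "(low)", the mozilla line has no urgency; add one if the list format expects it.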