[Secure-testing-commits] r1761 - in data/DTSA: . advs hints

Joey Hess joeyh at costa.debian.org
Thu Sep 1 17:01:09 UTC 2005


Author: joeyh
Date: 2005-09-01 17:01:09 +0000 (Thu, 01 Sep 2005)
New Revision: 1761

Added:
   data/DTSA/DTSA-8-2
Modified:
   data/DTSA/advs/8-mozilla-firefox.adv
   data/DTSA/hints/joeyh
   data/DTSA/list
Log:
update firefox advisory since the DSA was updated


Added: data/DTSA/DTSA-8-2
===================================================================
--- data/DTSA/DTSA-8-2	2005-09-01 15:04:09 UTC (rev 1760)
+++ data/DTSA/DTSA-8-2	2005-09-01 17:01:09 UTC (rev 1761)
@@ -0,0 +1,117 @@
+------------------------------------------------------------------------------
+Debian Testing Security Advisory DTSA-8-2     http://secure-testing.debian.net
+secure-testing-team at lists.alioth.debian.org                          Joey Hess
+September 1st, 2005
+------------------------------------------------------------------------------
+
+Package        : mozilla-firefox
+Vulnerability  : several vulnerabilities (update)
+Problem-Scope  : remote
+Debian-specific: No
+CVE ID         : CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270 
+
+We experienced that the update for Mozilla Firefox from DTSA-8-1
+unfortunately was a regression in several cases.  Since the usual
+praxis of backporting apparently does not work, this update is
+basically version 1.0.6 with the version number rolled back, and hence
+still named 1.0.4-*.  For completeness below is the original advisory
+text:
+
+Several problems were discovered in Mozilla Firefox:
+
+CAN-2004-0718 CAN-2005-1937
+
+A vulnerability has been discovered in Mozilla Firefox that allows remote
+attackers to inject arbitrary Javascript from one page into the frameset of
+another site.
+
+CAN-2005-2260
+
+The browser user interface does not properly distinguish between
+user-generated events and untrusted synthetic events, which makes it easier
+for remote attackers to perform dangerous actions that normally could only be
+performed manually by the user.
+
+CAN-2005-2261
+
+XML scripts ran even when Javascript disabled.
+
+CAN-2005-2262
+
+The user can be tricked to executing arbitrary JavaScript code by using a
+JavaScript URL as wallpaper.
+
+CAN-2005-2263
+
+It is possible for a remote attacker to execute a callback function in the
+context of another domain (i.e. frame).
+
+CAN-2005-2264
+
+By opening a malicious link in the sidebar it is possible for remote
+attackers to steal sensitive information.
+
+CAN-2005-2265
+
+Missing input sanitising of InstallVersion.compareTo() can cause the
+application to crash.
+
+CAN-2005-2266
+
+Remote attackers could steal sensitive information such as cookies and
+passwords from web sites by accessing data in alien frames.
+
+CAN-2005-2267
+
+By using standalone applications such as Flash and QuickTime to open a
+javascript: URL, it is possible for a remote attacker to steal sensitive
+information and possibly execute arbitrary code.
+
+CAN-2005-2268
+
+It is possible for a Javascript dialog box to spoof a dialog box from a
+trusted site and facilitates phishing attacks.
+
+CAN-2005-2269
+
+Remote attackers could modify certain tag properties of DOM nodes that could
+lead to the execution of arbitrary script or code.
+
+CAN-2005-2270
+
+The Mozilla browser family does not properly clone base objects, which allows
+remote attackers to execute arbitrary code.
+
+Note that this is the same set of security fixes put into stable in
+DSA-775 and DSA-779, and updated in DSA-779-2.
+
+For the testing distribution (etch) this is fixed in version
+1.0.4-2sarge3
+
+For the unstable distribution (sid) this is fixed in version
+1.0.6-3
+
+This upgrade is recommended if you use mozilla-firefox.
+
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+--------------------
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+deb http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing.debian.net/debian-security-updates etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+apt-get update && apt-get install mozilla-firefox
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
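Review bot: the "Upgrade Instructions" block in this hunk points at the archive signing key (http://secure-testing.debian.net/ziyi-2005-7.asc) but never tells the reader to import it or how to check it before trusting the archive; add the import step (e.g. `apt-key add ziyi-2005-7.asc`) and the key's fingerprint next to that URL so the user can verify it rather than just fetch it over plain HTTP. Two smaller text points in the same file: "does not track security issues for then stable (sarge)" should read "the stable (sarge)", and the "CVE ID" header line carries trailing whitespace that the .adv source line does not.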

Modified: data/DTSA/advs/8-mozilla-firefox.adv
===================================================================
--- data/DTSA/advs/8-mozilla-firefox.adv	2005-09-01 15:04:09 UTC (rev 1760)
+++ data/DTSA/advs/8-mozilla-firefox.adv	2005-09-01 17:01:09 UTC (rev 1761)
@@ -1,14 +1,21 @@
-dtsa: DTSA-8-1
+dtsa: DTSA-8-2
 source: mozilla-firefox
-date: August 28th, 2005
+date: September 1st, 2005
 author: Joey Hess
-vuln-type: several vulnerabilities
+vuln-type: several vulnerabilities (update)
 problem-scope: remote
 debian-specific: no
 cve: CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
-testing-fix: 1.0.4-2sarge2
+testing-fix: 1.0.4-2sarge3
 sid-fix: 1.0.6-3
 
+We experienced that the update for Mozilla Firefox from DTSA-8-1
+unfortunately was a regression in several cases.  Since the usual
+praxis of backporting apparently does not work, this update is
+basically version 1.0.6 with the version number rolled back, and hence
+still named 1.0.4-*.  For completeness below is the original advisory
+text:
+
 Several problems were discovered in Mozilla Firefox:
 
 CAN-2004-0718 CAN-2005-1937
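Review bot: the added paragraph is hard to parse ("We experienced that the update ... unfortunately was a regression in several cases", "the usual praxis of backporting"); suggest "The Mozilla Firefox update from DTSA-8-1 unfortunately caused regressions in several cases. Since the usual practice of backporting apparently does not work, this update is essentially version 1.0.6 with the version number rolled back, and hence still named 1.0.4-*." It would also help to say what the regressions were, or point at the bug report, since the testing-fix bump from 1.0.4-2sarge2 to 1.0.4-2sarge3 alone gives a reader no way to tell that the package now carries the same code as sid-fix 1.0.6-3.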
@@ -75,4 +82,4 @@
   remote attackers to execute arbitrary code.
 
 Note that this is the same set of security fixes put into stable in
-DSA-775 and DSA-779.
+DSA-775 and DSA-779, and updated in DSA-779-2.

Modified: data/DTSA/hints/joeyh
===================================================================
--- data/DTSA/hints/joeyh	2005-09-01 15:04:09 UTC (rev 1760)
+++ data/DTSA/hints/joeyh	2005-09-01 17:01:09 UTC (rev 1761)
@@ -1,6 +1,6 @@
 sync maildrop/1.5.3-1.1etch1
 sync pcre3/6.3-0.1etch1
-sync mozilla-firefox/1.0.4-2sarge2
+sync mozilla-firefox/1.0.4-2sarge3
 sync mozilla/2:1.7.8-1sarge1
 sync centericq/4.20.0-8etch1
 sync clamav/0.86.2-4etch1

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list	2005-09-01 15:04:09 UTC (rev 1760)
+++ data/DTSA/list	2005-09-01 17:01:09 UTC (rev 1761)
@@ -6,8 +6,8 @@
 [31 Aug 2005] DTSA-9-1 bluez-utils - bad device name escaping
 	- bluez-utils 2.19-0.1etch1
 	TODO: unreleased
-[28 Aug 2005] DTSA-8-1 mozilla-firefox - several vulnerabilities
-	- mozilla-firefox 1.0.4-2sarge2 (high)
+[28 Aug 2005] DTSA-8-2 mozilla-firefox - several vulnerabilities
+	- mozilla-firefox 1.0.4-2sarge3 (high)
 [28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
 	- mozilla 2:1.7.8-1sarge1 (high)
 [28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
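Review bot: the list entry is renamed to DTSA-8-2 but keeps the date "[28 Aug 2005]", while the advisory added in this same commit is dated September 1st, 2005; and replacing the DTSA-8-1 line in place drops the record that 1.0.4-2sarge2 was released and then superseded. Suggest dating this entry 01 Sep 2005 and keeping the old 8-1 line above it (or marking it "superseded by DTSA-8-2") so the history of the regression stays visible.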
