[Secure-testing-commits] r1950 - data/DTSA/advs

Joey Hess joeyh at costa.debian.org
Tue Sep 13 13:53:07 UTC 2005 

Author: joeyh
Date: 2005-09-13 13:53:07 +0000 (Tue, 13 Sep 2005)
New Revision: 1950

Added:
   data/DTSA/advs/18-mozilla.adv
Log:
working in a followup dtsa for mozilla


Added: data/DTSA/advs/18-mozilla.adv
===================================================================
--- data/DTSA/advs/18-mozilla.adv	2005-09-13 13:17:22 UTC (rev 1949)
+++ data/DTSA/advs/18-mozilla.adv	2005-09-13 13:53:07 UTC (rev 1950)
@@ -0,0 +1,65 @@
+source: mozilla
+date: September 13th, 2005
+author: Joey Hess
+vuln-type: several
+problem-scope: remote
+debian-specifc: no
+cve: CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
+testing-fix: 1.7.8-1sarge2
+sid-fix: 1.7.10-1
+upgrade: apt-get install mozilla
+
+Several problems have been discovered in Mozilla. Since the usual praxis of
+backporting apparently does not work for this package, this update is
+basically version 1.7.10 with the version number rolled back, and hence still
+named 1.7.8.  The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CAN-2004-0718, CAN-2005-1937
+
+    A vulnerability has been discovered in Mozilla that allows remote
+    attackers to inject arbitrary Javascript from one page into the
+    frameset of another site.
+
+CAN-2005-2260
+
+    The browser user interface does not properly distinguish between
+    user-generated events and untrusted synthetic events, which makes
+    it easier for remote attackers to perform dangerous actions that
+    normally could only be performed manually by the user.
+
+CAN-2005-2261
+
+    XML scripts ran even when Javascript disabled.
+
+CAN-2005-2263
+
+    It is possible for a remote attacker to execute a callback
+    function in the context of another domain (i.e. frame).
+
+CAN-2005-2265
+
+    Missing input sanitising of InstallVersion.compareTo() can cause
+    the application to crash.
+
+CAN-2005-2266
+
+    Remote attackers could steal sensitive information such as cookies
+    and passwords from web sites by accessing data in alien frames.
+
+CAN-2005-2268
+
+    It is possible for a Javascript dialog box to spoof a dialog box
+    from a trusted site and facilitates phishing attacks.
+
+CAN-2005-2269
+
+    Remote attackers could modify certain tag properties of DOM nodes
+    that could lead to the execution of arbitrary script or code.
+
+CAN-2005-2270
+
+    The Mozilla browser family does not properly clone base objects,
+    which allows remote attackers to execute arbitrary code.
+
+Note that this is the same update contained in DSA-810-1 for Debian stable.

More information about the Secure-testing-commits mailing list