Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections: Blog - Developer - High Performance - Infrastructure - IT Management - Security - Storage -
Linux Today Navigation
LT Home
Preferences
Contribute
Link to Us
Search
Linux Jobs

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Technology Jobs

JustTechJobs.com

LinuxToday Newsletters
Server Daily
IT Management Daily
Subscribe News
Subscribe PR
Subscribe Security

internet.com
Internet News
Small Business

Advertise
Newsletters
Tech Jobs
E-mail Offers

 






Current Newswire:

Malware devs embrace open-source

A tale of two distros: Ubuntu and Linux Mint

Raspberry Pi benchmarked against Beagleboard, low price is long term

20 popular Ubuntu Linux apps you may want to try

A Selection of the Very Best Open Source Tutorials and Tools

Android Ice Cream Sandwich ported to x86 tablets, netbooks and notebooks

SECURITY: Google Chrome 17 Improves Security

How to read a CSV file in Perl?

Red Hat Brings Gluster to Amazon Cloud

New Linux kernel fixes power-saving issues



Applications Management Engineer Sr (NYC)
Next Step Systems
US-NY-New York

Justtechjobs.com Post A Job | Post A Resume
:Advisories, February 8, 2006
Advisories, February 8, 2006
Feb 9, 2006, 04 :45 UTC (0 Talkback[s]) (3533 reads)

Mandriva Linux Security Advisory MDKSA-2006:036
http://www.mandriva.com/security/

Package : mozilla
Date : February 7, 2006
Affected: Corporate 3.0

Problem Description:

Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134)

The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. (CVE-2006-0292)

The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. (CVE-2006-0296)

Updated packages are patched to address these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296

Updated Packages:

Corporate 3.0:
8d1376d6440bc1602ab2b1c74262a30c corporate/3.0/RPMS/libnspr4-1.7.8-0.7.C30mdk.i586.rpm
ceae80feec83d84891234f8bcf546247 corporate/3.0/RPMS/libnspr4-devel-1.7.8-0.7.C30mdk.i586.rpm
4be42f4a2297322ac93e6c4e635a225b corporate/3.0/RPMS/libnss3-1.7.8-0.7.C30mdk.i586.rpm
f7490d1448b0ef6fe8eaa7561066095f corporate/3.0/RPMS/libnss3-devel-1.7.8-0.7.C30mdk.i586.rpm
d3c71d0217099e4586818dc40f819308 corporate/3.0/RPMS/mozilla-1.7.8-0.7.C30mdk.i586.rpm
5d73ae4396714d8b5bf9892090c22724 corporate/3.0/RPMS/mozilla-devel-1.7.8-0.7.C30mdk.i586.rpm
005998ef07bd769563084275c27928ec corporate/3.0/RPMS/mozilla-dom-inspector-1.7.8-0.7.C30mdk.i586.rpm
0774d333844c7d27b560146e632a33b2 corporate/3.0/RPMS/mozilla-enigmail-1.7.8-0.7.C30mdk.i586.rpm
72bda6c0dfc17eb36b5f64aced6da5a3 corporate/3.0/RPMS/mozilla-enigmime-1.7.8-0.7.C30mdk.i586.rpm
b425cbdf6b2f2261799869327527d1c7 corporate/3.0/RPMS/mozilla-irc-1.7.8-0.7.C30mdk.i586.rpm
a2ba40970fd46883f707979925553074 corporate/3.0/RPMS/mozilla-js-debugger-1.7.8-0.7.C30mdk.i586.rpm
3f786a780a2355f4605886287fc489c3 corporate/3.0/RPMS/mozilla-mail-1.7.8-0.7.C30mdk.i586.rpm
4dc8edd930a75430e84520b3b2f00859 corporate/3.0/RPMS/mozilla-spellchecker-1.7.8-0.7.C30mdk.i586.rpm
4f1024a56ad3c8f3aef13ff2ea881ceb corporate/3.0/SRPMS/mozilla-1.7.8-0.7.C30mdk.src.rpm

Corporate 3.0/X86_64:
990fd040a970e2fe393665bc87f9d964 x86_64/corporate/3.0/RPMS/lib64nspr4-1.7.8-0.7.C30mdk.x86_64.rpm
e70615c6a988f23636f7bf3d642d2028 x86_64/corporate/3.0/RPMS/lib64nspr4-devel-1.7.8-0.7.C30mdk.x86_64.rpm
69e14625db53e49b4d1fcd9d346218db x86_64/corporate/3.0/RPMS/lib64nss3-1.7.8-0.7.C30mdk.x86_64.rpm
17f22cc0913232f4d0cd3efbffd17af1 x86_64/corporate/3.0/RPMS/lib64nss3-devel-1.7.8-0.7.C30mdk.x86_64.rpm
23d7b49cde6c2e96742f45625845d825 x86_64/corporate/3.0/RPMS/mozilla-1.7.8-0.7.C30mdk.x86_64.rpm
a14cde7bc834e298f9b1ff97d0faa04c x86_64/corporate/3.0/RPMS/mozilla-devel-1.7.8-0.7.C30mdk.x86_64.rpm
7b6a92d89e3771330e69b24eef80d02b x86_64/corporate/3.0/RPMS/mozilla-dom-inspector-1.7.8-0.7.C30mdk.x86_64.rpm
88510e96eee3232f5dd931de50ef9878 x86_64/corporate/3.0/RPMS/mozilla-enigmail-1.7.8-0.7.C30mdk.x86_64.rpm
71e44f63b296849361d5733b0e6824d1 x86_64/corporate/3.0/RPMS/mozilla-enigmime-1.7.8-0.7.C30mdk.x86_64.rpm
1740b993c3c30a35dcd37d7c88bd6187 x86_64/corporate/3.0/RPMS/mozilla-irc-1.7.8-0.7.C30mdk.x86_64.rpm
13b44d4ab0a1b80fb50ad8c881d94253 x86_64/corporate/3.0/RPMS/mozilla-js-debugger-1.7.8-0.7.C30mdk.x86_64.rpm
b9683c1834c25ab3d78606b912714780 x86_64/corporate/3.0/RPMS/mozilla-mail-1.7.8-0.7.C30mdk.x86_64.rpm
7ccb971d176e3e3a1a924bfc23f34b1e x86_64/corporate/3.0/RPMS/mozilla-spellchecker-1.7.8-0.7.C30mdk.x86_64.rpm
4f1024a56ad3c8f3aef13ff2ea881ceb x86_64/corporate/3.0/SRPMS/mozilla-1.7.8-0.7.C30mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Mandriva Linux Security Advisory MDKSA-2006:037
http://www.mandriva.com/security/

Package : mozilla-firefox
Date : February 7, 2006
Affected: 2006.0

Problem Description:

Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134)

The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. (CVE-2006-0292)

The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. (CVE-2006-0296)

Updated packages are patched to address these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296

Updated Packages:

Mandriva Linux 2006.0:
da643268d4704d938689f5fe2cca120f 2006.0/RPMS/libnspr4-1.0.6-16.4.20060mdk.i586.rpm
b6911002ac57b7d9aa2b250362eb800a 2006.0/RPMS/libnspr4-devel-1.0.6-16.4.20060mdk.i586.rpm
f0b33d31942402c9375e28b67b5af7a1 2006.0/RPMS/libnss3-1.0.6-16.4.20060mdk.i586.rpm
44be800d89df092daf5fb2cccbbd38cc 2006.0/RPMS/libnss3-devel-1.0.6-16.4.20060mdk.i586.rpm
23f78dfcad4ffac1232ac34021312140 2006.0/RPMS/mozilla-firefox-1.0.6-16.4.20060mdk.i586.rpm
f15d9c997aea3efc48cfb04534e0710a 2006.0/RPMS/mozilla-firefox-devel-1.0.6-16.4.20060mdk.i586.rpm
f1309fb4699a35abfb9d0ed618eae738 2006.0/SRPMS/mozilla-firefox-1.0.6-16.4.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
6f7649defa3b0f2ecb7fad32a22e780b x86_64/2006.0/RPMS/lib64nspr4-1.0.6-16.4.20060mdk.x86_64.rpm
bf965382a901febf026662823158aec0 x86_64/2006.0/RPMS/lib64nspr4-devel-1.0.6-16.4.20060mdk.x86_64.rpm
34e4b253f78196e93749150263447c94 x86_64/2006.0/RPMS/lib64nss3-1.0.6-16.4.20060mdk.x86_64.rpm
1d7cf344f788454a1b151fc886b88200 x86_64/2006.0/RPMS/lib64nss3-devel-1.0.6-16.4.20060mdk.x86_64.rpm
ef97a23ece3c504332437f395dad3f77 x86_64/2006.0/RPMS/mozilla-firefox-1.0.6-16.4.20060mdk.x86_64.rpm
a9f2be464482f4cf70120f12d5ff9e58 x86_64/2006.0/RPMS/mozilla-firefox-devel-1.0.6-16.4.20060mdk.x86_64.rpm
f1309fb4699a35abfb9d0ed618eae738 x86_64/2006.0/SRPMS/mozilla-firefox-1.0.6-16.4.20060mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Mandriva Linux Security Advisory MDKSA-2006:038
http://www.mandriva.com/security/

Package : groff
Date : February 8, 2006
Affected: 10.1, 10.2, 2006.0, Corporate 3.0

Problem Description:

The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files the privileges of the user invoking groffer.

Likewise, similar temporary file issues were fixed in the pic2graph and eqn2graph programs which now use mktemp to create temporary files, as discovered by Javier Fernandez-Sanguino Pena.

The updated packages have been patched to correct this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0969

Updated Packages:

Mandriva Linux 10.1:
2da61d56e608da8cdecd8dcaefa5a608 10.1/RPMS/groff-1.19-6.1.101mdk.i586.rpm
b224b02a6d026ff2d6800c171731c9eb 10.1/RPMS/groff-for-man-1.19-6.1.101mdk.i586.rpm
ccd5222ec22c3413544f4b1a27262cf6 10.1/RPMS/groff-gxditview-1.19-6.1.101mdk.i586.rpm
23814a0830723e7c4ed5fced5995b071 10.1/RPMS/groff-perl-1.19-6.1.101mdk.i586.rpm
d3b1d5792f5f9eb941b0a0111a5488b8 10.1/SRPMS/groff-1.19-6.1.101mdk.src.rpm

Mandriva Linux 10.1/X86_64:
f8a2eec5b2d92413a599f63ea9b0c180 x86_64/10.1/RPMS/groff-1.19-6.1.101mdk.x86_64.rpm
36d3ac889a34af4274dbf966647390fb x86_64/10.1/RPMS/groff-for-man-1.19-6.1.101mdk.x86_64.rpm
d56f7aa42108ea4ff6375714b125e443 x86_64/10.1/RPMS/groff-gxditview-1.19-6.1.101mdk.x86_64.rpm
027479132bfcfc79663f2d4e737f420e x86_64/10.1/RPMS/groff-perl-1.19-6.1.101mdk.x86_64.rpm
d3b1d5792f5f9eb941b0a0111a5488b8 x86_64/10.1/SRPMS/groff-1.19-6.1.101mdk.src.rpm

Mandriva Linux 10.2:
9d2bf8589987d6cb7c35ad12df82c69a 10.2/RPMS/groff-1.19-9.1.102mdk.i586.rpm
2737744582fe03aa752d69bbbe72e8af 10.2/RPMS/groff-for-man-1.19-9.1.102mdk.i586.rpm
f1b10bbbaeb2a0c6310b155168fcf836 10.2/RPMS/groff-gxditview-1.19-9.1.102mdk.i586.rpm
6ebe47194102d0700c902030e9e73638 10.2/RPMS/groff-perl-1.19-9.1.102mdk.i586.rpm
88d91b5a36400352de2cd845a5c16508 10.2/SRPMS/groff-1.19-9.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
e274e9135c59de46ee6b81e9173ae564 x86_64/10.2/RPMS/groff-1.19-9.1.102mdk.x86_64.rpm
82320dc08ec42570eaaf7fa172d6b80a x86_64/10.2/RPMS/groff-for-man-1.19-9.1.102mdk.x86_64.rpm
fa52ea5b60cbe0fdc2c3995003fbd63a x86_64/10.2/RPMS/groff-gxditview-1.19-9.1.102mdk.x86_64.rpm
959423c66c0ae1aeecf56f38176f458c x86_64/10.2/RPMS/groff-perl-1.19-9.1.102mdk.x86_64.rpm
88d91b5a36400352de2cd845a5c16508 x86_64/10.2/SRPMS/groff-1.19-9.1.102mdk.src.rpm

Mandriva Linux 2006.0:
2bfa7438040cfdfab92d3d109afa96aa 2006.0/RPMS/groff-1.19.1-1.1.20060mdk.i586.rpm
c408fa608c4234405b91f4cf763b1bd3 2006.0/RPMS/groff-for-man-1.19.1-1.1.20060mdk.i586.rpm
f8e94b09822328151af0aaf213b043a9 2006.0/RPMS/groff-gxditview-1.19.1-1.1.20060mdk.i586.rpm
c64dc660b7a906d9003205caaeabcd62 2006.0/RPMS/groff-perl-1.19.1-1.1.20060mdk.i586.rpm
2821299644c84404e2fa743835722dab 2006.0/SRPMS/groff-1.19.1-1.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
63175fa1b86871cf684d768f08837ec6 x86_64/2006.0/RPMS/groff-1.19.1-1.1.20060mdk.x86_64.rpm
c0fae16eb3f9c2a813f60b4e6b1dbfc5 x86_64/2006.0/RPMS/groff-for-man-1.19.1-1.1.20060mdk.x86_64.rpm
2ff202c91cd6a3e864b92a6c317b4803 x86_64/2006.0/RPMS/groff-gxditview-1.19.1-1.1.20060mdk.x86_64.rpm
7b877faf1a8db9af7e2d2808e100a4a5 x86_64/2006.0/RPMS/groff-perl-1.19.1-1.1.20060mdk.x86_64.rpm
2821299644c84404e2fa743835722dab x86_64/2006.0/SRPMS/groff-1.19.1-1.1.20060mdk.src.rpm

Corporate 3.0:
410ef29b051bfb96703154b26d16d631 corporate/3.0/RPMS/groff-1.19-6.1.C30mdk.i586.rpm
0d5dc3e189003f6809f20dd9b9cb3209 corporate/3.0/RPMS/groff-for-man-1.19-6.1.C30mdk.i586.rpm
cbdbf36d7826f0699dd609d7feb17f66 corporate/3.0/RPMS/groff-gxditview-1.19-6.1.C30mdk.i586.rpm
4e9c264c0d49eb5838a38cd79e0b65a0 corporate/3.0/RPMS/groff-perl-1.19-6.1.C30mdk.i586.rpm
b7a252f9135ebd8f1b9a8b56573f8ee0 corporate/3.0/SRPMS/groff-1.19-6.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
1c4328212aa64ecbd7f51ccba72718b6 x86_64/corporate/3.0/RPMS/groff-1.19-6.1.C30mdk.x86_64.rpm
ea375e1f85f86dd87a886f32ea368228 x86_64/corporate/3.0/RPMS/groff-for-man-1.19-6.1.C30mdk.x86_64.rpm
6e09c552c3953ffa6e99a7a31a8f3516 x86_64/corporate/3.0/RPMS/groff-gxditview-1.19-6.1.C30mdk.x86_64.rpm
2f6f0e853b722e3a94b7dc09a65bcb38 x86_64/corporate/3.0/RPMS/groff-perl-1.19-6.1.C30mdk.x86_64.rpm
b7a252f9135ebd8f1b9a8b56573f8ee0 x86_64/corporate/3.0/SRPMS/groff-1.19-6.1.C30mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>



No talkbacks posted.
  Home | Search Talkbacks | Customize View    Top of Page  



Enter your comments below:

* Your Name:

* Your Email Address:

* Subject:

CC: [will also send this talkback to an E-Mail address]

* Comments:

Tags allowed:<I>,<B> and <U>. See our talkback-policy for more about talkback content.

Fields marked with * are required!

..............................




All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux, Apache and PHP