[arch] [security] Alert on Firefox fixed
JJDaNiMoTh
jjdanimoth at gmail.com
Wed Aug 1 12:24:49 EDT 2007
------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#36
------------------------------------------------------------
Name: firefox
Date: 2007-08-01
Severity: High
Warning #: 2007-#36
------------------------------------------------------------
Product Background
===================
The Mozilla Foundation web browser.
Problem Background
===================
A flaw was discovered in handling of "about:blank" windows used by addons.
Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs.
Impact
==================
[1] A malicious web site could exploit this to modify the contents of other web pages, or to steal confidential data (such as passwords) from them. (CVE-2007-3844)
[2] In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845)
Problem Packages
===================
Package: firefox
Repo: current
Group: network
Unsafe: < 2.0.0.6
Safe: >= 2.0.0.6
Package Fix
===================
Upgrade to 2.0.0.6
---------------------------------------------
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
---------------------------------------------
Reference(s)
===================
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3844
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3845