GLSA 201301-01: Mozilla Products: Multiple vulnerabilities
Severity: high
Title: Mozilla Products: Multiple vulnerabilities
Date: 01/08/2013
ID: 201301-01
Synopsis
Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which may allow execution of arbitrary code or local privilege escalation.
Background
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the ‘Mozilla Application Suite’. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications such as Firefox and Thunderbird. NSS is Mozilla’s Network Security Services library that implements PKI support. IceCat is the GNU version of Firefox.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
www-client/firefox | < 10.0.11 | >= 10.0.11 | All supported architectures |
www-client/firefox-bin | < 10.0.11 | >= 10.0.11 | All supported architectures |
mail-client/thunderbird | < 10.0.11 | >= 10.0.11 | All supported architectures |
mail-client/thunderbird-bin | < 10.0.11 | >= 10.0.11 | All supported architectures |
www-client/seamonkey | < 2.14-r1 | >= 2.14-r1 | All supported architectures |
www-client/seamonkey-bin | < 2.14 | >= 2.14 | All supported architectures |
dev-libs/nss | < 3.14 | >= 3.14 | All supported architectures |
www-client/mozilla-firefox | <= 3.6.8 | | All supported architectures |
www-client/mozilla-firefox-bin | <= 3.5.6 | | All supported architectures |
mail-client/mozilla-thunderbird | <= 3.0.4-r1 | | All supported architectures |
mail-client/mozilla-thunderbird-bin | <= 3.0 | | All supported architectures |
www-client/icecat | <= 10.0-r1 | | All supported architectures |
net-libs/xulrunner | <= 2.0-r1 | | All supported architectures |
net-libs/xulrunner-bin | <= 1.8.1.19 | | All supported architectures |
Description
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URLs for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser’s font, conduct clickjacking attacks, or have other unspecified impact.
A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file.
Workaround
There is no known workaround at this time.
Resolution
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-10.0.11"
All users of the Mozilla Firefox binary package should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-10.0.11"
All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-10.0.11"
All users of the Mozilla Thunderbird binary package should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-10.0.11"
All Mozilla SeaMonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.14-r1"
All users of the Mozilla SeaMonkey binary package should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-2.14"
All NSS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.14"
The “www-client/mozilla-firefox” package has been merged into the “www-client/firefox” package. To upgrade, please unmerge “www-client/mozilla-firefox” and then emerge the latest “www-client/firefox” package:
# emerge --sync
# emerge --unmerge "www-client/mozilla-firefox"
# emerge --ask --oneshot --verbose ">=www-client/firefox-10.0.11"
The “www-client/mozilla-firefox-bin” package has been merged into the “www-client/firefox-bin” package. To upgrade, please unmerge “www-client/mozilla-firefox-bin” and then emerge the latest “www-client/firefox-bin” package:
# emerge --sync
# emerge --unmerge "www-client/mozilla-firefox-bin"
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-10.0.11"
The “mail-client/mozilla-thunderbird” package has been merged into the “mail-client/thunderbird” package. To upgrade, please unmerge “mail-client/mozilla-thunderbird” and then emerge the latest “mail-client/thunderbird” package:
# emerge --sync
# emerge --unmerge "mail-client/mozilla-thunderbird"
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-10.0.11"
The “mail-client/mozilla-thunderbird-bin” package has been merged into the “mail-client/thunderbird-bin” package. To upgrade, please unmerge “mail-client/mozilla-thunderbird-bin” and then emerge the latest “mail-client/thunderbird-bin” package:
# emerge --sync
# emerge --unmerge "mail-client/mozilla-thunderbird-bin"
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-10.0.11"
Gentoo discontinued support for GNU IceCat. We recommend that users unmerge GNU IceCat:
# emerge --unmerge "www-client/icecat"
Gentoo discontinued support for XULRunner. We recommend that users unmerge XULRunner:
# emerge --unmerge "net-libs/xulrunner"
Gentoo discontinued support for the XULRunner binary package. We recommend that users unmerge XULRunner:
# emerge --unmerge "net-libs/xulrunner-bin"
References
CVE-2011-3101 CVE-2007-2436 CVE-2007-2437 CVE-2007-2671 CVE-2007-3073 CVE-2008-0016 CVE-2008-0017 CVE-2008-0367 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4063 CVE-2008-4064 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-4070 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5015 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5019 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024 CVE-2008-5052 CVE-2008-5500 CVE-2008-5501 CVE-2008-5502 CVE-2008-5503 CVE-2008-5504 CVE-2008-5505 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5510 CVE-2008-5511 CVE-2008-5512 CVE-2008-5513 CVE-2008-5822 CVE-2008-5913 CVE-2008-6961 CVE-2009-0071 CVE-2009-0071 CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 CVE-2009-0652 CVE-2009-0771 CVE-2009-0772 CVE-2009-0773 CVE-2009-0774 CVE-2009-0775 CVE-2009-0776 CVE-2009-0777 CVE-2009-1044 CVE-2009-1169 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312 CVE-2009-1313 CVE-2009-1392 CVE-2009-1563 CVE-2009-1571 CVE-2009-1828 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841 CVE-2009-2043 CVE-2009-2044 CVE-2009-2061 CVE-2009-2065 CVE-2009-2210 CVE-2009-2404 CVE-2009-2408 CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465 CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2470 CVE-2009-2471 CVE-2009-2472 CVE-2009-2477 CVE-2009-2478 CVE-2009-2479 CVE-2009-2535 CVE-2009-2654 CVE-2009-2662 CVE-2009-2664 CVE-2009-2665 CVE-2009-3069 CVE-2009-3070 CVE-2009-3071 CVE-2009-3072 CVE-2009-3074 CVE-2009-3075 CVE-2009-3076 CVE-2009-3077 CVE-2009-3078 CVE-2009-3079 CVE-2009-3274 CVE-2009-3371 CVE-2009-3372 CVE-2009-3373 CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3377 
CVE-2009-3378 CVE-2009-3379 CVE-2009-3380 CVE-2009-3381 CVE-2009-3382 CVE-2009-3383 CVE-2009-3388 CVE-2009-3389 CVE-2009-3555 CVE-2009-3978 CVE-2009-3979 CVE-2009-3980 CVE-2009-3981 CVE-2009-3982 CVE-2009-3983 CVE-2009-3984 CVE-2009-3985 CVE-2009-3986 CVE-2009-3987 CVE-2009-3988 CVE-2010-0159 CVE-2010-0160 CVE-2010-0162 CVE-2010-0163 CVE-2010-0164 CVE-2010-0165 CVE-2010-0166 CVE-2010-0167 CVE-2010-0167 CVE-2010-0168 CVE-2010-0169 CVE-2010-0169 CVE-2010-0170 CVE-2010-0171 CVE-2010-0171 CVE-2010-0172 CVE-2010-0173 CVE-2010-0174 CVE-2010-0174 CVE-2010-0175 CVE-2010-0175 CVE-2010-0176 CVE-2010-0176 CVE-2010-0177 CVE-2010-0178 CVE-2010-0179 CVE-2010-0181 CVE-2010-0182 CVE-2010-0183 CVE-2010-0220 CVE-2010-0648 CVE-2010-0654 CVE-2010-1028 CVE-2010-1121 CVE-2010-1125 CVE-2010-1196 CVE-2010-1197 CVE-2010-1198 CVE-2010-1199 CVE-2010-1200 CVE-2010-1201 CVE-2010-1202 CVE-2010-1203 CVE-2010-1205 CVE-2010-1206 CVE-2010-1207 CVE-2010-1208 CVE-2010-1209 CVE-2010-1210 CVE-2010-1211 CVE-2010-1212 CVE-2010-1213 CVE-2010-1214 CVE-2010-1215 CVE-2010-1585 CVE-2010-2751 CVE-2010-2752 CVE-2010-2753 CVE-2010-2754 CVE-2010-2755 CVE-2010-2760 CVE-2010-2762 CVE-2010-2763 CVE-2010-2764 CVE-2010-2765 CVE-2010-2766 CVE-2010-2767 CVE-2010-2768 CVE-2010-2769 CVE-2010-2770 CVE-2010-3131 CVE-2010-3166 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169 CVE-2010-3170 CVE-2010-3171 CVE-2010-3173 CVE-2010-3174 CVE-2010-3175 CVE-2010-3176 CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183 CVE-2010-3399 CVE-2010-3400 CVE-2010-3765 CVE-2010-3766 CVE-2010-3767 CVE-2010-3768 CVE-2010-3769 CVE-2010-3770 CVE-2010-3771 CVE-2010-3772 CVE-2010-3773 CVE-2010-3774 CVE-2010-3775 CVE-2010-3776 CVE-2010-3777 CVE-2010-3778 CVE-2010-4508 CVE-2010-5074 CVE-2011-0051 CVE-2011-0053 CVE-2011-0054 CVE-2011-0055 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 CVE-2011-0059 CVE-2011-0061 CVE-2011-0062 CVE-2011-0065 CVE-2011-0066 CVE-2011-0067 CVE-2011-0068 CVE-2011-0069 CVE-2011-0070 CVE-2011-0071 
CVE-2011-0072 CVE-2011-0073 CVE-2011-0074 CVE-2011-0075 CVE-2011-0076 CVE-2011-0077 CVE-2011-0078 CVE-2011-0079 CVE-2011-0080 CVE-2011-0081 CVE-2011-0082 CVE-2011-0083 CVE-2011-0084 CVE-2011-0085 CVE-2011-1187 CVE-2011-1202 CVE-2011-1712 CVE-2011-2362 CVE-2011-2363 CVE-2011-2364 CVE-2011-2365 CVE-2011-2369 CVE-2011-2370 CVE-2011-2371 CVE-2011-2372 CVE-2011-2373 CVE-2011-2374 CVE-2011-2375 CVE-2011-2376 CVE-2011-2377 CVE-2011-2378 CVE-2011-2605 CVE-2011-2980 CVE-2011-2981 CVE-2011-2982 CVE-2011-2983 CVE-2011-2984 CVE-2011-2985 CVE-2011-2986 CVE-2011-2987 CVE-2011-2988 CVE-2011-2989 CVE-2011-2990 CVE-2011-2991 CVE-2011-2993 CVE-2011-2995 CVE-2011-2996 CVE-2011-2997 CVE-2011-2998 CVE-2011-2999 CVE-2011-3000 CVE-2011-3001 CVE-2011-3002 CVE-2011-3003 CVE-2011-3004 CVE-2011-3005 CVE-2011-3026 CVE-2011-3062 CVE-2011-3232 CVE-2011-3389 CVE-2011-3640 CVE-2011-3647 CVE-2011-3648 CVE-2011-3649 CVE-2011-3650 CVE-2011-3651 CVE-2011-3652 CVE-2011-3653 CVE-2011-3654 CVE-2011-3655 CVE-2011-3658 CVE-2011-3659 CVE-2011-3660 CVE-2011-3661 CVE-2011-3663 CVE-2011-3665 CVE-2011-3670 CVE-2011-3866 CVE-2011-4688 CVE-2012-0441 CVE-2012-0442 CVE-2012-0443 CVE-2012-0444 CVE-2012-0445 CVE-2012-0446 CVE-2012-0447 CVE-2012-0449 CVE-2012-0450 CVE-2012-0451 CVE-2012-0452 CVE-2012-0455 CVE-2012-0456 CVE-2012-0457 CVE-2012-0458 CVE-2012-0459 CVE-2012-0460 CVE-2012-0461 CVE-2012-0462 CVE-2012-0463 CVE-2012-0464 CVE-2012-0467 CVE-2012-0468 CVE-2012-0469 CVE-2012-0470 CVE-2012-0471 CVE-2012-0473 CVE-2012-0474 CVE-2012-0475 CVE-2012-0477 CVE-2012-0478 CVE-2012-0479 CVE-2012-1937 CVE-2012-1938 CVE-2012-1939 CVE-2012-1940 CVE-2012-1941 CVE-2012-1945 CVE-2012-1946 CVE-2012-1947 CVE-2012-1948 CVE-2012-1949 CVE-2012-1950 CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 CVE-2012-1955 CVE-2012-1956 CVE-2012-1957 CVE-2012-1958 CVE-2012-1959 CVE-2012-1960 CVE-2012-1961 CVE-2012-1962 CVE-2012-1963 CVE-2012-1964 CVE-2012-1965 CVE-2012-1966 CVE-2012-1967 CVE-2012-1970 CVE-2012-1971 CVE-2012-1972 
CVE-2012-1973 CVE-2012-1974 CVE-2012-1975 CVE-2012-1976 CVE-2012-1994 CVE-2012-3956 CVE-2012-3957 CVE-2012-3958 CVE-2012-3959 CVE-2012-3960 CVE-2012-3961 CVE-2012-3962 CVE-2012-3963 CVE-2012-3964 CVE-2012-3965 CVE-2012-3966 CVE-2012-3967 CVE-2012-3968 CVE-2012-3969 CVE-2012-3970 CVE-2012-3971 CVE-2012-3972 CVE-2012-3973 CVE-2012-3975 CVE-2012-3976 CVE-2012-3977 CVE-2012-3978 CVE-2012-3980 CVE-2012-3982 CVE-2012-3984 CVE-2012-3985 CVE-2012-3986 CVE-2012-3988 CVE-2012-3989 CVE-2012-3990 CVE-2012-3991 CVE-2012-3992 CVE-2012-3993 CVE-2012-3994 CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 CVE-2012-4184 CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 CVE-2012-4190 CVE-2012-4191 CVE-2012-4192 CVE-2012-4193 CVE-2012-4194 CVE-2012-4195 CVE-2012-4196 CVE-2012-4201 CVE-2012-4202 CVE-2012-4204 CVE-2012-4205 CVE-2012-4206 CVE-2012-4207 CVE-2012-4208 CVE-2012-4209 CVE-2012-4210 CVE-2012-4212 CVE-2012-4215 CVE-2012-4216 CVE-2012-5354 CVE-2012-5829 CVE-2012-5830 CVE-2012-5833 CVE-2012-5835 CVE-2012-5836 CVE-2012-5838 CVE-2012-5839 CVE-2012-5840 CVE-2012-5841 CVE-2012-5842 CVE-2012-5843 Firefox Blocking Fraudulent Certificates Mozilla Foundation Security Advisory 2011-11 Mozilla Foundation Security Advisory 2011-34
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.