From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- metadata/glsa/glsa-200507-24.xml | 109 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 metadata/glsa/glsa-200507-24.xml (limited to 'metadata/glsa/glsa-200507-24.xml') diff --git a/metadata/glsa/glsa-200507-24.xml b/metadata/glsa/glsa-200507-24.xml new file mode 100644 index 000000000000..27fc0f52d765 --- /dev/null +++ b/metadata/glsa/glsa-200507-24.xml @@ -0,0 +1,109 @@ + + + + Mozilla Suite: Multiple vulnerabilities + + Several vulnerabilities in the Mozilla Suite allow attacks ranging from the + execution of javascript code with elevated privileges to information + leakage. + + mozilla + 2005-07-26 + 2005-07-26: 01 + 98846 + remote + + + 1.7.10 + 1.7.10 + + + 1.7.10 + 1.7.10 + + + +

+ The Mozilla Suite is an all-in-one Internet application suite + including a web browser, an advanced e-mail and newsgroup client, IRC + client and HTML editor. +

+ + +

+ The following vulnerabilities were found and fixed in the Mozilla + Suite: +

+
    +
  • "moz_bug_r_a4" and "shutdown" discovered that the + Mozilla Suite was improperly cloning base objects (MFSA 2005-56).
    • +
  • "moz_bug_r_a4" reported that the suite failed to validate XHTML DOM + nodes properly (MFSA 2005-55).
    • +
  • Secunia reported that alerts + and prompts scripts are presented with the generic title [JavaScript + Application] which could lead to tricking a user (MFSA 2005-54).
    • +
  • Andreas Sandblad of Secunia reported that top.focus() can be called + in the context of a child frame even if the framing page comes from a + different origin and has overridden the focus() routine (MFSA + 2005-52).
    • +
  • Secunia reported that a frame-injection spoofing bug + which was fixed in earlier versions, was accidently bypassed in Mozilla + Suite 1.7.7 (MFSA 2005-51).
    • +
  • "shutdown" reported that + InstallVersion.compareTo() might be exploitable. When it gets an object + rather than a string, the browser would generally crash with an access + violation (MFSA 2005-50).
    • +
  • Matthew Mastracci reported that by + forcing a page navigation immediately after calling the install method + can end up running in the context of the new page selected by the + attacker (MFSA 2005-48).
    • +
  • "moz_bug_r_a4" reported that XBL + scripts run even when Javascript is disabled (MFSA 2005-46).
    • +
  • + Omar Khan, Jochen, "shutdown" and Matthew Mastracci reported that the + Mozilla Suite incorrectly distinguished between true events like mouse + clicks or keystrokes and synthetic events generated by a web content + (MFSA 2005-45).
    • +
+ + +

+ A remote attacker could craft malicious web pages that would + leverage these issues to inject and execute arbitrary javascript code + with elevated privileges, steal cookies or other information from web + pages, or spoof content. +

+ + +

+ There is no known workaround at this time. +

+ + +

+ All Mozilla Suite users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.10" +

+ All Mozilla Suite binary users should upgrade to the latest + version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.10" + + + Mozilla Foundation Security Advisories + + + DerCorny + + + DerCorny + + + adir + + -- cgit v1.2.3