SuSE Update for MozillaFirefox,mozilla,seamonkey SUSE-SA:2007:057

Impact
remote code execution
Solution
Please Install the Updated Packages.
Insight
Various problems were identified and fixed in the Mozilla family of browsers. The Mozilla Firefox Browser was updated to security update version 2.0.0.8 for SUSE Linux Enterprise 10, SUSE Linux 10.1, openSUSE 10.2 and 10.3. On Novell Linux Desktop 9 the fixes were back ported to the 1.5.0.12 Firefox version. Mozilla Seamonkey was updated to 1.1.5 on openSUSE 10.2 and 10.3, the older products received backports to Mozilla Seamonkey 1.0.9. MozillaThunderbird updates are not yet available. Following security problems were fixed: - CVE-2007-3844: Privilege escalation through chrome-loaded about:blank windows Mozilla researcher moz_bug_r_a4 reported that a flaw was introduced by the fix for MFSA 2007-20 that could enable privilege escalation attacks against addons that create &quot about:blank&quot windows and populate them in certain ways (including implicit &quot about:blank&quot document creation through data: or javascript: URLs in a new window). - MFSA 2007-29: Crashes with evidence of memory corruption As part of the Firefox 2.0.0.8 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. - CVE-2007-5339 Browser crashes - CVE-2007-5340 JavaScript engine crashes - CVE-2007-1095: onUnload Tailgating Michal Zalewski demonstrated that onUnload event handlers had access to the address of the new page about to be loaded, even if the navigation was triggered from outside the page content such as by using a bookmark, pressing the back button, or typing an address into the location bar. If the bookmark contained sensitive information in the URL the attacking page might be able to take advantage of it. An attacking page would also be able to redirect the user, perhaps to a phishing page that looked like the site the user thought they were about to visit. - CVE-2007-2292: Digest authentication request splitting Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication t ... Description truncated, for more information please check the Reference URL
Affected
MozillaFirefox,mozilla,seamonkey on SUSE LINUX 10.1, openSUSE 10.2, openSUSE 10.3, SuSE Linux Enterprise Server 8, SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SUSE Linux Enterprise Desktop 10 SP1, SUSE Linux Enterprise Server 10 SP1
References