-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: mozilla,MozillaFirefox,epiphany,galeon
Announcement ID: SUSE-SA:2005:045
Date: Thu, 11 Aug 2005 15:00:00 +0000
Affected Products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
SUSE Linux Enterprise Server 8, 9
Novell Linux Desktop 9
Vulnerability Type: information leak
Severity (1-10): 7
SUSE Default Package: yes
Cross-References: MFSA 2005-56 CAN-2005-2270
MFSA 2005-55 CAN-2005-2269
MFSA 2005-54 CAN-2005-2268
MFSA 2005-53 CAN-2005-2267
MFSA 2005-52 CAN-2005-2266
MFSA 2005-51 CAN-2005-1937
MFSA 2005-50 CAN-2005-2265
MFSA 2005-49 CAN-2005-2264
MFSA 2005-48 CAN-2005-2263
MFSA 2005-47 CAN-2005-2262
MFSA 2005-46 CAN-2005-2261
MFSA 2005-45 CAN-2005-2260
Content of This Advisory:
1) Security Vulnerability Resolved:
Various security problems in the Mozilla suite and Mozilla Firefox
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Various security vulnerabilities in the Mozilla browser suite and
the Mozilla Firefox browser have been reported and fixed upstream.
The Mozilla suite browser has been updated to the security fix level
of Mozilla 1.7.11, and the Mozilla Firefox browser has been updated to
the fix level of Firefox 1.0.6.
Security relevant bugs that are fixed include (but are not limited to):
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Stealing of sensitive information via _search and the Firefox sidebar
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 "Set as wallpaper" javascript: privilege escalation
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities
This update also upgrades the version of the Mozilla suite for the
following products:
* SUSE Linux Desktop 1.0:
The original Mozilla 1.4 branch browser is upgraded to the Mozilla
1.7 branch version.
We were not able to port the galeon web browser included in SUSE
Linux Desktop 1.0 to support Mozilla 1.7 in time, so we no longer
support it.
The galeon package on SUSE Linux Desktop 1.0 is removed by this update.
* SUSE Linux Enterprise Server 8:
The original Mozilla 1.4 branch browser is upgraded to the Mozilla
1.7 branch version.
* SUSE Linux Enterprise Server 9:
The Mozilla version 1.6 shipped with GA of the SUSE Linux Enterprise
Server 9 was replaced by the Mozilla 1.7 branch version in Service
Pack 2.
* SUSE Linux 8.2, 9.0, 9.1:
The Mozilla version 1.4 and 1.6 contained in the SUSE Linux versions
8.2 up to 9.1 was replaced by the Mozilla 1.7 branch version.
We were not able to port the galeon and epiphany web browsers included
in SUSE Linux 9.0 up to 9.1 to support Mozilla 1.7 in time, so we will
no longer support them.
The galeon and epiphany packages on SUSE Linux 9.0 and 9.1 are removed
by this update.
2) Solution or Work-Around
Please install the upgraded packages and make sure you restart your
browsers after the update.
A workaround would be to deinstall the Mozilla browser suite and/or
the Firefox web browser.
3) Special Instructions and Notes
Please note that galeon will be deinstalled by this update on SUSE
Linux Desktop 1.0, SUSE Linux 8.2, 9.0 and 9.1.
Also note that epiphany will be deinstalled by this update on SUSE
Linux 9.0 and 9.1.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web.
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement are
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum <file>
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
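The verification chain this section describes, written out as an added example script (not part of the SUSE announcement): it verifies the announcement's signature with gpg, then compares a downloaded package's md5sum with the sum the announcement lists for that exact filename. It assumes gpg and GNU coreutils md5sum on the PATH and that the announcement lists each sum on one line as "<md5sum> <filename>"; all filenames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the SUSE announcement: the package check from
# section 6 as a script. Assumes gpg and GNU md5sum are on the PATH and that
# the announcement lists each checksum on one line as "<md5sum> <filename>".

# Step 1: the announcement must carry a good signature, otherwise the
# checksums inside it prove nothing. Returns gpg's exit status.
verify_announcement_sig() {
    gpg --verify "$1" >/dev/null 2>&1
}

# Step 2: the MD5 sum the announcement lists for this exact basename.
# Exact match only: a published sum is valid for that package build alone,
# so a newer build of the same package cannot be verified this way.
expected_md5() {
    awk -v f="$(basename "$2")" '$2 == f { print $1; exit }' "$1"
}

# Step 3: compare the sum of the downloaded file with the listed one.
# Returns 0 on match, 1 on mismatch, 2 when the announcement does not list it.
check_package_md5() {
    ann_file="$1"; pkg_file="$2"; pkg_name="$(basename "$pkg_file")"
    want="$(expected_md5 "$ann_file" "$pkg_file")"
    if [ -z "$want" ]; then
        echo "NOT LISTED: $pkg_name is not in $ann_file" >&2
        return 2
    fi
    have="$(md5sum "$pkg_file" | awk '{ print $1 }')"
    if [ "$have" = "$want" ]; then
        echo "OK: $pkg_name matches the signed announcement"
        return 0
    fi
    echo "MISMATCH: $pkg_name has $have, announcement lists $want" >&2
    return 1
}

# Whole chain of trust: trust the package only if the announcement signature
# is good AND the checksum matches.
verify_package() {
    verify_announcement_sig "$1" || { echo "bad announcement signature" >&2; return 1; }
    check_package_md5 "$1" "$2"
}

# Usage: sh verify.sh <announcement.txt> <file.rpm>
if [ "$#" -eq 2 ]; then
    verify_package "$1" "$2"
fi
```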
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
====================================================================
SUSE's security contact is or .
The public key is listed below.
====================================================================