CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.8%
CentOS Errata and Security Advisory CESA-2007:0079
Mozilla Firefox is an open source Web browser.
Several flaws were found in the way Firefox processed certain malformed
JavaScript code. A malicious web page could execute JavaScript code in such
a way that may result in Firefox crashing or executing arbitrary code as
the user running Firefox. (CVE-2007-0775, CVE-2007-0777)
Several cross-site scripting (XSS) flaws were found in the way Firefox
processed certain malformed web pages. A malicious web page could display
misleading information which may result in a user unknowingly divulging
sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995,
CVE-2007-0996)
A flaw was found in the way Firefox cached web pages on the local disk. A
malicious web page may be able to inject arbitrary HTML into a browsing
session if the user reloads a targeted site. (CVE-2007-0778)
A flaw was found in the way Firefox displayed certain web content. A
malicious web page could generate content which could overlay user
interface elements such as the hostname and security indicators, tricking a
user into thinking they are visiting a different site. (CVE-2007-0779)
Two flaws were found in the way Firefox displayed blocked popup windows. If
a user can be convinced to open a blocked popup, it is possible to read
arbitrary local files, or conduct an XSS attack against the user.
(CVE-2007-0780, CVE-2007-0800)
Two buffer overflow flaws were found in the Network Security Services (NSS)
code for processing the SSLv2 protocol. Connecting to a malicious secure
web server could cause the execution of arbitrary code as the user running
Firefox. (CVE-2007-0008, CVE-2007-0009)
A flaw was found in the way Firefox handled the “location.hostname” value
during certain browser domain checks. This flaw could allow a malicious web
site to set domain cookies for an arbitrary site, or possibly perform an
XSS attack. (CVE-2007-0981)
Users of Firefox are advised to upgrade to these erratum packages, which
contain Firefox version 1.5.0.10 that corrects these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-February/075726.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075728.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075729.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075730.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075735.html
https://lists.centos.org/pipermail/centos-announce/2007-February/075736.html
Affected packages:
firefox
Upstream details at:
https://access.redhat.com/errata/RHSA-2007:0079
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 4 | ia64 | firefox | < 1.5.0.10-0.1.el4.centos | firefox-1.5.0.10-0.1.el4.centos.ia64.rpm |
CentOS | 4 | s390 | firefox | < 1.5.0.10-0.1.el4.centos | firefox-1.5.0.10-0.1.el4.centos.s390.rpm |
CentOS | 4 | s390x | firefox | < 1.5.0.10-0.1.el4.centos | firefox-1.5.0.10-0.1.el4.centos.s390x.rpm |
CentOS | 4 | x86_64 | firefox | < 1.5.0.10-0.1.el4.centos | firefox-1.5.0.10-0.1.el4.centos.x86_64.rpm |
CentOS | 4 | i386 | firefox | < 1.5.0.10-0.1.el4.centos | firefox-1.5.0.10-0.1.el4.centos.i386.rpm |
CentOS | 4 | i386 | firefox | < 1.5.0.10-0.1.el4.centos3 | firefox-1.5.0.10-0.1.el4.centos3.i386.rpm |
CentOS | 4 | x86_64 | firefox | < 1.5.0.10-0.1.el4.centos3 | firefox-1.5.0.10-0.1.el4.centos3.x86_64.rpm |