Test ID: | 1.3.6.1.4.1.25623.1.0.64509 |
Category: | Red Hat Local Security Checks |
Title: | RedHat Security Advisory RHSA-2009:1185 |
Description: |
Summary: The remote host is missing updates announced in advisory RHSA-2009:1185.

SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor.

Moxie Marlinspike reported a heap overflow flaw in a regular expression parser in the NSS library (provided by SeaMonkey) used to match common names in certificates. A malicious website could present a carefully-crafted certificate in such a way as to trigger the heap overflow, leading to a crash or, possibly, arbitrary code execution with the permissions of the user running SeaMonkey. (CVE-2009-2404)

Note: in order to exploit this issue without further user interaction, the carefully-crafted certificate would need to be signed by a Certificate Authority trusted by SeaMonkey, otherwise SeaMonkey presents the victim with a warning that the certificate is untrusted. Only if the user then accepts the certificate will the overflow take place.

All SeaMonkey users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, SeaMonkey must be restarted for the update to take effect.

Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date

CVSS Score: 9.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C |
Cross Reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2009-2404
1021030 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021030.1-1
1021699 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021699.1-1
273910 http://sunsolve.sun.com/search/document.do?assetkey=1-66-273910-1
35891 http://www.securityfocus.com/bid/35891
36088 http://secunia.com/advisories/36088
36102 http://secunia.com/advisories/36102
36125 http://secunia.com/advisories/36125
36139 http://secunia.com/advisories/36139
36157 http://secunia.com/advisories/36157
36434 http://secunia.com/advisories/36434
37098 http://secunia.com/advisories/37098
39428 http://secunia.com/advisories/39428
ADV-2009-2085 http://www.vupen.com/english/advisories/2009/2085
DSA-1874 http://www.debian.org/security/2009/dsa-1874
MDVSA-2009:197 http://www.mandriva.com/security/advisories?name=MDVSA-2009:197
MDVSA-2009:216 http://www.mandriva.com/security/advisories?name=MDVSA-2009:216
RHSA-2009:1185 http://rhn.redhat.com/errata/RHSA-2009-1185.html
RHSA-2009:1207 http://www.redhat.com/support/errata/RHSA-2009-1207.html
SUSE-SA:2009:048 http://www.novell.com/linux/security/advisories/2009_48_firefox.html
TA10-103B http://www.us-cert.gov/cas/techalerts/TA10-103B.html
USN-810-1 http://www.ubuntu.com/usn/usn-810-1
USN-810-2 https://usn.ubuntu.com/810-2/
http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf
http://www.mozilla.org/security/announce/2009/mfsa2009-43.html
http://www.oracle.com/technetwork/topics/security/cpuapr2010-099504.html
https://bugzilla.redhat.com/show_bug.cgi?id=512912
oval:org.mitre.oval:def:11174 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11174
oval:org.mitre.oval:def:8658 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8658 |
Copyright | Copyright (C) 2009 E-Soft Inc. |