Test ID:1.3.6.1.4.1.25623.1.0.60630
Category:Ubuntu Local Security Checks
Title:Ubuntu USN-592-1 (firefox)
Summary:Ubuntu USN-592-1 (firefox)
Description:
The remote host is missing an update to firefox
announced via advisory USN-592-1.

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

Details follow:

Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu discovered flaws
in Firefox's character encoding handling. If a user were tricked into
opening a malicious web page, an attacker could perform cross-site
scripting attacks. (CVE-2008-0416)

Various flaws were discovered in the JavaScript engine. By tricking
a user into opening a malicious web page, an attacker could escalate
privileges within the browser, perform cross-site scripting attacks
and/or execute arbitrary code with the user's privileges.
(CVE-2008-1233, CVE-2008-1234, CVE-2008-1235)

Several problems were discovered in Firefox which could lead to crashes
and memory corruption. If a user were tricked into opening a malicious
web page, an attacker may be able to execute arbitrary code with the
user's privileges. (CVE-2008-1236, CVE-2008-1237)

Gregory Fleischer discovered Firefox did not properly process HTTP
Referrer headers when they were sent with requests to URLs
containing Basic Authentication credentials with empty usernames. An
attacker could exploit this vulnerability to perform cross-site request
forgery attacks. (CVE-2008-1238)

Peter Brodersen and Alexander Klink reported that the default setting in
Firefox for SSL Client Authentication allowed users to be tracked
via their client certificate. The default has been changed to prompt
the user each time a website requests a client certificate.
(CVE-2007-4879)

Gregory Fleischer discovered that web content fetched via the jar
protocol could use Java LiveConnect to connect to arbitrary ports on
the user's machine due to improper parsing in the Java plugin. If a
user were tricked into opening malicious web content, an attacker may be
able to access services running on the user's machine. (CVE-2008-1195,
CVE-2008-1240)

Chris Thomas discovered that Firefox would allow an XUL popup from an
unselected tab to display in front of the selected tab. An attacker
could exploit this behavior to spoof a login prompt and steal the user's
credentials. (CVE-2008-1241)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
firefox 1.5.dfsg+1.5.0.15~prepatch080323a-0ubuntu1

Ubuntu 6.10:
firefox 2.0.0.13+0nobinonly-0ubuntu0.6.10

Ubuntu 7.04:
firefox 2.0.0.13+0nobinonly-0ubuntu0.7.4

Ubuntu 7.10:
firefox 2.0.0.13+1nobinonly-0ubuntu0.7.10

After a standard system upgrade you need to restart firefox to effect
the necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-592-1

Risk factor : Critical
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-4879
Bugtraq: 20080327 rPSA-2008-0128-1 firefox
http://www.securityfocus.com/archive/1/archive/1/490196/100/0/threaded
http://0x90.eu/ff_tls_poc.html
Debian Security Information: DSA-1532
http://www.debian.org/security/2008/dsa-1532
Debian Security Information: DSA-1534
http://www.debian.org/security/2008/dsa-1534
Debian Security Information: DSA-1535
http://www.debian.org/security/2008/dsa-1535
http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2008:080
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238492-1
SuSE Security Announcement: SUSE-SA:2008:019
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00002.html
http://www.ubuntu.com/usn/usn-592-1
Cert/CC Advisory: TA08-087A
http://www.us-cert.gov/cas/techalerts/TA08-087A.html
BugTraq ID: 28448
http://www.securityfocus.com/bid/28448
http://www.vupen.com/english/advisories/2008/0998/references
http://www.vupen.com/english/advisories/2008/1793/references
http://www.securitytracker.com/id?1019704
http://secunia.com/advisories/29560
http://secunia.com/advisories/29539
http://secunia.com/advisories/29558
http://secunia.com/advisories/29616
http://secunia.com/advisories/29526
http://secunia.com/advisories/29541
http://secunia.com/advisories/29547
http://secunia.com/advisories/29645
http://secunia.com/advisories/30327
http://secunia.com/advisories/30620
Common Vulnerability Exposure (CVE) ID: CVE-2008-0416
https://bugzilla.mozilla.org/buglist.cgi?bug_id=404252,381412,407161
Debian Security Information: DSA-1484
http://www.debian.org/security/2008/dsa-1484
Debian Security Information: DSA-1485
http://www.debian.org/security/2008/dsa-1485
Debian Security Information: DSA-1489
http://www.debian.org/security/2008/dsa-1489
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239546-1
TurboLinux Advisory: TLSA-2008-9
http://www.turbolinux.com/security/2008/TLSA-2008-9.txt
http://www.ubuntulinux.org/support/documentation/usn/usn-576-1
http://jvn.jp/en/jp/JVN21563357/index.html
http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000021.html
BugTraq ID: 29303
http://www.securityfocus.com/bid/29303
http://www.vupen.com/english/advisories/2008/2091/references
http://secunia.com/advisories/28839
http://secunia.com/advisories/28864
http://secunia.com/advisories/28865
http://secunia.com/advisories/28879
http://secunia.com/advisories/31043
XForce ISS Database: firefox-character-encoding-xss(40488)
http://xforce.iss.net/xforce/xfdb/40488
Common Vulnerability Exposure (CVE) ID: CVE-2008-1195
http://lists.apple.com/archives/security-announce//2008/Sep/msg00008.html
http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
http://security.gentoo.org/glsa/glsa-200804-28.xml
http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml
http://www.redhat.com/support/errata/RHSA-2008-0186.html
http://www.redhat.com/support/errata/RHSA-2008-0210.html
http://www.redhat.com/support/errata/RHSA-2008-0267.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-233326-1
SuSE Security Announcement: SUSE-SA:2008:018
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00000.html
SuSE Security Announcement: SUSE-SA:2008:025
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00010.html
Cert/CC Advisory: TA08-066A
http://www.us-cert.gov/cas/techalerts/TA08-066A.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9486
http://www.vupen.com/english/advisories/2008/0770/references
http://www.vupen.com/english/advisories/2008/1856/references
http://www.securitytracker.com/id?1019553
http://secunia.com/advisories/29273
http://secunia.com/advisories/29239
http://secunia.com/advisories/29498
http://secunia.com/advisories/29582
http://secunia.com/advisories/29858
http://secunia.com/advisories/29897
http://secunia.com/advisories/30676
http://secunia.com/advisories/30780
http://secunia.com/advisories/31497
http://secunia.com/advisories/32018
XForce ISS Database: sun-jre-javascript-unauthorized-access(41030)
http://xforce.iss.net/xforce/xfdb/41030
Common Vulnerability Exposure (CVE) ID: CVE-2008-1233
Debian Security Information: DSA-1574
http://www.debian.org/security/2008/dsa-1574
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00058.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00074.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:155
RedHat Security Advisories: RHSA-2008:0208
http://rhn.redhat.com/errata/RHSA-2008-0208.html
http://www.redhat.com/support/errata/RHSA-2008-0207.html
http://www.redhat.com/support/errata/RHSA-2008-0209.html
http://marc.info/?l=slackware-security&m=121022465927874&w=2
http://www.ubuntu.com/usn/usn-605-1
CERT/CC vulnerability note: VU#466521
http://www.kb.cert.org/vuls/id/466521
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11078
http://www.vupen.com/english/advisories/2008/0999/references
http://www.securitytracker.com/id?1019694
http://secunia.com/advisories/29391
http://secunia.com/advisories/29548
http://secunia.com/advisories/29550
http://secunia.com/advisories/29607
http://secunia.com/advisories/30016
http://secunia.com/advisories/30094
http://secunia.com/advisories/30370
http://secunia.com/advisories/30192
http://secunia.com/advisories/30105
XForce ISS Database: mozilla-settimeout-code-execution(41443)
http://xforce.iss.net/xforce/xfdb/41443
Common Vulnerability Exposure (CVE) ID: CVE-2008-1234
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9551
XForce ISS Database: firefox-eventhandlers-xss(41455)
http://xforce.iss.net/xforce/xfdb/41455
Common Vulnerability Exposure (CVE) ID: CVE-2008-1235
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10980
XForce ISS Database: mozilla-principal-code-execution(41457)
http://xforce.iss.net/xforce/xfdb/41457
Common Vulnerability Exposure (CVE) ID: CVE-2008-1236
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11788
http://www.securitytracker.com/id?1019695
XForce ISS Database: mozilla-layoutengine-code-execution(41445)
http://xforce.iss.net/xforce/xfdb/41445
Common Vulnerability Exposure (CVE) ID: CVE-2008-1237
SuSE Security Announcement: SUSE-SR:2008:011
http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9651
XForce ISS Database: firefox-javascript-engine-code-execution(41446)
http://xforce.iss.net/xforce/xfdb/41446
Common Vulnerability Exposure (CVE) ID: CVE-2008-1238
http://sla.ckers.org/forum/read.php?10,20033
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:9889
http://www.securitytracker.com/id?1019703
XForce ISS Database: mozilla-http-referrer-spoofing(41449)
http://xforce.iss.net/xforce/xfdb/41449
Common Vulnerability Exposure (CVE) ID: CVE-2008-1240
XForce ISS Database: mozilla-liveconnect-unauthorized-access(41458)
http://xforce.iss.net/xforce/xfdb/41458
Common Vulnerability Exposure (CVE) ID: CVE-2008-1241
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11163
http://www.securitytracker.com/id?1019700
XForce ISS Database: firefox-xul-popup-spoofing(41454)
http://xforce.iss.net/xforce/xfdb/41454
Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com
