Description:
Summary: The remote host is missing an update for the 'firefox' package(s) announced via the referenced advisory.
Vulnerability Insight: Mozilla Firefox is an open source web browser.
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0461, CVE-2012-0462, CVE-2012-0464)
Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0456, CVE-2012-0457)
A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a 'javascript:' link onto a frame. (CVE-2012-0455)
It was found that the home page could be set to a 'javascript:' link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox. (CVE-2012-0458)
A flaw was found in the way Firefox parsed certain web content containing 'cssText'. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-0459)
It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing. (CVE-2012-0460)
A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw. (CVE-2012-0451)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.3 ESR. You can find a link to the Mozilla advisories in the References section of this erratum.
This update also fixes the following bugs:
* When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox. (BZ#729632)
* Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash. (BZ#784048)
* The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the ...
Description truncated, please see the referenced URL(s) for more information.
Affected Software/OS: firefox on CentOS 6
Solution: Please install the updated packages.
CVSS Score: 9.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C