firefox security patches attached
Mike Hommey
mh at glandium.org
Sat Sep 24 07:32:26 UTC 2005
On Fri, Sep 23, 2005 at 05:30:30PM -0400, Noah Meyerhans <noahm at debian.org> wrote:
> On Fri, Sep 23, 2005 at 03:10:54PM +0200, Alexander Sack wrote:
> > So what to do: Please give me feedback on the mfsa_*_short.txt files.
> > They are thought to be included in the changelog. Any suggestions on
> > the content and layout of such changelog entries are welcome.
>
> OK, I've connected CVE references to the bugs fixed by your patch.
> Here's an initial attempt at a changelog entry for 1.0.4-2sarge4:
>
> mozilla-firefox (1.0.4-2sarge4) stable-security; urgency=critical
>
> * MFSA-2005-59 - Command-line handling on Linux allows shell execution
> CAN-2005-2968
> URLs passed to Linux versions of Firefox on the command-line are
> not correctly protected against interpretation by the shell. As a
> result a malicious URL can result in the execution of shell
> commands with the privileges of the user. If Firefox is set as
> the default handler for web URLs then opening a URL in another
> program (for example, links in a mail or chat client) can result
> in shell command execution.
Again, we're not subject to this one.
Mike
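
Added example, not part of the mailing list messages and not Firefox's launcher code: the class of bug the quoted MFSA-2005-59 entry describes, shown as a wrapper that lets the shell re-parse a URL next to one that passes it through as a single quoted argument. The names browser_stub, launch_unsafe, launch_safe and check_wrapper are hypothetical, and the sample URL is constructed.

```shell
#!/bin/sh
# Constructed URL-handler wrappers for illustration; not Firefox's own script.
# browser_stub stands in for the browser binary and records what it was given.

WORK=$(mktemp -d)

browser_stub() {
    # Record each argument exactly as received, one per line.
    printf '%s\n' "$@" > "$WORK/received"
}

# Weak form: the URL is pasted into a string that the shell parses a second
# time, so metacharacters inside the URL are treated as shell syntax.
launch_unsafe() {
    eval "browser_stub $1"
}

# Corrected form: the URL stays one quoted argument and is never re-parsed.
launch_safe() {
    browser_stub "$1"
}

# Constructed sample input: the embedded command only touches a marker file.
SAMPLE_URL='http://example.invalid/$(touch "$WORK/marker")'

# check_wrapper NAME: run wrapper NAME on the sample URL and report whether
# the embedded command ran ("executed") or stayed plain data ("inert").
check_wrapper() {
    rm -f "$WORK/marker" "$WORK/received"
    "$1" "$SAMPLE_URL"
    if [ -e "$WORK/marker" ]; then echo executed; else echo inert; fi
}

check_wrapper launch_unsafe
check_wrapper launch_safe
```

The same check works as a regression test for any script registered as a URL handler: feed it a URL containing shell metacharacters and confirm the program it starts receives the string byte for byte.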