[bressers@redhat.com: FWD: Mozilla CVE names]

Martin Schulze joey at infodrom.org
Wed Sep 28 09:19:06 UTC 2005


These should be the names.

----- Forwarded message from Josh Bressers <bressers at redhat.com> -----

To: vendor-sec at lst.de
From: Josh Bressers <bressers at redhat.com>
Subject: FWD: Mozilla CVE names
Date: Fri, 23 Sep 2005 14:24:45 -0400
X-Folder: debian-security-private at lists.infodrom.org


------- Forwarded Message

Date:    Fri, 23 Sep 2005 14:02:43 -0400
From:    "Steven M. Christey" <coley at linus.mitre.org>
To:      Josh Bressers <bressers at redhat.com>
cc:      coley at mitre.org, mjc at redhat.com
Subject: Re: Mozilla CVE names


On Fri, 23 Sep 2005, Josh Bressers wrote:

> Red Hat allocated CVE names for the latest round of mozilla fixes.

Thanks for the heads up.  I assume you forwarded to vendor-sec.

Is there a way to get Mozilla to use CANs more directly?

See initial descriptions below.

- - Steve

======================================================
Candidate: CAN-2005-2701
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Heap-based buffer overflow in Firefox 1.0.7 and Mozilla Suite 1.7.12
allows remote attackers to execute arbitrary code via an XBM image
file that ends in a large number of spaces instead of the expected end
tag.


======================================================
Candidate: CAN-2005-2702
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via Unicode sequences with "zero-width non-joiner" characters.


======================================================
Candidate: CAN-2005-2703
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
modify HTTP headers of XML HTTP requests via XMLHttpRequest, and
possibly use the client to exploit vulnerabilities in servers or
proxies.


======================================================
Candidate: CAN-2005-2704
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
spoof DOM objects via an XBL control that implements an internal XPCOM
interface.


======================================================
Candidate: CAN-2005-2705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Integer overflow in the JavaScript engine in Firefox 1.0.7 and Mozilla
Suite 1.7.12 might allow remote attackers to execute arbitrary code.


======================================================
Candidate: CAN-2005-2706
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
execute Javascript with chrome privileges via an about: page such as
about:mozilla.


======================================================
Candidate: CAN-2005-2707
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
spawn windows without user interface components such as the address
and status bar, which could be used to conduct spoofing or phishing
attacks.


======================================================
Candidate: CAN-2005-2968
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=307185
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html
Reference: SECUNIA:16869
Reference: URL:http://secunia.com/advisories/16869

Firefox 1.0.6 and Mozilla 1.7.10 allows attackers to execute arbitrary
commands via shell metacharacters in a URL that is provided to the
browser on the command line, which is sent unfiltered to bash.


------- End of Forwarded Message

_______________________________________________
Vendor Security mailing list
Vendor Security at lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

----- End forwarded message -----

-- 
The good thing about standards is that there are so many to choose from.
		-- Andrew S. Tanenbaum

Please always Cc to me when replying to me on the lists.
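The last candidate above (CAN-2005-2968) describes a URL that reached bash unfiltered when the browser was started from the command line. As an added example, not part of this message and not code from Mozilla or Red Hat, the block below shows the launcher-side mitigation for that class of bug: the string-built command beside the argv form that never touches a shell, plus a quoted fallback and a small metacharacter check. The browser name "firefox", the scheme allowlist, and the sample URL are assumptions; the commands are tokenised with `shlex` rather than executed so the difference is visible without running anything.

```python
import shlex
from urllib.parse import urlsplit

# Assumption (not from the advisory): the browser binary and the URL schemes a
# launcher is willing to open.
BROWSER = "firefox"
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# Characters a POSIX shell interprets. A URL containing any of these, pasted
# unquoted into a command string, changes what the shell runs.
SHELL_METACHARS = set(";&|<>()$`\\\"' \t\n*?[]{}")


def has_shell_metachars(url: str) -> bool:
    """Detection-side check: does this URL carry anything a shell would parse?"""
    return any(ch in SHELL_METACHARS for ch in url)


def vulnerable_command(url: str) -> str:
    """The failure mode from CAN-2005-2968 reduced to its essence: the URL is
    interpolated into a command string that a shell will parse. Returned, not
    executed, so its tokenisation can be inspected."""
    return f"{BROWSER} {url}"


def validate_url(url: str) -> str:
    """Allowlist the scheme and require a host before the URL goes anywhere."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing URL scheme {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return url


def safe_argv(url: str) -> list:
    """Preferred form: an argv list for subprocess.run or execve. Each element
    is one argument and no shell ever sees the string, so metacharacters in the
    URL are inert data."""
    return [BROWSER, validate_url(url)]


def safe_shell_string(url: str) -> str:
    """Fallback when a shell string cannot be avoided (a wrapper handed to
    'sh -c'): shlex.quote wraps the URL so the shell treats it as one word."""
    return f"{BROWSER} {shlex.quote(validate_url(url))}"


def shell_tokens(command: str) -> list:
    """Tokenise a command string roughly as a POSIX shell would: quotes group,
    and ; & | < > ( ) become separate operator tokens. Used only to show what
    a shell would make of each command string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    # Constructed sample: a URL carrying a command separator and a space.
    url = "http://example.com/?q=a;b c"
    print(has_shell_metachars(url))              # True
    print(shell_tokens(vulnerable_command(url)))
    # ['firefox', 'http://example.com/?q=a', ';', 'b', 'c']  -> two commands
    print(safe_argv(url))                        # ['firefox', 'http://example.com/?q=a;b c']
    print(shell_tokens(safe_shell_string(url)))  # ['firefox', 'http://example.com/?q=a;b c']
```

The argv form is the real fix: an argument vector goes straight to the kernel, so there is nothing for a metacharacter to act on. Quoting is only for the case where some intermediate layer insists on a shell string, and the scheme allowlist keeps the same launcher from being pointed at local or non-network schemes.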


