[SUSE-Announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Patches for SUSE Linux Enterprise'

Notification of New SUSE Fixlet Messages suse-announcements at bigmail.bigfix.com
Fri Feb 26 03:10:10 PST 2010 

Fixlet Site - 'Patches for SUSE Linux Enterprise'
Current Version: 303	Published: Thu, 25 Feb 2010 20:04:20  GMT

New Fixlets:
============

***************************************************************
Title: PATCH-B10022401 - Security update for Mozilla Firefox - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240101
Fixlet Link: http://download.novell.com/Download?buildid=eiCtgpmCFWo~

Fixlet Description: Mozilla Firefox was upgraded to version 3.5.8, fixing various bugs and security issues. Following security issues have been fixed:     MFSA 2010-01 / CVE-2010-0159: Mozilla developers identified and fixed several stability bugs in the browser  engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.   MFSA 2010-02 / CVE-2010-0160: Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer.   MFSA 2010-03 / CVE-2009-1571: Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.   MFSA 2010-04 / CVE-2009-3988: Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site. An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.   MFSA 2010-05 / CVE-2010-0162: Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an  tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy. Please install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10022401 - Dependencies Needed - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240102
Fixlet Link: http://download.novell.com/Download?buildid=eiCtgpmCFWo~

Fixlet Description: Updated Mozilla Firefox packages are now available for SuSE Linux Enterprise 10. However, these packages have dependencies that must be resolved. The following package must be installed at the specified version or greater:  MozillaFirefox-3.5.3-1.4.2.i586.rpm mozilla-nspr-4.8.2-1.5.1.i586.rpm

***************************************************************
Title: PATCH-B10022401 - Dependency Conflict - SLES10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240103
Fixlet Link: http://download.novell.com/Download?buildid=LTYFEUv46Qc~

Fixlet Description: Updated Mozilla Firefox packages that addresses a security vulnerability are now available. However, the listed computers have the package "mozilla-xulrunner191-devel" installed, less than version "1.9.1.8-1.4.1" which conflicts with this security update. You must uninstall or upgrade this package in order for this security update to become relevant.

***************************************************************
Title: PATCH-B10022401 - Security update for Mozilla Firefox - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240104
Fixlet Link: http://download.novell.com/Download?buildid=LTYFEUv46Qc~

Fixlet Description: Mozilla Firefox was upgraded to version 3.5.8, fixing various bugs and security issues. Following security issues have been fixed:     MFSA 2010-01 / CVE-2010-0159: Mozilla developers identified and fixed several stability bugs in the browser  engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.   MFSA 2010-02 / CVE-2010-0160: Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer.   MFSA 2010-03 / CVE-2009-1571: Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.   MFSA 2010-04 / CVE-2009-3988: Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site. An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla.   MFSA 2010-05 / CVE-2010-0162: Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an  tag with type="image/svg+xml", the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicous page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy. Please install this update. Please see patch page for more detailed information.

***************************************************************
Title: PATCH-B10022401 - Dependencies Needed- SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240106
Fixlet Link: http://download.novell.com/Download?buildid=eiCtgpmCFWo~

Fixlet Description: Updated Mozilla Firefox packages are now available for SuSE Linux Enterprise 10. However, these packages have dependencies that must be resolved. The following package must be installed at the specified version or greater:  MozillaFirefox-3.5.3-1.4.2.i586.rpm mozilla-nspr-4.8.2-1.5.1.i586.rpm

***************************************************************
Title: PATCH-B10022401 - Dependency Conflict - SLED10 SP2
Severity: <Unspecified>
Fixlet ID: 1002240108
Fixlet Link: http://download.novell.com/Download?buildid=LTYFEUv46Qc~

Fixlet Description: Updated Mozilla Firefox packages that addresses a security vulnerability are now available. However, the listed computers have the package "mozilla-xulrunner191-devel" installed, less than version "1.9.1.8-1.4.1" which conflicts with this security update. You must uninstall or upgrade this package in order for this security update to become relevant.

More information about the SUSE-Announcements mailing list