Executive Summary
| Summary | |
|---|---|
| Title | New iceweasel packages fix several vulnerabilities |

| Information | | | |
|---|---|---|---|
| Name | DSA-1338 | First vendor Publication | 2007-07-23 |
| Vendor | Debian | Last vendor Modification | 2007-07-23 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3

| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | | |
|---|---|---|---|
| CVSS Base Score | 9.3 | Attack Range | Network |
| CVSS Impact Score | 10 | Attack Complexity | Medium |
| CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail
Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3089: Ronen Zilberman and Michal Zalewski discovered that a timing race allows the injection of content into about:blank frames.

CVE-2007-3656: Michal Zalewski discovered that same-origin policies for wyciwyg:// documents are insufficiently enforced.

CVE-2007-3734: Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman, Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul Nickerson, and Vladimir Sukhoy discovered crashes in the layout engine, which might allow the execution of arbitrary code.

CVE-2007-3735: Asaf Romano, Jesse Ruderman and Igor Bukanov discovered crashes in the JavaScript engine, which might allow the execution of arbitrary code.

CVE-2007-3736: "moz_bug_r_a4" discovered that the addEventListener() and setTimeout() functions allow cross-site scripting.

CVE-2007-3737: "moz_bug_r_a4" discovered that a programming error in event handling allows privilege escalation.

CVE-2007-3738: "shutdown" and "moz_bug_r_a4" discovered that the XPCNativeWrapper allows the execution of arbitrary code.

The Mozilla products in the oldstable distribution (sarge) are no longer supported with security updates. You're strongly encouraged to upgrade to stable as soon as possible.

For the stable distribution (etch) these problems have been fixed in version 2.0.0.5-0etch1. Builds for alpha and mips are not yet available; they will be provided later.

For the unstable distribution (sid) these problems have been fixed in version 2.0.0.5-1.

We recommend that you upgrade your iceweasel packages.
Original Source
URL: http://www.debian.org/security/2007/dsa-1338
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11122

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:11122 |
| Title | Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568. |
| Description | Mozilla Firefox before 2.0.0.5 does not prevent use of document.write to replace an IFRAME (1) during the load stage or (2) in the case of an about:blank frame, which allows remote attackers to display arbitrary HTML or execute certain JavaScript code, as demonstrated by code that intercepts keystroke values from window.event, aka the "promiscuous IFRAME access bug," a related issue to CVE-2006-4568. |
| Family | unix |
| Class | vulnerability |
| Reference(s) | CVE-2007-3089 |
| Version | 5 |
| Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5 |
| Product(s) | |

Definition Id: oval:org.mitre.oval:def:11749

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:11749 |
| Title | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed. |
| Description | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.5 allows remote attackers to inject arbitrary web script "into another site's context" via a "timing issue" involving the (1) addEventListener or (2) setTimeout function, probably by setting events that activate after the context has changed. |
| Family | unix |
| Class | vulnerability |
| Reference(s) | CVE-2007-3736 |
| Version | 5 |
| Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5 |
| Product(s) | |

Definition Id: oval:org.mitre.oval:def:18981

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:18981 |
| Title | DSA-1338-1 iceweasel |
| Description | Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-1338-1, CVE-2007-3089, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738 |
| Version | 7 |
| Platform(s) | Debian GNU/Linux 4.0 |
| Product(s) | iceweasel |

Definition Id: oval:org.mitre.oval:def:19992

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:19992 |
| Title | DSA-1337-1 xulrunner |
| Description | Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-1337-1, CVE-2007-3089, CVE-2007-3285, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 4.0 |
| Product(s) | xulrunner |

Definition Id: oval:org.mitre.oval:def:21817

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:21817 |
| Title | ELSA-2007:0724: firefox security update (Critical) |
| Description | Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2007:0724-02, CVE-2007-3089, CVE-2007-3656, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738 |
| Version | 33 |
| Platform(s) | Oracle Linux 5 |
| Product(s) | firefox |

Definition Id: oval:org.mitre.oval:def:21880

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:21880 |
| Title | ELSA-2007:0723: thunderbird security update (Moderate) |
| Description | Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.5 allow remote attackers to execute arbitrary code via a crafted XPCNativeWrapper. |
| Family | unix |
| Class | patch |
| Reference(s) | ELSA-2007:0723-01, CVE-2007-3089, CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738 |
| Version | 29 |
| Platform(s) | Oracle Linux 5 |
| Product(s) | thunderbird |

Definition Id: oval:org.mitre.oval:def:9105

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:9105 |
| Title | Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs. |
| Description | Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not perform a security zone check when processing a wyciwyg URI, which allows remote attackers to obtain sensitive information, poison the browser cache, and possibly enable further attack vectors via (1) HTTP 302 redirect controls, (2) XMLHttpRequest, or (3) view-source URIs. |
| Family | unix |
| Class | vulnerability |
| Reference(s) | CVE-2007-3656 |
| Version | 5 |
| Platform(s) | Red Hat Enterprise Linux 3, CentOS Linux 3, Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5 |
| Product(s) | |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Name | File |
|---|---|---|
| 2009-10-10 | SLES9: Security update for Mozilla | nvt/sles9p5011293.nasl |
| 2009-05-05 | HP-UX Update for Thunderbird HPSBUX02156 | nvt/gb_hp_ux_HPSBUX02156.nasl |
| 2009-04-09 | Mandriva Update for mozilla-thunderbird MDVSA-2007:047 (mozilla-thunderbird) | nvt/gb_mandriva_MDVSA_2007_047.nasl |
| 2009-04-09 | Mandriva Update for mozilla-firefox MDKSA-2007:152 (mozilla-firefox) | nvt/gb_mandriva_MDKSA_2007_152.nasl |
| 2009-03-23 | Ubuntu Update for mozilla-thunderbird vulnerabilities USN-503-1 | nvt/gb_ubuntu_USN_503_1.nasl |
| 2009-03-23 | Ubuntu Update for firefox vulnerabilities USN-490-1 | nvt/gb_ubuntu_USN_490_1.nasl |
| 2009-02-27 | Fedora Update for epiphany-extensions FEDORA-2007-1155 | nvt/gb_fedora_2007_1155_epiphany-extensions_fc7.nasl |
| 2009-02-27 | Fedora Update for firefox FEDORA-2007-642 | nvt/gb_fedora_2007_642_firefox_fc6.nasl |
| 2009-02-27 | Fedora Update for thunderbird FEDORA-2007-641 | nvt/gb_fedora_2007_641_thunderbird_fc6.nasl |
| 2009-02-27 | Fedora Update for seamonkey FEDORA-2007-1181 | nvt/gb_fedora_2007_1181_seamonkey_fc7.nasl |
| 2009-02-27 | Fedora Update for thunderbird FEDORA-2007-1180 | nvt/gb_fedora_2007_1180_thunderbird_fc7.nasl |
| 2009-02-27 | Fedora Update for blam FEDORA-2007-1157 | nvt/gb_fedora_2007_1157_blam_fc7.nasl |
| 2009-02-27 | Fedora Update for yelp FEDORA-2007-1144 | nvt/gb_fedora_2007_1144_yelp_fc7.nasl |
| 2009-02-27 | Fedora Update for devhelp FEDORA-2007-1143 | nvt/gb_fedora_2007_1143_devhelp_fc7.nasl |
| 2009-02-27 | Fedora Update for firefox FEDORA-2007-1142 | nvt/gb_fedora_2007_1142_firefox_fc7.nasl |
| 2009-02-27 | Fedora Update for epiphany FEDORA-2007-1138 | nvt/gb_fedora_2007_1138_epiphany_fc7.nasl |
| 2009-01-28 | SuSE Update for MozillaFirefox,MozillaThunderbird,Seamonkey SUSE-SA:2007:049 | nvt/gb_suse_2007_049.nasl |
| 2008-09-24 | Gentoo Security Advisory GLSA 200708-09 (mozilla/thunderbird/firefox/xulrunner) | nvt/glsa_200708_09.nasl |
| 2008-09-04 | FreeBSD Ports: firefox | nvt/freebsd_firefox29.nasl |
| 2008-05-27 | Debian Security Advisory DSA 1574-1 (icedove) | nvt/deb_1574_1.nasl |
| 2008-04-30 | Debian Security Advisory DSA 1534-2 (iceape) | nvt/deb_1534_2.nasl |
| 2008-04-07 | Debian Security Advisory DSA 1535-1 (iceweasel) | nvt/deb_1535_1.nasl |
| 2008-04-07 | Debian Security Advisory DSA 1534-1 (iceape) | nvt/deb_1534_1.nasl |
| 2008-04-07 | Debian Security Advisory DSA 1532-1 (xulrunner) | nvt/deb_1532_1.nasl |
| 2008-01-17 | Debian Security Advisory DSA 1337-1 (xulrunner) | nvt/deb_1337_1.nasl |
| 2008-01-17 | Debian Security Advisory DSA 1391-1 (icedove) | nvt/deb_1391_1.nasl |
| 2008-01-17 | Debian Security Advisory DSA 1339-1 (iceape) | nvt/deb_1339_1.nasl |
| 2008-01-17 | Debian Security Advisory DSA 1338-1 (iceweasel) | nvt/deb_1338_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 38028 | Mozilla Firefox wyciwyg:// Handler Cache Zone Bypass |
| 38024 | Mozilla Firefox document.write IFRAME Replacement XSS |
| 38016 | Mozilla Firefox Crafted XPCNativeWrapper Arbitrary Code Execution (moz_bug_r_a4) |
| 38015 | Mozilla Firefox Crafted XPCNativeWrapper Arbitrary Code Execution (shutdown) |
| 38010 | Mozilla Firefox Event Handler Unspecified Element Arbitrary Code Execution |
| 38002 | Mozilla Firefox addEventListener / setTimeout Function Cross Site Context XSS |
| 38001 | Mozilla Multiple Products JavaScript Engine Multiple Unspecified Memory Corru... |
| 38000 | Mozilla Multiple Products Browser Engine Multiple Unspecified Memory Corruption |
Snort® IPS/IDS
| Date | Description | Rule ID | Revision | Type |
|---|---|---|---|---|
| 2018-01-23 | Mozilla Firefox DOM event handler privilege escalation attempt | 45247 | 2 | BROWSER-FIREFOX |
| 2018-01-23 | Mozilla Firefox DOM event handler privilege escalation attempt | 45246 | 2 | BROWSER-FIREFOX |
| 2017-08-29 | Mozilla Firefox wyciwgy domain forgery attempt | 43761 | 2 | BROWSER-FIREFOX |
| 2017-08-23 | Mozilla Firefox display moz-deck style memory corruption attempt | 43644 | 2 | BROWSER-FIREFOX |
| 2017-08-23 | Mozilla Firefox design mode deleted style memory corruption attempt | 43643 | 2 | BROWSER-FIREFOX |
| 2017-08-23 | Mozilla Firefox multiple vulnerabilities memory corruption attempt | 43642 | 4 | BROWSER-FIREFOX |
Nessus® Vulnerability Scanner
| Date | Name | File | Type |
|---|---|---|---|
| 2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2007-0724.nasl | ACT_GATHER_INFO |
| 2013-07-12 | The remote Oracle Linux host is missing a security update. | oraclelinux_ELSA-2007-0723.nasl | ACT_GATHER_INFO |
| 2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2007-0722.nasl | ACT_GATHER_INFO |
| 2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20070718_firefox_on_SL5_x.nasl | ACT_GATHER_INFO |
| 2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20070718_seamonkey_on_SL4_x.nasl | ACT_GATHER_INFO |
| 2012-08-01 | The remote Scientific Linux host is missing a security update. | sl_20070718_thunderbird_on_SL5_x.nasl | ACT_GATHER_INFO |
| 2010-02-22 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2010-042.nasl | ACT_GATHER_INFO |
| 2009-04-23 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2008-047.nasl | ACT_GATHER_INFO |
| 2008-05-13 | The remote Debian host is missing a security-related update. | debian_DSA-1574.nasl | ACT_GATHER_INFO |
| 2008-04-11 | The remote Debian host is missing a security-related update. | debian_DSA-1535.nasl | ACT_GATHER_INFO |
| 2008-03-31 | The remote Debian host is missing a security-related update. | debian_DSA-1532.nasl | ACT_GATHER_INFO |
| 2008-03-31 | The remote Debian host is missing a security-related update. | debian_DSA-1534.nasl | ACT_GATHER_INFO |
| 2007-12-13 | The remote SuSE 10 host is missing a security-related patch. | suse_MozillaFirefox-3932.nasl | ACT_GATHER_INFO |
| 2007-11-10 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-503-1.nasl | ACT_GATHER_INFO |
| 2007-11-10 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-490-1.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1155.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1157.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1180.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1181.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1143.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1144.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1142.nasl | ACT_GATHER_INFO |
| 2007-11-06 | The remote Fedora host is missing a security update. | fedora_2007-1138.nasl | ACT_GATHER_INFO |
| 2007-10-25 | The remote Debian host is missing a security-related update. | debian_DSA-1391.nasl | ACT_GATHER_INFO |
| 2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaFirefox-3935.nasl | ACT_GATHER_INFO |
| 2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaFirefox-3933.nasl | ACT_GATHER_INFO |
| 2007-10-17 | The remote openSUSE host is missing a security update. | suse_MozillaThunderbird-3973.nasl | ACT_GATHER_INFO |
| 2007-10-17 | The remote openSUSE host is missing a security update. | suse_seamonkey-3984.nasl | ACT_GATHER_INFO |
| 2007-10-17 | The remote openSUSE host is missing a security update. | suse_seamonkey-3986.nasl | ACT_GATHER_INFO |
| 2007-08-15 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200708-09.nasl | ACT_GATHER_INFO |
| 2007-08-02 | The remote Mandrake Linux host is missing one or more security updates. | mandrake_MDKSA-2007-152.nasl | ACT_GATHER_INFO |
| 2007-07-30 | The remote Debian host is missing a security-related update. | debian_DSA-1339.nasl | ACT_GATHER_INFO |
| 2007-07-27 | The remote Debian host is missing a security-related update. | debian_DSA-1338.nasl | ACT_GATHER_INFO |
| 2007-07-27 | The remote Debian host is missing a security-related update. | debian_DSA-1337.nasl | ACT_GATHER_INFO |
| 2007-07-25 | A web browser on the remote host is prone to multiple flaws. | seamonkey_113.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2007-0722.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Red Hat host is missing a security update. | redhat-RHSA-2007-0723.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2007-0724.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Windows host contains a mail client that is affected by multiple v... | mozilla_thunderbird_2005.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2007-0722.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_e190ca65363611dca697000c6ec775d9.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Fedora Core host is missing a security update. | fedora_2007-642.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote Fedora Core host is missing a security update. | fedora_2007-641.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2007-0724.nasl | ACT_GATHER_INFO |
| 2007-07-23 | The remote CentOS host is missing a security update. | centos_RHSA-2007-0723.nasl | ACT_GATHER_INFO |
| 2007-07-19 | The remote Windows host contains a web browser that is affected by multiple v... | mozilla_firefox_2005.nasl | ACT_GATHER_INFO |
Alert History
| Date | Information |
|---|---|
| 2014-02-17 11:26:45 | |