Executive Summary
Summary | |
---|---|
Title | firefox security update |
Informations | |||
---|---|---|---|
Name | RHSA-2009:0256 | First vendor Publication | 2009-02-04 |
Vendor | RedHat | Last vendor Modification | 2009-02-04 |
Severity (Vendor) | Critical | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated firefox package that fixes various security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Mozilla Firefox is an open source Web browser. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-0352, CVE-2009-0353, CVE-2009-0356) Several flaws were found in the way malformed content was processed. A website containing specially-crafted content could, potentially, trick a Firefox user into surrendering sensitive information. (CVE-2009-0354, CVE-2009-0355) A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie. (CVE-2009-0357) A flaw was found in the way Firefox treated certain HTTP page caching directives. A local attacker could steal the contents of sensitive pages which the page author did not intend to be cached. (CVE-2009-0358) For technical details regarding these flaws, please see the Mozilla security advisories for Firefox 3.0. |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-0256.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
29 % | CWE-399 | Resource Management Errors |
29 % | CWE-264 | Permissions, Privileges, and Access Controls |
14 % | CWE-200 | Information Exposure |
14 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
14 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10610 | |||
Oval ID: | oval:org.mitre.oval:def:10610 | ||
Title: | Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. | ||
Description: | Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0358 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13873 | |||
Oval ID: | oval:org.mitre.oval:def:13873 | ||
Title: | USN-717-2 -- firefox-3.0 vulnerabilities | ||
Description: | A flaw was discovered in the browser engine when restoring closed tabs. If a user were tricked into restoring a tab to a malicious website with form input controls, an attacker could steal local files on the user�s system. Wladimir Palant discovered that Firefox did not restrict access to cookies in HTTP response headers. If a user were tricked into opening a malicious web page, a remote attacker could view sensitive information | ||
Family: | unix | Class: | patch |
Reference(s): | USN-717-2 CVE-2009-0355 CVE-2009-0357 | Version: | 5 |
Platform(s): | Ubuntu 7.10 | Product(s): | firefox-3.0 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22773 | |||
Oval ID: | oval:org.mitre.oval:def:22773 | ||
Title: | ELSA-2009:0256: firefox security update (Critical) | ||
Description: | Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2009:0256-01 CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 | Version: | 33 |
Platform(s): | Oracle Linux 5 | Product(s): | firefox nss xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:29045 | |||
Oval ID: | oval:org.mitre.oval:def:29045 | ||
Title: | RHSA-2009:0256 -- firefox security update (Critical) | ||
Description: | All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.6, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2009:0256 CESA-2009:0256-CentOS 5 CVE-2009-0352 CVE-2009-0353 CVE-2009-0354 CVE-2009-0355 CVE-2009-0356 CVE-2009-0357 CVE-2009-0358 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 CentOS Linux 5 | Product(s): | firefox nss xulrunner |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9796 | |||
Oval ID: | oval:org.mitre.oval:def:9796 | ||
Title: | Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. | ||
Description: | Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0354 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9922 | |||
Oval ID: | oval:org.mitre.oval:def:9922 | ||
Title: | Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. | ||
Description: | Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-0356 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for thunderbird CESA-2009:0258 centos5 i386 File : nvt/gb_CESA-2009_0258_thunderbird_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for thunderbird CESA-2009:0258 centos4 i386 File : nvt/gb_CESA-2009_0258_thunderbird_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for seamonkey CESA-2009:0257 centos4 i386 File : nvt/gb_CESA-2009_0257_seamonkey_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for seamonkey CESA-2009:0257 centos3 i386 File : nvt/gb_CESA-2009_0257_seamonkey_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for seamonkey CESA-2009:0257-01 centos2 i386 File : nvt/gb_CESA-2009_0257-01_seamonkey_centos2_i386.nasl |
2011-08-09 | Name : CentOS Update for firefox CESA-2009:0256 centos5 i386 File : nvt/gb_CESA-2009_0256_firefox_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for firefox CESA-2009:0256 centos4 i386 File : nvt/gb_CESA-2009_0256_firefox_centos4_i386.nasl |
2009-10-13 | Name : SLES10: Security update for MozillaFirefox File : nvt/sles10_MozillaFirefox3.nasl |
2009-07-29 | Name : Ubuntu USN-802-1 (apache2) File : nvt/ubuntu_802_1.nasl |
2009-07-29 | Name : Ubuntu USN-799-1 (dbus) File : nvt/ubuntu_799_1.nasl |
2009-07-29 | Name : Ubuntu USN-801-1 (tiff) File : nvt/ubuntu_801_1.nasl |
2009-07-29 | Name : Debian Security Advisory DSA 1830-1 (icedove) File : nvt/deb_1830_1.nasl |
2009-06-05 | Name : Ubuntu USN-723-1 (git-core) File : nvt/ubuntu_723_1.nasl |
2009-05-20 | Name : CentOS Security Advisory CESA-2009:0258 (thunderbird) File : nvt/ovcesa2009_0258.nasl |
2009-04-20 | Name : SuSE Security Advisory SUSE-SA:2009:023 (MozillaFirefox) File : nvt/suse_sa_2009_023.nasl |
2009-04-06 | Name : Fedora Core 9 FEDORA-2009-3101 (seamonkey) File : nvt/fcore_2009_3101.nasl |
2009-04-06 | Name : Fedora Core 10 FEDORA-2009-3161 (seamonkey) File : nvt/fcore_2009_3161.nasl |
2009-04-06 | Name : Mandrake Security Advisory MDVSA-2009:083 (mozilla-thunderbird) File : nvt/mdksa_2009_083.nasl |
2009-03-31 | Name : Ubuntu USN-741-1 (thunderbird) File : nvt/ubuntu_741_1.nasl |
2009-03-31 | Name : Fedora Core 9 FEDORA-2009-2884 (thunderbird) File : nvt/fcore_2009_2884.nasl |
2009-03-31 | Name : Ubuntu USN-742-1 (jasper) File : nvt/ubuntu_742_1.nasl |
2009-03-31 | Name : RedHat Security Advisory RHSA-2009:0258 File : nvt/RHSA_2009_0258.nasl |
2009-03-31 | Name : Fedora Core 10 FEDORA-2009-2882 (thunderbird) File : nvt/fcore_2009_2882.nasl |
2009-02-23 | Name : Mandrake Security Advisory MDVSA-2009:044 (firefox) File : nvt/mdksa_2009_044.nasl |
2009-02-20 | Name : Mozilla Seamonkey Multiple Vulnerabilities Feb-09 (Win) File : nvt/secpod_seamonkey_mult_vuln_feb09_win.nasl |
2009-02-20 | Name : Mozilla Thunderbird Multiple Vulnerabilities Feb-09 (Win) File : nvt/secpod_thunderbird_mult_vuln_feb09_win.nasl |
2009-02-20 | Name : Mozilla Thunderbird Multiple Vulnerabilities Feb-09 (Linux) File : nvt/secpod_thunderbird_mult_vuln_feb09_lin.nasl |
2009-02-20 | Name : Mozilla Seamonkey Multiple Vulnerabilities Feb-09 (Linux) File : nvt/secpod_seamonkey_mult_vuln_feb09_lin.nasl |
2009-02-20 | Name : Mozilla Firefox Multiple Vulnerabilities Feb-09 (Win) File : nvt/secpod_firefox_mult_vuln_feb09_win.nasl |
2009-02-20 | Name : Mozilla Firefox Multiple Vulnerabilities Feb-09 (Linux) File : nvt/secpod_firefox_mult_vuln_feb09_lin.nasl |
2009-02-18 | Name : SuSE Security Advisory SUSE-SA:2009:009 (MozillaFirefox) File : nvt/suse_sa_2009_009.nasl |
2009-02-13 | Name : Fedora Core 9 FEDORA-2009-1399 (xulrunner) File : nvt/fcore_2009_1399.nasl |
2009-02-13 | Name : Fedora Core 10 FEDORA-2009-1398 (xulrunner) File : nvt/fcore_2009_1398.nasl |
2009-02-13 | Name : FreeBSD Ports: firefox File : nvt/freebsd_firefox37.nasl |
2009-02-13 | Name : Ubuntu USN-717-1 (xulrunner-1.9) File : nvt/ubuntu_717_1.nasl |
2009-02-13 | Name : Ubuntu USN-717-2 (firefox-3.0) File : nvt/ubuntu_717_2.nasl |
2009-02-13 | Name : Ubuntu USN-717-3 (firefox) File : nvt/ubuntu_717_3.nasl |
2009-02-10 | Name : CentOS Security Advisory CESA-2009:0256 (firefox) File : nvt/ovcesa2009_0256.nasl |
2009-02-10 | Name : CentOS Security Advisory CESA-2009:0257-01 (seamonkey) File : nvt/ovcesa2009_0257_01.nasl |
2009-02-10 | Name : CentOS Security Advisory CESA-2009:0257 (seamonkey) File : nvt/ovcesa2009_0257.nasl |
2009-02-10 | Name : RedHat Security Advisory RHSA-2009:0256 File : nvt/RHSA_2009_0256.nasl |
2009-02-10 | Name : RedHat Security Advisory RHSA-2009:0257 File : nvt/RHSA_2009_0257.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-083-03 mozilla-thunderbird File : nvt/esoft_slk_ssa_2009_083_03.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-083-02 seamonkey File : nvt/esoft_slk_ssa_2009_083_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
51940 | Mozilla Multiple Products Layout Engine nsStyleContext::Destroy Multiple Meth... |
51939 | Mozilla Multiple Products Layout Engine nsOverflowContinuationTracker::Insert... |
51938 | Mozilla Multiple Products Layout Engine nsContainerFrame::ReflowOverflowConta... |
51937 | Mozilla Multiple Products Layout Engine nsViewManager::Composite() Layout Obj... |
51936 | Mozilla Multiple Products Layout Engine nsTransactionItem.cpp PlaceholderTxn:... |
51935 | Mozilla Multiple Products Layout Engine nsAttributeTextNode GetStrokeDash* Me... |
51934 | Mozilla Multiple Products Layout Engine nsStyleContext::Release Memory Corrup... |
51933 | Mozilla Multiple Products Layout Engine nsContainerFrame.cpp Frame Tree Handl... |
51932 | Mozilla Multiple Products Layout Engine nsContentUtils::ComparePosition Memor... |
51931 | Mozilla Multiple Products Layout Engine File Open Dialog input type Manipulat... |
51930 | Mozilla Firefox components/sessionstore/src/nsSessionStore.js file INPUT Elem... |
51929 | Mozilla Multiple Products JavaScript Engine Unspecified Memory Corruption |
51928 | Mozilla Firefox js/src/jsobj.cpp Chrome XBL Method / window.eval XSS |
51927 | Mozilla Multiple Products .desktop File Handling about: URL Restriction Bypass |
51926 | Mozilla Multiple Products XMLHttpRequest Call Set-Cookie Response Header Rest... Firefox and SeaMonkey contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when cookies marked HTTPOnly are readable by JavaScript, which will disclose contents of the 'Set-Cookie' response header resulting in a loss of confidentiality. |
51925 | Mozilla Firefox Multiple Cache-Control Directives Local Information Disclosure |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0256.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0257.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2009-0258.nasl - Type : ACT_GATHER_INFO |
2013-03-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-717-3.nasl - Type : ACT_GATHER_INFO |
2013-03-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-717-2.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing a security update. File : sl_20090324_thunderbird_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090204_seamonkey_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090204_firefox_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1830.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_MozillaFirefox-6187.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_seamonkey-090617.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_MozillaFirefox-090206.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_seamonkey-090617.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_MozillaFirefox-090206.nasl - Type : ACT_GATHER_INFO |
2009-06-19 | Name : The remote openSUSE host is missing a security update. File : suse_seamonkey-6310.nasl - Type : ACT_GATHER_INFO |
2009-05-26 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2009-0258.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-717-1.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-741-1.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-1398.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2882.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-083.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-044.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3161.nasl - Type : ACT_GATHER_INFO |
2009-04-21 | Name : The remote openSUSE host is missing a security update. File : suse_MozillaFirefox-6194.nasl - Type : ACT_GATHER_INFO |
2009-03-31 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3101.nasl - Type : ACT_GATHER_INFO |
2009-03-25 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-083-02.nasl - Type : ACT_GATHER_INFO |
2009-03-25 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-083-03.nasl - Type : ACT_GATHER_INFO |
2009-03-25 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-0258.nasl - Type : ACT_GATHER_INFO |
2009-03-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-2884.nasl - Type : ACT_GATHER_INFO |
2009-03-20 | Name : A web browser on the remote host is affected by multiple vulnerabilities. File : seamonkey_1115.nasl - Type : ACT_GATHER_INFO |
2009-03-20 | Name : The remote Windows host contains a mail client that is affected by multiple v... File : mozilla_thunderbird_20021.nasl - Type : ACT_GATHER_INFO |
2009-02-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_8b491182f84211dd94d90030843d3802.nasl - Type : ACT_GATHER_INFO |
2009-02-06 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2009-1399.nasl - Type : ACT_GATHER_INFO |
2009-02-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0257.nasl - Type : ACT_GATHER_INFO |
2009-02-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0256.nasl - Type : ACT_GATHER_INFO |
2009-02-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0257.nasl - Type : ACT_GATHER_INFO |
2009-02-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0256.nasl - Type : ACT_GATHER_INFO |
2009-02-04 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_306.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:52:14 |
|