Scientific Linux Security Update : firefox on SL4.x, SL5.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

CVE-2009-2654 firefox: URL bar spoofing vulnerability

CVE-2009-3070 Firefox 3.5 3.0.14 browser engine crashes

CVE-2009-3071 Firefox 3.5.2 3.0.14 browser engine crashes

CVE-2009-3072 Firefox 3.5.3 3.0.14 browser engine crashes

CVE-2009-3074 Firefox 3.5 3.0.14 JavaScript engine crashes

CVE-2009-3075 Firefox 3.5.2 3.0.14 JavaScript engine crashes

CVE-2009-3076 Firefox 3.0.14 Insufficient warning for PKCS11 module
installation and removal

CVE-2009-3077 Firefox 3.5.3 3.0.14 TreeColumns dangling pointer
vulnerability

CVE-2009-3078 Firefox 3.5.3 3.0.14 Location bar spoofing via tall
line-height Unicode characters

CVE-2009-3079 Firefox 3.5.3 3.0.14 Chrome privilege escalation with
FeedWriter

Several flaws were found in the processing of malformed web content. A
web page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user
running Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072,
CVE-2009-3074,

CVE-2009-3075)

A use-after-free flaw was found in Firefox. An attacker could use this
flaw to crash Firefox or, potentially, execute arbitrary code with the
privileges of the user running Firefox. (CVE-2009-3077)

A flaw was found in the way Firefox handles malformed JavaScript. A
website with an object containing malicious JavaScript could execute
that JavaScript with the privileges of the user running Firefox.
(CVE-2009-3079)

Descriptions in the dialogs when adding and removing PKCS #11 modules
were not informative. An attacker able to trick a user into installing
a malicious PKCS #11 module could use this flaw to install their own
Certificate Authority certificates on a user's machine, making it
possible to trick the user into believing they are viewing a trusted
site or, potentially, execute arbitrary code with the privileges of
the user running Firefox. (CVE-2009-3076)

A flaw was found in the way Firefox displays the address bar when
window.open() is called in a certain way. An attacker could use this
flaw to conceal a malicious URL, possibly tricking a user into
believing they are viewing a trusted site. (CVE-2009-2654)

A flaw was found in the way Firefox displays certain Unicode
characters. An attacker could use this flaw to conceal a malicious
URL, possibly tricking a user into believing they are viewing a
trusted site. (CVE-2009-3078)

For technical details regarding these flaws, refer to the Mozilla
security advisories for Firefox 3.0.14. You can find a link to the
Mozilla advisories in the References section of this errata.

After installing the update, Firefox must be restarted for the changes
to take effect.

See also :

http://www.nessus.org/u?ca5e6a63

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60664 ()

Bugtraq ID:

CVE ID: CVE-2009-2654
CVE-2009-3070
CVE-2009-3071
CVE-2009-3072
CVE-2009-3074
CVE-2009-3075
CVE-2009-3076
CVE-2009-3077
CVE-2009-3078
CVE-2009-3079