SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 4757)

This script is Copyright (C) 2007-2016 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 10 host is missing a security-related patch.

Description :

This update brings Mozilla Firefox to security update version 2.0.0.10.

The following security problems were fixed:

- MFSA 2007-37 / CVE-2007-5947: The jar protocol handler in
Mozilla Firefox retrieves the inner URL regardless of its
MIME type, and considers HTML documents within a jar
archive to have the same origin as the inner URL, which
allows remote attackers to conduct cross-site scripting
(XSS) attacks via a jar: URI.

- The Firefox 2.0.0.10 update contains fixes for three
bugs that improve the stability of the product. These
crashes showed some evidence of memory corruption under
certain circumstances and we presume that with enough
effort at least some of these could be exploited to run
arbitrary code. (MFSA 2007-38 / CVE-2007-5959)

- Gregory Fleischer demonstrated that it was possible to
generate a fake HTTP Referer header by exploiting a
timing condition when setting the window.location
property. This could be used to conduct a Cross-site
Request Forgery (CSRF) attack against websites that rely
only on the Referer header as protection against such
attacks. (MFSA 2007-39 / CVE-2007-5960)

See also :

http://www.mozilla.org/security/announce/2007/mfsa2007-37.html
http://www.mozilla.org/security/announce/2007/mfsa2007-38.html
http://www.mozilla.org/security/announce/2007/mfsa2007-39.html
http://support.novell.com/security/cve/CVE-2007-5947.html
http://support.novell.com/security/cve/CVE-2007-5959.html
http://support.novell.com/security/cve/CVE-2007-5960.html

Solution :

Apply ZYPP patch number 4757.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 29363

Bugtraq ID:

CVE ID: CVE-2007-5947
CVE-2007-5959
CVE-2007-5960
