Mandrake Linux Security Advisory : mozilla (MDKSA-2004:082)

critical Nessus Plugin ID 14331
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

A number of security vulnerabilities in mozilla are addressed by this update for Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for focus redefinition from another domain, a fix for a SOAP parameter overflow, a fix for text drag on file entry, a fix for certificate DoS, and a fix for lock icon and cert spoofing.

Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to use the system libjpeg and libpng which addresses vulnerabilities discovered in libpng (ref: MDKSA-2004:079).

Solution

Update the affected packages.

See Also

https://bugzilla.mozilla.org/show_bug.cgi?id=149478

http://bugzilla.mozilla.org/show_bug.cgi?id=162020

https://bugzilla.mozilla.org/show_bug.cgi?id=206859

https://bugzilla.mozilla.org/show_bug.cgi?id=226278

http://bugzilla.mozilla.org/show_bug.cgi?id=229374

http://bugzilla.mozilla.org/show_bug.cgi?id=234058

http://bugzilla.mozilla.org/show_bug.cgi?id=236618

https://bugzilla.mozilla.org/show_bug.cgi?id=239580

http://bugzilla.mozilla.org/show_bug.cgi?id=240053

http://bugzilla.mozilla.org/show_bug.cgi?id=244965

http://bugzilla.mozilla.org/show_bug.cgi?id=246448

http://bugzilla.mozilla.org/show_bug.cgi?id=249004

http://bugzilla.mozilla.org/show_bug.cgi?id=253121

https://bugzilla.mozilla.org/show_bug.cgi?id=86028

Plugin Details

Severity: Critical

ID: 14331

File Name: mandrake_MDKSA-2004-082.nasl

Version: 1.21

Type: local

Published: 8/22/2004

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Critical

Score: 9.6

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64nspr4, p-cpe:/a:mandriva:linux:lib64nspr4-devel, p-cpe:/a:mandriva:linux:lib64nss3, p-cpe:/a:mandriva:linux:lib64nss3-devel, p-cpe:/a:mandriva:linux:libnspr4, p-cpe:/a:mandriva:linux:libnspr4-devel, p-cpe:/a:mandriva:linux:libnss3, p-cpe:/a:mandriva:linux:libnss3-devel, p-cpe:/a:mandriva:linux:mozilla, p-cpe:/a:mandriva:linux:mozilla-devel, p-cpe:/a:mandriva:linux:mozilla-dom-inspector, p-cpe:/a:mandriva:linux:mozilla-enigmail, p-cpe:/a:mandriva:linux:mozilla-enigmime, p-cpe:/a:mandriva:linux:mozilla-irc, p-cpe:/a:mandriva:linux:mozilla-js-debugger, p-cpe:/a:mandriva:linux:mozilla-mail, p-cpe:/a:mandriva:linux:mozilla-spellchecker, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:9.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/12/2004

Reference Information

CVE: CVE-2004-0597, CVE-2004-0598, CVE-2004-0599, CVE-2004-0718, CVE-2004-0722, CVE-2004-0757, CVE-2004-0758, CVE-2004-0759, CVE-2004-0760, CVE-2004-0761, CVE-2004-0762, CVE-2004-0763, CVE-2004-0764, CVE-2004-0765, CVE-2004-0779, CVE-2004-1449, CVE-2005-1937

MDKSA: 2004:082