GLSA-200504-18 : Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
High Nessus Plugin ID 18090
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200504-18 (Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities)
The following vulnerabilities were found and fixed in the Mozilla Suite and Mozilla Firefox:
moz_bug_r_a4 discovered that Chrome UI code was overly trusting DOM nodes from the content window, allowing privilege escalation via DOM property overrides.
shutdown discovered a technique to pollute the global scope of a window in a way that persists from page to page.
The following Firefox-specific vulnerabilities have also been discovered:
The memory disclosure issue can be used to reveal potentially sensitive information. Finally, the cache pollution issue and search plugin abuse can be leveraged in cross-site-scripting attacks.
There is no known workaround at this time.
Solution
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-client/mozilla-firefox-1.0.3'
All Mozilla Firefox binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-client/mozilla-firefox-bin-1.0.3'
All Mozilla Suite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-client/mozilla-1.7.7'
All Mozilla Suite binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-client/mozilla-bin-1.7.7'