Debian DSA-1336-1 : mozilla-firefox - several vulnerabilities

High Nessus Plugin ID 25779

Synopsis

The remote Debian host is missing a security-related update.

Description

Several remote vulnerabilities have been discovered in Mozilla Firefox.

This will be the last security update of Mozilla-based products for the oldstable (sarge) distribution of Debian. We recommend to upgrade to stable (etch) as soon as possible.

The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

- CVE-2007-1282 It was discovered that an integer overflow in text/enhanced message parsing allows the execution of arbitrary code.

- CVE-2007-0994 It was discovered that a regression in the JavaScript engine allows the execution of JavaScript with elevated privileges.

- CVE-2007-0995 It was discovered that incorrect parsing of invalid HTML characters allows the bypass of content filters.

- CVE-2007-0996 It was discovered that insecure child frame handling allows cross-site scripting.

- CVE-2007-0981 It was discovered that Firefox handles URI with a null byte in the hostname insecurely.

- CVE-2007-0008 It was discovered that a buffer overflow in the NSS code allows the execution of arbitrary code.

- CVE-2007-0009 It was discovered that a buffer overflow in the NSS code allows the execution of arbitrary code.

- CVE-2007-0775 It was discovered that multiple programming errors in the layout engine allow the execution of arbitrary code.

- CVE-2007-0778 It was discovered that the page cache calculates hashes in an insecure manner.

- CVE-2006-6077 It was discovered that the password manager allows the disclosure of passwords.

Solution

For the oldstable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge17. You should upgrade to etch as soon as possible.

The stable distribution (etch) isn't affected. These vulnerabilities have been fixed prior to the release of Debian etch.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-1282

https://security-tracker.debian.org/tracker/CVE-2007-0994

https://security-tracker.debian.org/tracker/CVE-2007-0995

https://security-tracker.debian.org/tracker/CVE-2007-0996

https://security-tracker.debian.org/tracker/CVE-2007-0981

https://security-tracker.debian.org/tracker/CVE-2007-0008

https://security-tracker.debian.org/tracker/CVE-2007-0009

https://security-tracker.debian.org/tracker/CVE-2007-0775

https://security-tracker.debian.org/tracker/CVE-2007-0778

https://security-tracker.debian.org/tracker/CVE-2006-6077

http://www.debian.org/security/2007/dsa-1336

Plugin Details

Severity: High

ID: 25779

File Name: debian_DSA-1336.nasl

Version: 1.22

Type: local

Agent: unix

Published: 2007/07/27

Updated: 2018/07/20

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:mozilla-firefox, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2007/07/22

Vulnerability Publication Date: 2006/08/08

Reference Information

CVE: CVE-2006-6077, CVE-2007-0008, CVE-2007-0009, CVE-2007-0045, CVE-2007-0775, CVE-2007-0778, CVE-2007-0981, CVE-2007-0994, CVE-2007-0995, CVE-2007-0996, CVE-2007-1282

DSA: 1336

CWE: 79, 119, 189