From $URL:
Issue: Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.
Impact to users: Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.
Status: We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested. In the meantime, users can protect themselves by doing either of the following:
* Disabling JavaScript in Firefox
* Using the NoScript Add-on
This appears to be this upstream bug, which is currently embargoed: https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2010-3765
Mozilla has released their advisory, and fixed software. http://www.mozilla.org/security/announce/2010/mfsa2010-73.html
In the long tradition of security-related stabilization requests, the mozilla team would like arch teams to stabilize the following packages:
Target keywords for =net-libs/xulrunner-1.9.2.12/=www-client/firefox-3.6.12 are: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~ia64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris
Target keywords for =mail-client/thunderbird-3.1.6 are: alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux
Target keywords for =www-client/seamonkey-2.0.10 are: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Target keywords for =www-client/firefox-bin-3.6.12/=www-client/seamonkey-bin-2.0.10 are: amd64 x86
www-client/icecat is lagging behind as usual. So amd64-, ppc-, ppc64- and x86-arches, please prepare to get re-added once icecat comes with a bugfix-release, too.
Stable for HPPA.
Stable for PPC.
Target keywords for =mail-client/thunderbird-bin-3.1.6: amd64 x86
amd64 done
ppc64 done
x86 stable
arm stable
Mozilla team, Icecat 3.6.12 is released, please bump and re-add ppc@gentoo.org, ppc64@gentoo.org, x86@gentoo.org, amd64@gentoo.org
re-added archs for stabilization of icecat-3.6.12
would help to click add archs.
alpha/ia64/sparc stable
ppc64, please stabilize: =www-client/icecat-3.6.12 Thank you.
Thanks, folks. Added to existing Mozilla GLSA request.
Nothing for mozilla team to handle, tree has all appropriate updates.
Sorry for the noise, just forgot to remove mozilla team from the bug reports.
CVE-2010-3765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3765): Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).