
Bug 106939

Summary: mozilla-firefox 1.0.7 update for severe security flaw
Product: Gentoo Linux
Reporter: VinnieNZ <spamtrap+gentoo>
Component: New packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description VinnieNZ 2005-09-22 18:18:37 UTC
Mozilla Firefox has been updated to v1.0.7 for a severe security flaw that
affects Linux (below from computerworld.co.nz):

"The bug is in the Linux shell scripts that Firefox and the Mozilla browser
suite use to parse web addresses supplied via the command line or by external
programs such as email clients. Researcher Peter Zelezny discovered that
commands included in the URL and enclosed in backticks (`) were executed by the
Linux or Unix shell.

The flaw doesn't require web interaction to be effective. If a user with
affected versions of Firefox or Mozilla set as the default browser clicks on a
maliciously crafted URL in an email program, for example, malicious commands
would be executed before the browser was launched.

Security advisory aggregators Secunia and FrSIRT both gave the flaw their most
severe ratings.

The Mozilla Foundation, which develops Firefox and other Mozilla-based software
such as the Thunderbird email client, has issued a Firefox update, version
1.0.7, fixing the flaw as well as a week-old security bug in the handling of
International Domain Names (IDN). The update can be found on the Mozilla website."

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
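The class of bug described above is a wrapper script letting the shell re-parse URL text it received as an argument. As an added illustration (not the Mozilla or Gentoo wrapper script, and not part of the original report), here is a minimal POSIX sh handler that refuses URLs containing shell metacharacters and always hands the URL to the browser as a single argument; the scheme allow-list and the `fake_browser` stand-in in the comments are assumptions for the example:

```shell
#!/bin/sh
# Added example of a defensive URL handler. It does two things the vulnerable
# wrappers did not: it validates the URL before use, and it never builds a
# command string from it (no eval, no unquoted expansion), so backticks and
# $(...) inside the URL are plain data to the browser process.

# url_is_safe URL
# Returns 0 when URL has an allowed scheme and no shell metacharacters,
# 1 otherwise. The scheme list is an assumption for this example.
url_is_safe() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*|*"'"*|*'"'*|*'\'*|*' '*)
            return 1 ;;
    esac
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# launch_browser BROWSER URL
# Runs BROWSER with URL as exactly one argument. Returns 2 and runs nothing
# if the URL fails validation, otherwise the browser's exit status.
launch_browser() {
    browser="$1"
    url="$2"
    url_is_safe "$url" || return 2
    # Quoting keeps the URL a single word; the shell does not interpret its
    # contents, which is what the 1.0.6 wrappers failed to guarantee.
    "$browser" "$url"
}
```

Run it as `launch_browser firefox 'http://example.com/'`; a URL carrying backticks is rejected before any process is started.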
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-09-22 21:42:31 UTC
Command Line URL Shell Command Injection vulnerability is not reproducible on
Gentoo, due to the wrapper scripts. 

*** This bug has been marked as a duplicate of 105396 ***