| Summary: | <www-client/firefox{-bin}-3.6.12, <mail-client/thunderbird{-bin}-3.1.6, <www-client/seamonkey{-bin}-2.0.10: Remote Code Execution Vulnerability (CVE-2010-3765) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | fauli |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/ | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 342323 | | |
| Bug Blocks: | | | |

Description
Tim Sammut (RETIRED)
2010-10-27 00:26:21 UTC
Mozilla has released their advisory, and fixed software.
http://www.mozilla.org/security/announce/2010/mfsa2010-73.html

In the long tradition of security-related stabilization requests the mozilla team would like arch teams to stabilize the following packages:

Target keywords for =net-libs/xulrunner-1.9.2.12/=www-client/firefox-3.6.12 are: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~ia64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris

Target keywords for =mail-client/thunderbird-3.1.6 are: alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux

Target keywords for =www-client/seamonkey-2.0.10 are: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Target keywords for =www-client/firefox-bin-3.6.12/=www-client/seamonkey-bin-2.0.10 are: amd64 x86

www-client/icecat is lagging behind as usual. So amd64-, ppc-, ppc64- and x86-arches please prepare to get re-added once icecat comes with a bugfix-release, too.

Stable for HPPA.

Stable for PPC.

Target keywords for =mail-client/thunderbird-bin-3.1.6: amd64 x86

amd64 done

ppc64 done

x86 stable

arm stable

Mozilla team, Icecat 3.6.12 is released, please bump and readd ppc@gentoo.org, ppc64@gentoo.org, x86@gentoo.org, amd64@gentoo.org

re-added archs for stabilization of icecat-3.6.12 would help to click add archs.

amd64 done

x86 stable

ppc64 done

Stable for PPC.

alpha/ia64/sparc stable

ppc64, please stabilize: =www-client/icecat-3.6.12 Thank you.

ppc64 done

Thanks, folks. Added to existing Mozilla GLSA request.

Nothing for mozilla team to handle, tree has all appropriate updates. sorry for the noise just forgot to remove mozilla team from the bug reports.

CVE-2010-3765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3765): Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption, as exploited in the wild in October 2010 by the Belmoo malware.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).