Debians sikkerhedsbulletin

DSA-1224-1 mozilla -- flere sårbarheder

Rapporteret den:

3. dec 2006

Berørte pakker:

Sårbar:

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 19678, BugTraq-id 20957.
I Mitres CVE-ordbog: CVE-2006-4310, CVE-2006-5462, CVE-2006-5463, CVE-2006-5464, CVE-2006-5748.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#335392, VU#390480, VU#495288, VU#714496.

Yderligere oplysninger:

Flere sikkerhedsrelaterede problemer er opdaget i Mozilla og afledte produkter. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende sårbarheder:

CVE-2006-4310
Tomas Kempinsky har opdaget at misdannede ftp-serversvar kunne føre til lammelsesangreb (denial of service).
CVE-2006-5462
Ulrich Kühn har opdaget at rettelsen af en kryptografisk fejl i håndteringen af PKCS-1-certifikater ikke var komplet, hvilket tillod forfalskning af certifikater.
CVE-2006-5463
shutdown har opdaget af ændring af JavaScript-objekter under udførelse kunne føre til udførelse af vilkårlig JavaScript-bytecode.
CVE-2006-5464
Jesse Ruderman og Martijn Wargers har opdaget flere nedbrud i layout-maskinen, hvilket også kunne føre til udførelse af vilkårlig kode.
CVE-2006-5748
Igor Bukanov og Jesse Ruderman opdagede flere nedbrud i JavaScript-maskinen, hvilket også kunne føre til udførelse af vilkårlig kode.

Denne opdatering tager også vare om flere nedbrud, der kunne udløses af ondsindede websteder, og retter en regression der blev introduceret i den foregående Mozilla-opdatering.

I den stabile distribution (sarge) er disse problemer rettet i version 1.7.8-1sarge8.

Vi anbefaler at du opgraderer din mozilla-pakke.

Rettet i:

Debian GNU/Linux 3.1 (sarge)

Kildekode:: http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.dsc; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8.diff.gz; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_alpha.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_amd64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_arm.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_arm.deb
HPPA:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_hppa.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_i386.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_ia64.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_ia64.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_m68k.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_mips.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_mipsel.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_powerpc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_s390.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge8_sparc.deb; http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge8_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.