
Re: [SECURITY] [DSA 775-1] New Mozilla packages fix frame injection spoofing vulnerability



On Mon, Aug 15, 2005 at 01:02:20PM +0200, Martin Schulze wrote:
> 
> -------------------------------------------------------------------------- 
> Debian Security Advisory DSA 775-1 security@debian.org 
> http://www.debian.org/security/ Martin Schulze August 15th, 2005 
> http://www.debian.org/security/faq - 
> --------------------------------------------------------------------------
> 
> Package        : mozilla
> Vulnerability  : frame injection spoofing
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2004-0718 CAN-2005-1937
> BugTraq ID     : 14242
> 
> A vulnerability has been discovered in Mozilla and Mozilla Firefox
> that allows remote attackers to inject arbitrary Javascript from one
> page into the frameset of another site.  Thunderbird is not affected
> by this and Galeon will be automatically fixed as it uses Mozilla
> components.
> 
> The old stable distribution (woody) does not contain Mozilla Firefox
> packages.
> 
> For the stable distribution (sarge) this problem has been fixed in
> version 1.0.4-2sarge1.
> 
> For the unstable distribution (sid) this problem has been fixed in
> version 1.0.6-1.
> 
> We recommend that you upgrade your mozilla-firefox package.
>...

You say it's affecting Mozilla, but you are offering only Firefox 
packages.

You say Galeon will be automatically fixed, but since Galeon is using 
Mozilla and not Firefox you have not yet fixed it.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed


