Summary
The remote host is missing an update to firefox
announced via advisory MDVSA-2009:198.
Solution
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:198 http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.13
Insight
Security issues were identified and fixed in firefox 3.0.x:
Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location (CVE-2009-2654).
Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client (CVE-2009-2404).
IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions (CVE-2009-2408).
This update provides the latest Mozilla Firefox 3.0.x to correct these issues.
Additionally, some packages which require so, have been rebuilt and are being provided as updates.
Affected: 2009.0, 2009.1, Enterprise Server 5.0
Severity
Classification
-
CVE CVE-2009-2404, CVE-2009-2408, CVE-2009-2654 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities