1. Ubuntu Security Notices
  2. USN-546-1

USN-546-1: Firefox vulnerabilities

Publication date

26 November 2007

Overview

Firefox vulnerabilities

Releases

Packages

Details

It was discovered that Firefox incorrectly associated redirected sites
as the origin of "jar:" contents. A malicious web site could exploit this
to modify or steal confidential data (such as passwords) from other web
sites. (CVE-2007-5947)

Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-5959)

Gregory Fleischer discovered that it was possible to use JavaScript to
manipulate Firefox's Referer header. A malicious web site could exploit
this to conduct cross-site request forgeries against sites that relied
only on Referer headers for protection from such attacks. (CVE-2007-5960)

It was discovered that Firefox incorrectly associated redirected sites
as the origin of "jar:" contents. A malicious web site could exploit this
to modify or steal confidential data (such as passwords) from other web
sites. (CVE-2007-5947)

Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-5959)

Gregory Fleischer discovered that it was possible to use JavaScript to
manipulate Firefox's Referer header. A malicious web site could exploit
this to conduct cross-site request forgeries against sites that relied
only on Referer headers for protection from such attacks. (CVE-2007-5960)

Update instructions

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
7.10 gutsy firefox –  2.0.0.10+2nobinonly-0ubuntu1.7.10.1
7.04 feisty firefox –  2.0.0.10+1nobinonly-0ubuntu1
6.10 edgy firefox –  2.0.0.10+0nobinonly-0ubuntu0.6.10
6.06 dapper firefox –  1.5.dfsg+1.5.0.14~prepatch071125a-0ubuntu1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›