Mozilla
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: August 06, 2008
Bugs: #204337, #218065, #230567, #231975
ID: 200808-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: May 20, 2008
Bugs: #208128, #214816, #218065
ID: 200805-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Affected: 2011.
_______________________________________________________________________
Problem Description:
Security issues were identified and fixed in mozilla firefox and
thunderbird:
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before
7.0, and SeaMonkey before 2.4 do not prevent the starting of a download
in response to the holding of the Enter key, which allows user-assisted
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: August 14, 2007
Bugs: #185737, #187205
ID: 200708-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hello Bugtraq!
I want to warn you about a Cross-Site Scripting vulnerability in Mozilla
Firefox, Opera and other browsers. It allows bypassing the protection against
executing JavaScript code in Location-header redirectors (by redirecting
to a javascript: URI).
Recently, on 04.08.2010, I wrote about a vulnerability in Mozilla and Mozilla
Firefox at my site. I made full disclosure because Mozilla completely
ignored a similar vulnerability, which I informed them about in August 2009, like
Mandriva Linux Security Advisory MDVSA-2012:013
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla
Date : February 3, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Some time ago I read your message and also checked Firefox 3.0.6 and
confirmed the crash in it. What I can tell you about this hole:
At the beginning of September 2008 I already wrote about such a DoS
vulnerability in Mozilla Firefox (http://websecurity.com.ua/2421/), which
leads to the browser taking 100% of CPU resources and freezing after the
exploit is run.
The attack was based on using nested marquee tags (this hole was already
found in Firefox 1.0 and 1.5). Vulnerable were Mozilla Firefox 3.0.1 and
Problem Description:
Security issues were identified and fixed in firefox 3.5.x:
liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before
2.0.1 might allow context-dependent attackers to cause a denial of
service (application crash) or execute arbitrary code via unspecified
vectors, related to memory safety issues. (CVE-2009-3388)
Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Cross-site request forgery (CSRF) vulnerability in Mozilla Firefox
before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12,
allows remote attackers to hijack the authentication of arbitrary
users for requests that were initiated by a plugin and received a
307 redirect to a page on a different web site. (CVE-2011-0059)
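The mechanism behind the advisory above is that a 307 response tells the client to repeat the request, with the same method, body and headers, at the new Location; when the Location is on another site, any custom headers the plugin set (and the user's cookies for that site) travel with it, so a server that treats a custom header as proof the request was not forged is fooled. The following is an added example, not Mozilla's code or anything from the advisory: a model of the redirect decision with the unsafe behaviour beside a conservative one. The request object shape, the function names and the simplified header safelist are assumptions made for this example.

```javascript
// Added example, not code from Mozilla or from the advisory: a model of how a
// client should treat a 307 redirect of a request that carries custom headers.
// The request object shape, the function names and the header safelist are
// assumptions made for this example.

// CORS-safelisted request headers (simplified: names only, values unchecked).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Methods a cross-origin request may use without a preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Vulnerable behaviour: the redirected request is a verbatim copy pointed at
// the new Location, even when that is another origin. A site that checks a
// custom header such as X-Requested-With as its CSRF defence sees the header
// on a request the victim's browser was steered into by the attacker.
function followRedirectUnsafe(req, location) {
  const target = new URL(location, req.url).href;
  return { ...req, headers: { ...req.headers }, url: target };
}

// Hardened behaviour: keep 307 semantics (method and body) for a same-origin
// redirect, but when the redirect crosses an origin, drop every header that is
// not CORS-safelisted and refuse the redirect if the method is not a simple
// one. (A browser would instead preflight the new origin; stripping is the
// conservative choice for a client library.)
function followRedirectSafe(req, location) {
  const target = new URL(location, req.url).href;
  if (sameOrigin(req.url, target)) {
    return { ...req, headers: { ...req.headers }, url: target, dropped: [] };
  }
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) {
    return { blocked: true, reason: `cross-origin 307 with method ${req.method}` };
  }
  const headers = {};
  const dropped = [];
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (SAFELISTED_HEADERS.has(lower)) headers[lower] = value;
    else dropped.push(lower);
  }
  return { ...req, url: target, headers, dropped };
}

// Constructed scenario: a plugin-initiated POST to the attacker's server,
// which answers with a 307 pointing at a third-party site.
function demo() {
  const req = {
    method: "POST",
    url: "https://attacker.example/upload",
    headers: { "content-type": "text/plain", "x-requested-with": "XMLHttpRequest" },
    body: "amount=1000&to=attacker",
  };
  const location = "https://bank.example/transfer";
  return {
    unsafe: followRedirectUnsafe(req, location),
    safe: followRedirectSafe(req, location),
  };
}
```

In `demo()`, the unsafe path delivers the POST body and the `x-requested-with` header to bank.example with the victim's cookies; the safe path keeps the method and body (307 semantics) but strips the custom header and reports what it dropped, so a header-based CSRF check on the target site fails as it should.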
Problem Description:
Security issues were identified and fixed in firefox:
An unspecified function in the JavaScript implementation in Mozilla
Firefox creates and exposes a temporary footprint when there is
a current login to a web site, which makes it easier for remote
attackers to trick a user into acting upon a spoofed pop-up message,
aka an in-session phishing attack. (CVE-2008-5913).
Problem Description:
Security issues were identified and fixed in firefox:
Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird
before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9
recognize a wildcard IP address in the subject's Common Name field of
an X.509 certificate, which might allow man-in-the-middle attackers
to spoof arbitrary SSL servers via a crafted certificate issued by
a legitimate Certification Authority (CVE-2010-3170).
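The defect class in the advisory above is a name matcher that applies wildcard rules to the certificate's Common Name without asking what kind of reference identifier the client is checking: an IP address is not a DNS name, and wildcard matching has no business applying to it. The following is an added example, not Mozilla's NSS or PSM code: a loose CN glob of the kind that accepts "*.*.*.*" for any IPv4 address, beside a matcher that compares IP identifiers only against iPAddress SAN entries and restricts wildcards to a whole left-most DNS label. The certificate object shape, the function names and the certificates used are assumptions constructed for this example.

```javascript
// Added example, not Mozilla's NSS/PSM code: reference-identifier matching for
// TLS certificates. The certificate object shape ({ dnsNames, ipAddresses, cn })
// and the function names are assumptions made for this example.

const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

function isIpLiteral(host) {
  // Simplified: IPv6 literals contain ':' and no DNS label ever does.
  return IPV4.test(host) || host.includes(":");
}

// Loose glob matcher of the kind older TLS stacks used for the CN: every '*'
// matches any run of characters, in any label, and the kind of identifier
// (DNS name or IP address) is never considered. This is the vulnerable shape:
// a CA-issued certificate for "*.*.*.*" satisfies it for every IPv4 address.
function looseCnMatch(pattern, host) {
  const escaped = pattern.toLowerCase().replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
  return re.test(host.toLowerCase());
}

// RFC 6125-style dNSName matching (simplified): case-insensitive, the only
// wildcard allowed is a whole left-most label, it matches exactly one label,
// and at least two literal labels must follow it (so "*.com" never matches).
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().split(".");
  if (p.length !== h.length || p.some((label) => label.length === 0)) return false;
  for (let i = 0; i < p.length; i++) {
    if (i === 0 && p[i] === "*") {
      if (p.length < 3) return false;
      continue;
    }
    if (p[i].includes("*") || p[i] !== h[i]) return false;
  }
  return true;
}

// Hardened check. An IP-address reference identifier is compared only against
// iPAddress SAN entries, exactly, with no wildcard processing at all; the CN
// is used only as a fallback for DNS names when there is no dNSName SAN.
function hostMatchesCert(cert, host) {
  const dnsNames = cert.dnsNames || [];
  const ips = cert.ipAddresses || [];
  if (isIpLiteral(host)) {
    return ips.some((ip) => ip.toLowerCase() === host.toLowerCase());
  }
  const candidates = dnsNames.length > 0 ? dnsNames : (cert.cn ? [cert.cn] : []);
  return candidates.some((name) => dnsNameMatches(name, host));
}

// Constructed certificates: a wildcard-IP CN that a legitimate CA might have
// issued, and an ordinary wildcard DNS certificate.
const WILDCARD_IP_CERT = { cn: "*.*.*.*" };
const WILDCARD_DNS_CERT = { dnsNames: ["*.example.com"] };
```

The point to take from the two matchers is not the glob itself but the missing branch: the hardened version decides first what kind of identifier it is checking, and wildcard handling only exists on the DNS-name path.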
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Security issues were identified and fixed in mozilla firefox and
thunderbird:
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before
7.0, and SeaMonkey before 2.4 do not prevent the starting of a download
in response to the holding of the Enter key, which allows user-assisted
So this time I informed browser developers and users about these issues. And
did I receive any thanks from Susan (especially taking into account that I
did inform vendors) or any other user of browsers for this info? No :-). Did
browser vendors answer me? No :-) (on the first day), which is normal for
such cases, based on my experience. Only on the second day did Opera and Mozilla
answer me and begin investigating these cases (which is a rare case when
they respond to a DoS hole, based on my experience), but not the other vendors.
> These vendors do not ignore security issues and do respond
Initiative) a potential reuse of a deleted image frame in Firefox 3.6's
handling of multipart/x-mixed-replace images. Although no exploit was
shown, re-use of freed memory has led to exploitable vulnerabilities
in the past (CVE-2010-0164).
Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0165,
CVE-2010-0167).
Mandriva Linux Security Advisory MDVSA-2010:071
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : April 23, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0
_______________________________________________________________________
Problem Description:
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1,
and Thunderbird allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors (CVE-2009-3979).
Thierry, I even planned to write a long message here on this subject (which
I planned at the beginning of this year), but I cancelled it due to lack of time
:-). In short: the developers are not right, and DoS is a security issue.
I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are the results of my tests, which will be an
additional stroke to your picture of vulnerable browsers and systems.
Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasn't many of the holes which Mozilla added to new
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Firefox, SeaMonkey: Multiple vulnerabilities
Date: December 29, 2007
Bugs: #198965, #200909
ID: 200712-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Firefox, SeaMonkey, XULRunner: Multiple
vulnerabilities
Date: November 12, 2007
Bugs: #196480
ID: 200711-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Thunderbird: Multiple vulnerabilities
Date: November 18, 2007
Bugs: #196481
ID: 200711-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PUBLIC
=========================================================================
ACROS Security Problem Report #2011-08-18-2
-------------------------------------------------------------------------
ASPR #2011-08-18-2: Remote Binary Planting in Mozilla Thunderbird
=========================================================================
Document ID: ASPR #2011-08-18-2-PUB
Vendor: Mozilla (http://www.mozilla.org)
Target: Mozilla Thunderbird
PUBLIC
=========================================================================
ACROS Security Problem Report #2011-08-18-1
-------------------------------------------------------------------------
ASPR #2011-08-18-1: Remote Binary Planting in Mozilla Firefox
=========================================================================
Document ID: ASPR #2011-08-18-1-PUB
Vendor: Mozilla (http://www.mozilla.org)
Target: Mozilla Firefox
Mandriva Linux Security Advisory MDVSA-2011:140
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : October 1, 2011
Affected: 2009.0, 2010.1
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDVSA-2011:142
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : October 1, 2011
Affected: 2011.
_______________________________________________________________________
Problem Description:
Problem Description:
Security issues were identified and fixed in firefox 3.5.x:
Security researcher Alin Rad Pop of Secunia Research reported a
heap-based buffer overflow in Mozilla's string to floating point
number conversion routines. Using this vulnerability an attacker
could craft some malicious JavaScript code containing a very long
string to be converted to a floating point number which would result
in improper memory allocation and the execution of an arbitrary memory
location. This vulnerability could thus be leveraged by the attacker
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th
Hello SecurityFocus!
I want to warn you about a Cross-Site Scripting vulnerability in Mozilla,
Firefox and Chrome.
Some time ago Mozilla fixed a vulnerability in Firefox described in MFSA
2009-22 (http://www.mozilla.org/security/announce/2009/mfsa2009-22.html),
which allowed the Refresh header to redirect to javascript: URIs.
This vulnerability was fixed in Firefox 3.0.9. And recently, on 06.07.2009, I
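Both this post and the earlier one about Location-header redirectors concern the same practitioner's problem: a redirector that tries to block javascript: targets with a check on the raw string, while the browser normalises the value (stripping leading whitespace and any embedded tab or newline, lowercasing the scheme) before deciding what to do with it. The following is an added example, not code from either post or from Mozilla: a server-side redirector's target validation, with the bypassable prefix check beside one that parses the target with the WHATWG URL parser first and then allows only an explicit scheme allowlist, plus a small parser for the Refresh header form. The function names, the simplified Refresh parser and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from the posts above or from Mozilla: validating a
// redirect target for a Location or Refresh header. Function names, the
// simplified Refresh parser and the sample inputs are assumptions.

// Prefix check on the raw string, the shape of check the posts describe as
// bypassable: browsers strip leading/trailing whitespace and any tab or
// newline inside the URL and lowercase the scheme, so several spellings of
// "javascript:" survive this test.
function naiveTargetIsSafe(target) {
  return !target.toLowerCase().startsWith("javascript:");
}

// Hardened check: resolve the target with the WHATWG URL parser (which applies
// those normalisation rules) and then allow only an explicit scheme allowlist.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function resolveSafeRedirect(target, base) {
  let parsed;
  try {
    parsed = new URL(target, base);
  } catch (err) {
    return null; // unparseable: refuse rather than pass the raw value through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Minimal parser for a Refresh header value such as `0; url=https://...`
// (simplified: one url= parameter, optionally quoted, case-insensitive key).
function parseRefreshUrl(headerValue) {
  const semi = headerValue.indexOf(";");
  if (semi < 0) return null;
  const m = /^\s*url\s*=\s*(.*)$/i.exec(headerValue.slice(semi + 1));
  if (!m) return null;
  let url = m[1].trim();
  const q = url[0];
  if ((q === '"' || q === "'") && url.length >= 2 && url.endsWith(q)) {
    url = url.slice(1, -1);
  }
  return url;
}

// Validate the target carried in a Refresh header; null means "do not emit".
function safeRefreshTarget(headerValue, base) {
  const url = parseRefreshUrl(headerValue);
  return url === null ? null : resolveSafeRedirect(url, base);
}

// Constructed inputs: spellings of javascript: that a prefix check misses
// but that a browser dispatches as a javascript: URI after normalisation.
const BASE = "https://example.com/redirector";
const BYPASS_SPELLINGS = [
  "java\tscript:alert(1)",
  " javascript:alert(1)",
  "jav\nascript:alert(1)",
];

function auditSpellings() {
  return BYPASS_SPELLINGS.map((target) => ({
    target,
    naiveAllows: naiveTargetIsSafe(target),
    hardenedAllows: resolveSafeRedirect(target, BASE) !== null,
  }));
}
```

`auditSpellings()` reports every constructed spelling as allowed by the prefix check and refused by the parse-then-allowlist check. The allowlist also refuses data: and other schemes without needing a denylist entry for each one, which is the general lesson: validate what the browser will see, against what you intend to permit.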
Problem Description:
Security issues were identified and fixed in firefox 3.0.x:
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.0.14 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2009-3069, CVE-2009-3070,
CVE-2009-3071, CVE-2009-3072).