Mozilla Foundation
> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
> -----------------------------
> Details:
>
> On 30.02.2010 Mozilla fixed a vulnerability (a small one, which poses no
> security risk, as they said), found by Henry Sudhof - Mozilla Foundation
> Security Advisory 2010-23
> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html)
> (Image src redirect to mailto: URL opens email editor). It allows opening
> the email client on the user's computer via a redirector that redirects to
> a mailto:
>> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>> -----------------------------
>> Details:
>>
>> On 30.02.2010 Mozilla fixed a vulnerability (a small one, which poses no
>> security risk, as they said), found by Henry Sudhof - Mozilla Foundation
>> Security Advisory 2010-23
>> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image
>> src redirect to mailto: URL opens email editor). It allows opening the
>> email client on the user's computer via a redirector that redirects to a
>> mailto:
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Thunderbird running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).
References: Mozilla Foundation Security Advisory (MFSA) 2006-74, 2006-73, 2006-72, 2006-71, 2006-70, 2006-69, 2006-68, 2006-67, 2006-66, 2006-65, 2006-64, 2006-63, 2006-60, 2006-59, 2006-58, 2006-57, 2006-55, 2006-54, 2006-53, 2006-52, 2006-51, 2006-50, 2006-49, 2006-48, 2006-47, 2006-46, 2006-44, 2006-42, 2006-40, 2006-38, 2006-37, 2006-35, 2006-33, 2006-32, 2006-31, 2006-28, 2006-27, 2006-26, 2006-25, 2006-24, 2006-22, 2006-21, 2006-20, 2006-08, 2006-07, 2006-06, 2006-05, 2006-04, 2006-02, 2006-01.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Thunderbird prior to version 1.5.0.9 running on HP-UX B.11.11, B.11.23, and B.11.31.
BACKGROUND
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
-----------------------------
Details:
On 30.02.2010 Mozilla fixed a vulnerability (a small one, which poses no
security risk, as they said), found by Henry Sudhof - Mozilla Foundation
Security Advisory 2010-23
(http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image src
redirect to mailto: URL opens email editor). It allows opening the email
client on the user's computer via a redirector that redirects to a mailto: URL.
But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Thunderbird running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).
References: Mozilla Foundation Security Advisory (MFSA) 2007-12, 2007-15, 2007-18, 2007-23, 2007-26, 2007-27, 2007-29, 2007-36
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Thunderbird email application prior to v2.0.0.9 running on HP-UX B.11.11, B.11.23, and B.11.31.
BACKGROUND
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Firefox running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).
References: Mozilla Foundation Security Advisory (MFSA) 2006-20, 2006-22 to 2006-25, 2006-27 to 2006-39, 2006-41 to 2006-48, 2006-50 to 2006-62, 2006-64 to 2006-73, 2006-75, 2006-76, 2007-01 to 2007-09, 2007-11 to 2007-39.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Firefox web browser prior to v2.0.0.11 running on HP-UX B.11.11 and B.11.23.
BACKGROUND
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon
This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, they did not do it. The new CVE number "CVE-2009-1563" caused even greater confusion. Secunia has reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products (such as KDE and Chrome) and that it is based on "CVE-2009-0689". After some time, the Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in JavaScript (from Secunia) forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid the wrong CVE number. We do not see any other way to fix this issue in all products.
http://www.binaryplanting.com/
[2] Microsoft's CWDIllegalInDllSearch hotfix
http://support.microsoft.com/kb/2264107
[3] Mozilla Foundation Security Advisory 2011-30
http://www.mozilla.org/security/announce/2011/mfsa2011-30.html
Contact
=======
http://www.binaryplanting.com/
[2] Microsoft's CWDIllegalInDllSearch hotfix
http://support.microsoft.com/kb/2264107
[3] Mozilla Foundation Security Advisory 2011-32
http://www.mozilla.org/security/announce/2011/mfsa2011-32.html
Contact
=======
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Firefox running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).
References: Mozilla Foundation Security Advisory (MFSA) 2006-20, 2006-22 to 2006-25, 2006-27 to 2006-39, 2006-41 to 2006-48, 2006-50 to 2006-62, 2006-64 to 2006-73, 2006-75, 2006-76, 2007-01 to 2007-09, 2007-11 to 2007-27.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Firefox prior to v2.0.0.6 running on HP-UX B.11.11 and B.11.23.
BACKGROUND
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Firefox running on HP-UX. These vulnerabilities could be exploited remotely resulting in unauthorized access, elevation of privileges, or Denial of Service (DoS).
References: Mozilla Foundation Security Advisory (MFSA) 2006-20, 2006-22 to 2006-25, 2006-27 to 2006-39, 2006-41 to 2006-48, 2006-50 to 2006-62, 2006-64 to 2006-73, 2006-75, 2006-76, 2007-01 to 2007-09, 2007-11 to 2007-17.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Firefox prior to version 2.0.0.4 running on HP-UX B.11.11 and B.11.23.
BACKGROUND
property to any value >= 3 will prevent the vulnerable code from being
triggered.
VI. VENDOR RESPONSE
The Mozilla Foundation has addressed this vulnerability by releasing
version 2.0.0.12 of Thunderbird. For more information, refer to their
advisory at the following URL.
http://www.mozilla.org/security/announce/2008/mfsa2008-12.html