Bug 639552 - VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security bug Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary Code (related: Thunderbird 3.1.2 Thunderbird 3.0.6 SeaMonkey 2.0.6 )
Summary: VUL-0: Mozilla Firefox 3.6.8 a. o.: version 3.6.9 and 3.5.12 fixes security b...
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 11.2
Classification: openSUSE
Component: Firefox
Version: Final
Hardware: All openSUSE 11.2
Priority: P5 - None; Severity: Major with 1 vote
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-15 14:51 UTC by Martin Seidler
Modified: 2010-09-17 11:46 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Martin Seidler 2010-09-15 14:51:19 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.8 SUSE/7.0.522.0 (KHTML, like Gecko) Chrome/7.0.522.0 Safari/534.8

Will also affect 11.3 ; Firefox 3.5.11 ; Thunderbird 3.1.2 ; Thunderbird 3.0.6 ; SeaMonkey 2.0.6

References

[1] http://www.mozilla.org/security/announce/2010/mfsa2010-49.html
"Title: Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
Impact: Critical
Announced: September 7, 2010
Reporter: Mozilla developers and community
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.6.9, Firefox 3.5.12, Thunderbird 3.1.3, Thunderbird 3.0.7, SeaMonkey 2.0.7"

[2] Mozilla Thunderbird Bugs Let Remote Users Conduct Cross-Site
Scripting Attacks, Obtain Potentially Sensitive Information, and Execute
Arbitrary Code; SecurityTracker URL:
http://securitytracker.com/id?1024403
(2010-09-08)
"Impact: A remote user can create a HTML that, when loaded by the
target user, will execute arbitrary code on the target user's system.

A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the target site, access
data recently submitted by the target user via web form to the site, or
take actions on the site acting as the target user.

A remote user can obtain potentially sensitive information.
Solution: The vendor has issued a fix (3.0.7, 3.1.3).
"
[3] Mozilla Firefox DLL Loading Error Lets Remote Users Execute
Arbitrary Code; SecurityTracker URL:
http://securitytracker.com/id?1024406
(2010-09-08)

[4] Mozilla Firefox Bugs Let Remote Users Conduct Cross-Site Scripting
Attacks, Obtain Potentially Sensitive Information, and Execute Arbitrary
Code; SecurityTracker URL:
http://securitytracker.com/id?1024401
(2010-09-08)

Reproducible: Didn't try

Steps to Reproduce:
This bug is public and the vendor Mozilla has released fixing versions on 2010-09-07.
1. Try to build a Cross-Site Scripting attacking page?
2. Read the references.
Actual Results:  
I cannot find a coordinated release date (CRD) set or an openSUSE security warning.

Expected Results:  
1. Release a security warning (documentation bug).
2. Update to Mozilla Firefox 3.6.9 and 3.5.12 ; Thunderbird 3.1.3 ; Thunderbird
3.0.7 ; SeaMonkey 2.0.7 - Push the release to the main update repository and maybe to the further openSUSE testing.


[5] Problems with mozilla-nspr (Netscape Portable Runtime) ? : http://lists.opensuse.org/opensuse-factory-mozilla/2010-09/msg00000.html

What (how stable) is
"mozilla-nspr 4.8.6-1.1
Changelog:
23 July 2010 ([...]):
- update to 4.8.6 "?
in
http://download.opensuse.org/repositories/mozilla/openSUSE_11.2/i586/
http://download.opensuse.org/repositories/mozilla/openSUSE_11.3/i586/
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.6/

Compare:
4.8.*3*
http://www.mozilla.org/projects/nspr/release-notes/
http://www.mozilla.org/projects/nspr/release-notes/nspr483.html
http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.3/

[6] http://forums.opensuse.org/english/community/general-chit-chat/445980-security-issues-how-do-users-maintainers-developers-work-together-exemple-opera-10-60-issues.html
Comment 1 Marcus Meissner 2010-09-15 18:37:02 UTC
thx for the report, we know. :/

*** This bug has been marked as a duplicate of bug 637303 ***
Comment 2 Martin Seidler 2010-09-15 19:45:04 UTC
Thanks for the answer!

But how could I know that you know?
"Access Denied
You are not authorized to access bug #637303."

By the way:

"Expected Results:  
1. Release a security warning (documentation bug).[...]"

Shall I open a second bug report for that? ;-)
Comment 3 Martin Seidler 2010-09-17 07:02:05 UTC
(In reply to comment #1)
> thx for the report, we know. :/
> 
> *** This bug has been marked as a duplicate of bug 637303 ***
>>"Access Denied
>>You are not authorized to access bug #637303."
As bug 637303 is hidden/private, it does not serve the warning and informing function of a bug report. As the bug has otherwise been public for at least 10 days and is even confirmed by the vendor (Mozilla), that makes no sense at all.

Openness may also be about enabling the user to decide whether she or he will use a program with a confirmed security bug (but maybe without any effect in the wild at all?), use another, maybe not so stable, version of that program, or just use another program for that purpose (Chromium, Opera, Kmail, Evolution, etc.).

And also it is not possible for a user to see from the so-called "bug 637303" which programs are affected
(Mozilla Firefox 3.6.8 ; Firefox 3.5.11 ; Thunderbird 3.1.2 ; Thunderbird 3.0.6
; SeaMonkey 2.0.6 ).

So I will reopen this not hidden bug report.

And I still consider it appropriate for a real openSUSE security warning to be published at a time when it is not only of historical interest.
Comment 4 Marcus Meissner 2010-09-17 09:03:25 UTC
the firefox update was just released, the rest will follow.
Comment 5 Martin Seidler 2010-09-17 11:46:13 UTC
(In reply to comment #4)
(1)
> the firefox update was just released,
*Thanks a lot* for this version of Firefox!

So I could now change from
MozillaFirefox 3.6.10-30.1 (i586) from the openSUSE Mozilla repository
back to the
MozillaFirefox 3.6.10-0.3.1 (i586) from the openSUSE Update (main) repository
to be in line with the Main repositories again, or?

(2)
>the rest will follow.
On the issue of Thunderbird:

Shall/Could I update
Mozilla Thunderbird 3.0.6-0.1.1  (i586) from the openSUSE Update (main) repository on my openSUSE 11.2 system to
Mozilla Thunderbird 3.1.4-23.1  (i586) from the openSUSE Mozilla repository?

I cannot see anything with a higher version number than 3.0.6 in the openSUSE Test (test for Update main) repository.

Or will there be an openSUSE MozillaThunderbird 3.0.7 or 3.0.8 for openSUSE 11.2 in the future?