firefox-3.6.24-3.0.1.AXS3, xulrunner-1.9.2.24-2.0.1.AXS3

エラータID: AXSA:2011-389:08

Release date: 
Thursday, December 8, 2011 - 12:03
Subject: 
firefox-3.6.24-3.0.1.AXS3, xulrunner-1.9.2.24-2.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.
XULRunner provides the XUL Runtime environment for Gecko applications.
Security issues fixed with this release:
CVE-2011-3647
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.
CVE-2011-3648
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
CVE-2011-3650
Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.

Solution: 

Update packages.

CVEs: 
CVE-2011-3647
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.
CVE-2011-3648
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
CVE-2011-3650
Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.




Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-3.6.24-3.0.1.AXS3.src.rpm
    MD5: 5a786ed3744ecaa66d0e2119a12a9878
    SHA-256: 9838ef9219cfb9de0762c3042ca8f73f2a7bb091d179b372275cb6609caa61e1
    Size: 58.30 MB
  2. xulrunner-1.9.2.24-2.0.1.AXS3.src.rpm
    MD5: 6fedc046a24a99a0638dff8ceaff6511
    SHA-256: 666cb07c577327cb77598ce966f2eb562788a6971782228f764693dc07d019cf
    Size: 49.04 MB

Asianux Server 3 for x86
  1. firefox-3.6.24-3.0.1.AXS3.i386.rpm
    MD5: b3d23905cd9e6cd62bfcca15a4250966
    SHA-256: 552a5af7bd3086f03306f23eb1edc4cf4ba5db344bd7173c1fd1cf4620feb567
    Size: 14.66 MB
  2. xulrunner-1.9.2.24-2.0.1.AXS3.i386.rpm
    MD5: 8d772763c99406abf76a3c14d7c07ef5
    SHA-256: 88ee1a52dd82578cd136cc64b2888eeaec52d090ba9bdb4a976d41baf3ddc553
    Size: 11.65 MB

Asianux Server 3 for x86_64
  1. firefox-3.6.24-3.0.1.AXS3.x86_64.rpm
    MD5: b7dda3da210cf56065bf3f94ab858c64
    SHA-256: e41f3749d1362b0824069d8ade55e8ad76787b6725452039f09f9be5336f7c48
    Size: 14.65 MB
  2. xulrunner-1.9.2.24-2.0.1.AXS3.x86_64.rpm
    MD5: 2047b16503ce098d0831478c3b1a2e8e
    SHA-256: 2db14aa2aa75b7e2f2570e9647530f0bff3b606945155279c8a44f33839610fe
    Size: 11.08 MB