firefox-17.0.8-1.0.1.AXS3, xulrunner-17.0.8-3.0.1.AXS3

エラータID: AXSA:2013-623:06

Release date: 
Monday, September 23, 2013 - 17:16
Subject: 
firefox-17.0.8-1.0.1.AXS3, xulrunner-17.0.8-3.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.

Security issues fixed with this release:

• CVE-2013-1701
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

• CVE-2013-1709
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document.

• CVE-2013-1710
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.

• CVE-2013-1713
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site.

• CVE-2013-1714
The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors.

• CVE-2013-1717
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.

Solution: 

Update packages.

CVEs: 
CVE-2013-1701
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2013-1709
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document.
CVE-2013-1713
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 use an incorrect URI within unspecified comparisons during enforcement of the Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks or install arbitrary add-ons via a crafted web site.
CVE-2013-1714
The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest calls, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via unspecified vectors.
CVE-2013-1717
Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly restrict local-filesystem access by Java applets, which allows user-assisted remote attackers to read arbitrary files by leveraging a download to a fixed pathname or other predictable pathname.
Additional Info: 

N/A

Download: 

SRPMS
  1. xulrunner-17.0.8-3.0.1.AXS3.src.rpm
    MD5: 444a81d4f23eb2ac901dfe5640b9d13a
    SHA-256: 6235f1023781fea519f90babaa38b212d646e9cef21db217d992fe2798d86a19
    Size: 86.31 MB

Asianux Server 3 for x86
  1. firefox-17.0.8-1.0.1.AXS3.i386.rpm
    MD5: 1a07f756de586e62cfc47385e76fe1aa
    SHA-256: eb905e9b47fc19d74460e8d0c59b918d9a7ad242545ea969927385b9ea2dfec0
    Size: 25.73 MB
  2. xulrunner-17.0.8-3.0.1.AXS3.i386.rpm
    MD5: feec0c89146b388225e89757be4784bf
    SHA-256: 202bc653667d711f7a7194d1672ad724b112f686d273f1cf011d00231e492493
    Size: 15.23 MB

Asianux Server 3 for x86_64
  1. firefox-17.0.8-1.0.1.AXS3.x86_64.rpm
    MD5: 58dc193c6fcce3de2bd67c0c6f94940a
    SHA-256: 36c2e8d173b5ba34743e95ae288a72b54bdfe150bfcb54085ca7c82ad90b6e4f
    Size: 25.72 MB
  2. xulrunner-17.0.8-3.0.1.AXS3.x86_64.rpm
    MD5: c3fa517cd6b443945e2683a4998a8b95
    SHA-256: c8a9b6f13004f02d31b9f6cac11bfd94193b55a8a83ce7575d27cb2a66cabd57
    Size: 14.67 MB