firefox-3.6.24-3.0.1.AXS4, xulrunner-1.9.2.24-2.1.0.1.AXS4
Errata ID: AXSA:2012-81:01
Security issues fixed with this release:
CVE-2011-2372
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent the starting of a download in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site.
CVE-2011-2995
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
CVE-2011-2998
Integer underflow in Mozilla Firefox 3.6.x before 3.6.23 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via JavaScript code containing a large RegExp expression.
CVE-2011-2999
Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170.
CVE-2011-3000
Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values.
CVE-2011-3647
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004.
CVE-2011-3648
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
CVE-2011-3650
Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug.
Update the packages.
SRPMS
- firefox-3.6.24-3.0.1.AXS4.src.rpm
MD5: 6d20bad4545993e3ebceca3e87e430d3
SHA-256: ed926b286b0f5441cdf771fba7a9c34886cf7cfb4e658c6c87e18b048d722cb9
Size: 58.30 MB
- xulrunner-1.9.2.24-2.1.0.1.AXS4.src.rpm
MD5: ba0b1849fc99533b77a0f4bf7bbb5bca
SHA-256: 959742a30f6bf4ccd621ce0beaa3acc67e9ed7ff62c961701618b82ecf565fa2
Size: 49.05 MB
Asianux Server 4 for x86
- firefox-3.6.24-3.0.1.AXS4.i686.rpm
MD5: d411e57694bd2b2e34ae47b8b2c0d7de
SHA-256: b1a13673f4bb354d1903347b492d28c2116b43201109dbd373d2e480334faa70
Size: 14.22 MB
- xulrunner-1.9.2.24-2.1.0.1.AXS4.i686.rpm
MD5: 06c68f66c94f43fa997aa63fb203051c
SHA-256: a323d966f89ebce96c8b5742cb774a4bdbf60d2b419debe3c84bbad3ccf4c8fb
Size: 9.18 MB
Asianux Server 4 for x86_64
- firefox-3.6.24-3.0.1.AXS4.x86_64.rpm
MD5: f7357a20b8730887314edb936c80a104
SHA-256: ad919f6b93077d3cf06c0bd43ac67ec6a040d034e27d0dbc7c3a7934e95d37a3
Size: 14.21 MB
- firefox-3.6.24-3.0.1.AXS4.i686.rpm
MD5: d411e57694bd2b2e34ae47b8b2c0d7de
SHA-256: b1a13673f4bb354d1903347b492d28c2116b43201109dbd373d2e480334faa70
Size: 14.22 MB
- xulrunner-1.9.2.24-2.1.0.1.AXS4.x86_64.rpm
MD5: 1364ebde2e4b038aa5e9c5fc0e4ededf
SHA-256: 3bdc900d6303cfce1ca81e96497ec286e9daa9dd9f6fe551696f2b3c891ac2dc
Size: 8.89 MB
- xulrunner-1.9.2.24-2.1.0.1.AXS4.i686.rpm
MD5: 06c68f66c94f43fa997aa63fb203051c
SHA-256: a323d966f89ebce96c8b5742cb774a4bdbf60d2b419debe3c84bbad3ccf4c8fb
Size: 9.18 MB