RHEL 4 / 5 : firefox (RHSA-2008:0978)

medium Nessus Plugin ID 34764

Synopsis

The remote Red Hat host is missing one or more security updates for firefox.

Description

The remote Redhat Enterprise Linux 4 / 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2008:0978 advisory.

- Mozilla buffer overflow in http-index-format parser (CVE-2008-0017)

- Mozilla crash and remote code execution via __proto__ tampering (CVE-2008-5014)

- Mozilla file: URIs inherit chrome privileges (CVE-2008-5015)

- Mozilla crash with evidence of memory corruption (CVE-2008-5016, CVE-2008-5017, CVE-2008-5018)

- Mozilla XSS via session restore (CVE-2008-5019)

- Mozilla crash and remote code execution in nsFrameManager (CVE-2008-5021)

- Mozilla nsXMLHttpRequest::NotifyEventListeners() same-origin violation (CVE-2008-5022)

- Mozilla -moz-binding property bypasses security checks on codebase principals (CVE-2008-5023)

- Mozilla parsing error in E4X default namespace (CVE-2008-5024)

- security flaw (CVE-2008-5052)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL firefox package based on the guidance in RHSA-2008:0978.

See Also

http://www.nessus.org/u?b9f88bec

http://www.nessus.org/u?d6ef9aa8

https://access.redhat.com/errata/RHSA-2008:0978

https://access.redhat.com/security/updates/classification/#critical

https://bugzilla.redhat.com/show_bug.cgi?id=454283

https://bugzilla.redhat.com/show_bug.cgi?id=470873

https://bugzilla.redhat.com/show_bug.cgi?id=470876

https://bugzilla.redhat.com/show_bug.cgi?id=470881

https://bugzilla.redhat.com/show_bug.cgi?id=470883

https://bugzilla.redhat.com/show_bug.cgi?id=470884

https://bugzilla.redhat.com/show_bug.cgi?id=470889

https://bugzilla.redhat.com/show_bug.cgi?id=470892

https://bugzilla.redhat.com/show_bug.cgi?id=470894

https://bugzilla.redhat.com/show_bug.cgi?id=470895

https://bugzilla.redhat.com/show_bug.cgi?id=470898

https://bugzilla.redhat.com/show_bug.cgi?id=470902

Plugin Details

Severity: Medium

ID: 34764

File Name: redhat-RHSA-2008-0978.nasl

Version: 1.29

Type: local

Agent: unix

Published: 11/13/2008

Updated: 4/21/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2008-5052

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2008-5019

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:nss-devel, p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel, p-cpe:/a:redhat:enterprise_linux:nss-tools, p-cpe:/a:redhat:enterprise_linux:xulrunner, cpe:/o:redhat:enterprise_linux:4, p-cpe:/a:redhat:enterprise_linux:yelp, p-cpe:/a:redhat:enterprise_linux:devhelp-devel, p-cpe:/a:redhat:enterprise_linux:xulrunner-devel, p-cpe:/a:redhat:enterprise_linux:xulrunner-devel-unstable, p-cpe:/a:redhat:enterprise_linux:devhelp, p-cpe:/a:redhat:enterprise_linux:firefox, p-cpe:/a:redhat:enterprise_linux:nss

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/12/2008

Vulnerability Publication Date: 11/13/2008

Reference Information

CVE: CVE-2008-0017, CVE-2008-5014, CVE-2008-5015, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024, CVE-2008-5052

BID: 32281

CWE: 79

RHSA: 2008:0978