Well aware. Of course Mozilla's silly security policies prevent me from viewing the bug's making a release before MoFo does. But as soon as 1.0.4 is released I'll have it packaged in short order.
* Joey Hess ([EMAIL PROTECTED]) wrote: > Package: mozilla-firefox > Version: 1.0.3-2 > Severity: grave > Tags: security > > I'm sure you already know of these, but for the record, firefox is > vulnerale to a pair of new security holes: > > CAN-2005-1477 > > The install function in Firefox 1.0.3 allows remote web sites on the browser's > whitelist, such as update.mozilla.org or addon.mozilla.org, to execute > arbitrary Javascript with chrome privileges, leading to arbitrary code > execution on the system when combined with vulnerabilities such as > CAN-2005-1476, as demonstrated using a javascript: URL as the package icon and > a cross-site scripting (XSS) attack on a vulnerable whitelist site. > > CAN-2005-1476 > > Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other > domains by using an IFRAME and causing the browser to navigate to a previous > javascript: URL, which can lead to arbitrary code execution when combined with > CAN-2005-1477. -- Eric Dorland <[EMAIL PROTECTED]> ICQ: #61138586, Jabber: [EMAIL PROTECTED] 1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+ ------END GEEK CODE BLOCK------
signature.asc
Description: Digital signature
