Mozilla products: Multiple vulnerabilities Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted execution of arbitrary code. mozilla-firefox mozilla-firefox-bin seamonkey seamonkey-bin mozilla-thunderbird mozilla-thunderbird-bin xulrunner May 20, 2008 May 20, 2008: 01 208128 214816 218065 remote 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 1.1.9-r1 1.1.9-r1 1.1.9 1.1.9 1.8.1.14 1.8.1.14

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird.

The following vulnerabilities were reported in all mentioned Mozilla products:

The following vulnerability was reported in Thunderbird and SeaMonkey:

The following vulnerabilities were reported in Firefox, SeaMonkey and XULRunner:

The following vulnerabilities were reported in Firefox:

A remote attacker could entice a user to view a specially crafted web page or email that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code or a Denial of Service. It is also possible for an attacker to trick a user to upload arbitrary files when submitting a form, to corrupt saved passwords for other sites, to steal login credentials, or to conduct Cross-Site Scripting and Cross-Site Request Forgery attacks.

There is no known workaround at this time.

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.14"

All Mozilla Firefox binary users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.14"

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.14"

All Mozilla Thunderbird binary users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"

All SeaMonkey users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.9-r1"

All SeaMonkey binary users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.9"

All XULRunner users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"

NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in the SeaMonkey binary ebuild, as no precompiled packages have been released. Until an update is available, we recommend all SeaMonkey users to disable JavaScript, use Firefox for JavaScript-enabled browsing, or switch to the SeaMonkey source ebuild.

CVE-2007-4879 CVE-2008-0304 CVE-2008-0412 CVE-2008-0413 CVE-2008-0414 CVE-2008-0415 CVE-2008-0416 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0594 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2008-1380 rbu rbu