Mozilla hat issued important security update for Firefox package that that fix various security issues are now available from Mozilla, Red Hat, and other distributions. Mozilla announced Firefox 220.127.116.11 security and stability update available for download. This update has been rated as having critical security impact by the Mozialla. All Mozilla Firefox users should upgrade to this updated package, which contains backported patches that correct many issues.
How do I update FireFox 3.x or 1.5.x or 2.x under Red Hat / CentOS Linux?
Simply type the following command at a shell prompt:
# yum update
How do I update Firefox under Debian / Ububtu Linux?
Open terminal and type the following commands:
$ apt-get update
$ apt-get upgrade
After a standard system upgrade you need to restart Firefox to effect the necessary changes.
Security Issues Details
From the CVE database:
Various flaws were discovered in the browser engine. By tricking a user into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799)
A flaw was discovered in Firefox that allowed overwriting trusted objects viaozIJSSubScriptLoader.loadSubScript(). If a user were tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2803)
Claudio Santambrogio discovered a vulnerability in Firefox which could lead to stealing of arbitrary files. If a user were tricked into opening malicious content, an attacker could force the browser into uploading local files to the remote server. (CVE-2008-2805)
Gregory Fleischer discovered a flaw in Java LiveConnect. An attacker could exploit this to bypass the same-origin policy and create arbitrary socket connections to other domains. (CVE-2008-2806) Daniel Glazman found that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. If a user were tricked into installing a malicious add-on, the browser may be able to see data from other programs.(CVE-2008-2807)
Masahiro Yamada discovered that Firefox did not properly sanitize file URLs in directory listings, resulting in files from directory listings being opened in unintended ways or not being able to be
opened by the browser at all. (CVE-2008-2808)
John G. Myers discovered a weakness in the trust model used by Firefox regarding alternate names on self-signed certificates. If a user were tricked into accepting a certificate containing alternate name entries, an attacker could impersonate another server. (CVE-2008-2809)
A flaw was discovered in the way Firefox opened URL files. If a user were tricked into opening a bookmark to a malicious web page, the page could potentially read from local files on the user’s computer. (CVE-2008-2810)
A vulnerability was discovered in the block reflow code of Firefox. This vulnerability could be used by an attacker to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2811)