Synopsis: Critical: firefox security update Issue date: 2009-06-11 CVE Names: CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840 CVE-2009-1841 Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code as the user running Firefox. (CVE-2009-1392, CVE-2009-1832, CVE-2009-1833, CVE-2009-1837, CVE-2009-1838, CVE-2009-1841) Multiple flaws were found in the processing of malformed, local file content. If a user loaded malicious, local content via the file:// URL, it was possible for that content to access other local data. (CVE-2009-1835, CVE-2009-1839) A script, privilege elevation flaw was found in the way Firefox loaded XML User Interface Language (XUL) scripts. Firefox and certain add-ons could load malicious content when certain policy checks did not happen. (CVE-2009-1840) A flaw was found in the way Firefox displayed certain Unicode characters in International Domain Names (IDN). If an IDN contained invalid characters, they may have been displayed as spaces, making it appear to the user that they were visiting a trusted site. (CVE-2009-1834) A flaw was found in the way Firefox handled error responses returned from proxy servers. If an attacker is able to conduct a man-in-the-middle attack against a Firefox instance that is using a proxy server, they may be able to steal sensitive information from the site the user is visiting. (CVE-2009-1836) After installing the update, Firefox must be restarted for the changes to take effect. SL 4.x SRPMS: firefox-3.0.11-4.el4.src.rpm i386: firefox-3.0.11-4.el4.i386.rpm x86_64: firefox-3.0.11-4.el4.i386.rpm firefox-3.0.11-4.el4.x86_64.rpm SL 5.x SRPMS: firefox-3.0.11-2.el5_3.src.rpm xulrunner-1.9.0.11-3.el5_3.src.rpm i386: firefox-3.0.11-2.el5_3.i386.rpm xulrunner-1.9.0.11-3.el5_3.i386.rpm xulrunner-devel-1.9.0.11-3.el5_3.i386.rpm xulrunner-devel-unstable-1.9.0.11-3.el5_3.i386.rpm x86_64: firefox-3.0.11-2.el5_3.i386.rpm firefox-3.0.11-2.el5_3.x86_64.rpm xulrunner-1.9.0.11-3.el5_3.i386.rpm xulrunner-1.9.0.11-3.el5_3.x86_64.rpm xulrunner-devel-1.9.0.11-3.el5_3.i386.rpm xulrunner-devel-1.9.0.11-3.el5_3.x86_64.rpm xulrunner-devel-unstable-1.9.0.11-3.el5_3.x86_64.rpm -Connie Sieh -Troy Dawson