The new java 3.6.x does not use the old java plugin, only the new java plugin. As a result, we had to update java-1.6.0-sun-compat to put both the old and the new java plugin into the correct plugin areas.

This new java-1.6.0-sun-compat will work with both the old firefox (3.0.x) and the new firefox (3.6.x).

Dependencies:

SRPMS:
java-1.6.0-sun-compat-1.6.0.20-3.sl4.jpp.src.rpm
i386:
java-1.6.0-sun-compat-1.6.0.20-3.sl4.jpp.i586.rpm
x86_64:
java-1.6.0-sun-compat-1.6.0.20-3.sl4.jpp.i586.rpm

Thanks
Troy

On 06/24/2010 06:48 AM, Troy J Dawson wrote:
> Synopsis: Critical: firefox security, bug fix, and enhancement update
> Issue date: 2010-06-22
> CVE Names: CVE-2008-5913 CVE-2010-0182 CVE-2010-1121
>            CVE-2010-1125 CVE-2010-1196 CVE-2010-1197
>            CVE-2010-1198 CVE-2010-1199 CVE-2010-1200
>            CVE-2010-1202 CVE-2010-1203
>
> Several flaws were found in the processing of malformed web content. A
> web page containing malicious content could cause Firefox to crash or,
> potentially, execute arbitrary code with the privileges of the user
> running Firefox. (CVE-2010-1121, CVE-2010-1200, CVE-2010-1202,
> CVE-2010-1203)
>
> A flaw was found in the way browser plug-ins interact. It was possible
> for a plug-in to reference the freed memory from a different plug-in,
> resulting in the execution of arbitrary code with the privileges of the
> user running Firefox. (CVE-2010-1198)
>
> Several integer overflow flaws were found in the processing of malformed
> web content. A web page containing malicious content could cause Firefox
> to crash or, potentially, execute arbitrary code with the privileges of
> the user running Firefox. (CVE-2010-1196, CVE-2010-1199)
>
> A focus stealing flaw was found in the way Firefox handled focus
> changes. A malicious website could use this flaw to steal sensitive data
> from a user, such as usernames and passwords.
> (CVE-2010-1125)
>
> A flaw was found in the way Firefox handled the "Content-Disposition:
> attachment" HTTP header when the "Content-Type: multipart" HTTP header
> was also present. A website that allows arbitrary uploads and relies on
> the "Content-Disposition: attachment" HTTP header to prevent content
> from being displayed inline, could be used by an attacker to serve
> malicious content to users. (CVE-2010-1197)
>
> A flaw was found in the Firefox Math.random() function. This function
> could be used to identify a browsing session and track a user across
> different websites. (CVE-2008-5913)
>
> A flaw was found in the Firefox XML document loading security checks.
> Certain security checks were not being called when an XML document was
> loaded. This could possibly be leveraged later by an attacker to load
> certain resources that violate the security policies of the browser or
> its add-ons. Note that this issue cannot be exploited by only loading an
> XML document. (CVE-2010-0182)
>
> This erratum upgrades Firefox from version 3.0.19 to version 3.6.4, and
> as such, contains multiple bug fixes and numerous enhancements. Space
> precludes documenting these changes in this advisory.
>
> Important: Firefox 3.6.4 is not completely backwards-compatible with all
> Mozilla Add-ons and Firefox plug-ins that worked with Firefox 3.0.19.
> Firefox 3.6 checks compatibility on first-launch, and, depending on the
> individual configuration and the installed Add-ons and plug-ins, may
> disable said Add-ons and plug-ins, or attempt to check for updates and
> upgrade them. Add-ons and plug-ins may have to be manually updated.
>
> After installing the update, Firefox must be restarted for the changes
> to take effect.
>
> SL 4.x
>
> SRPMS:
> firefox-3.6.4-8.el4.src.rpm
> i386:
> firefox-3.6.4-8.el4.i386.rpm
> x86_64:
> firefox-3.6.4-8.el4.i386.rpm
> firefox-3.6.4-8.el4.x86_64.rpm
>
> -Connie Sieh
> -Troy Dawson
>
>

--
__________________________________________________
Troy Dawson  (630)840-6468
Fermilab  ComputingDivision/LSCS/CSI/USS Group
__________________________________________________