Bug 815187 (CVE-2011-1187, CVE-2012-0475)

Summary: CVE-2011-1187 CVE-2012-0475 Multiple flaws in Firefox 12 which do not affect firefox 10.0.4 ESR
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-04-23 04:40:21 UTC
Bug Blocks: 812268

Description Huzaifa S. Sidhpurwala 2012-04-23 04:37:27 UTC
Multiple flaws were fixed in Mozilla Firefox and Thunderbird 12. The flaws described below, however, do not affect the versions of Firefox 10.0.4 ESR and Thunderbird 10.0.4 shipped with Red Hat Enterprise Linux.

Security researcher Simone Fabiano reported that if a cross-site XHR or WebSocket is opened on a web server on a non-standard port for web traffic while using an IPv6 address, the browser will send ambiguous origin headers if the IPv6 address contains at least 2 consecutive 16-bit fields of zeroes. If there is an origin access control list that uses IPv6 literals, this issue could be used to bypass these access controls on the server.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-28.html

Security researcher Daniel Divricean reported that a defect in the error handling of javascript errors can leak the file names and location of javascript files on a server, leading to inadvertent information disclosure and a vector for further attacks.
Reference:
http://www.mozilla.org/security/announce/2012/mfsa2012-32.html
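
The server-side lesson from the first flaw is that an origin allowlist containing IPv6 literals must not compare Origin header strings textually, since the same address can be written with or without "::" compression. The following is an added example (not code from the Mozilla advisory or from Red Hat) of an origin check that canonicalises IPv6 literals before comparing; the allowlist and origin values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist, as a server-side origin ACL might hold it. The first
# entry is an IPv6 literal on a non-standard port, the case the advisory covers.
ALLOWED_ORIGINS = [
    "https://[2001:db8::1]:8443",
    "http://app.example",
]

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def canonical_origin(origin):
    """Return (scheme, host, port) for an Origin value, with an IPv6 literal
    host reduced to its canonical compressed form, or None if malformed."""
    try:
        parts = urlsplit(origin)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError:  # bad bracket syntax, port out of range, ...
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # urlsplit() already strips the brackets and lowercases the host; for an
    # IPv6 literal, expand/compress so "2001:db8:0:0:0:0:0:1" == "2001:db8::1".
    try:
        host = ipaddress.IPv6Address(host).compressed
    except ipaddress.AddressValueError:
        pass  # a DNS name, keep as-is (already lowercased)
    return (scheme, host, port)


_ALLOWED = {canonical_origin(o) for o in ALLOWED_ORIGINS}


def origin_allowed(origin_header):
    """Robust check: compare canonical (scheme, host, port) tuples."""
    key = canonical_origin(origin_header)
    return key is not None and key in _ALLOWED


def naive_origin_allowed(origin_header):
    """Textual comparison, shown only to contrast with origin_allowed():
    it treats differently written forms of one address as different origins."""
    return origin_header in ALLOWED_ORIGINS
```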

Comment 1 Huzaifa S. Sidhpurwala 2012-04-23 04:40:21 UTC
Statement:

Not Vulnerable. These issues do not affect the versions of the firefox and thunderbird packages, as shipped with Red Hat Enterprise Linux 5 and 6.