The Mozilla project is releasing Firefox 1.5.0.9 to fix several flaws:

mfsa2006-68 impact=critical,source=mozilla,reported=20061212,public=20061219
As part of the Firefox 2.0.0.1 and 1.5.0.9 update releases we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort.
CVE-2006-6497 Andrew Miller, David Baron, Georgi Guninski, Jesse Ruderman, Olli Pettay and Vladimir Vukicevic reported crashes in the layout engine
CVE-2006-6498 Igor Bukanov, Jesse Ruderman and moz_bug_r_a4 reported potential memory corruption in the JavaScript engine

mfsa2006-70 CVE-2006-6501 impact=critical,source=mozilla,reported=20061212,public=20061219
Shutdown demonstrated that it was possible to use a JavaScript watch() to gain elevated privilege. This could be used to compromise the user's computer and install malware.

mfsa2006-71 CVE-2006-6502 impact=critical,source=mozilla,reported=20061212,public=20061219
Steven Michaud reported a crash in LiveConnect, the bridge code that allows Java applets and web JavaScript to communicate. The crash is due to re-use of an already-freed object and we presume this could be exploited with enough effort.

mfsa2006-72 CVE-2006-6503 impact=moderate,source=mozilla,reported=20061212,public=20061219
moz_bug_r_a4 reported that the src attribute of an IMG element loaded in a frame could be changed to a javascript: URI that was able to bypass the protections against cross-site script (XSS) injection. The injected script could steal credentials and financial data, or perform destructive actions on behalf of a logged-in user.

mfsa2006-73 CVE-2006-6504 impact=critical,source=mozilla,reported=20061212,public=20061219
An anonymous researcher for TippingPoint and the Zero Day Initiative reports that attempting to append an SVG comment DOM node from one document into another type of document results in memory corruption that can be exploited to run arbitrary code.
Lifting embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0758.html