Mozilla contributor Masahiro Yamada reported that file URLs in directory listings were not being HTML escaped properly when the filenames contained particular characters. This resulted in files from directory listings being opened in unintended ways or files not being able to be opened by the browser altogether.
This will be MFSA 2008-30
This is now public: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15
devhelp-0.16.1-8.fc8, gtkmozembedmm-1.4.2.cvs20060817-21.fc8, yelp-2.20.0-10.fc8, gnome-web-photo-0.3-11.fc8, kazehakase-0.5.4-2.fc8.2, blam-1.8.3-16.fc8, epiphany-2.20.3-5.fc8, liferea-1.4.15-2.fc8, epiphany-extensions-2.20.1-8.fc8, galeon-2.0.4-3.fc8.3, openvrml-0.17.6-3.fc8, chmsee-1.0.0-2.31.fc8, ruby-gnome2-0.17.0-0.2.rc1.fc8, firefox-2.0.0.15-1.fc8, gnome-python2-extras-2.19.1-15.fc8, Miro-1.2.3-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.10-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-1.1.10-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
It should be noted that the description used in the security errata is mistaken. This issue does not only affect local file listings, but can affect any file listings such as ftp, gopher, and jar schemas.
This was addressed via: Red Hat Enterprise Linux version 2.1 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 3 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 4 (seamonkey) RHSA-2008:0547 Red Hat Enterprise Linux version 4 (firefox) RHSA-2008:0549 Red Hat Enterprise Linux version 5 (firefox) RHSA-2008:0569 Red Hat Enterprise Linux version 4 (thunderbird) RHSA-2008:0616 Red Hat Enterprise Linux Desktop version 5 (thunderbird) RHSA-2008:0616 RHEL Optional Productivity Applications version 5 (thunderbird) RHSA-2008:0616