Security researcher Ilja van Sprundel of IOActive reported that the Content-Disposition: attachment HTTP header was ignored when Content-Type: multipart was also present. This issue could potentially lead to XSS problems in sites that allow users to upload arbitrary files and specify a Content-Type, but rely on Content-Disposition: attachment to prevent the content from being displayed inline.
This issue is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-32.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 3 Via RHSA-2010:0499 https://rhn.redhat.com/errata/RHSA-2010-0499.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0500 https://rhn.redhat.com/errata/RHSA-2010-0500.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0501 https://rhn.redhat.com/errata/RHSA-2010-0501.html
seamonkey-2.0.5-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/seamonkey-2.0.5-1.fc12
seamonkey-2.0.5-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/seamonkey-2.0.5-1.fc13
xulrunner-1.9.2.4-1.fc13,firefox-3.6.4-1.fc13,mozvoikko-1.0-11.fc13,gnome-web-photo-0.9-9.fc13,perl-Gtk2-MozEmbed-0.08-6.fc13.14,gnome-python2-extras-2.25.3-19.fc13,galeon-2.0.7-29.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/xulrunner-1.9.2.4-1.fc13,firefox-3.6.4-1.fc13,mozvoikko-1.0-11.fc13,gnome-web-photo-0.9-9.fc13,perl-Gtk2-MozEmbed-0.08-6.fc13.14,gnome-python2-extras-2.25.3-19.fc13,galeon-2.0.7-29.fc13
firefox-3.5.10-1.fc12,xulrunner-1.9.1.10-1.fc12,mozvoikko-1.0-10.fc12,gnome-web-photo-0.9-7.fc12,gnome-python2-extras-2.25.3-18.fc12,perl-Gtk2-MozEmbed-0.08-6.fc12.13,galeon-2.0.7-23.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/firefox-3.5.10-1.fc12,xulrunner-1.9.1.10-1.fc12,mozvoikko-1.0-10.fc12,gnome-web-photo-0.9-7.fc12,gnome-python2-extras-2.25.3-18.fc12,perl-Gtk2-MozEmbed-0.08-6.fc12.13,galeon-2.0.7-23.fc12
seamonkey-2.0.5-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.1.10-1.fc12, mozvoikko-1.0-10.fc12, gnome-web-photo-0.9-7.fc12, gnome-python2-extras-2.25.3-18.fc12, perl-Gtk2-MozEmbed-0.08-6.fc12.13, galeon-2.0.7-23.fc12, firefox-3.5.10-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
xulrunner-1.9.2.4-1.fc13, firefox-3.6.4-1.fc13, mozvoikko-1.0-11.fc13, gnome-web-photo-0.9-9.fc13, perl-Gtk2-MozEmbed-0.08-6.fc13.14, gnome-python2-extras-2.25.3-19.fc13, galeon-2.0.7-29.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
seamonkey-2.0.5-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0545 https://rhn.redhat.com/errata/RHSA-2010-0545.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0544 https://rhn.redhat.com/errata/RHSA-2010-0544.html