Coordinación de Seguridad de la Información

Coordinación de Seguridad de la Información

Información y servicios de seguridad en cómputo

1 2 3 4 5 6 7

Vulnerabilidades rss pdf

Coordinación de Seguridad de la Información - UNAM-CERT -- DGTIC-UNAM

Vulnerabilidad de Seguridad UNAM-CERT-2005-412 Actualización de Debian para Mozilla.

Debian liberó una actualización para Mozilla. Esta repara varias vulnerabilidades que pueden explotarse para burlar ciertas restricciones de seguridad, realizar ataques de spoofing y Cross-site Scripting, y comprometer el sistema de un usuario.

  • Fecha de Liberación: 13-Sep-2005
  • Fuente:

    Debian Security Advisory
    DSA-810-1 mozilla

  • CVE ID: CAN-2004-0718 CAN-2005-1937 CAN-2005-2260 CAN-2005-2261 CAN-2005-2263 CAN-2005-2265 CAN-2005-2266 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270
  • Riesgo Altamente crítico
  • Problema de Vulnerabilidad Remoto
  • Tipo de Vulnerabilidad Múltiples vulnerabilidades

Sistemas Afectados

Debian GNU/Linux 3.1 alias sarge Mozilla Suite 1.7.8
  1. Descripción

    Debian liberó una actualización para Mozilla. Esta repara varias vulnerabilidades que pueden explotarse por personas maliciosas para burlar ciertas restricciones de seguridad, realizar ataques de spoofing y Cross-site Scripting, y comprometer el sistema de un usuario.

    1. Se encontro una vulnerabilidad en Mozilla que permite a los atacantes remotos inyectar código Javascript arbitrario de una página en los marcos de otro sitio (CAN-2004-0718, CAN-2005-1937).

    2. La interfaz de usuario del navegador no distinguía adecuadamente entre eventos generados por el usuario y eventos sintetizados, esto hace más fácil para los atacantes remotos realizar acciones peligrosas que normalmente sólo las podría realizar manualmente el usuario (CAN-2005-2260).

    3. Se podían ejeuctar scripts XML aunque Javascript estuviese desactivado (CAN-2005-2261).

    4. Un atacante remoto podia ejecutar una función "call()" en el contexto de otro sitio (CAN-2005-2263).

    5. La falta de verificación en la entrada de InstallVersion.compareTo() podía provocar un DoS a la aplicación (CAN-2005-2265).

    6. Un atacante remoto podía obtener información sensible, de sitios web accediendo a los datos de los marcos adyacentes (CAN-2005-2266).

    7. Un cuadro de diálogo de Javascript podía hacer spoofing sobre un sitio de confianza y facilitar los ataques de phishing (CAN-2005-2268).

    8. Un atacante remoto podía modificar las propiedades de ciertas etiquetas en los nodos DOM, lo que podía conducir a la ejecución de scripts o de código arbitrario (CAN-2005-2269).

    9. Los navegadores de Mozilla no clonan adecuadamente los objetos base, lo que permite que un atacante remoto ejecute código arbitrario (CAN-2005-2270).

  2. Impacto

    Security Bypass.

    Cross-site Scripting.

    Spoofing.

    Acceso al sistema.

  3. Solución

    Aplicar paquetes actualizados.

    Debian GNU/Linux 3.1 (sarge)

    Fuentes:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.dsc
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2.diff.gz
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz

    Alpha:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_alpha.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_alpha.deb

    AMD64:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_amd64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_amd64.deb

    ARM:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_arm.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_arm.deb

    Intel IA-32:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_i386.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_i386.deb

    Intel IA-64:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_ia64.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_ia64.deb

    HPPA:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_hppa.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_hppa.deb

    Motorola 680x0:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_m68k.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_m68k.deb

    Big endian MIPS:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mips.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mips.deb

    Little endian MIPS:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_mipsel.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_mipsel.deb

    PowerPC:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_powerpc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_powerpc.deb
    IBM S/390:
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_s390.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_s390.deb

    Sun Sparc:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-chatzilla_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dev_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-dom-inspector_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-js-debugger_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-mailnews_1.7.8-1sarge2_sparc.deb
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-psm_1.7.8-1sarge2_sparc.deb
  4. Apéndices

    Mayor información.

    http://www.debian.org/

La Coordinación de Seguridad de la Información/UNAM-CERT agradece el apoyo en la elaboración ó traducción y revisión de éste Documento a:

  • Floriberto López Velázquez (flopez at seguridad dot unam dot mx)

UNAM-CERT
Equipo de Respuesta a Incidentes UNAM
Coordinación de Seguridad de la Información

incidentes at seguridad.unam.mx
phishing at seguridad.unam.mx
http://www.cert.org.mx
http://www.seguridad.unam.mx
ftp://ftp.seguridad.unam.mx
Tel: 56 22 81 69
Fax: 56 22 80 47


Universidad Nacional Autonoma de México AENOR LOGO FIRST LOGO Aviso legal |  Créditos |  Staff |  Acerca |  Contacto |  FTP |  Administración
Copyright © Todos los derechos reservados
UNAM - CERT