-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0069

Title: Several vulnerabilities in Firefox, Thunderbird and Seamonkey

Version history
07.06.2012 Initial publication

Summary and Potential impact
============================
The most severe vulnerability (Priority: urgent; Severity: urgent;
classification done by Red Hat) allows a remote attacker to run code in
the security context of a user of Firefox, Thunderbird or SeaMonkey
when they open a malicious website or email.

(CVSS v2 Base Score: 9.3 CRITICAL AV:N/AC:M/Au:N/C:C/I:C/A:C)[6]

List of all addressed vulnerabilities:

CVE-2012-1938: Memory safety bugs fixed in Firefox 13[1]
CVE-2012-1939: Assertion failure: [infer failure] Missing type pushed 0:
float, at jsinfer.cpp:348[1]
CVE-2012-1937: Memory safety bugs fixed in Firefox 10.0.5 and Firefox 13[1]
CVE-2011-3101: Work around NVIDIA driver bug in glBufferData[1]
CVE-2012-1944: Script code executes even when inline scripts are blocked
by CSP[2]
CVE-2012-1945: Arbitrary File + Directory read via .lnk files on Windows
Share[3]
CVE-2012-1946: Use-after-free in nsINode::ReplaceOrInsertBefore[4]
CVE-2012-1947: Heap-buffer-overflow in utf16_to_isolatin1[5]
CVE-2012-1940: Heap-use-after-free in nsFrameList::FirstChild[5]
CVE-2012-1941: Heap-buffer-overflow in
nsHTMLReflowState::CalculateHypotheticalBox, with nested multi-column,
relative position, and absolute position[5]

Updates/Fixes
=============
The vulnerabilities are fixed in

Firefox 13.0
Firefox ESR 10.0.5
Thunderbird 13.0
Thunderbird ESR 10.0.5
SeaMonkey 2.10

What can you do?
================
Several vendors and maintainers of Linux distributions (including
Red Hat) have already issued updates for the affected packages.

Please refer to the vendor or maintainer of your software for exact
information about the available updates.
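The fixed versions above belong to two release lines (the ESR 10.0.x branch and
the regular 13.0 / 2.10 releases), so a plain string comparison of version
numbers is not enough: "2.9" sorts after "2.10" as text, and a 10.0.6 ESR build
is fixed although it is numerically far below 13.0. The following Python script
is an added example, not part of the CERT-EU advisory or of any Mozilla tooling.
The fixed-version table is taken from the "Updates/Fixes" section; the rule that
any 10.0.x build is compared against the ESR threshold, the inventory line format
and the host names are assumptions made for the example.

```python
"""Check installed Firefox / Thunderbird / SeaMonkey versions against the
fixed versions listed in CERT-EU Security Advisory 2012-0069.

Added example; not the advisory's own tooling. The fixed-version table comes
from the advisory. The branch rule (10.0.x compared against the ESR fix,
everything else against the mainline fix) and the inventory format are
assumptions for this example.
"""
from typing import List, Tuple

# Fixed versions per product, from the advisory's "Updates/Fixes" section.
# The "esr" entry is only used for builds on the 10.0.x branch.
FIXED_VERSIONS = {
    "firefox": {"mainline": (13, 0), "esr": (10, 0, 5)},
    "thunderbird": {"mainline": (13, 0), "esr": (10, 0, 5)},
    "seamonkey": {"mainline": (2, 10)},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.5esr' or '13.0' into a comparable tuple of integers.

    Each dot-separated piece is read up to its first non-digit character, so
    suffixes such as 'esr', 'a1' or 'b3' are ignored. Release builds are what
    the advisory addresses, so pre-release ordering is not modelled here.
    """
    parts = []
    for piece in text.strip().lower().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def _pad(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (13, 0) and (13, 0, 1) compare component-wise."""
    return version + (0,) * (length - len(version))


def is_vulnerable(product: str, version: str) -> bool:
    """True if this build predates the fixed version for its release line."""
    table = FIXED_VERSIONS[product.lower()]
    installed = parse_version(version)
    # Assumption: any 10.0.x build is on the ESR branch and is fixed at 10.0.5.
    # (A non-ESR 10.0.x build would be vulnerable either way, so the answer
    # does not change.)
    if "esr" in table and installed[:2] == (10, 0):
        fixed = table["esr"]
    else:
        fixed = table["mainline"]
    width = max(len(installed), len(fixed))
    return _pad(installed, width) < _pad(fixed, width)


# Constructed sample inventory: "<host> <product> <version>" per line.
CONSTRUCTED_INVENTORY = """\
ws-01 firefox 12.0
ws-02 firefox 10.0.4esr
ws-03 firefox 13.0
mail-01 thunderbird 10.0.5esr
kiosk-01 seamonkey 2.9
"""


def check_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every entry still needing the update."""
    pending = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if is_vulnerable(product, version):
            pending.append((host, product, version))
    return pending


if __name__ == "__main__":
    for host, product, version in check_inventory(CONSTRUCTED_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

Run against an export of your software inventory in the same three-column
format; hosts reported by check_inventory() are the ones still requiring the
vendor update. Note that a 10.0.5 ESR build passes while 12.0 does not, which
is exactly the distinction a text comparison of version strings would miss.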

What to tell your users?
========================
Normal security best practices apply. In particular, inform your web
users to be cautious about following links to sites provided by
unfamiliar or suspicious sources. Users should not click on links in
suspicious emails and should immediately forward any suspicious email to
the respective IT security officer or contact in your institution.

More information
================
[1] http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
[2] http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
[3] http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
[4] http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
[5] http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
[6] More information about CVSS is available at:
http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
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=7u8d
-----END PGP SIGNATURE-----