Rapid7 Vulnerability & Exploit Database

RHSA-2010:0781: seamonkey security update


Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 10/21/2010
Created: 07/25/2018
Added: 10/25/2010
Modified: 07/04/2017

Description

SeaMonkey is an open source web browser, email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause SeaMonkey to crash or, potentially, execute arbitrary code with the privileges of the user running SeaMonkey. (CVE-2010-3176, CVE-2010-3180)

A flaw was found in the way the Gopher parser in SeaMonkey converted text into HTML. A malformed file name on a Gopher server could, when accessed by a victim running SeaMonkey, allow arbitrary JavaScript to be executed in the context of the Gopher domain. (CVE-2010-3177)

A flaw was found in the script that launches SeaMonkey. The LD_LIBRARY_PATH variable was appending a "." character, which could allow a local attacker to execute arbitrary code with the privileges of a different user running SeaMonkey, if that user ran SeaMonkey from within an attacker-controlled directory. (CVE-2010-3182)

It was found that the SSL DHE (Diffie-Hellman Ephemeral) mode implementation for key exchanges in SeaMonkey accepted DHE keys that were 256 bits in length. This update removes support for 256 bit DHE keys, as such keys are easily broken using modern hardware. (CVE-2010-3173)

A flaw was found in the way SeaMonkey matched SSL certificates when the certificates had a Common Name containing a wildcard and a partial IP address. SeaMonkey incorrectly accepted connections to IP addresses that fell within the SSL certificate's wildcard range as valid SSL connections, possibly allowing an attacker to conduct a man-in-the-middle attack. (CVE-2010-3170)

All SeaMonkey users should upgrade to these updated packages, which correct these issues. After installing the update, SeaMonkey must be restarted for the changes to take effect.
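As an added illustration of the certificate-matching flaw (CVE-2010-3170) described above, and not code from SeaMonkey, Mozilla or Red Hat: a Python model contrasting a lenient glob-style Common Name matcher with a hardened one that never wildcard-matches an IP literal. The CN "*.168.1.1" and the host "192.168.1.1" used in the comments are constructed sample values.

```python
import ipaddress
import re


def is_ip_literal(host: str) -> bool:
    """True when the client connected to a numeric IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def naive_wildcard_match(cn: str, host: str) -> bool:
    """Constructed model of the lenient behaviour: the CN is treated as a glob and
    applied to whatever the client connected to, even a dotted-quad IP address.
    With cn="*.168.1.1" (constructed) this accepts host "192.168.1.1"."""
    pattern = "^" + re.escape(cn.lower()).replace(r"\*", "[^.]*") + "$"
    return re.match(pattern, host.lower()) is not None


def strict_match(cn: str, host: str) -> bool:
    """Hardened matcher (conservative policy assumed here): an IP literal is matched
    only by an identical, wildcard-free CN; for DNS names the wildcard must be the
    whole leftmost label, may cover exactly one label, and must leave at least two
    literal labels to its right, so "*.168.1.1" never matches "192.168.1.1"."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if is_ip_literal(host):
        return "*" not in cn and cn == host
    if "*" not in cn:
        return cn == host
    cn_labels = cn.split(".")
    if cn_labels[0] != "*" or len(cn_labels) < 3 or any("*" in l for l in cn_labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(cn_labels) and host_labels[1:] == cn_labels[1:]
```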

Solution(s)

  • redhat-upgrade-seamonkey
  • redhat-upgrade-seamonkey-chat
  • redhat-upgrade-seamonkey-devel
  • redhat-upgrade-seamonkey-dom-inspector
  • redhat-upgrade-seamonkey-js-debugger
  • redhat-upgrade-seamonkey-mail
