<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200710-31"> <title>Opera: Multiple vulnerabilities</title> <synopsis> Opera contains multiple vulnerabilities, which may allow the execution of arbitrary code. </synopsis> <product type="ebuild">opera</product> <announced>2007-10-30</announced> <revised count="01">2007-10-30</revised> <bug>196164</bug> <access>remote</access> <affected> <package name="www-client/opera" auto="yes" arch="*"> <unaffected range="ge">9.24</unaffected> <vulnerable range="lt">9.24</vulnerable> </package> </affected> <background> <p> Opera is a multi-platform web browser. </p> </background> <description> <p> Michael A. Puls II discovered an unspecified flaw when launching external email or newsgroup clients (CVE-2007-5541). David Bloom discovered that when displaying frames from different websites, the same-origin policy is not correctly enforced (CVE-2007-5540). </p> </description> <impact type="normal"> <p> An attacker could potentially exploit the first vulnerability to execute arbitrary code with the privileges of the user running Opera by enticing a user to visit a specially crafted URL. Note that this vulnerability requires an external e-mail or newsgroup client configured in Opera to be exploitable. The second vulnerability allows an attacker to execute arbitrary script code in a user's browser session in context of other sites or the theft of browser credentials. </p> </impact> <workaround> <p> There is no known workaround at this time for all these vulnerabilities. </p> </workaround> <resolution> <p> All Opera users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/opera-9.24"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5540">CVE-2007-5540</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5541">CVE-2007-5541</uri> </references> <metadata tag="submitter" timestamp="2007-10-21T22:07:58Z"> rbu </metadata> <metadata tag="bugReady" timestamp="2007-10-22T21:37:32Z"> p-y </metadata> </glsa>