[Bug 210155] Re: [xulrunner, iceape] [DSA-1532-1, DSA-1534-1] several vulnerabilities

Alexander Sack asac at jwsdot.com
Tue Apr 1 19:50:13 UTC 2008


Hardy: already fixed in 1.8.1.13+nobinonly-0ubuntu1

** Changed in: xulrunner (Ubuntu Hardy)
       Status: New => Fix Released

** Changed in: xulrunner (Ubuntu Hardy)
   Importance: Undecided => High

** Summary changed:

- [xulrunner, iceape] [DSA-1532-1, DSA-1534-1] several vulnerabilities
+ various outstanding security updates in mozilla universe packages

** Summary changed:

- various outstanding security updates in mozilla universe packages
+ various outstanding security updates in mozilla universe packages (as of 1.8.1.13)

** Description changed:

+ various
+ 
+ 
  Binary package hint: xulrunner
  
  References:
  DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)
  
  Quoting:
  "Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications. The Common Vulnerabilities
  and Exposures project identifies the following problems:
  
  CVE-2007-4879
  
      Peter Brodersen and Alexander Klink discovered that the
      autoselection of SSL client certificates could lead to users
      being tracked, resulting in a loss of privacy.
  
  CVE-2008-1233
  
      "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
      CVE-2007-5338 allow the execution of arbitrary code through
      XPCNativeWrapper.
  
  CVE-2008-1234
  
      "moz_bug_r_a4" discovered that insecure handling of event
      handlers could lead to cross-site scripting.
  
  CVE-2008-1235
  
      Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
      that incorrect principal handling could lead to cross-site
      scripting and the execution of arbitrary code.
  
  CVE-2008-1236
  
      Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
      Palmgren discovered crashes in the layout engine, which might
      allow the execution of arbitrary code.
  
  CVE-2008-1237
  
      "georgi", "tgirmann" and Igor Bukanov discovered crashes in the
      Javascript engine, which might allow the execution of arbitrary
      code.
  
  CVE-2008-1238
  
      Gregory Fleischer discovered that HTTP Referrer headers were
      handled incorrectly in combination with URLs containing Basic
      Authentication credentials with empty usernames, resulting
      in potential Cross-Site Request Forgery attacks.
  
  CVE-2008-1240
  
      Gregory Fleischer discovered that web content fetched through
      the jar: protocol can use Java to connect to arbitrary ports.
      This is only an issue in combination with the non-free Java
      plugin.
  
  CVE-2008-1241
  
      Chris Thomas discovered that background tabs could generate
      XUL popups overlaying the current tab, resulting in potential
      spoofing attacks."

** Description changed:

- various
- 
+ various security issues that have been disclosed for mozilla products
+ are currently unfixed in ubuntu.

** Description changed:

  various security issues that have been disclosed for mozilla products
- are currently unfixed in ubuntu.
+ (as of 1.8.1.13 aka ffox 2.0.0.13) are unfixed in ubuntu.
  
- Binary package hint: xulrunner
+ Examples of outstanding issues for xulrunner:
  
  References:
  DSA-1532-1 (http://www.debian.org/security/2008/dsa-1532)

-- 
various outstanding security updates in mozilla universe packages (as of 1.8.1.13)
https://bugs.launchpad.net/bugs/210155
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to iceape in ubuntu.
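As an added example (not code from the bug report, from Ubuntu's packaging, or from Debian), the check an administrator would run to confirm that the installed xulrunner is at or above the Hardy fix version named in the comment above, 1.8.1.13+nobinonly-0ubuntu1. It re-implements dpkg's version ordering (epoch, upstream, Debian revision; digit runs compared numerically, and '~' sorting before the empty string so that a "~pre" snapshot is older than the release it precedes), because plain string comparison misorders versions such as 1.8.1.9 and 1.8.1.13. The dpkg-query output lines are constructed sample input, and every version string other than the fix version is hypothetical.

```python
"""Compare installed Debian/Ubuntu package versions against known fix versions.

Added example, not code from the bug mail or from Ubuntu's packaging.
Only the xulrunner fix version for Hardy is taken from the bug mail;
all other version strings below are hypothetical.
"""
import re

# Fixed version stated in the bug mail for xulrunner on Hardy.
FIXED_VERSIONS = {"xulrunner": "1.8.1.13+nobinonly-0ubuntu1"}


def _order(c: str) -> int:
    """Weight of one character as in dpkg's order(): digits weigh 0 (they are
    handled numerically), '~' sorts before end-of-string (weight 0 in the
    caller), letters sort before all other punctuation."""
    if c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) per dpkg rules:
    alternate between a non-digit run (character weights) and a digit run
    (numeric). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: end-of-string weighs 0, so "1.0~rc1" < "1.0" < "1.0a".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: numeric comparison, so leading zeros do not matter.
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' (epoch and revision optional).
    The epoch ends at the first ':', the revision starts at the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b in Debian version order."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def audit(dpkg_output: str, fixed=FIXED_VERSIONS) -> dict:
    """Map package -> True (installed version at or above the fix), False
    (still vulnerable) or None (no fix version known for that package).
    Input is the output of: dpkg-query -W -f='${Package} ${Version}\\n'"""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split()[:2]
        fix = fixed.get(pkg)
        result[pkg] = None if fix is None else compare_versions(ver, fix) >= 0
    return result


# Constructed sample of dpkg-query output; both version strings are hypothetical.
SAMPLE_DPKG_OUTPUT = """xulrunner 1.8.1.12+nobinonly-0ubuntu1
iceape 1.0.13~pre080323b-0ubuntu1
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_DPKG_OUTPUT).items():
        label = {True: "fixed", False: "VULNERABLE", None: "no fix version on record"}[status]
        print(f"{pkg}: {label}")
```

On a real system, feed `dpkg-query -W -f='${Package} ${Version}\n' xulrunner` into `audit()` instead of the constructed sample; `dpkg --compare-versions` gives the same answer for a single pair when dpkg is available.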