[Technik] [SECURITY] [DSA 1615-1] New xulrunner packages fix several vulnerabilities

Noèl Köthe noel at debian.org
Wed Jul 30 00:46:54 CEST 2008


On Wednesday, 23.07.2008, 22:33 +0200, Moritz Muehlenhoff wrote:

> Debian Security Advisory DSA-1615-1                  security at debian.org
> http://www.debian.org/security/                       Moritz Muehlenhoff
> July 23, 2008                         http://www.debian.org/security/faq
> 
> Package        : xulrunner
> Vulnerability  : several
> Problem type   : local/remote
> Debian-specific: no
> CVE ID         : CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933

xulrunner updated on h01, h02, h03, h04, h51, h52 and h90.

> For the stable distribution (etch), these problems have been fixed in
> version 1.8.0.15~pre080614d-0etch1.

changelog:
xulrunner (1.8.0.15~pre080614d-0etch1) stable-security; urgency=low

  [ Alexander Sack <asac at canonical.com> ]
  * New security/stability upstream release (backports for 2.0.0.15 + 2.0.0.16)
  * Upstream advisories (v2.0.0.15):
      MFSA 2008-21 aka CVE-2008-2798 - Crashes with evidence of memory corruption (rv:1.8.1.15)
      MFSA 2008-21 aka CVE-2008-2799 - Crashes with evidence of memory corruption (rv:1.8.1.15)
      MFSA 2008-22 aka CVE-2008-2800 - XSS through JavaScript same-origin violation
      MFSA 2008-23 aka CVE-2008-2801 - Signed JAR tampering
      MFSA 2008-24 aka CVE-2008-2802 - Chrome script loading from fastload file
      MFSA 2008-25 aka CVE-2008-2803 - Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
      MFSA 2008-27 aka CVE-2008-2805 - Arbitrary file upload via originalTarget and DOM Range
      MFSA 2008-28 aka CVE-2008-2806 - Arbitrary socket connections with Java LiveConnect on Mac OS X
      MFSA 2008-29 aka CVE-2008-2807 - Faulty .properties file results in uninitialized memory being used
      MFSA 2008-30 aka CVE-2008-2808 - File location URL in directory listings not escaped properly
      MFSA 2008-31 aka CVE-2008-2809 - Peer-trusted certs can use alt names to spoof
      MFSA 2008-32 aka CVE-2008-2810 - Remote site run as local file via Windows URL shortcut
      MFSA 2008-33 aka CVE-2008-2811 - Crash and remote code execution in block reflow
  * Upstream advisories (v2.0.0.16):
      MFSA 2008-35 aka CVE-2008-2785 - Command-line URLs launch multiple tabs when Firefox not running
      MFSA 2008-34 aka CVE-2008-2933 - Remote code execution by overflowing CSS reference counter
      MFSA 2008-36 aka CVE-2008-2934 - Crash with malformed GIF file on Mac OS X
  * debian/patches/90_bz421622.dpatch,90_bz425576.dpatch: drop prepatched
    prepatches which are now shipped in upstream source.
  * debian/patches/00list: Updated accordingly.
  * debian/patches/00list: disable 20_visibility patch now shipped upstream
  * debian/patches/99_configure.dpatch: updated accordingly.

 -- Alexander Sack <asac at canonical.com>  Thu, 17 Jul 2008 09:16:13 +0000

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : /archiv/technik/attachments/20080730/4573fc0f/attachment.pgp 
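The advisory names 1.8.0.15~pre080614d-0etch1 as the fixed etch version, and the message above records which hosts were updated. Confirming that across a fleet means comparing each installed version against the fixed one with Debian's version ordering, not plain string comparison: the tilde in "~pre080614d" sorts before anything, even the end of the string, so the fixed package ranks below a hypothetical "1.8.0.15-0etch1", while a byte-wise string compare ranks it above; and digit runs compare numerically, so 1.8.0.15 is newer than 1.8.0.9. The following is an added example, not code from the message, the Debian security team or the xulrunner packaging: it implements the ordering from Debian Policy section 5.6.12 (the same algorithm as dpkg's verrevcmp) and runs it over a constructed inventory. The host names and all versions other than the fixed one are hypothetical.

```python
"""Check installed xulrunner versions against the DSA-1615-1 fixed version.

Added example: implements Debian version ordering (Policy 5.6.12, mirroring
dpkg's verrevcmp) so that "1.8.0.15~pre080614d-0etch1" is ranked correctly.
The inventory at the bottom is constructed sample data.
"""
from __future__ import annotations

# Fixed version for etch as stated in DSA-1615-1.
FIXED_VERSION = "1.8.0.15~pre080614d-0etch1"


def _order(c: str) -> int:
    """Sort weight of one character, as in dpkg's order(); "" is end of string.

    Letters sort before non-letters, and '~' sorts before everything,
    including the end of the string, which is why 1.0~rc1 < 1.0.
    """
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Leading non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            if i < len(a):
                i += 1
            if j < len(b):
                j += 1
        # The digit runs that follow are compared numerically, not lexically
        # (so 15 > 9 and 080614 > 080323).
        start = i
        while i < len(a) and a[i].isdigit():
            i += 1
        num_a = int(a[start:i] or "0")
        start = j
        while j < len(b) and b[j].isdigit():
            j += 1
        num_b = int(b[start:j] or "0")
        if num_a != num_b:
            return -1 if num_a < num_b else 1
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split "[epoch:]upstream[-revision]" into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    upstream = _cmp_fragment(ua, ub)
    if upstream:
        return upstream
    return _cmp_fragment(ra, rb)


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    return compare_versions(installed, fixed) < 0


def vulnerable_hosts(inventory: dict[str, str], fixed: str = FIXED_VERSION) -> list[str]:
    """Hosts whose recorded version predates the fix, sorted by name."""
    return sorted(h for h, v in inventory.items() if needs_update(v, fixed))


# Constructed sample inventory (hypothetical hosts and versions), in the form
# one would collect with `dpkg-query -W -f='${Version}' <package>` per host.
SAMPLE_INVENTORY = {
    "web-a": "1.8.0.15~pre080614d-0etch1",   # exactly the fixed version
    "web-b": "1.8.0.15~pre080323b-0etch1",   # older snapshot (hypothetical)
    "web-c": "1.8.0.14-0etch1",              # older upstream (hypothetical)
    "web-d": "1.8.0.15~pre080614d-0etch2",   # later Debian revision (hypothetical)
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is older than {FIXED_VERSION}, needs update")
```

On an actual Debian host the same decision is available from dpkg itself, for example `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' <package>)" ge 1.8.0.15~pre080614d-0etch1`; the Python version is useful where the inventory has already been collected centrally and dpkg is not at hand.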
